The Polish Personal Data Protection Authority had a busy end to the year, issuing three administrative fines, two of which are among the highest fines that have been imposed in Poland. We consider the implications for data security and reporting personal data breaches.

Breaches of IT security

On 3 December 2020, the Authority imposed a fine of PLN 1,968,524 (EUR 460,000) on Virgin Mobile Polska.

The sanction was imposed due to insufficient IT security measures, including a lack of regular testing, which enabled an unauthorised third party to access a database containing personal data of over 140,000 subscribers to pre-paid services. The disclosed details include given name and surname, national identification number (PESEL), series and number of their ID card, phone number and tax identification number. The fine is similar to that issued to Morele.net and confirms the Authority attaches considerable importance to information security.

Supply chain breaches

Insufficient IT safeguards were also the reason for a PLN 1,069,850 (EUR 250,000) fine on ID Finance Poland on 17 December 2020. The company did not react to a warning about a data security vulnerability affecting their hosting provider (acting as data processor), resulting in the loss of personal data.

The Authority concluded that the data controller is responsible for efficiently identifying personal data breaches and reacting rapidly to take remedial action where such a breach has occurred. The Authority confirmed that, since the data controller is obliged to monitor the entities to which it outsources its data processing, it is also liable for the processor’s failure to implement appropriate security measures and for any subsequent data breach.

Failure to notify data breaches

Finally, on 9 December 2020, the Authority issued a fine of PLN 85,588 (EUR 20,000) to Towarzystwo Ubezpieczeń i Reasekuracji Warta (“Warta”). The reason for the penalty was not the personal data breach itself, but the failure to report it to the Authority within the required timeframe, and the failure to inform the data subjects.

The breach occurred after the personal data of two of Warta’s customers were sent to the wrong recipient as a result of the customers themselves providing the insurer’s agent with an incorrect email address. The breach affected insurance policy documents, containing each customer’s given name and surname, national identification number (PESEL), home address and data about the insured vehicle.

Warta did not notify the Authority, but the incorrect addressee of the email did. Moreover, Warta failed to inform the affected customers for five months because it wrongly assumed that the breach did not result in a high risk of violating their rights.

The fine is controversial because the reason for the data breach was the customers’ own failure to correctly provide their email address. However, the Authority stated this was still a personal data breach and the customers’ fault does not exonerate the controller from liability. The Authority also argued that the data breach could have been prevented, for example by encrypting the messages or verifying the clients’ email address. The Authority also decided it was not sufficient to just ask the incorrect addressee of the email to delete the received documents, since third parties may not be reliable and might not permanently delete that data.

At first sight, the fine may seem relatively small. However, the incident in question was related to the personal data of only two customers.

All three companies have 30 days to appeal these fines to the Voivodship Administrative Court in Warsaw.

Lessons learned

These fines demonstrate the Authority takes a strict approach to the assessment of the risk of personal data protection breaches, the need for effective identification of breaches and the need to notify the Authority. The decisions also confirm the previous stance of the Authority that the disclosure of the national identification number (PESEL) creates a high risk.

The decision in Warta’s case also illustrates the need for data controllers to verify their customers’ email addresses prior to sending any messages to them containing personal data. Further, if the email or attachment comprises personal data, encryption should be used where possible.

Finally, the fines also demonstrate the need for continuous supervision of data processors, though it remains unclear what security measures would be regarded as satisfactory by the Authority. Further guidance would be welcomed.

Details of the fines (in Polish) is available from the following links: Virgin Mobile Polska sp. z o.o. (here), ID Finance Poland sp. z o.o. (here) and TUiR Warta S.A. (here).

By Szymon Sieniewicz and Daria Wojciechowska