News

๐Ÿ‡ต๐Ÿ‡ฑ Ban on using personal data for testing ๐Ÿ‡ต๐Ÿ‡ฑ

Subcontracting, Confidentiality & Security | 25/03/2025

The Polish DPA sanctions a data controller and its processor

 Source : DKN 5130.2215.2020

๐—™๐—ฎ๐—ฐ๐˜๐˜€

The Polish Data Protection Authority (DPA) imposed fines for severe personal data security breaches:

๐Ÿญ ๐—บ๐—ถ๐—น๐—น๐—ถ๐—ผ๐—ป ๐—ณ๐—ผ๐—ฟ ๐˜๐—ต๐—ฒ ๐—ฑ๐—ฎ๐˜๐—ฎ ๐—ฐ๐—ผ๐—ป๐˜๐—ฟ๐—ผ๐—น๐—น๐—ฒ๐—ฟ: Fortum Marketing and Sales Polska SA, an electricity and gas provider.

๐Ÿฑ๐Ÿฏ,๐Ÿฌ๐Ÿฌ๐Ÿฌ ๐—ณ๐—ผ๐—ฟ ๐˜๐—ต๐—ฒ ๐—ฝ๐—ฟ๐—ผ๐—ฐ๐—ฒ๐˜€๐˜€๐—ผ๐—ฟ: PIKA, a digital archiving service provider.

Following a performance issue in the archive search system, PIKA ๐—ฝ๐—ฒ๐—ฟ๐—ณ๐—ผ๐—ฟ๐—บ๐—ฒ๐—ฑ ๐—ฎ ๐˜๐—ฒ๐—ฐ๐—ต๐—ป๐—ถ๐—ฐ๐—ฎ๐—น ๐—ผ๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ผ๐—ป ๐˜๐—ต๐—ฒ ๐—ฑ๐—ฎ๐˜๐—ฎ๐—ฏ๐—ฎ๐˜€๐—ฒ. Due to ๐—ถ๐—ป๐—ฎ๐—ฑ๐—ฒ๐—พ๐˜‚๐—ฎ๐˜๐—ฒ ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—บ๐—ฒ๐—ฎ๐˜€๐˜‚๐—ฟ๐—ฒ๐˜€, a third party accessed the system and copied ๐˜๐—ต๐—ฒ ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ผ๐—ป๐—ฎ๐—น ๐—ฑ๐—ฎ๐˜๐—ฎ ๐—ผ๐—ณ ๐Ÿญ๐Ÿฏ๐Ÿณ,๐Ÿฏ๐Ÿญ๐Ÿฐ ๐—ถ๐—ป๐—ฑ๐—ถ๐˜ƒ๐—ถ๐—ฑ๐˜‚๐—ฎ๐—น๐˜€.

๐—–๐—ผ๐—บ๐—ฝ๐—ฟ๐—ผ๐—บ๐—ถ๐˜€๐—ฒ๐—ฑ ๐——๐—ฎ๐˜๐—ฎ

The compromised data included:

๐Ÿ‘ค Name and surname

๐Ÿ  Residential or domicile address

๐Ÿ“ PESEL number, type, series, and number of an identity document

โœ‰๏ธ Email address

๐Ÿ“ž Phone number

๐Ÿ”’ Contractual data

Despite the severity of the breach, ๐—™๐—ผ๐—ฟ๐˜๐˜‚๐—บ ๐—ฑ๐—ฒ๐—ฒ๐—บ๐—ฒ๐—ฑ ๐—ถ๐˜ ๐˜‚๐—ป๐—ป๐—ฒ๐—ฐ๐—ฒ๐˜€๐˜€๐—ฎ๐—ฟ๐˜† ๐˜๐—ผ ๐—ถ๐—ป๐—ณ๐—ผ๐—ฟ๐—บ ๐˜๐—ต๐—ฒ ๐—ฎ๐—ณ๐—ณ๐—ฒ๐—ฐ๐˜๐—ฒ๐—ฑ ๐—ถ๐—ป๐—ฑ๐—ถ๐˜ƒ๐—ถ๐—ฑ๐˜‚๐—ฎ๐—น๐˜€, claiming that the violation posed no risks to their rights and freedoms.

๐—ฉ๐—ถ๐—ผ๐—น๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€

๐—•๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐—ผ๐—ณ ๐—”๐—ฟ๐˜๐—ถ๐—ฐ๐—น๐—ฒ๐˜€ ๐Ÿฏ๐Ÿฎ(๐Ÿญ) ๐—ฎ๐—ป๐—ฑ ๐Ÿฏ๐Ÿฎ(๐Ÿฎ) ๐—ผ๐—ณ ๐˜๐—ต๐—ฒ ๐—š๐——๐—ฃ๐—ฅ:

Lack of appropriate technical and organizational measures to ensure data security.

๐—ก๐—ผ๐—ป-๐—ฐ๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐˜„๐—ถ๐˜๐—ต ๐—”๐—ฟ๐˜๐—ถ๐—ฐ๐—น๐—ฒ ๐Ÿฎ๐Ÿด(๐Ÿญ) ๐—ผ๐—ณ ๐˜๐—ต๐—ฒ ๐—š๐——๐—ฃ๐—ฅ:

PIKA failed to follow the data controller's directives, particularly concerning data pseudonymization.

Fortum did not ensure its processor provided sufficient guarantees for personal data protection.

๐—–๐—ผ๐—ป๐˜€๐—ฒ๐—พ๐˜‚๐—ฒ๐—ป๐—ฐ๐—ฒ๐˜€

๐—๐—ฎ๐—ป๐˜‚๐—ฎ๐—ฟ๐˜† ๐Ÿญ๐Ÿต, ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฎ, ๐—”๐—ฑ๐—บ๐—ถ๐—ป๐—ถ๐˜€๐˜๐—ฟ๐—ฎ๐˜๐—ถ๐˜ƒ๐—ฒ ๐—ณ๐—ถ๐—ป๐—ฒ๐˜€:

๐Ÿ’ธ๐Ÿญ ๐—บ๐—ถ๐—น๐—น๐—ถ๐—ผ๐—ป for Fortum (data controller).

๐Ÿ’ธ๐Ÿฑ๐Ÿฏ,๐Ÿฌ๐Ÿฌ๐Ÿฌ for PIKA (processor).

๐Ÿ”— ๐——๐—ฎ๐—บ๐—ฎ๐—ด๐—ฒ ๐˜๐—ผ ๐˜๐—ต๐—ฒ ๐—ฟ๐—ฒ๐—ฝ๐˜‚๐˜๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ผ๐—ณ ๐—ฏ๐—ผ๐˜๐—ต ๐—ฒ๐—ป๐˜๐—ถ๐˜๐—ถ๐—ฒ๐˜€.

Back to news list

Explore all our areas of expertise:

Governance and Strategy Data Quality MDM / PIM Compliance
]]>