🇵🇱 Ban on using personal data for testing 🇵🇱
The Polish DPA sanctions a data controller and its processor
Source: DKN 5130.2215.2020
Facts
The Polish Data Protection Authority (DPA) imposed fines for severe personal data security breaches:
€1 million for the data controller: Fortum Marketing and Sales Polska SA, an electricity and gas provider.
€53,000 for the processor: PIKA, a digital archiving service provider.
Following a performance issue in the archive search system, PIKA performed a technical operation on the database. Due to inadequate security measures, a third party accessed the system and copied the personal data of 137,314 individuals.
Compromised Data
The compromised data included:
👤 Name and surname
🏠 Residential or domicile address
📝 PESEL number, type, series, and number of an identity document
✉️ Email address
📞 Phone number
🔒 Contractual data
Despite the severity of the breach, Fortum deemed it unnecessary to inform the affected individuals, claiming that the violation posed no risks to their rights and freedoms.
Violations
Breach of Articles 32(1) and 32(2) of the GDPR:
Lack of appropriate technical and organizational measures to ensure data security.
Non-compliance with Article 28(1) of the GDPR:
PIKA failed to follow the data controller's directives, particularly concerning data pseudonymization.
Fortum did not ensure its processor provided sufficient guarantees for personal data protection.
Consequences
January 19, 2022, administrative fines:
💸 €1 million for Fortum (data controller).
💸 €53,000 for PIKA (processor).
🔗 Damage to the reputation of both entities.