UODO (Poland) - DKN.5131.28.2023

From GDPRhub
Revision as of 13:53, 15 July 2024

UODO - DKN.5131.28.2023
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.03.2024
Published:
Fine: 18000 EUR
Parties: n/a
National Case Number/Name: DKN.5131.28.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: n/a

The Polish DPA imposed a fine of €18,000 (PLN 78,575) on Toyota Bank for failing to adequately assess the risk of a data breach and for failing to notify the Polish DPA as required by Article 33 GDPR.

English Summary

Facts

Toyota Bank Poland S.A. (controller) is a bank established under Polish law. On 31 March 2021 an employee of the controller, by mistake, sent a letter containing personal data of the data subject to another client. The letter contained personal data from the loan agreement concluded between the data subject and the controller, specifically: name, surname, bank account number, address, national ID number (PESEL) and ID card number. The (incorrect) addressee picked up and opened the letter. Eventually, the controller retrieved the letter by sending a courier.

The controller registered the incident in its internal breach register and performed a risk assessment. During the risk assessment, the controller relied on the European Union Agency for Cybersecurity (ENISA) data breach guideline (ENISA, Recommendations for a methodology of the assessment of severity of personal data breaches, December 2013, available at https://www.enisa.europa.eu/publications/dbn-severity). According to the controller, the breach affected only one person, the letter was swiftly retrieved, and the (incorrect) addressee was the controller's client and helped to resolve the problem. For these reasons, the controller assigned the breach a low risk level and consequently did not notify the DPA. Nevertheless, the controller decided to inform the data subject about the breach by letter.

The data subject filed a complaint with the DPA, claiming that the controller had unlawfully disclosed their personal data. During the complaint proceedings, on 7 September 2022, the controller notified the DPA about the breach. The notification was made almost 18 months after the breach. The controller justified the late notification by the low risk it had assigned to the breach.

As a consequence of the late data breach notification, the DPA initiated ex officio proceedings regarding a violation of Article 33(1) GDPR.

Holding

According to the DPA, the controller failed to adequately assess the risk of the data breach. The DPA emphasised that the data subject's interests, not the controller's, should be the main reference when conducting a data breach risk assessment. The disclosed personal data included the national ID number (PESEL) together with other personal data. As such, it could be used for many unauthorised purposes, in particular identity theft or fraud, and cause material or non-material damage to the data subject. The DPA based its argumentation on EDPB Guidelines 9/2022 on personal data breach notification under GDPR (version 2.0, 28 March 2023, https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en), EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification (version 2.0, 14 December 2021, https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012021-examples-regarding-personal-data-breach_en), and the jurisprudence of Polish administrative and regional courts in cases involving the disclosure of a national ID number (PESEL).

Also, the (incorrect) addressee did not qualify as a trusted party, since the controller was unable to anticipate what the addressee might do with the disclosed personal data. Consequently, the data breach was more serious, and posed a higher risk, than the controller had identified. Because of that, the controller was obliged to notify the DPA and not only the data subject.

In conclusion, the DPA found a violation of Article 33(1) GDPR and imposed a fine of €18,000 (PLN 78,575.40).

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Warsaw, March 12, 2024
Decision
DKN.5131.28.2023

Based on Art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775, as amended), Art. 7 section 1, Art. 60, Art. 101 and Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), as well as Art. 57 section 1 letters a) and h), Art. 58 section 2 letter i), Art. 83 sections 1 and 2, and Art. 83 section 4 letter a) in connection with Art. 33 section 1 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04/05/2021, p. 1; OJ EU L 74 of 4/03/2021), hereinafter referred to as "Regulation 2016/679", following administrative proceedings initiated ex officio regarding the violation of personal data protection provisions by Toyota Bank Polska S.A. with its registered office in Warsaw (ul. Postępu 18B, 02-676 Warszawa), the President of the Personal Data Protection Office,
finding that Toyota Bank Polska S.A. with its registered office in Warsaw (ul. Postępu 18B, 02-676 Warszawa) violated the provisions of Art. 33 section 1 of Regulation 2016/679 by failing to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach, imposes on Toyota Bank Polska S.A. with its registered office in Warsaw (ul. Postępu 18B, 02-676 Warszawa) an administrative fine in the amount of PLN 78,575.40 (in words: seventy-eight thousand five hundred and seventy-five zlotys and forty groszy).

Justification

On September 7, 2022, Toyota Bank Polska S.A. with its registered office in Warsaw (ul. Postępu 18B, 02-676 Warszawa), hereinafter also referred to as the "Bank" or the "Administrator", reported to the President of the Personal Data Protection Office, hereinafter also referred to as the "President of the Personal Data Protection Office" or the "supervisory authority", a personal data protection breach concerning the personal data of one natural person (hereinafter referred to as the "Data Subject" or "Bank Customer") in the scope of: name and surname, bank account number, address of residence, PESEL registration number, and series and number of the ID card. The personal data protection breach consisted in sending, as a result of an error by a Bank employee, a bank shipment containing an agreement and a loan repayment schedule to another Bank customer. The parcel was received and opened by this customer, as a result of which the Bank Customer's personal data was disclosed to an unauthorized person. After the Bank sent a courier to the person in possession of the incorrectly sent parcel, the correspondence was returned to the Bank. The explanations provided show that the Bank registered a security incident in connection with the situation, but did not report the personal data protection breach to the supervisory authority within 72 hours of its discovery.

In the personal data breach notification form, the Administrator indicated March 31, 2021 as the date of detection of the breach, and submitted the notification only on September 7, 2022, justifying the delay in notifying the supervisory authority about the personal data breach by stating that "the Bank assessed the risk of violating the rights and freedom of data subjects to low, however, after the Office of Personal Data Protection (UODO) changed the principles of assessment." The intervention referred to in the Bank's explanation concerns the proceedings conducted by the President of the Personal Data Protection Office regarding the complaint of the Bank's client, in connection with the breach of personal data protection, concerning irregularities in the processing of her personal data by Toyota Bank Polska S.A., consisting in sharing her personal data with a third party without a legal basis (ref. (…)).

Following the notification of the personal data protection breach to the supervisory authority after the 72-hour deadline from its discovery had passed, i.e. almost 1.5 years after its discovery, the President of the Personal Data Protection Office initiated ex officio administrative proceedings against the Bank for violation of Art. 33 section 1 of Regulation 2016/679.

In response to the notification of the initiation of administrative proceedings in the matter in question, in a letter of October 19, 2023, the Bank sent additional explanations in which it indicated that "When assessing the seriousness of the breach in question, the Bank took into account the following circumstances: (i) the breach concerned only one person, (ii) the document containing the data was quickly recovered, (iii) there were no reasons to assume bad faith of the person who obtained unauthorized access to the data as a result of the breach, in particular due to the fact that this person was a client of the Bank, informed the Bank about the event and cooperated with the Bank to return the incorrectly addressed parcel and (iv) the fact that the Bank knew the personal data of this person, which, in the Bank's opinion, was a circumstance that reduced the risk of unauthorized use of these data to the detriment of the person affected by the breach. Moreover, during the assessment, an important point of reference was the ENISA guidelines on assessing the seriousness of a breach, which showed that the above-mentioned circumstances reduce the seriousness of the breach and suggested that breaches for which the risk of negative consequences for the rights and freedoms of natural persons are small."

The reason for the failure to report the personal data protection breach to the President of the Personal Data Protection Office, according to the Bank, "[...] was to reliably assess the seriousness of the breach, and not another, within the framework of the interpretation of Art. 33 section 1 GDPR, based on market practice and on the basis of available guidelines of the agency competent in the field of information security (ENISA)." In turn, as soon as the Bank "became aware of the expectations of the President of the Personal Data Protection Office regarding the application of Art. 33(1) of the GDPR", it "immediately took action to adapt its own practice in this respect to the expectations of the President of the Personal Data Protection Office. The change in the Bank's approach resulted in informing the President of the Personal Data Protection Office about the violation that was the basis for these proceedings."

Further in the explanation, the Bank indicates that, regardless of the assessment of the personal data protection breach in the context of Art. 33(1) of Regulation 2016/679, it prudently informed the person concerned about the breach, i.e. "although he did not report the breach immediately after the occurrence of the breach due to the risk assessment used, he nevertheless fulfilled the main task of the data controller, i.e. counteracted the effects of the breach by immediately informing the data subject about the breach by letter."

In the Bank's opinion, the delay in reporting the breach in question to the President of the Personal Data Protection Office did not adversely affect the rights and freedoms of the data subject. The client had the opportunity to counteract the effects of the personal data protection breach immediately after it occurred, and she also received support from the Bank in this respect, which, among other things, covered the costs of purchasing the code (...).

On January 23, 2024, a letter from the Administrator was received which repeated the Bank's previously submitted explanations, thereby confirming the Bank's current position on this matter.

After reviewing all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:

Pursuant to Art. 4 point 12 of Regulation 2016/679 "breach of personal data protection" means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

Art. 33 sections 1 and 3 of Regulation 2016/679 state that in the event of a breach of personal data protection, the controller shall report it without undue delay - if possible, no later than 72 hours after discovering the breach - to the supervisory authority competent in accordance with Art. 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification submitted to the supervisory authority after 72 hours shall be accompanied by an explanation of the reasons for the delay. The notification referred to in section 1 must, at least: (a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach; (b) contain the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained; (c) describe the possible consequences of the personal data breach; (d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.

The analysis of the above provisions therefore shows that, depending on the level of risk of violating the rights and freedoms of natural persons, the controller has different obligations towards the supervisory authority and the data subjects. If, as a result of the analysis, the controller finds that the risk of violating the rights and freedoms of natural persons is low, it is not obliged to report the breach to the President of the Personal Data Protection Office; the breach must only be entered in the internal register of breaches. If a risk of violating the rights and freedoms of natural persons is identified, the controller is obliged to report the data protection breach to the President of the Personal Data Protection Office, as well as to make an entry in the internal register of breaches. The occurrence of a high risk of violating the rights and freedoms of natural persons requires the controller, in addition to an entry in the register of breaches, to take appropriate actions both towards the supervisory authority (reporting the data protection breach) and towards the data subjects. In the case of personal data protection breaches that may result in a high risk of violating the rights and freedoms of the data subject, Regulation 2016/679 introduces an additional obligation for the controller to notify the data subject without undue delay, unless the controller has taken preventive measures before the breach occurred or remedial measures after it occurred (Article 34(3) of Regulation 2016/679).

As follows from the above, if the controller detects a personal data protection breach, it must first analyze the risk of violating the rights and freedoms of natural persons. The controller is exempt from the obligation to notify the supervisory authority about a breach if, as a result of this examination, it turns out that there is at most a low probability of a risk to the rights and freedoms of natural persons. However, it should be taken into account that the supervisory authority may ask the controller to justify the decision not to report the breach; therefore the conclusions of the analysis should be recorded in the internal register of breaches.

It is worth recalling that the European Data Protection Board (EDPB) Guidelines No. 9/2022[1] adopted on March 28, 2023 include recommendations on reporting personal data protection breaches to the supervisory authority.

It should be emphasized that the assessment of the risk of violating the rights and freedoms of a natural person should be made from the perspective of the data subject and not from the perspective of the controller's interests. Failure to report a personal data protection breach deprives the supervisory authority of the opportunity to respond appropriately to the breach, which covers not only assessing the risk to the rights and freedoms of a natural person, but also, in particular, verifying whether the controller has applied appropriate measures to address the breach and minimize its negative effects on data subjects, as well as whether it has implemented appropriate security measures to minimize the risk of a recurrence of the breach.

Reporting personal data protection breaches by controllers is therefore an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights and freedoms of data subjects and, if such a risk exists, whether they have provided appropriate information to the natural persons affected by the breach. The President of the Personal Data Protection Office verifies the assessment made by the controller and may, if the controller has not notified the data subjects, request such notification. Reports of personal data protection breaches allow the supervisory authority to respond appropriately to limit the effects of such breaches, as the controller is obliged to take effective actions to ensure the protection of natural persons and their personal data, which will, on the one hand, allow for monitoring the effectiveness of existing solutions and, on the other hand, allow for assessing modifications and improvements aimed at preventing irregularities similar to those covered by the breach. Notifying natural persons about a breach, in turn, gives them information on the risk associated with the breach and indicates the actions they can take to protect themselves against its potential negative effects (this enables the natural person to independently assess the breach in the context of the possibility of negative consequences materializing for them and to decide whether or not to take remedial action).

In the letter of October 19, 2023, the Administrator indicates that "In the Bank's opinion, the delay in reporting the breach in question to the Personal Data Protection Office did not negatively affect the rights and freedoms of the data subject, because the client had the opportunity to counteract the effects of the breach immediately after it occurred, and moreover received the support of the Bank in this respect, which, among other things, covered the costs of purchasing the code (...) (which is also currently the Bank's standard)." According to the supervisory authority, the fact that the person affected by the personal data protection breach in question submitted a complaint to the President of the Personal Data Protection Office about irregularities in the processing of her personal data by the Bank, consisting in making her personal data available to a third party without a legal basis, proves that the Bank's response to this breach was not sufficient, and that the Bank's Client herself had concerns about the security of the data processed by the Bank.

Toyota Bank Polska S.A., due to the scale and scope of its activities, i.e. the provision of various types of financial services, processes the personal data of a very large number of customers with whom it concludes, among others, credit agreements. In the case under consideration, the personal data of the Bank's Client included in the contract between the parties, i.e. PESEL number, name and surname, address of residence, bank account number and the series and number of the ID card, were accessed by an unauthorized person. Therefore, there is no doubt that the Data Subject can be easily identified on the basis of the disclosed data. In addition, data related to the conclusion of the contract and its content were disclosed.

Consequently, the assessment of the breach carried out by the Administrator in terms of the risk of violating the rights and freedoms of natural persons, which is necessary to determine whether the data protection breach requires notifying the President of the Personal Data Protection Office (Article 33(1) and (3) of Regulation 2016/679) and the persons affected by the breach (Article 34(1) and (2) of Regulation 2016/679), should, as must be emphasized once again, be made from the perspective of the person affected by the breach.

It is true that the Bank informed the data subject about the breach of personal data protection by providing her with the content of the notification, but by failing to properly report the personal data protection breach to the President of the Personal Data Protection Office within the deadline provided for by law (72 hours from the discovery of the breach), it deprived the supervisory authority of the opportunity to respond appropriately to this breach, and therefore of the opportunity to properly analyze the content of the notification addressed to this person in terms of the Administrator's fulfillment of the obligations arising from Art. 34 section 2 in connection with Art. 33 section 3 of Regulation 2016/679 and to provide the Data Subject with complete information regarding the possible consequences of the breach, as well as the measures that this person can take to protect herself against its potential consequences.

It should be borne in mind that accidental disclosure of personal data, even to one identified person, may lead to an increase in the scale of the breach and thus in the risk of violating the rights and freedoms of the data subject. At the same time, the Administrator did not demonstrate, in accordance with the principle of accountability referred to in Art. 5 section 2 of Regulation 2016/679, that its client, to whose address the contract with the Bank Client's data was sent, may be considered a so-called trusted recipient. The explanations provided by the Bank in the letter of October 19, 2023 show that when assessing the seriousness of the breach in question, which resulted in refraining from reporting the breach to the supervisory authority, it "took into account the following circumstances: (i) the breach concerned only one person, (ii) the document containing the data was quickly recovered, (iii) there were no reasons to assume bad faith of the person who gained unauthorized access to the data as a result of the breach, in particular due to the fact that this person was a client of the Bank and informed the Bank about the event, and cooperated with the Bank to return the incorrectly addressed parcel and (iv) the fact that the Bank knew the personal data of this person, which, in the Bank's opinion, was a circumstance that reduced the risk of unauthorized use of this data to the detriment of the person affected by the breach."

The risk assessment was based on the belief that the person who came into possession of the contract is characterized by the so-called "good faith" because "she informed the Bank about the event and cooperated with the Bank to return the incorrectly addressed parcel", and also "the Bank knew the personal data of this person". Taking the above into account, the Bank assessed "that the above-mentioned circumstances reduce the seriousness of the violation and which suggested that violations for which the risk of negative consequences for the rights and freedoms of natural persons are low should not be notified to the supervisory authority."

Therefore, for a better illustration of cases of personal data protection breaches consisting in the accidental disclosure of data to an unauthorized person, reference should be made to Guidelines 9/2022, which describe a case of a data confidentiality breach involving the mistaken disclosure of personal data to a third party or other recipient, in a situation where the data are accidentally sent to the wrong department of the organization or to a supplier organization whose services the controller uses. The controller then has grounds to consider the unauthorized recipient as trusted, because it has a permanent relationship with such an entity, knows the procedures it uses and can trust the recipient enough to reasonably expect that the recipient will not read the mistakenly sent data or gain access to it, and will comply with the request to send it back. Even if the data has been accessed, the controller can still trust that the recipient will not take any inappropriate action and will return the data to the controller immediately. As the EDPB further points out, in the case described above the controller may take into account the fact that the recipient is a trusted person in the risk assessment carried out following the breach. However, that is not the situation here. Another client of the Bank, to whom correspondence with a contract containing the Data Subject's personal data was mistakenly addressed, does not have a relationship with the Bank that allows it to be assumed that this client is a trusted recipient within the meaning of the above position of the EDPB.

Referring to the above, it should be noted that the Bank's position is incomprehensible when it explains the failure to report the personal data protection breach by, among other things, the fact that the Bank knew the personal data of the person to whom the parcel was mistakenly delivered, and bases its risk assessment on this belief, completely downplaying the fact that the personal data of the Bank's client were disclosed to an unauthorized person. On that reasoning, the Bank could send its clients' data to incorrect addresses every time, thus making them available to third parties - other clients - and treat such situations as not carrying a risk of violating the rights and freedoms of natural persons. The fact that the data were made available to only one identified person is likewise irrelevant. In the event of delivery of erroneous correspondence to a person known to the Administrator, e.g. another customer who informed the Data Subject about the Bank's error, there is no guarantee that this person's intentions will not change.

Moreover, the Administrator cannot be sure whether, before returning the correspondence, the incorrect recipient did not make a copy or record the personal data contained in the contract in another way, e.g. by writing them down. The Bank also has no way of actually verifying that the unauthorized recipient did not transfer the Bank's Client's data to third parties or does not hold a copy of these data. The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgment of January 21, 2022, ref. no. II SA/Wa 1353/21, indicating that "(...) there is no certainty that before these activities the person did not make, for example, a photocopy or did not record the personal data contained in the content of the document in another way, e.g. by writing them down. Merely performing the activities indicated in the declarations submitted by a third party - an unauthorized recipient - does not guarantee that the intentions of such a person will not change now or in the future, and the possible consequences of using such categories of data may be significant for the persons whose data were subject to the breach." It should be emphasized once again that the fact that, in the Bank's opinion, "there were no reasons to assume bad faith of the person who obtained unauthorized access to the data as a result of the breach, in particular due to the fact that this person was a client of the Bank, informed the Bank about the event and cooperated with the Bank to return the incorrectly addressed parcel", does not mean that it is unlikely that the breach would result in a risk of violating the rights and freedoms of natural persons, and does not exclude the assumption that there was a high risk of violating the rights and freedoms of the data subject.
It should be pointed out once again that the personal data were made available to an unauthorized recipient, which means that there was a security breach leading to unauthorized disclosure of personal data; the unauthorized recipient cannot be considered a "trusted recipient", and the scope of these data determines that there is a high risk of violating the rights or freedoms of a natural person. In turn, the Bank's client affected by the incident in question submitted a complaint to the President of the Personal Data Protection Office about irregularities in the processing of her personal data by the Bank, consisting in making her personal data available to a third party without a legal basis. The Data Subject's complaint, in the opinion of the President of the Personal Data Protection Office, confirms that the risk assessment presented in the Bank's explanations in the case in question does not take into account the perspective of the Bank's Client, who, as a result of the breach of the protection of her personal data, very likely suffered non-pecuniary damage.

As indicated in Guidelines 9/2022, a breach of personal data protection may potentially cause a number of negative consequences for the natural persons whose data are subject to the breach. The possible effects of a breach listed by the EDPB include physical, material or non-material damage. Examples of such damage include, but are not limited to: discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of confidentiality of personal information and significant economic or social harm. In the present case, there is no doubt that, due to the scope of data covered by the personal data protection breach in question, including the PESEL registration number along with the name and surname, there is a high probability of the above-mentioned damage occurring.

First of all, it should be emphasized that the personal data protection breach concerned the PESEL registration number, i.e. an eleven-digit numerical symbol that uniquely identifies a natural person and contains, among others, the date of birth and gender; it is therefore closely related to the private sphere of the natural person and, as a national identification number, is also subject to exceptional protection under Art. 87 of Regulation 2016/679, being data of a special nature and requiring such special protection. The PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal transactions. The PESEL number together with the name and surname clearly identifies a natural person, in a way that allows the negative effects of the breach (e.g. identity theft, loan fraud) to be attributed to that specific person. Moreover, it should be taken into account that as a result of the personal data protection breach in question, this registration number along with the name and surname of the Bank's Client was made available to an unauthorized person, which may be sufficient to "impersonate" the data subject and enter into a contract on behalf of and to the detriment of such a person, e.g. incurring monetary liabilities (see: https://www.bik.pl/poradnik-bik/wyluzenie-kredytu-tak-dzialaja-oszusci - where a case is described in which: "Only name, surname and PESEL number was enough for fraudsters to extort several loans worth tens of thousands of zlotys in total. Nothing else was correct: neither the ID card number nor the residential address."). It is also impossible to ignore that the analyzed personal data protection breach also concerned the residential address, the bank account number and the series and number of the Bank Client's ID card. In assessing risk, a key factor is the type and sensitivity of the personal data disclosed as a result of the breach.
Guidelines 9/2022 emphasize that a collection of various personal data is usually more sensitive than individual data.

Moreover, as evidenced by case law, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time - for confirmation, one can even mention the judgment of the District Court in Łęczyca of July 27, 2016 (reference number I C 566/15), in which fraudsters taking out a loan using someone else's data used a PESEL number, a fictitious address and an incorrect (invalid) ID number. In the justification for the above-mentioned judgment, the Court stated that: "The evidentiary proceedings conducted and the analysis of the documents attached by the plaintiff result in the unambiguous conclusion that in the case under consideration the defendant was not a party to the loan agreement concluded on May 5, 2014; the PESEL number of the defendant J.R. was used, but the indicated place of residence does not correspond to the place of residence of the defendant. The defendant J.R. never lived in W. The loan amount was transferred to an account that was not owned by the defendant. On the date of conclusion of the loan agreement, the ID card no. (...) had expired on March 15, 2014. The mobile phone number indicated in the loan agreement and its annexes does not match the actual telephone numbers used by the defendant."

In another case (I C 693/16), the District Court in Zgierz ruled in its judgment of November 4, 2016: "The defendant's personal data in the form of his name and surname and PESEL number, which were consistent with the defendant's data, did not prove that on December 17, 2014 the defendant submitted a declaration of will to conclude a loan agreement. It cannot be ruled out that a person who gained unauthorized access to the defendant's personal data concluded a loan agreement on his account with (...) sp. z o.o. S.K.A. based in W. In the case in question, the defendant demonstrated that he never lived at the address indicated in the loan agreement and that the telephone number and e-mail address used to register on the website and submit the loan application did not belong to him."

Courts ruled similarly in other such cases. As an example, there are judgments in which the courts dismissed a claim for payment of amounts due to loans granted by unknown persons using the personal data (name and surname and PESEL number) of the defendants:

    Judgment of the District Court for Łódź-Widzew in Łódź of August 13, 2020 in case no. II C 1145/19, in which a third party unknown to the defendant illegally came into possession of his PESEL number and ID card number, and the remaining address details - indicated in the loan agreement - were false - "In the opinion of the Court, the evidence offered by the defendant - especially documents from the files of a criminal case pending before the District Court in Tarnowskie Góry with file reference number VI K 383/16 - prove that the loan agreement of November 8, 2014 was concluded by a third party using some of Z. A.'s personal data. She provided a false residential address, where the defendant has never lived, and the loan amount was transferred to a bank account that did not belong to Z. A. [...] and the ID card number provided in this agreement was an ID number that the defendant no longer used on the date of concluding the loan agreement, because this ID expired approximately 8 months earlier";
    Judgment of the District Court in Pisz of August 21, 2020, ref. no. I C 260/20 - "[...] The court found that when concluding the contract in question, the defendant's data was used in an unauthorized manner and entered as the borrower's data, although the defendant was not a party to the contract. The defendant's position is confirmed by the report he submitted about the commission of a crime of fraud to his detriment, as well as by the fact that the prosecutor's office is conducting proceedings in this case against the person indicated by the defendant. Incidentally, it should be noted that also in the proceedings for payment pending before this court, ref. no. I C 1/19 and I C 482/19, where E. M. also acted as a defendant and where financial liabilities were incurred in his name and surname in the same circumstances as in the present proceedings, final judgments were also issued dismissing the claim. In the court's opinion, the circumstances of concluding the contract with the plaintiff are the same: the first name and surname of the borrower and his PESEL number match, while there is a discrepancy as to the remaining data resulting from the content of the defendant's ID card, i.e. the series and number of this document and the address of residence; taking into account the fact that criminal proceedings are pending against a person who allegedly impersonated the defendant in order to conclude distance contracts and incur financial liabilities in various institutions, this clearly indicates that it was not the defendant who concluded the loan agreement no. (...) with the plaintiff's legal predecessor";
    Judgment of the District Court in Puławy of April 7, 2022 in case no. I C 475/19, in which the Court clearly admitted that "[...] evidence enabling the verification of the defendant as a party to the contract in question is not the mere indication of his personal data: name, surname, PESEL number, as well as the series and number of the ID card in the content of the contract - in particular when the loan is concluded via an online platform, so obviously the lender is not able to directly verify the other party's identity, and the contract itself is not confirmed by the borrower's signature."

"It is also significant that, according to the delivery card of the parcel containing a debit card, the ID card no. (...) presented to the deliverer had an expiration date of September 21, 2019, whereas the original ID card belonging to Ł. B. (1) was valid until June 2, 2021 (page 220), which confirms the defendant's testimony, also that the probable source of the "leak" of his personal data was the car sales contract concluded by him on June 8, 2017, in which, in addition to the name and surname of the seller and his PESEL number, there is also an ID card number, but this agreement does not include data such as the parents' names - and in the bank account agreement these data are already entered incorrectly, as is the validity date of the ID card, which is also incorrectly entered in the delivery card of the bank account agreement; this clearly indicates that the person concluding the bank account agreement did not have data of Ł. B. (1) other than those contained in the car sales agreement, nor the original blank ID card - which, according to the testimony, "the defendant still has in his possession and has not made available to third parties."

It is worth mentioning here one of the examples included in the Guidelines of the European Data Protection Board 01/2021[2] (case no. 14, p. 31), relating to the situation of "sending highly confidential personal data by mistake". In that case, the social security number, which is the equivalent of the PESEL number used in Poland, was disclosed. The EDPB had no doubt that the disclosed data in the scope of: name and surname, e-mail address, postal address and social security number indicate a high risk of violating the rights and freedoms of natural persons ("involvement of their [victims'] social security number, as well as other, more basic personal data, further increases the risk, which can be described as high"). The EDPB recognizes the importance of national identification numbers (in this case the PESEL number), at the same time emphasizing that this type of personal data protection breach, which includes data such as: name and surname, e-mail address, correspondence address and social security number, requires the implementation of actions, i.e. notification of the supervisory authority and notification of the breach to data subjects.

The European Data Protection Board has no doubt that an individually assigned number uniquely identifying a natural person should be subject to special protection, and its disclosure to unauthorized entities may involve a high risk of violating the rights and freedoms of natural persons.

The EDPB also points out in other examples provided in Guidelines 01/2021 that data that uniquely identifies a natural person may result in a high risk of violating rights or freedoms. Points 65 and 66 of Guidelines 01/2021 indicate: "(...) The breached data allows for the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by the attacker to guess customer passwords or to conduct a spear phishing campaign aimed at bank customers. For these reasons, the data breach was considered to be likely to result in a high risk to the rights and freedoms of all data subjects. Therefore, material (e.g. financial loss) and intangible (e.g. identity theft or fraud) damage may occur.”

The Provincial Administrative Court in Warsaw had no similar doubts (that the disclosure of the PESEL number together with other personal data may result in a high risk of violating the rights and freedoms of natural persons); in its judgment of September 22, 2021, ref. no. II SA/Wa 791/21, it stated that "There is no doubt that the examples of damage mentioned in the guidelines may occur in the case of persons whose personal data - in some cases, including the PESEL registration number or the series and number of the ID card - have been recorded on shared recordings. Not without significance for such an assessment is the possibility, based on the disclosed data, of identifying the persons whose data were subject to the breach." Further, the Court in the cited judgment indicated that "The data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases also the PESEL registration number or the series and number of the ID card, determines that there is a high risk of violating the rights and freedoms of natural persons.” When considering the above issues, it is also necessary to recall the position of the Provincial Administrative Court in Warsaw expressed in the judgment of July 1, 2022 issued in the case with reference number II SA/Wa 4143/21. In the justification for this judgment, the Court stated that: "It should be agreed with the President of the Personal Data Protection Office that the loss of confidentiality of the PESEL number in connection with personal data such as: name and surname, registered address, bank account numbers and the identification number assigned to the Bank's clients - CIF number, involves a high risk of violating the rights and freedoms of natural persons.
In the event of a breach of data such as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects. Therefore, in the case in question, the Bank should have, without undue delay, pursuant to Art. 34 section 1 GDPR, notified data subjects of the personal data breach so as to enable them to take the necessary preventive measures." It is also worth mentioning the judgment of August 31, 2022, ref. no. II SA/Wa 2993/21, in which the Provincial Administrative Court in Warsaw emphasized that "(...) the authority correctly assumed that there was a high risk of violating the rights and freedoms of persons affected by the breach in question due to the possibility of easy identification, based on the disclosed data, of the persons whose data was subject to the breach. These data include name and surname, correspondence address, telephone number and PESEL number of persons with Polish citizenship. In this situation, the controller was obliged to notify data subjects about the breach without undue delay." The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgments of November 15, 2022, ref. no. II SA/Wa 546/22, June 21, 2023, ref. no. II SA/Wa 150/23 and November 6, 2023, ref. no. II SA/Wa 996/23.

In the light of the above, it is also worth mentioning the judgment of the Supreme Administrative Court in Warsaw of December 6, 2023, ref. no. III OSK 2931/21: "The President of the Personal Data Protection Office correctly determined that data was shared, among others, in terms of names and surnames, as well as PESEL numbers of natural persons, i.e. relatively permanent and unchangeable data, the disclosure of which may always result in a risk of negative consequences for the above-mentioned people. Similarly, residential addresses are personal data whose unauthorized disclosure creates a high risk of negative legal consequences, regardless of the fact that the addresses were disclosed several years after their update."

It should also be borne in mind that the Administrator's performance of his obligation arising from Art. 33 section 1 of Regulation 2016/679 may not be made dependent on the existence of a violation of the rights and freedoms of the natural persons whose data are affected by the personal data breach. As stated by the Provincial Administrative Court in Warsaw in the judgment of September 22, 2021 issued in case no. II SA/Wa 791/21: "It should be emphasized that the possible consequences of the event do not have to materialize. The content of Art. 33 section 1 of Regulation 2016/679 indicates that the very occurrence of a breach of personal data protection, which involves a risk of violating the rights and freedoms of natural persons, implies the obligation to report the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons” (this Court ruled similarly in the previously cited judgment of July 1, 2022, issued in the case with reference number II SA/Wa 4143/21, and in the judgments of August 31, 2022, reference number II SA/Wa 2993/21, of November 15, 2022, ref. no. II SA/Wa 546/22 and of April 26, 2023, ref. no. II SA/Wa 1272/22).

In the letter of October 19, 2023, the Administrator indicates: "The assessment made by the Bank, indicating the lack of obligation to notify the breach, also resulted from the lack of a clear practice of the President of the Personal Data Protection Office regarding reporting personal data protection breaches at the time of assessing the breach, i.e. in April 2021. In 2021, the practice of applying Art. 33 section 1 was just taking shape, as evidenced by many publicly available and widely commented decisions of the President of the Personal Data Protection Office issued at the turn of 2021 and 2022, which ultimately shaped this practice (including (…) of October 14, 2021, (…) of 7 July 2022, (…) of June 21, 2021)”.

It is impossible to agree with the Bank's argumentation quoted above, because the President of the Personal Data Protection Office, and previously the Inspector General for Personal Data Protection, has consistently held the position for many years that the PESEL number is a unique identifier of a person, containing a great deal of information, including about age and gender, and that its disclosure to an unauthorized person may result in the risk of identity theft. The decisions issued in this regard only confirm the above. Special protection of personal data, in particular the PESEL registration number, is also required from public trust institutions, which undoubtedly include the party to the proceedings in question.

Taking into account the current activity of the President of the Personal Data Protection Office, who is taking all possible and appropriate steps to protect the national identification number - PESEL - such as his actions concerning the disclosure of the PESEL number in the National Court Register or in a qualified electronic signature, it is clear what, in the opinion of the supervisory authority, should be done in the event of a possible disclosure of the PESEL number. The President of the Personal Data Protection Office has repeatedly pointed out that the processing of the PESEL number without observing appropriate security rules creates a number of threats to the privacy of a natural person, and that its disclosure in many places facilitates identity theft as well as profiling of a person without his or her knowledge and consent.

First of all, during the period in which the breach occurred, similar cases of breaches were reported to the supervisory authority, which is confirmed by the Report on the activities of the President of the Personal Data Protection Office published this year on the website of the Personal Data Protection Office[3], and breaches involving loss of correspondence by postal operator or opening correspondence before returning it to the sender were among the most frequently reported personal data protection violations by data controllers.

Therefore, the Bank's explanation that it did not notify the personal data protection breach because of the ambiguous practice of the President of the Personal Data Protection Office in this respect is incomprehensible, all the more so as the Bank did not make use of the materials and necessary instructions provided to it by the President of the Personal Data Protection Office. Importantly, by deciding not to report the personal data protection breach to the supervisory authority, the Administrator deprived himself of the opportunity to verify the correctness of his own practice.

On the one hand, the Bank claims that "The speech of the President of the Personal Data Protection Office, which shows that notification in the manner provided for in Art. 33 section 1 GDPR ((…)) is subject to any violation, including: the PESEL number is dated July 1, 2021, i.e. after the violation concerned by the proceedings occurred", and further in the explanation it indicates that: "From the moment the Bank became aware of the expectations of the President of the Personal Data Protection Office regarding the application of Art. 33(1) of the GDPR, the Bank immediately took steps to adapt its own practice in this respect to the expectations of the President of the Personal Data Protection Office. The change in the Bank's approach resulted in informing the President of the Personal Data Protection Office about the violation that was the basis for these proceedings."

As for the first statement, in matters analogous to the one covered by the proceedings in question, the President of the Personal Data Protection Office also informed the Bank about the relevant practice in letters before July 1, 2021, e.g. in the case with reference number (…), where the request was sent on March 26, 2021, i.e. in the period when the infringement covered by the proceedings occurred. As for the second statement - the notification of a personal data protection breach - the Bank made the notification not after the first reports of personal data protection breaches, in which, according to the supervisory authority, no proper analysis of the risk of violating the rights and freedoms of the natural persons whose PESEL number was concerned had been made, but only as a result of a request sent on September 1, 2022 to supplement the explanations regarding the complaint submitted by the person affected by the breach (reference number (...)), in which the supervisory authority asked the Bank to indicate whether it had reported the personal data protection breach to the supervisory authority in accordance with Art. 33 of Regulation 2016/679.

As a side note, it should only be noted that, for example, the notification of a personal data protection breach of February 12, 2021, ref. no. (…), which also involved sending correspondence to the wrong recipient, and in which the scope of personal data covered was almost identical to the breach covered by these proceedings (the difference concerned only the series and number of the ID card - notification (…) disclosed data regarding: name and surname, PESEL registration number, bank account number, address of residence or stay, contract number), was reported by Toyota Bank Polska S.A. to the supervisory authority.

In the case of the personal data protection breach whose non-notification to the supervisory authority within 72 hours of its discovery resulted in the initiation of these proceedings, the Bank notified the data subject about the breach, anticipating that this breach may involve a high risk to the rights and freedoms of natural persons - and was therefore all the more obliged to report this breach to the supervisory authority. As stated in Art. 33 section 1 of Regulation 2016/679, in the event of a breach of personal data protection, the controller shall report it to the supervisory authority without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

In the context of the above explanations, the Bank seems to forget that when applying the provisions of Regulation 2016/679, the purpose of this regulation (expressed in Article 1(2)) should be taken into account, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. In turn, the protection of natural persons with regard to the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators - including in the event of a breach of personal data protection - these values should be taken into account first.

Obtaining by the supervisory authority the complete information about a specific personal data protection breach required under Art. 33 section 3 of Regulation 2016/679 allows it to properly assess such a breach and respond appropriately, e.g. by requesting the controller to notify data subjects in a situation where this is necessary and the controller has not done so on its own initiative. Failure to respond appropriately and quickly to personal data breaches increases the risk of the related damage materializing.

It is worth emphasizing that when assessing the risk of violating the rights and freedoms of natural persons, which determines, among other things, whether a personal data protection breach must be reported, the probability factor and the seriousness of the potential negative consequences should be taken into account jointly. A high level of either of these factors affects the overall grade, which in turn determines, among other things, whether the obligation specified in Art. 33 section 1 of Regulation 2016/679 arises. Bearing in mind that, due to the scope of personal data disclosed in the analyzed case, there was a possibility of serious negative consequences for the data subject (as shown above), the seriousness of the potential impact on the rights and freedoms of the natural person should be considered high. At the same time, the probability of a high risk occurring as a result of the breach in question is not small and has not been eliminated. Therefore, it should be stated that in connection with the breach in question there was a high risk of violating the rights and freedoms of the data subject, which consequently determines the obligation to notify the personal data protection breach to the supervisory authority.

In Guidelines 9/2022, the EDPB, indicating the factors to be taken into account when assessing risk, refers to recitals 75 and 76 of Regulation 2016/679, which suggest that the controller should take into account both the likelihood of occurrence and the seriousness of the threat to the rights or freedoms of the data subject. In the event of a personal data protection breach, the controller should focus its attention on the risk that the breach poses to the natural person. Therefore, when assessing the risk to an individual arising from a personal data breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. Accordingly, the EDPB recommends taking into account criteria such as the type of breach, the nature, sensitivity and amount of personal data, as well as ease of identification, as they may affect the level of risk for natural persons. The risk of violating the rights and freedoms of a natural person under Guidelines 9/2022 will be greater when the consequences of the breach are more serious, as well as when the likelihood of their occurrence increases. The guidelines indicate that, in case of any doubts, the administrator should report a breach, even if such caution might prove excessive.
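To make the joint assessment described in the two paragraphs above concrete, the following is an added Python example (not part of the decision, nor of any UODO or EDPB material) that encodes the decision's reasoning as a triage function: severity driven by data type and ease of identification, likelihood driven by recipient type and retrieval, the two combined so that a high level of either factor raises the overall grade. The category names, the three-level scale and the one-level adjustments are assumptions made for illustration.

```python
"""Breach risk triage modelled on the reasoning of this decision (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Recipient types distinguished by Guidelines 9/2022 as quoted in the decision (assumed labels).
TRUSTED = "trusted_org"          # wrong department or processor with a standing relationship
OTHER_CLIENT = "other_client"    # another customer: NOT a trusted recipient per the decision
UNKNOWN = "unknown_third_party"

# Data categories named in the decision (assumed labels).
NATIONAL_ID = {"pesel"}
SENSITIVE_IDENTIFIERS = {"pesel", "id_card_number", "bank_account_number"}


@dataclass(frozen=True)
class Breach:
    data: frozenset    # categories disclosed, e.g. {"pesel", "name_surname"}
    recipient: str     # one of TRUSTED / OTHER_CLIENT / UNKNOWN
    retrieved: bool    # the letter was taken back by the controller
    opened: bool       # the recipient opened it, i.e. actually had access


def severity(data: frozenset) -> Level:
    """Seriousness of potential consequences: type of data and ease of identification."""
    # PESEL together with name and surname uniquely identifies the person and, per the
    # decision, is enough for identity theft or loan fraud: HIGH regardless of retrieval.
    if data & NATIONAL_ID and "name_surname" in data:
        return Level.HIGH
    if data & SENSITIVE_IDENTIFIERS:
        return Level.MEDIUM
    return Level.LOW


def likelihood(b: Breach) -> Level:
    """Probability that the consequences materialise."""
    if b.recipient == TRUSTED and b.retrieved:
        # Guidelines 9/2022: a trusted recipient may be taken into account.
        return Level.LOW
    if not b.retrieved:
        return Level.HIGH
    if not b.opened:
        return Level.LOW
    # Retrieval plus the recipient's cooperation does not guarantee that no copy was
    # made or that intentions will not change (II SA/Wa 1353/21): risk not eliminated.
    return Level.MEDIUM


def overall(b: Breach) -> Level:
    """Combine the two factors jointly: either factor can move the grade (assumed rule)."""
    sev, lik = severity(b.data), likelihood(b)
    if lik == Level.LOW:
        return Level(max(sev - 1, Level.LOW))     # trusted/unopened: one level down
    if lik == Level.HIGH:
        return Level(min(sev + 1, Level.HIGH))    # data not recovered: one level up
    return sev


def decide(b: Breach) -> dict:
    """Art. 33(1) and Art. 34(1) decisions derived from the overall risk level."""
    risk = overall(b)
    return {
        "severity": severity(b.data).name,
        "likelihood": likelihood(b).name,
        "risk": risk.name,
        # Art. 33(1): notify the DPA unless the breach is unlikely to result in a risk.
        "notify_dpa_art33": risk != Level.LOW,
        # Art. 34(1): notify data subjects when the risk is high.
        "notify_subjects_art34": risk == Level.HIGH,
        "deadline_hours": 72 if risk != Level.LOW else None,
    }


# Constructed input mirroring the facts of this decision: contract with name, PESEL,
# address, bank account and ID card number, opened by another client, then retrieved.
TOYOTA_CASE = Breach(
    data=frozenset({"name_surname", "pesel", "address",
                    "bank_account_number", "id_card_number"}),
    recipient=OTHER_CLIENT, retrieved=True, opened=True,
)

if __name__ == "__main__":
    for key, value in decide(TOYOTA_CASE).items():
        print(f"{key}: {value}")
```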

To sum up the above, it should be stated that in the case in question there was a high risk of violating the rights and freedoms of the person affected by the breach, which in turn gave rise to the Bank's obligation to report the personal data protection breach to the supervisory authority in accordance with Art. 33 section 1 of Regulation 2016/679, a report which must include the information specified in Art. 33 section 3 of Regulation 2016/679, and also - which was done - to notify this person about the breach in accordance with Art. 34 section 1 of Regulation 2016/679, a notification which must include the information specified in Art. 34 section 2 of Regulation 2016/679. It should also be stated that in the situation in question there are no grounds to conclude that the Administrator is, for any reason, exempt from the obligation to report the personal data protection breach to the supervisory authority in accordance with Art. 33 section 1 of Regulation 2016/679 and from the obligation to notify the person affected by the breach (in accordance with Article 34(1) of this regulation). In the circumstances of the case under review, it cannot reasonably be said that the breach is unlikely to result in a risk to the rights and freedoms of the Data Subject. This breach concerned the following data of the above-mentioned person: name and surname, PESEL registration number, residential address, bank account number, and series and number of the ID card, contained in the contract along with the loan repayment schedule, which was made available to an unauthorized person. In the opinion of the supervisory authority, there is no justification for the Bank's failure to fulfill its obligation under Art. 33 section 1 of Regulation 2016/679, the infringement of which is the subject of these proceedings.

Recital 85 of the preamble to Regulation 2016/679 explains: "In the absence of an appropriate and timely response, a breach of personal data protection may result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or restriction of rights, discrimination, theft or falsification of identity, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage. Therefore, immediately upon becoming aware of a personal data breach, the controller should notify it to the supervisory authority without undue delay and, where practicable, no later than 72 hours after becoming aware of the breach, unless the controller is able to demonstrate, in accordance with the principle of accountability, that it is unlikely that the breach may result in a risk of violating the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the notification should be accompanied by an explanation of the reasons for the delay and the information may be provided gradually, without further undue delay."

To sum up the above argumentation of the supervisory authority, it should be stated that the Administrator - despite this obligation having arisen in the circumstances of the analyzed case - did not report the personal data protection breach to the supervisory authority within 72 hours of detecting the breach, which means that the Bank violated the obligation under Art. 33 section 1 of Regulation 2016/679.

Pursuant to Art. 58 section 2 letter i) of Regulation 2016/679, each supervisory authority shall have the power to apply, in addition to or instead of the other remedies provided for in Art. 58 section 2 of Regulation 2016/679, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Bank pursuant to Art. 83 section 4 letter a) of Regulation 2016/679, which states, among others, that a breach of the administrator's obligations referred to in Art. 33 of Regulation 2016/679 shall be subject to an administrative fine of up to EUR 10,000,000 and, in the case of an undertaking, up to 2% of its total annual worldwide turnover in the previous financial year, whichever is higher.

Pursuant to the content of Art. 83 section 2 of Regulation 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 section 2 letters a) to h) and j) of Regulation 2016/679. When deciding to impose an administrative fine on the Bank, the President of the Personal Data Protection Office - pursuant to Art. 83 section 2 letters a) to k) of Regulation 2016/679 - took into account the following circumstances of the case, which justify the need to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679).
In this case, the violation of the provisions of Art. 33 section 1 of Regulation 2016/679 (consisting in failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach) is related to the event of providing an unauthorized person with a contract, along with a loan repayment schedule, containing the personal data of one person in the form of: name, surname, PESEL registration number, address of residence, bank account number and the series and number of an ID card. This makes it of significant importance and serious nature, because this event may lead to material or non-material damage to the person whose data has been breached, and the probability of their occurrence is high. Due to the breach of personal data protection, which involved making bank documentation available to an unauthorized person, information covered by banking secrecy was unlawfully disclosed - which further increases the seriousness of the breach and indicates the possibility of negative consequences of the event for the data subject.

The President of the Personal Data Protection Office considers the long duration of the Bank's violation of the provisions of Art. 33 section 1 of Regulation 2016/679 to be an aggravating circumstance. It should be assumed that it lasted almost 18 months. The Administrator learned about the personal data protection breach on (...) March 2021, and reported it only on September 7, 2022, and only due to parallel proceedings in connection with the submission of a complaint by the Data Subject concerning the disclosure of her personal data to a third party - one of the questions asked to the Administrator in the ongoing proceedings concerned the indication whether, and if so, when, the Bank reported a personal data protection breach to the supervisory authority. It should also be emphasized that, since the Bank's client submitted the above-mentioned complaint about irregularities in the processing of her personal data by Toyota Bank Polska S.A., consisting in making her personal data available to a third party without a legal basis, in the opinion of the President of the Personal Data Protection Office this only confirms that the risk assessment presented in the Bank's explanations in the case in question takes into account only the perspective of the Administrator, which means that it does not take into account the perspective of the Bank's client who, as a result of the breach of the protection of her personal data, with a high probability suffered non-pecuniary damage.

In the present case, the breach concerned the personal data of only one person. This number of people affected by the breach, especially in view of the fact that the Bank - due to the scale and scope of its activities - processes the personal data of a very large number of customers, should be considered small, which undoubtedly favors the Administrator, but it did not change the overall assessment, i.e. the recognition in the analyzed case of the premise of Art. 83 section 2 letter a) of Regulation 2016/679 as aggravating.

2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).
According to the Guidelines of the Article 29 Working Party on the application and determination of administrative fines for the purposes of Regulation No. 2016/679, WP253 (adopted on 3 October 2017, approved by the EDPB on 25 May 2018), willfulness "covers both knowledge and intentional action in connection with the characteristics of the prohibited act". The Bank made a conscious decision not to notify the President of the Personal Data Protection Office about a personal data breach within 72 hours of its discovery. There is no doubt that the Bank, when processing personal data on a mass scale, must have knowledge in the field of personal data protection, including knowledge of the consequences of identifying a breach of personal data protection resulting in a risk of violating the rights and freedoms of natural persons (and this knowledge may be required not only from the Administrator but also from the data protection officer appointed by him). Being aware of this, the Administrator decided not to report the personal data protection breach to the President of the Personal Data Protection Office within 72 hours of its discovery.

3. Relevant previous infringements of the provisions of Regulation 2016/679 on the part of the controller (Article 83(2)(e) of Regulation 2016/679).
When deciding on the imposition and amount of an administrative fine, the supervisory authority is obliged to pay attention to any previous violations of Regulation 2016/679. In its Guidelines 04/2022[4] on the calculation of administrative fines under the GDPR, adopted on May 24, 2023, the EDPB clearly states: "The existence of previous violations may be considered an aggravating factor when calculating the amount of the fine. The weight given to this factor should be determined taking into account the nature and frequency of previous violations. However, the absence of previous infringements cannot be considered a mitigating circumstance since compliance with the provisions of [Regulation 2016/679] is the norm." And although, as indicated by the above-mentioned guidelines, "more weight should be given to infringements relating to the same subject matter because they are closer to the infringement at issue in the current proceedings, in particular where the controller or processor has previously committed the same infringement (repeated infringements)" (paragraph 88 of the Guidelines), nevertheless "all previous violations may constitute information about the controller's or processor's general approach to compliance with the provisions of Regulation 2016/679."

The supervisory authority has already found in previously issued administrative decisions that the Administrator has violated the provisions on the protection of personal data:
- in the decision of September 29, 2022 (reference number (...)), violation of the provision of Art. 6 section 1 of Regulation 2016/679;
- in the decision of May 8, 2023 (reference number (...)), violation of the provision of Art. 15 section 1 letter c Regulation 2016/679;
- in the decision of May 9, 2023 (reference number (...)), violation of the provision of Art. 15 section 1 letter a Regulation 2016/679;
- in the decision of November 14, 2022 ((…)), violation of the provision of Art. 15 section 1 letter c and art. 12 section 3 of Regulation 2016/679;
- in the decision of February 1, 2024 (reference number (...)), violation of the provision of Art. 6 section 1 of Regulation 2016/679.

The above-mentioned previous violations indicate the generally dismissive approach of the Administrator to the issue of data protection. The corrective measures previously applied to the Administrator in the above-mentioned cases - including twice in May 2023, when the President of the Personal Data Protection Office ordered the Bank to adapt its personal data processing operations to the provisions of Regulation 2016/679 following violations of Art. 15 section 1 letter c) of Regulation 2016/679 and Art. 15 section 1 letter a) of Regulation 2016/679, and the decisions issuing a warning to the Administrator for violating the provisions of Art. 6 section 1 of Regulation 2016/679, as was the case in cases no. (…) and (…) - fully justify the imposition of a financial sanction in these proceedings, as well as its size. It is not without significance that the last decision for violating the provisions of Regulation 2016/679 in relation to Toyota Bank Polska S.A., in which the supervisory authority applied a corrective measure (warning) to the Administrator, was issued on February 1, 2024, which, in accordance with Guidelines 04/2022 - "It is necessary to take into account the time at which the earlier infringement occurred, given that the longer the time between that infringement and the infringement that is the subject of the ongoing proceedings, the less significant is the earlier infringement. Consequently, the earlier the infringement occurred, the less importance the supervisory authorities should attach to it" (point 84 of the Guidelines) - should translate into the final decision of the supervisory authority and the amount of the administrative fine imposed.

Due to the above, in the case in question it should be considered that there are grounds for treating the condition set out in Art. 83 section 2 letter e) of Regulation 2016/679 as aggravating.

4. Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679).
The personal data made available to an unauthorized person do not fall into the special categories of personal data referred to in Art. 9 of Regulation 2016/679, nor into the data specified in Art. 10 of Regulation 2016/679; however, the fact that the agreement between the parties includes a wide scope of data (name and surname, residential address, PESEL registration number, bank account number, series and number of the ID card) is associated with a high risk of violating the rights or freedoms of a natural person. The PESEL number, i.e. an eleven-digit numerical symbol uniquely identifying a natural person, containing the date of birth, serial number, gender designation and control number, and therefore closely related to the private sphere of the natural person, which as a national identification number is also subject to exceptional protection under Art. 87 of Regulation 2016/679, is data of a special nature and requires special protection. There is no other such specific data that would unambiguously identify a natural person. It is not without reason that the PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal circulation. The PESEL number together with the name and surname clearly identifies a natural person, in a way that allows the negative effects of the violation (e.g. identity theft, loan fraud) to be attributed to that specific person.

In this context, it is worth recalling the EDPB Guidelines 04/2022, which indicate: "Regarding the requirement to take into account the categories of personal data affected by the breach (Article 83(2)(g) [Regulation 2016/679]), [Regulation 2016/679] clearly indicates the types of data that are subject to special protection and, therefore, a more stringent response when imposing fines. This applies at least to the types of data covered by Art. 9 and 10 [Regulation 2016/679] and data not covered by these articles, the dissemination of which immediately causes harm or inconvenience to the data subject (e.g. location data, private communications data, national identification numbers or financial data, such as transactions or credit card numbers). Generally speaking, the more such categories of data are affected by a breach or the more sensitive the data are, the more weight a supervisory authority can assign to such a factor. The amount of data relating to each data subject also matters, because with the amount of data relating to each data subject, the scale of the violation of the rights to privacy and the protection of personal data increases."

It is worth pointing out once again the emerging case law in this area; for example, in the judgment of November 15, 2022, ref. no. II SA/Wa 546/22, the Provincial Administrative Court in Warsaw indicated: "It was also obvious that the authority, when determining the penalty, had to take into account the fact that the breach concerned highly sensitive data (including PESEL, address, health data)." This view was also shared by the same court in its judgment of June 21, 2023 in case no. II SA/Wa 150/23, where the Provincial Administrative Court in Warsaw indicated: "To sum up, the Court is of the opinion that the disclosure of the PESEL number indicates a high risk of violating the rights and freedoms of natural persons."

When deciding to impose an administrative fine, the President of the Personal Data Protection Office took into account the following circumstances of the case, which justify the need to apply this type of sanction in this case and have a mitigating effect on the amount of the administrative fine imposed:

1. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).
It should be noted that, apart from properly fulfilling the administrator's procedural obligations during the administrative proceedings ending with the issuance of this decision, the Bank cooperated with the supervisory authority in the course of the administrative proceedings by providing appropriate information related to the breach of personal data protection (in response to the notice of initiation of the proceedings and to a request to send the financial documents necessary to determine the basis for assessing the administrative fine). The Administrator also reported the breach of personal data protection as a result of the initiation of a complaint procedure and a summons issued in connection with those proceedings, and although this report was a specific response to the supervisory authority's request, it is a manifestation of an appropriate response to letters addressed to the Bank, and therefore this circumstance should be classified as mitigating.

2. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly from the infringement or losses avoided (Article 83(2)(k) of Regulation 2016/679).
The Bank notified the data subject about the breach of personal data protection and provided support to this person by purchasing a report from the Credit Information Bureau, which deserves to be noted and approved; therefore this action should be considered a mitigating circumstance in this case.

Other circumstances indicated below, referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were considered by the President of the Personal Data Protection Office to be neutral in his opinion, i.e. having neither an aggravating nor mitigating effect on the amount of the administrative fine imposed:

1. Actions taken by the controller to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679).
Although the Administrator notified the data subject about the violation of the protection of his or her personal data, as required by Art. 34 section 1 of Regulation 2016/679, and in this notification indicated to this person the measures to prevent possible negative consequences of the breach, due to the nature of the breach identified in this case (failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than within 72 hours after its discovery) - which, in its essence, is not directly related to the risk of damage to the person affected by the personal data protection breach - it should be assumed that the condition specified in Art. 83 section 2 letter c) of Regulation 2016/679 has, in the case under consideration, neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed. It is of no relevance to the assessment of the Bank's violation of the provisions of Art. 33 section 1 of Regulation 2016/679.

2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him under Art. 25 and 32 (Article 83(2)(d) of Regulation 2016/679).
Due to the nature of the breach identified in this case (failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than within 72 hours after its discovery) - which in essence is not related to the technical and organizational measures used by the controller - it should be assumed that the condition specified in Art. 83 section 2 letter d) of Regulation 2016/679 has, in the case under consideration, neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed. It is of no relevance to the assessment of the Bank's violation of the provisions of Art. 33 section 1 of Regulation 2016/679.

3. The manner in which the supervisory authority learned about the infringement (Article 83(2)(h) of Regulation 2016/679).
The President of the Personal Data Protection Office was informed of the violation of the provisions of Art. 33 section 1 of Regulation 2016/679, related to the event of the Administrator making a document containing personal data available to an unauthorized recipient, as a result of the Bank reporting the personal data protection breach almost 18 months after its discovery. However, the very notification of the breach after such a significant period of time was related to the parallel proceedings pending before the President of the Personal Data Protection Office based on the complaint of the person concerned by the breach in question, in which the President of the Personal Data Protection Office addressed to the Bank, among others, a question about reporting the breach in question. As was determined, only the above request was the basis for reporting the personal data protection breach.

Failure to report a personal data protection breach to the supervisory authority without undue delay, no later than within 72 hours after discovering the breach, is the sole subject of these proceedings, and in the circumstances of the facts under consideration, the supervisory authority assumed that it would not treat this condition as an aggravating circumstance.

4. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679).
Before issuing this decision, the President of the Personal Data Protection Office did not apply to the Administrator, in the case under consideration, any of the measures listed in Art. 58 section 2 of Regulation 2016/679; therefore the Administrator was not obliged to take any actions related to their application, actions which, assessed by the President of the Personal Data Protection Office, could have had an aggravating or mitigating effect on the assessment of the identified violation.

5. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679).
The administrator does not use the instruments referred to in Art. 40 and art. 42 of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. However, the adoption and use of this type of instruments as measures guaranteeing a higher than standard level of protection of processed personal data could be taken into account to the Administrator's advantage.

6. Financial benefits obtained directly or indirectly in connection with the infringement or losses avoided (Article 83(2)(k) of Regulation 2016/679).
The President of the Personal Data Protection Office did not find that the Administrator obtained any financial benefits or avoided any losses as a result of the violation. Therefore, there are no grounds to treat this circumstance as aggravating for the Administrator. A finding of measurable financial benefits resulting from a violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state, independent of the breach and its effects, is a circumstance which cannot, by its nature, be mitigating for the Administrator. This is indicated by the very wording of the provision of Art. 83 section 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved", i.e. occurring on the part of the entity committing the infringement.

The President of the Personal Data Protection Office, comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the administrative fine imposed.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the circumstances of this case fulfills the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.

It should be emphasized that the penalty will be effective if its imposition results in the Bank, which processes personal data professionally and on a mass scale, fulfilling in the future its obligations in the field of personal data protection, in particular in reporting personal data protection breaches to the President of the Personal Data Protection Office.

In the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function as it will be a response to the Bank's violation of the provisions of Regulation 2016/679. It will also have a preventive function; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the Bank and other data controllers that it is reprehensible to disregard the controllers' obligations related to the occurrence of a personal data protection breach, which are aimed at preventing its negative and often painful consequences for the persons affected by the breach, as well as removing these effects or at least reducing them.

Pursuant to the content of Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "PDA", the equivalent of the amounts expressed in euro referred to in Art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table on January 28 each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the next exchange rate table of the National Bank of Poland after that date.

Taking the above into account, the President of the Personal Data Protection Office, pursuant to Art. 83 section 4 letter a) of Regulation 2016/679 in connection with Art. 103 of the Personal Data Protection Act, for the violation described in the operative part of this decision, imposed on the Bank - using the average euro exchange rate of January 29, 2024 (1 EUR = PLN 4.3653) - an administrative fine in the amount of PLN 78,575.40 (the equivalent of EUR 18,000).

In the opinion of the President of the Personal Data Protection Office, the fine imposed in the amount of PLN 78,575.40 (in words: seventy-eight thousand five hundred and seventy-five zlotys and forty groszy) meets the conditions referred to in Art. 83 section 1 of Regulation 2016/679 due to the seriousness of the identified violation in the context of the basic objective of Regulation 2016/679 - the protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. Referring to the amount of the administrative fine imposed on the Bank, the President of the Personal Data Protection Office concluded that it is proportionate to the financial situation of the Administrator and will not constitute an excessive burden for him. The financial statements presented by the Administrator show that the Bank's total revenues for the financial year ended March 31, 2023 amounted to PLN 319,617,075; therefore the amount of the administrative fine imposed in this case is approximately 0.02% of the above amount of revenues. At the same time, it is worth emphasizing that the amount of the imposed penalty of PLN 78,575.40 is only approximately 0.18% of the maximum penalty that the President of the Personal Data Protection Office could have imposed on the Bank for the violation found in this case, applying, in accordance with Art. 83 section 4 of Regulation 2016/679, the static maximum penalty (i.e. EUR 10,000,000).

The amount of the penalty was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of violation of the administrator's obligations, but on the other hand, it does not result in a situation in which the need to pay a financial penalty will result in negative consequences, in the form of a significant reduction in employment or significant decline in the Bank's turnover. According to the President of the Personal Data Protection Office, the Bank should and is able to bear the consequences of its negligence in the field of data protection, as evidenced by the Bank's financial statements, sent to the President of the Personal Data Protection Office on December 15, 2023.

Finally, it is necessary to point out that when determining the amount of the administrative fine in this case, the President of the Personal Data Protection Office applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on May 24, 2023. In accordance with the instructions presented in that document:

    The President of the Personal Data Protection Office categorized the violation of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The violation of the provisions of Art. found in this case. 33 section 1 of Regulation 2016/679, in accordance with Art. 83 section 4 letter a) of Regulation 2016/679 - to the category of infringements punishable by the lower of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 10,000,000 or up to 2% of the enterprise's total annual turnover from the previous financial year). Therefore, it was considered in abstracto (in isolation from the individual circumstances of a specific case) by the EU legislator as less serious than the violations indicated in Art. 83 section 5 of Regulation 2016/679).
    The President of the Personal Data Protection Office assessed the infringement found in this case as an infringement of low seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, the following factors among those listed in Article 83(2) of Regulation 2016/679 were taken into account, namely those which concern the infringement itself (and thus make up its "seriousness"): the nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679), the intentional or negligent character of the infringement (Article 83(2)(b) of Regulation 2016/679) and the categories of personal data affected by the infringement (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. It should be noted here that considering their combined impact on the assessment of the infringement, treated as a whole, leads to the conclusion that its level of seriousness, also in concreto, is low (on the scale of seriousness of infringements presented in point 60 of Guidelines 04/2022). As a consequence, the starting amount for calculating the fine is a value between 0 and 10% of the maximum fine that can be imposed on the Bank. Since Article 83(4) of Regulation 2016/679 obliges the President of the Personal Data Protection Office to adopt, as the maximum fine for the infringement indicated in that provision, the amount of EUR 10,000,000 or, if higher, an amount equal to 2% of the Bank's turnover of the preceding year, the President of the Personal Data Protection Office states that the so-called static maximum fine of EUR 10,000,000 applies. Applying the 2% rate to the Bank's turnover for the financial year ended 31 March 2023 (EUR 73,217,665, i.e. the equivalent of PLN 319,617,075 at the average EUR exchange rate of 29 January 2024) gives EUR 1,464,353, which is lower than the static maximum fine referred to in Article 83(4) of Regulation 2016/679. Therefore, working within a range from EUR 0 to EUR 10,000,000, the President of the Personal Data Protection Office adopted, as adequate and justified by the circumstances of the case, a starting amount for calculating the fine of EUR 300,000 (3% of the static maximum fine).
    The President of the Personal Data Protection Office then adjusted the starting amount corresponding to the low seriousness of the infringement to the Bank's turnover, as a measure of its size and economic strength (see Chapter 4.3 of Guidelines 04/2022). According to Guidelines 04/2022, for undertakings with an annual turnover between EUR 50 million and EUR 100 million, the supervisory authority may consider continuing the calculation of the fine on the basis of a value between 8% and 20% of the starting amount. Considering that the Bank's turnover in the last reporting year (ended 31 March 2023) amounted to PLN 319,617,075, i.e. EUR 73,217,665 (at the average EUR exchange rate of 29 January 2024), the President of the Personal Data Protection Office considered it appropriate to adjust the amount under calculation to 12% of the starting amount, i.e. to EUR 36,000 (equivalent to PLN 157,150.80).
    The President of the Personal Data Protection Office then assessed the impact of the remaining circumstances listed in Article 83(2) of Regulation 2016/679 (other than those already taken into account above in assessing the seriousness of the infringement) (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, relate, as Guidelines 04/2022 assume, to its subjective side, i.e. to the entity that committed the infringement and to its conduct before, during and after the infringement occurred. A detailed assessment and justification of the impact of each of these factors on the assessment of the infringement is presented above. The President of the Personal Data Protection Office found the following mitigating circumstances in this case: the degree of cooperation of the Bank with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects (Article 83(2)(f) of Regulation 2016/679), and the actions taken by the Bank towards the person whose data were affected by the personal data breach ("other mitigating factors" within the meaning of Article 83(2)(k) of Regulation 2016/679). By contrast, the relevant previous infringements by the Bank in the field of personal data protection found by the President of the Personal Data Protection Office (Article 83(2)(e) of Regulation 2016/679) have an aggravating effect on the fine. The remaining factors (Article 83(2)(c), (d), (h), (i) and (j) of Regulation 2016/679), as indicated above, had no impact, either mitigating or aggravating, on the assessment of the infringement and, consequently, on the fine.
    In view of the mitigating and aggravating circumstances in this case, the President of the Personal Data Protection Office found it justified to further reduce the amount determined above after adjustment for the Bank's turnover (point 3 above); in the opinion of the President of the Personal Data Protection Office, a reduction to EUR 28,800 (equivalent to PLN 125,720.64) is adequate to the overall impact of these factors on the assessment of the infringement.
    Finally, the President of the Personal Data Protection Office assessed the fine determined in the above manner against the principles of effectiveness, proportionality and dissuasiveness of administrative fines (see Chapter 7 of Guidelines 04/2022). As a result of this assessment, the President of the Personal Data Protection Office concluded that the fine requires further correction on account of the requirement of proportionality laid down by the EU legislator, as one of the three basic principles, in Article 83(1) of Regulation 2016/679. In the opinion of the President of the Personal Data Protection Office, a fine of EUR 28,800 would undoubtedly be effective (owing to its clear severity, it would achieve its repressive purpose of punishing unlawful conduct) and dissuasive (effectively discouraging both the Bank and other controllers from committing future infringements of Regulation 2016/679). However, such a fine would, in the opinion of the President of the Personal Data Protection Office, be disproportionately high in relation to the gravity of the infringement (which, both in abstracto and in concreto, is low; see points 1 and 2 above) and in the light of the Bank's conduct after the infringement was identified, which, as indicated above in the assessment of the factors under Article 83(2)(f) and (k) of Regulation 2016/679, should in principle be assessed positively. The principle of proportionality requires, among other things, that the measures adopted by an administrative authority do not go beyond what is appropriate and necessary to achieve legitimate objectives (see points 137 and 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...], commentary on Article 83 [in:] P. Litwiński (ed.), General Data Protection Regulation. Selected sectoral regulations). Therefore, taking the proportionality of the fine into account, the President of the Personal Data Protection Office further reduced it to EUR 18,000 (equivalent to PLN 78,575.40). In his opinion, setting the final amount of the fine at this level will not diminish its effectiveness or dissuasive nature. This amount is the threshold above which a further increase in the fine would not increase its effectiveness or dissuasiveness. On the other hand, a greater reduction of the fine could come at the expense of its effectiveness and dissuasive nature, as well as of a coherent (with respect to other supervisory authorities and the EDPB) understanding, application and enforcement of Regulation 2016/679 and of the principle of equal treatment of entities on the internal market of the EU and the EEA. Importantly, the effectiveness and dissuasiveness of the fine imposed in this case (even in an amount far from its maximum) will also consist in the fact that its imposition will have an undoubtedly aggravating impact on the assessment of any future infringement of Regulation 2016/679 committed by the Bank.

In this factual and legal situation, the President of the Personal Data Protection Office decided as set out in the operative part.

[1] European Data Protection Board Guidelines 9/2022 on personal data breach notification under GDPR, version 2.0, hereinafter referred to as "Guidelines 9/2022". These guidelines updated and supplemented the Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01), adopted on 3 October 2017.

[2] European Data Protection Board Guidelines 01/2021 on examples regarding personal data breach notification, adopted on 14 December 2021, version 2.0, hereinafter referred to as "Guidelines 01/2021".

[3] Report on the activities of the President of the Personal Data Protection Office in 2021, p. 181.

[4] Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May 2023, version 2.1, hereinafter referred to as "Guidelines 04/2022" (available in English at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-calculation-administrative-fines-under_pl).