UODO (Poland) - DKN.5112.35.2021
From GDPRhub
| UODO - DKN.5112.35.2021 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 24(1) GDPR Article 32(1) GDPR Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 20.05.2024 |
| Published: | 13.08.2024 |
| Fine: | 1,440,549 PLN |
| Parties: | American Heart of Poland S.A. |
| National Case Number/Name: | DKN.5112.35.2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Polish |
| Original Source: | UODO (Poland) (in PL) |
| Initial Contributor: | wp |
A controller was fined PLN 1,440,549 (€330,000) and ordered to bring it's processing operations in line with the GDPR. The decision was made by UODO after an ex officio investigation following a reported data breach by the controller. The breach was considered significant, and the controller had not implemented appropriate safeguards.
English Summary
Facts
A hackers group attacked one of Polish companies of medical sector - American Heart of Poland SA. The hackers got access to company’s network drives and installed a ransomware software. Following categories of personal data of approximately 21,000 company’s employees and patients was affected:
- Name, surname, name of parents, date of birthday, e-mail address, phone number.
- Address data.
- PESEL number, ID number.
- Bank account number, financial data.
- Data concerning health.
- Credentials of company’s user account.
The hackers demanded ransom of USD 3,000,000. To make the company paid the ransom, the hackers shared a sample of obtained data on a Darknet website.
Due to the lost of data availability and confidentiality of the data, the company acting as a data controller, notified the Polish DPA (UODO) about the breach, under Article 33 GDPR. In response, the DPA initiated the investigation.
Initially, the controller didn’t find the source of data breach. However, after in-depth analysis of third-party specialist, it turned out that lack of company’s software update led to the breach – there was an exploit within the software, making it possible to gain exterbal control over one of the devices connected to the software. Company’s IT department, responsible for the update failed to do so. Also, the ISO audit of the controller didn't mention the exploit. Moreover, inadequate passwords quality and a phishing attack were indicated as a potential source of the breach.
Additionally, during the investigation, the DPA found the controller stored the data affected by the breach contrary to their own policy – data relating to health had to be stored on a specific drives, not network ones.
The data controller was actively involved in handling the data breach, inter alia by facilitating contact with data subjects (by a dedicated call centre).
The outcome of investigation and identified shortcomings caused the DPA open an ex-officio proceedings against the controller.
Holding
The DPA held the controller violated Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 24(1) GDPR, Article 32(1) GDPR and Article 32(2) GDPR.
Firstly, the controller failed to assess the risk of data processing prior to the data breach. The controller assigned the majority of processing activities with low to mid-level risk, despite the fact the controller didn’t implement the policy of assessing the security measures. Furthermore, the risk assessment didn’t take into account the risk associated with an inadequate password protection.
Secondly, the controller didn’t regularly test or verify the functioning organisational and security measures nor created a concrete internal policy to do so. As a result, the DPA found erroneous security measures, inter alia referring to the domain configuration, especially the access to the domain (admin access set as a default option) and used software. Moreover, the controller was unable to identify the source of the data breach.
The abovementioned conduct caused the controller didn’t implement appropriate technical and organisational measures under Article 32 GDPR. The DPA emphasised that the majority of identified security shortcomings were still present after the data breach, during the ex-officio investigation.
Consequently, the controller was fined PLN 1,440,549 (€330,000) and ordered to bring processing operations into compliance with relevant provisions of the GDPR, in particular, by implementing appropriate technical and organisational measures. The DPA, while deciding on the amount of the fine, considered, inter alia, the controller’s negligent conduct, which contributed to the breach, and previous violations of the GDPR committed by the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Based on Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2023, item 775) in conjunction with Article 7 par. 1 and 2, Article 60, Article 90, Article 101 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781; hereinafter referred to as "the Act of 10 May 2018"), as well as Article 57 par. 1 letters a) and h), Article 58 par. 2 letter d) and letter i), Article 83 par. 1 - 3, Article 83 par. 4 letter a), a) in conjunction with Article 24(1), Article 32(1) and (2) and Article 83(5)(a) in conjunction with Article 5(1)(f) and Article 5(1) 2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04.05.2016, p. 1, as amended), hereinafter referred to as "Regulation 2016/679", after conducting administrative proceedings initiated in the office regarding the infringement of the provisions on the protection of personal data by A. S.A. with its registered office in the U., ul. (...), the President of the Personal Data Protection Office,
finding infringement by A. Spółka Akcyjna with its registered office in the U., ul. (...) of the provisions of Art. 5 sec. 1 letter f) and sec. 2, art. 24 sec. 1 and art. 32 sec. 1 and 2 of Regulation 2016/679, consisting in failure to implement:
1) appropriate technical and organizational measures to ensure the security of data processing in IT systems and the protection of the rights of data subjects, based on a risk analysis conducted taking into account the state of technical knowledge, the cost of implementation, the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons,
2) appropriate technical and organizational measures to ensure regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of personal data processed in IT systems, in particular in the scope of vulnerabilities, errors and their possible effects on these systems and actions taken to minimize the risk of their occurrence,
resulting in a breach of the principle of integrity and confidentiality and the principle of accountability,
1. Orders A. Spółka Akcyjna with its registered office in U., ul. (...)., adapting processing operations to the provisions of Regulation 2016/679, by:a) implementing appropriate technical and organizational measures to minimize the risks associated with the processing of personal data, in particular those resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed, after conducting a risk analysis, taking into account the state of technical knowledge, the cost of implementation, the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons,b) implementing appropriate technical and organizational measures to ensure regular testing, measurement and assessment of the effectiveness of measures to ensure the security of processing.
within 30 days from the date of delivery of this decision.
2. Imposes on A. Spółka Akcyjna with its registered office in U., ul. (...), for violating the provisions of Art. 5 sec. 1 letter f) and sec. 2 and art. 32 sec. 1 and 2 of Regulation 2016/679, an administrative fine in the amount of PLN 1,440,549.00 (in words: one million four hundred forty thousand five hundred forty-nine zlotys).
Justification
Pursuant to art. 33 sec. 1 of Regulation 2016/679, to the President of the Personal Data Protection Office, hereinafter referred to as the "President of the Personal Data Protection Office" or the "supervisory authority", a notification of a breach of personal data protection was sent by A. Spółka Akcyjna with its registered office in U. at ul. (...), hereinafter referred to as the "Company", registered under reference number (...). The aforementioned notification was received by the President of the Personal Data Protection Office on (...) 2021 and on (...) 2021 (supplement to the notification).
From the content of the aforementioned The reports showed that the breach of personal data protection consisted in obtaining unauthorized access by a hacking group called "A." to the IT resources (network drives) of the Company and installing "ransomware" software in the Company's IT system, as a result of which there was a loss of availability and confidentiality of personal data processed by the Company in the aforementioned system. On (…) 2021, the Company obtained confirmation of the breach of data confidentiality by accessing the so-called darknet website, using the address provided by the hacking group "A.". On the aforementioned website, on (…) 2021, a sample of personal data of the Company's employees was disseminated. The content of the darknet website of the hacking group contained a suggestion that it may further disseminate data if the Company does not contact it. Furthermore, on the aforementioned website, the website contained information that in the event of a ransom payment in the amount of (…) (in words: (…)) US dollars, no further dissemination of data would take place.
The aforementioned hacker group also placed a timer on the so-called darknet website setting a deadline for the payment of the ransom for the decryption of the data to which it had unlawfully gained access, as well as for its cessation of dissemination. It should be explained that the so-called darknet is an ICT network that can only be accessed using an appropriate IT application.
The loss of data confidentiality consisted in the dissemination of personal data by the aforementioned hacker group on the so-called darknet website. The personal data protection breach in question concerned the personal data of (…) persons, including the Company's patients and its employees. Data in the following categories were breached: surname, first name, parents' first names, date of birth, bank account number, residential or stay address, PESEL registration number, e-mail address, username or password, data concerning earnings or assets, health data, mother's maiden name, series and number of ID card and telephone number. In connection with the above-mentioned notification of a breach of personal data protection, the President of the UODO carried out explanatory activities, i.e. sent a request to the Company to provide additional explanations in the case in order to determine all circumstances of the event. Due to the fact that the explanations provided by the Company were, in the opinion of the supervisory authority, not exhaustive enough to assess compliance with the provisions on personal data protection, the President of the UODO, based on Article 78 sec. 1, Article 79 sec. 1 item 1 and Article 84 sec. 1 point 1-4 of the Act of 10 May 2018 in connection with Art. 57 sec. 1 letters a) and h) and Art. 58 sec. 1 letters b) and e) of Regulation 2016/679, in order to control the compliance of data processing with the provisions on the protection of personal data, carried out inspection activities at the Company from 15 to 19 November 2021 (ref. no.: ……..).
The scope of the inspection included, among others, the following issues:1. Whether appropriate technical and organizational measures have been implemented regarding the functioning of the Company's IT system related to the personal data breach, so that the processing of personal data is carried out in accordance with Regulation 2016/679 and taking into account the nature, scope, context, purposes of processing and the risk of infringement of the rights and freedoms of natural persons, and whether these measures are reviewed and updated as necessary, including the data protection policy (Article 32 and Article 24 of Regulation 2016/679). 2. Whether the effectiveness of the technical measures used to ensure the security of processing has been regularly tested, measured and assessed (Article 32 paragraph 1 letter d of Regulation 2016/679). 3. Verification by the Company of the circumstances of the personal data breach and indication of the IT systems that are the subject of the described breach and actions taken to minimize the risk of such breaches in the future. During the inspection, oral explanations were received from the Company's employees, and the devices and IT systems used by the Company to process personal data were inspected. In addition, the inspectors obtained copies of the Company's documents relevant to the subject of the inspection, constituting annexes to the inspection report. The factual circumstances established by the inspectors were described in the inspection report, which was signed by the person authorized to represent the Company, after the President of the UODO considered the reservations submitted by the Company to the inspection report.
Based on the evidence collected as part of the explanatory proceedings and during the inspection, the President of the UODO made the following findings regarding the factual circumstances:
The Company was entered into the register of entrepreneurs of the National Court Register under number (...). The sole shareholder of the Company as of the date of the inspection was A. a limited liability company entered into the register of entrepreneurs of the National Court Register under number (...).
The main subject of the Company's activity is the provision of health services. The Company's service office, i.e. the management board, departments responsible for the administrative service of the Company, including departments responsible for the operation of IT systems and for the security of personal data processed by the Company, are located in the building at ul. (...) in K. The Company, together with other companies, forms a capital group, within which there are a total of over (...) entities providing medical services, mainly in the scope of (...). These services are provided in places located in Poland, including under a contract with the National Health Fund.
In addition, as established, since (...) 2018, the Company has been in force a document called "Policy (...)" (hereinafter referred to as "Policy (...)"), drawn up taking into account the ISO/IEC 27001:2013 standard implemented in the Company. Another document regulating issues related to personal data security is the "Manual (...)", in force in the Company since (...) 2018, which is also part of the integrated management system implemented in the Company. In addition, a document called the "Procedure (...)" has been in force in the Company since (...) 2018, which is part of the integrated management system implemented in the Company.
During the inspection, it was established that the first risk analysis in the Company was prepared on (…) 2018 and updated on (…) 2019. Another risk analysis was performed on (…) 2020, and the next one on (…) 2021 due to the occurrence of a breach of personal data protection. As a result of the analysis of (…) 2021, the probability of events in the form of malware operating on data processing equipment and hacking into the Company's IT system increased. As a result of changes in the register of data processing activities, the risk analysis was also changed and was carried out again on (...) 2021.
Moreover, as it results from the explanations provided by the Company after the inspection in a letter dated (...) 2023 addressed to the President of the Personal Data Protection Office, the actions taken by it after the personal data protection breach did not allow for the unambiguous determination of the cause of the above-mentioned event. Nevertheless, it should be noted that as a result of the analysis carried out by an external IT expert engaged by the Company, Mr. W. A., described in two reports ("Report (...)" and "Report (...)"), potential "ransomware" attack vectors were identified. These included the breach of the security of edge devices (...) caused by the lack of software updates for these devices. Although the Controller provided, in principle, support from the device manufacturer, which allowed for the software update, due to an oversight by the Company's IT department employees, the required update was not actually performed. The Company's Management Board, according to its explanations obtained during the inspection, was not aware of the above circumstances, because it was also not disclosed during the external audit conducted in (...) 2020, the purpose of which was to extend the validity of the ISO/IEC 27001:2013 certificate held by the Company. However, the aforementioned report indicated that on the day of the hacker attack, there was an "exploit", i.e. a vulnerability resulting from an error in the programming (configuration) of the system, allowing the takeover of a device operating in the Company's IT system. Moreover, as it results from the aforementioned reports, the breach of the security of edge devices (...) could have been caused by administrative access to SSH and https on external interfaces. Another potential attack vector was "(...)", i.e. breaking the security of the cloud platform (...), through incorrect domain configuration and the use of too weak passwords by users of the Company's system (the administrator's system forced the use of passwords containing at least (...) characters, a capital letter, a digit and a special character).
A "phishing" attack was also not ruled out, consisting in the person attacking the IT system impersonating another entity (person) in order to extort specific information, e.g. related to the security of the aforementioned system, login data or infecting it with malware used for such extortion, i.e. most often the "ransomware A." program (by encouraging the attacked person to open a file containing the aforementioned malware). In the manner described above, the attacked person's workstation is often taken over by exploiting the vulnerabilities of operating systems and web browsers.
A "phishing" attack and the use of security gaps in edge devices were considered the most likely attack vector. The number of computer stations affected by the incident was (…), which was approx. (…)% of all computer stations of the Company. The number of servers affected by the incident was (…). As established, (…) servers with the (…) system did not have current technical support from the manufacturer (support ended in (…) 2020). Servers with installed software (…) were domain controllers operating in read-only mode (support servers).
As established during the inspection, in accordance with the principles adopted by the Company regarding data minimization and saving them in appropriately dedicated locations due to the classification of information and their security, the data that was breached should be stored in a system intended for processing health data, i.e. (…). In accordance with the provision of section (…) of the “Handbook (…)” in force in the Company, employees are obliged to secure data located in the IT system due to their classification, by saving them in the appropriate location. Due to the above regulations, personal data related to the provision of health services by the Company should have been located exclusively in the system (…). Placing and storing this data in the Company's network resources (on a network drive) and in workstations was therefore inconsistent with the principles adopted in the Company.
The explanations obtained from the Company during the inspection also indicate that during the activities determining the scope and extent of the breach of personal data protection, undertaken after its occurrence by the Company, it was found that there were files (…) on the workstations and on the Company's network drive, containing data of persons tested for the presence of COVID-19, using the Company's health services, i.e. health data.
In connection with the breach, the Company launched on (…) 2021, a special telephone hotline to provide information to individuals whose personal data were subject to a breach of personal data protection. Information about the hotline number was included in the content of breach notifications sent by the Company to data subjects. In addition, on (…) 2021, the Company concluded an agreement with B. S.A. with its registered office in W. in order to enable interested data subjects to obtain information on entries in B. S.A. with its registered office in W.
In light of the above. findings, the inspectors found irregularities consisting in
the selection of inappropriate technical and organizational measures to minimize the risks associated with the processing of personal data, in particular those resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed, as a result of an incorrectly conducted risk analysis, and the lack of regular testing, measurement and assessment of the effectiveness of measures to ensure the security of processing.
In connection with the above, the President of the UODO on (…) 2022 initiated ex officio administrative proceedings regarding the possibility of the Company, as a controller, violating the obligations arising from the provisions of Art. 5 sec. 1 letter f), Art. 5 sec. 2, Art. 24 sec. 1 and Art. 32 sec. 1 and 2 of Regulation 2016/679 (ref.: ……………..).
The Company, in a letter dated (…) 2022, responded to the allegations of the President of the Personal Data Protection Office regarding the identified violations of personal data protection provisions, which are the subject of administrative proceedings, listed in the notification of initiation of the proceedings. The Company indicated that:
1. In its opinion, the applicable regulations do not directly provide for a closed, enumerative list of technical and organizational measures that the administrator should apply, and the assessment of their adequacy requires a thorough technical analysis and taking into account the applicable standards for a given sector or branch of the economy. The Company argued that the notification of initiation of the proceedings in this case does not refer to any standards, guidelines or requirements issued by the competent authorities, associations or working groups and "it replicates the findings made in the "Report (...)", prepared at the request of the Company after the personal data protection breach occurred;
2. The aforementioned report constitutes an IT analysis of the breach, indicating potential attack vectors, but not clearly determining which of them was actually used. In the Company's opinion, the analysis resulting from the aforementioned report does not take into account issues related to the protection of personal data, e.g. the degree of adequacy to the risk, and does not exhaustively refer to organizational measures, e.g. appropriate procedures, actual and current activities conducted by the Company;
3. Meets the requirements of the ISO/IEC 27001:2013 standard and is subject to regular audits in its scope, and information in this regard, the certificate and the 2020 report were provided during the inspection by the President of the UODO. In the Company's opinion, the acceptance of the above-mentioned applications IT analysis ("Report (…)") by the President of the Personal Data Protection Office, i.e. accepting the fact of a breach of the provisions of Regulation 2016/679 without making "additional findings", conducting its own analysis or inspection by the President of the Personal Data Protection Office, in the Company's opinion leads to "erroneous conclusions regarding the significance of the deficiencies for the subject matter of the case". The Company indicated that in its opinion the indicated deficiencies, taking into account the industry standards existing at the time of the breach, i.e. the lack of binding legal requirements for the medical sector and the need to maintain proportionality of the steps taken to the available budget resources, also in the context of the activities necessary to organize remote work for some staff due to the pandemic period, did not differ significantly from the level of security in typical medical facilities.
However, the Company's claim raised in the above cannot be agreed with. in writing, that the breach of personal data protection, in connection with which the President of the UODO carried out an inspection, was an incident whose factual circumstances are so similar to the circumstances of the event that was the subject of the decision of the President of the UODO in case reference number (...) of (...) 2021, that it would justify the application of the same sanction to the Company as in the above-mentioned case. Although the supervisory authority in case reference number (...) also found irregularities in the scope of technical and organizational measures applied by the party to the proceedings (erroneous, unreliable preparation of a risk analysis, use of operating systems and IT systems used to process personal data without technical support by their manufacturer, lack of built-in and updated security measures increasing the risk of infection with malware and attacks by creating new security gaps, irregular testing, measurement and evaluation of security measures), in the cited case there was no loss of data confidentiality as in the present case.
In this factual situation, after reviewing all the evidence gathered in the case, the President of the Personal Data Protection Office considered the following:
In accordance with Article 32 paragraphs 1 and 2 of Regulation 2016/679, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of infringement of the rights and freedoms of natural persons with varying likelihood and severity of the threat, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, among others, where appropriate: a) pseudonymisation and encryption of personal data; b) the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident; d) regular testing, measuring and assessing the effectiveness of technical and organisational measures to ensure the security of processing (paragraph 1). In assessing whether the level of security is adequate, particular account shall be taken of the risks associated with processing, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed (paragraph 2).
Furthermore, pursuant to Article 24 paragraph 1 of Regulation 2016/679, taking into account the nature, scope, context and purposes of processing and the risk of infringement of the rights and freedoms of natural persons of varying likelihood and severity, the controller shall implement appropriate technical and organisational measures to ensure that processing is carried out in accordance with Regulation 2016/679 and to be able to demonstrate this. These measures shall be reviewed and updated as necessary.
In turn, pursuant to Article Article 5 paragraph 1 letter f) of Regulation 2016/679 states that personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 5 paragraph 2 of Regulation 2016/679 establishes the principle of accountability, according to which the controller is responsible for compliance with the provisions of paragraph 1 and must be able to demonstrate compliance with them.
It follows from the provisions cited above that the approach based on managing the protection of personal data from the risk perspective (the so-called risk-based approach) is a fundamental concept underlying Regulation 2016/679. This means that it is necessary to be able to prove to the supervisory authority that the solutions applied to ensure the security of personal data are adequate to the level of risk and take into account the nature of the organisation and the data processing mechanisms used. The consequence of this orientation is the abandonment of the lists of security requirements imposed by the legislator in favor of the independent selection of security measures based on the analysis of threats. Administrators are not indicated specific measures and procedures in the scope of security, and their determination should be made in a two-stage process. First, it is therefore necessary for the administrator to determine the level of risk of violating the rights or freedoms of natural persons, which is associated with the processing of their personal data, and then to determine what technical and organizational measures will be appropriate to ensure the level of security corresponding to this risk and to achieve compliance with the provisions of Regulation 2016/679.
According to recital 75 of the preamble to Regulation 2016/679, a risk of varying likelihood and severity to the rights and freedoms of natural persons may result from the processing of personal data which could lead to physical, material or non-material harm, in particular: where processing may result in discrimination, identity theft or identity fraud, financial loss, damage to reputation, a breach of the confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation or any other significant economic or social disadvantage; where data subjects may be deprived of their rights and freedoms or of the possibility of exercising control over their personal data; where personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership are processed and where genetic data, data concerning health or data concerning sexuality or criminal convictions and offences or related security measures are processed; where personal factors are assessed, in particular aspects relating to performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; or where data on vulnerable persons, in particular children, are processed and where the processing involves a large amount of personal data and affects a large number of data subjects.
The EU legislator also indicates in recital 76 of the preamble to Regulation 2016/679 that the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the data processing. The risk should be assessed on the basis of an objective assessment determining whether the data processing operations involve a risk or a high risk.
Recital 83 of the preamble to Regulation 2016/679 indicates, however, that in order to maintain security and prevent processing incompatible with Regulation 2016/679, the controller should assess the risks inherent in the processing and implement measures – such as encryption – to minimise those risks. When assessing the risk in terms of data security, account should be taken of the risks associated with the processing of personal data – such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed – which may in particular lead to physical, material or non-material damage.
With reference to the above-mentioned provisions and recitals of Regulation 2016/679, as well as taking into account the factual circumstances established by the President of the Personal Data Protection Office during the inspection and administrative proceedings, it should be stated that the Company incorrectly carried out the risk analysis of (...) 2021 (document of (...) 2021 called "(...)"), i.e. in the columns "Use of (...)" (threat category "IT" and "Occurrence of (...)" (threat category "IT") the risks related to data processing in the IT systems (resources) of A. Spółka Akcyjna were defined at too low, inadequate level in relation to the level of risk. In the item entitled "Use of (...)" (threat category "IT") of the above-mentioned risk analysis, the level of risk was defined for most activities and purposes of processing as "small" (for the activity/purpose of processing "Data (…)” as “minimal”). Furthermore, in the section “Occurrence of (…)” (“IT” risk category) the risk level for all data processing activities and purposes was defined as “medium”. In other words, in the aforementioned document the Company underestimated the risk associated with its use of software without the manufacturer’s support, i.e., among others, its updates, and the risk associated with incorrect domain configuration. The risk was defined as “medium”, and this was done despite the lack of a detailed procedure for testing, measuring and assessing the effectiveness of security measures in the Company. The lack of such a procedure in itself resulted in the inability to regularly test, measure and assess data protection measures (the lack of such regularity was confirmed during the inspection) and, as a result, prevented the proper preparation of a risk analysis due to the inability to fully determine and estimate the risks associated with the processing of personal data using IT systems. In addition, the Company did not take into account in the risk analysis to an appropriate extent the risks associated with processing, in particular those resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed, i.e. the Company did not include in the said document the risk of setting too weak a password for users of the Company's IT system (password for (...) - failure to include such a category in the analysis), as well as the risk associated with failure to regularly test, measure and assess the effectiveness of technical and organizational measures to ensure the security of processing (such a category was not included in the analysis). It is true that the document "(...)" dated (...) 2021 included a threat generally called "Error (...)" (the Company assessed the risk level of this threat as "medium"), however, according to the President of the UODO, it cannot be unequivocally assumed that the above-mentioned concept also covers the issue of setting access passwords with appropriate security strength. It should be noted that the level of risk estimated by the Company as "medium" (or even "low" in relation to the processing of "Employees (...)") in relation to the above-mentioned threat should be assessed, as in the other above-mentioned cases, as too low, taking into account the errors actually found in the settings of the Company's IT equipment during the UODO inspection, as well as the experience resulting from the circumstances of the data protection breach before the preparation of the risk analysis in question dated (...) 2021.
It should be added that in the item entitled "Use of IT systems without support" (threat category "IT") of the aforementioned risk analysis (document dated (…) 2021, named "(…)"), not only was the risk level for most processing activities and purposes defined as "small" (for the processing activity/purpose "Research data - veterinary services" as "minimal"), but it was additionally assessed that in the case of the aforementioned risk, "actions [are] not required". This was done despite the fact that among the identified potential "ransomware" attack vectors described in the document "Report on the analysis of the current security state", prepared at the request of the Company after the data breach, there was a breach of the security of edge devices (...) caused by the lack of software updates for these devices. In addition, the threat called "Occurrence of (...)" (threat category "IT") defined the risk level for all data processing activities and purposes as "medium".
In turn, in the case of the threat named "Error (...)", the Company assessed the risk level as "medium" or even "low" in relation to the processing of "Employees (...)".
In relation to the above, it should therefore be considered that the determination of the risks related to data processing in the Company's IT systems (resources) (including those without the manufacturer's support) was made at a level inadequate to the level of the threat. In other words, this analysis was not carried out in a way that would provide the Company, as the controller, with a basis for implementing appropriate technical and organizational measures to ensure a level of security corresponding to the risk of violating the rights or freedoms of natural persons with varying probability of occurrence and severity of the threat, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing. This assessment is also justified by the fact that the estimates and determinations of the above risk levels were determined after the personal data protection breach lasting from (…) to (…) 2021, i.e. an event whose occurrence clearly indicated a high level of occurrence of the above-mentioned risks, especially since the Company did not regularly test the effectiveness of the security measures used to process personal data in IT systems, nor did it implement – contrary to the requirements of Art. 32 sec. 1 and 2 of Regulation 2016/679 – a procedure for such testing, thereby depriving itself of an important means of reliably assessing the level of the above-mentioned risks. The assumption by the Company in such a situation that the above-mentioned risks are at a low or medium level was, in the opinion of the President of the UODO, an action without foundation, i.e. made on the basis of apparent and unverified premises. It should be added that the breach of the above-mentioned the provisions of Regulation 2016/679 also occurred due to the Company's failure to determine the cause of the incident after the data protection breach occurred, thus the Company was unable to include in the risk analysis of (...) 2021 the factors that caused the above-mentioned event and to reliably determine the level of risk associated with them, and the above in turn resulted in the incompleteness of the document of (...) 2021 called "(...)". It should be emphasized that even if the risk factors in the analysis prepared by the Company hypothetically included factors that could potentially cause a personal data protection breach, this inclusion took place without the possibility of properly estimating the risk levels. The Company's lack of awareness in the above-mentioned scope (as to the causes of the incident) must lead to a situation in which the risk analysis does not fully reflect the actual risk factors and its degree. Thus, the risk analysis was deprived of key information that would allow the Company to consciously and plannedly minimize specific risks related to data processing and to avoid (or at least limit) the occurrence of data protection breaches in the future.
It should be noted that the Company's violation of Article 24 paragraph 1 and Article 32 paragraphs 1 and 2 of Regulation 2016/679 also resulted from the improper conduct of the risk analysis before the date of the data protection breach (document "(...)" dated (...) 2020). As it results from the content of this document, under the items defining the threats named "Occurrence of (...)" and "Error (...)", the risk level was estimated as "medium". The risk assessment for the above level before the personal data breach occurred, in the opinion of the President of the Personal Data Protection Office, was inadequate to the actual state of affairs, taking into account the fact that the personal data breach occurred, as well as the findings of control regarding the course of the aforementioned incident and irregularities in the scope of organizational and technical measures applied by the Company to ensure the security of the processed data. The risk assessment as "small" or even "minimal" (e.g. in the processing process "Processing (...)") in the item "Use (...)" is also unacceptable. The above action should be considered incorrect and inconsistent with the provisions of Regulation 2016/679, taking into account the fact that support by the manufacturer of software used for data processing is generally considered in the IT industry to be a fundamental security principle. The above is also confirmed by the applicable technical standards[1], as well as in the guidelines of the European Data Protection Board (hereinafter: EDPB)[2]. It should therefore be stated that the assumption of a "low" level of risk of materialization of the threat called "Use (...)" for most processing activities and purposes before the data protection breach occurred was an action devoid of real, factually based conditions. Moreover, as indicated above, it was in conflict with generally accepted standards in the IT industry, as well as the EDPB guidelines.
Maintaining and using IT systems that have lost manufacturer support and devices equipped with unsupported software always poses a threat to the security of data processed using them, because in this way the administrator consciously deprives itself of the possibility of ongoing response to current IT threats that have a direct impact on data security. Therefore, since the Company, as the controller, decided to use such devices, and, moreover, as a result of the risk analysis conducted both before (analysis of March 30, 2020) and after the personal data protection breach (analysis of August 2, 2021), it determined the level of risk of this threat as "low", it should be considered that such action, in particular in view of the fact that the above-mentioned breach occurred, was disproportionate to the level of threat and the principles of IT security commonly applied in the field of IT.
As regards the accusation against the Company regarding the improper conduct of the risk analysis, including determining the level of certain risks at too low a level, the Company explained in a letter dated (...) 2022 that "The Authority refers to risk analyses carried out taking into account the methodology and risk levels adopted in the Administrator's organization (procedure provided to the Authority (...))." The Company also indicates that "a higher assessment indicated by the Authority, as part of the Administrator's methodology, would require the adoption of a probability of "(...)", which means that the risk is "very probable" - threats are expected to occur in most cases or circumstances and there is full knowledge of past occurrences, effects and causes. (...) at the time of preparing the analysis (i.e. (...) 2021), it could not be assumed that the occurrence of an event (another infection of systems) was very probable. It was still real, but not very probable. The mere fact of the existence of possible security gaps, in relation to which remedial actions have been initiated, cannot prejudge the high probability of an external attack, dependent on the actions of third parties and knowledge or identification of the aforementioned gaps." The Company's argument quoted above cannot be accepted. Due to the occurrence of the personal data breach, its "mechanism", scale and nature, the Company's classification of the risk level for most processing activities and purposes as "small" (for the processing activity/purpose "Data (...)" as "minimal"), as well as the determination in the point "Occurrence (...)" ("IT" risk category) of the risk level for all data processing activities and purposes as "medium", was, in the opinion of the President of the UODO, inadequate to the actual state of affairs. In turn, the above resulted in the application of insufficient organizational and technical measures to ensure the security of personal data.
As already indicated above, the Company underestimated the significance and scale of the personal data breach, which should have been a reliable point of reference for it when conducting the next risk analysis, and moreover, it clearly did not precede the above. analysis with appropriate actions to review the status of updates and configuration of its IT system or, despite carrying them out, ignored their result, since it determined the level of risk at a "small" and "medium" level, despite the fact that such deficiencies as e.g. lack of software updates were identified during the inspection. The above therefore indicates that the risk assessment was carried out unreliably, i.e. without due consideration of the actual state of security of the Company's IT systems, and above all without taking into account the element of life experience, which is associated with the Company's awareness of the occurrence of a similar event in the past, i.e. a breach of personal data protection (in relation to the risk analysis contained in the document "(...)" dated (...) 2021, i.e. after the occurrence of a breach of personal data protection).
It should be noted once again that the document assessing the level of risks for individual processing processes did not properly take into account the level of risk associated with the Company's use of software without the manufacturer's support, i.e., among others. its updates, risks related to incorrect domain configuration, risks related to setting too weak a password for users of the Company's IT system (password for (...)), as well as risks related to failure to regularly test, measure and assess the effectiveness of technical and organisational measures intended to ensure the security of processing. Events related to the above-mentioned. risks occurred as part of the personal data protection breach reported to the President of the Personal Data Protection Office prior to the inspection, therefore the Company, not to mention the fact that it ignored the current technical standards for the security of information and personal data processed in IT systems, cannot claim in its justification that, for example, the processing of data in outdated or unsupported IT systems was not associated with high risks of materialisation of these threats, since it itself did not sufficiently estimate the level of such risks when selecting technical and organisational measures or did not take them into account at all (e.g. in the event of failure to implement a software update due to an omission by employees), as evidenced by the content of the document dated (...) 2021, named "(...)", presented by it during the inspection.
What is important and should be emphasized again is that the aforementioned document was developed after the personal data protection breach occurred, i.e. at a time when the Company was aware of the risks and threats related to the use of the IT system for processing personal data, and the aforementioned incident should have been a reason for the Company to thoroughly analyze all factors related to the operation of its IT system, including issues such as lack of manufacturer support for the software installed in it, incorrect configuration of settings, etc. Therefore, taking into account in particular the wide scope of personal data processed by the Company on the resources of network drives operating in its IT system, as well as, among others, the number of persons (…) whose data are concerned and who were affected by the consequences of a breach of personal data protection, in order to properly fulfil the obligations arising from the provisions of Regulation 2016/679, the Company was obliged to take actions to guarantee an appropriate level of personal data protection by implementing appropriate technical and organisational measures to ensure the security of their processing, as well as to regularly test, measure and assess the effectiveness of the above measures. Decisions on the nature, types or intensity of such actions should be based on conclusions resulting from the risk analysis carried out for the processing operations performed, taking into account, among others, vulnerabilities, threats, possible effects of the breach and security measures aimed at ensuring the confidentiality, integrity and availability of the processed personal data, as well as experience resulting from the personal data protection breach that occurred before the risk analysis on (…) 2021.
Meanwhile, the evidence collected shows that the Company managed IT resources located outside the medical IT system (...), in which it processed the personal data of its patients and employees, without properly analysing the risks involved, without regularly testing the IT systems and their security, and – as a result of the above – without applying adequate technical and organisational measures for data protection. In the opinion of the President of the Personal Data Protection Office, the implementation of technical measures by the Company, while underestimating the risk associated with data processing using an incorrectly configured IT system, equipped with software without manufacturer support and its updates (and not tested, measured and regularly assessed in terms of the effectiveness of data protection), did not provide an adequate guarantee that these measures would be appropriate, adequate and that they would effectively minimise the risk of violating the rights or freedoms of data subjects. The above position of the supervisory authority is also reflected in the judgment of the Provincial Administrative Court in Warsaw of 26 August 2020 (reference number II SA/Wa 2826/19, Legalis no. 2480051), in which the Court stated that Article 32 paragraph 1 of Regulation 2016/679 "(...) does not require the controller to implement any technical and organizational measures that are to constitute personal data protection measures, but requires the implementation of adequate measures. Such adequacy should be assessed in terms of the manner and purpose for which personal data are processed, but the risk associated with the processing of such personal data, which risk may be of varying heights, should also be taken into account." At the same time, the Court emphasized that "[t]he measures adopted should be effective, in specific cases some measures will have to be of a low-risk mitigating nature, others – must mitigate high risk, however, it is important that all measures (and each one separately) are adequate and proportionate to the degree of risk". In turn, in the judgments of 13 May 2021, reference number II SA/Wa 2129/20, and of 5 October 2023, reference number II SA/Wa 502/23, the Voivodship Administrative Court in Warsaw indicated that "The data controller should (...) conduct a risk analysis and assess what threats it is dealing with". In the latter judgment, the Court also stressed that "the supervisory authority is not obliged to indicate to the Controller the technical and organizational solutions that it should implement in order to process personal data in accordance with the law. It is the Controller's task to introduce these measures and then - if necessary - demonstrate that it complies with the principles of personal data processing specified in Regulation 2016/679, in accordance with the principle of accountability (Article 5 paragraph 2 of the aforementioned regulation)".
In view of the improper conduct of the risk analysis related to the processing, including the failure to take into due account the above-mentioned risks related to using software without the manufacturer's support, its updates, incorrect domain configuration, setting too weak a password for users of the Company's IT system (password for (...)) and failure to regularly test, measure and assess the effectiveness of technical and organisational measures designed to ensure the security of processing, the Company was not able to demonstrate that, when implementing technical and organisational measures designed to ensure compliance of processing with Regulation 2016/679, as well as assessing whether the level of security of personal data is adequate, it actually took into account the criteria described in Art. 32 sec. 1 of Regulation 2016/679, including the risk of breaching the rights and freedoms of natural persons, and the risks related to processing, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data, in accordance with the obligation arising from Art. 32 sec. 2 Regulation 2016/679.
As also pointed out in the literature on the subject (P. Barta, P. Litwiński, M. Kawecki, Commentary to art. 5, in: General regulation on the protection of personal data. Personal data protection act. Selected sectoral provisions. Commentary, ed. P. Litwiński, Legalis 2021), "[a]ccountability, i.e. in particular the obligation to demonstrate compliance with the provisions of the law, consists in the opinion of the Article 29 Working Party [Opinion of 13 July 2010 3/2010 on the principle of accountability (WP 173), (...)] of the following partial obligations: 1) the obligation to implement measures (including internal procedures) ensuring compliance with the provisions on data protection in connection with data processing operations; 2) the obligation to prepare documentation that indicates to data subjects and supervisory authorities what measures have been taken to ensure compliance with the provisions on the protection of personal data.
(…) In this sense, accountability should therefore be understood as a certain property of processing activities that allows for proving compliance with the provisions of the law on operations on personal data, in particular by means of personal data protection documentation. A consequence of the principle of accountability is that in the event of a dispute with the data subject or with the supervisory authority, the controller should be able to provide evidence that it complies with the provisions on the protection of personal data. Such evidence may primarily be documents describing the principles of processing and protection of personal data”.
In connection with the above, it should be noted that the functioning of any organization, especially in the sphere of personal data protection, cannot be based on unreliable or unrealistic foundations, and disregarding the value of basic information that every administrator should regularly obtain on the state of organizational and technical measures applied by him, in particular as a result of their testing, measurement and evaluation, may create a false sense of security, leading to the administrator not taking the actions to which he is obliged, which in turn may result, as in the present case, in a breach of personal data protection, causing - due to the scope of personal data subject to infringement - a high risk of infringement of the rights or freedoms of natural persons.
The incorrect conduct of the risk analysis shown above resulted in the failure to apply appropriate technical measures for the security of personal data processing. The risk analysis is of fundamental importance for the proper selection of the above measures, because determining the types of risks and their levels determines the application of appropriate solutions in the situation of a specific administrator.
During the audit, the following irregularities were revealed in the technical measures used by the Company as the administrator: a) lack of software updates for edge devices, i.e. on the date of the personal data protection breach, an "exploit" existed that allowed the takeover of edge devices; b) enabled SSH and https administrative access on external interfaces of edge devices, which could have led to a breach of the security of the above-mentioned devices and, subsequently, to gaining access to the Company's ICT infrastructure and the personal data processed therein; c) incorrect domain configuration and use of too weak passwords by users, which increased the possibility of unauthorized acquisition of authorization data (passwords) by third parties; the minimum password length for (...) set by the Company was only (...) characters, which did not correspond to current practices in the IT industry (the standard on the day of the inspection was 12 characters)[3],d) incorrect configuration of the Company's domain and installation of utility software on the domain controller, which, if taken over by an attacker, could make it easier for him to perform further operations, e.g. take over a user account, install software enabling access to further IT resources,e) installation of utility software on the Company's domain controller, which, if taken over by an attacker, could make it easier for him to perform further operations in the Company's IT infrastructure,f) use of servers with the (...) system that did not have current technical support from the manufacturer (for approx. 1 year until the incident occurred; support ended in (...) 2020), thus increasing the risk of the occurrence and use by unauthorized persons of emerging vulnerabilities in the IT system,g) failure to conduct regular testing, measuring and assessing the effectiveness of technical and organisational measures designed to ensure the security of processing, which increased the risk of the above-mentioned irregularities and made it impossible for the Company to identify their occurrence before a personal data breach occurred.
The identified critical vulnerabilities, such as: lack of software updates for edge devices, configuration (...) inconsistent with best practices used in the IT industry on the date of the inspection and EDPB guidelines (indicated above), unsupported operating systems on domain controllers and workstations, and installation of utility software on the domain controller, were described in the "Report (...)", prepared by the Company after the personal data breach occurred. The above constitutes evidence that the Company was aware of the occurrence of the above irregularities on the date of the inspection, and yet did not take action to eliminate them. In addition, the violation of the above provisions of Regulation 2016/679 resulted from the Company's failure to regularly test, measure and assess the effectiveness of technical and organizational measures to ensure the security of data processing. In the judgment of 6 June 2023, file ref. Act II SA/Wa 1939/22, the Voivodship Administrative Court in Warsaw indicated that "(...) the obligation to regularly test technical and organizational measures, securing the processing of personal data, in order to ensure a level of security corresponding to this risk, within the meaning of Article 32 paragraph 1, introductory sentence of the GDPR, results directly from the wording of letter d of the indicated Article 32 paragraph 1, while the obligation to document activities in a given scope is established by the principle of accountability (Article 5 paragraph 2 of the GDPR)." This Court expressed a similar opinion in its judgment of 21 June 2023, reference number II SA/Wa 150/23.
It should also be emphasized that the above-mentioned testing, measuring and assessing technical and organizational measures intended to ensure the security of processing, in order to constitute the implementation of the requirement resulting from Article 32 paragraph 1, letter d) Regulation 2016/679, must be carried out on a regular basis, which means conscious planning and organization, as well as documenting such activities in specific time intervals, regardless of changes in the organization and course of data processing processes (in connection with the principle of accountability referred to in Art. 5 sec. 2 of Regulation 2016/679). The Company did not demonstrate during the inspection or in the administrative proceedings that it carried out the above activities regularly. The only manifestation of testing, measuring and evaluating in the scope of technical means used by the Company were the activities carried out in the Company, which were preceded by obtaining a certificate by it in the scope of the ISO/IEC 27001:2013 standard.
It should be noted, however, that the above the activities were incidental and one-off, as they were carried out only in connection with recertification related to the ISO/IEC 27001:2013 standard. Regularity should be understood as a situation in which the above-mentioned activities were carried out at specific intervals, not subject to randomness, but determined by the principles of testing adopted by the Company, and therefore also their frequency, developed taking into account the scale, nature and method of data processing. The Company did not develop the above-mentioned principles nor did it carry out testing in practice on a regular basis.
In response to the Company's claims contained in the letters dated (…) 2022 and (…) 2023 addressed to the President of the Personal Data Protection Office after the inspection, it should be stated that they do not contain arguments that deserve to be taken into account when considering the case in question and that would contradict the conclusions drawn on the basis of the evidence collected. The letter dated (...) 2022 contains an erroneous thesis that the President of the UODO, when initiating administrative proceedings against the Company and indicating a breach of the provisions of Regulation 2016/679 in the letter dated (...) 2022 (ref.: (...)), was guided mainly, or even solely, by the content of the "Report (...)" prepared at its request after the personal data protection breach occurred.
In view of the above, it should be stated that the above the document was taken into account by the President of the UODO when considering this case, however, the post-inspection conclusions and the allegations made against the Company were formulated primarily on the basis of applicable legal provisions and the assessment of the factual circumstances established by the inspectors described in the inspection report, resulting from the evidence obtained during the inspection, as well as on the basis of the currently adopted and generally known basic data security standards in the IT industry, which will be discussed in more detail later in the decision. It should also be noted that the allegations made against the Company by the President of the UODO in the proceedings in question, contrary to the Company's suggestion, do not determine the direct cause of the data protection breach. However, this does not change the fact that the inspection by the President of the UODO revealed a number of breaches of the provisions of Regulation 2016/679 committed by the Company, regardless of whether they had a direct impact on the occurrence of the personal data protection breach or not. In its judgment of 9 February 2023 (ref. III OSK 3945/21), the Supreme Administrative Court indicated in its justification that "in administrative law, an individual is liable for an administrative tort, and not for a culpable act consisting in conduct or omission. This liability is objective, not subjective. An administrative tort may therefore constitute a certain action, but also a certain objectively existing state of affairs for which the individual is liable. The Constitutional Tribunal emphasizes in its case law that in relation to administrative torts, the subsumption of the factual state comes down to determining whether a specific action has exhausted the features indicated in the Act (judgment of the Constitutional Tribunal of 14 October 2009, Kp 4/09, OTK-A 2009, No. 9, item 134). In such a state of affairs, an administrative tort does not have to constitute an act at all, and it is even less necessary to specify in the ruling of the decision the administrative tort for which the party is legally liable”. In the aforementioned judgment, the Supreme Administrative Court also indicated that “administrative sanctions for breach of the obligations specified in Article 32 of the GDPR are not imposed on the person who, as a controller or processor, allowed the unauthorized processing of personal data, but only on the entity that failed to maintain the appropriate standard of security measures in the given circumstances. An individual is not subject to punishment for the illegal action of a third party (e.g. a hacker), consisting in unauthorized access to the data processed by them, but for allowing such access in connection with the inadequate level of security applied. The circumstance of unauthorized access to data alone does not determine the violation of the cited provision, because such a state of affairs is potentially possible to occur even when the highest level of security is maintained. This interpretation is reinforced by the content of recital 76 of the GDPR, which indicates that <<[risk] should be assessed on the basis of an objective assessment that determines whether data processing operations involve a risk or a high risk>>”.
The Company's claim that the supervisory authority did not refer to any standards relating to the IT industry when formulating allegations against it is incorrect. It should be noted that, for example, the requirement and obligation of the data controller to provide ongoing support in the field of software updates, e.g. edge devices and software in the form of a system (...) installed on the Company's servers (support ended in (...) 2020, i.e. well before the inspection date), is common knowledge in the IT industry.
Knowledge in the above scope is widely known even among a wide group of non-professional users of IT devices, e.g. in the scope of the need to update environmental software (Windows, Linux) on computers, in order, among other things, to install additional security measures protecting against hacker attacks, etc. It is therefore difficult to assume that the above knowledge is not possessed by IT specialists employed by a computerized, professional entity conducting business activity, such as the Company. It should therefore be emphasized that ensuring current updates of software that, as mentioned above, is important for IT security, and therefore also for the security of personal data, is a basic, unquestionable and widely known obligation of the administrator. Evidence of disregard for the above threat is the fact that the risk level of this factor was recognized in subsequent risk analyses conducted by the Company as being at a "small" level.
At the same time, the Company's argument that in the above In this respect, there are no applicable standards sanctioned by law and that the irregularities pointed out by the President of the UODO to the Company are not directly included in the closed, enumerative catalogue of technical and organisational measures that the administrator should apply. Standards requiring the administrator, among other things, to update system software and data security software (antivirus, firewall, etc.), as indicated above, are commonly accepted in the IT industry and it is to them that reference should be made in the case at hand. Additionally, with regard to the obligation to update system software, such as the system installed on the Company's servers (...), on the day of the data protection breach, for example, the PN-EN ISO/IEC 27002 standard Chapter 12.5.1 letter a) "Installation of software in production systems" was in force. This standard clearly indicates the need to update software in order to ensure IT security, and thus also personal data security. The above argument applies equally to the issue of the lack of software updates for edge devices used by the Company in its IT system.
It should be noted once again that the Company, in the item in the document "(...)" entitled "Use of (...)" (threat category "IT"), defined the level of risk for most processing activities and purposes as "low", thus groundlessly concluding that the software update is of rather marginal importance for the security of its IT system.
The Company's other deficiencies in the scope of the applied technical (IT) measures referred to in Article 24 paragraph 1 and Article 32 paragraph 1 of Regulation 2016/679 should be assessed similarly, i.e. enabled SSH and https administrative access on external interfaces of edge devices, incorrect domain configuration and use of too weak passwords by users, which increased the possibility of unauthorized acquisition of authorization data (password) by third parties. The minimum password length for (...) set by the Company as the administrator at the level of only (...) characters, did not correspond to current practices used in the IT industry (the standard on the day of the inspection was 12 characters). It should be emphasized that the strength of the password set by the Company on the day of the inspection (and on the day of the breach of personal data protection) did not even meet the requirements specified in a very distant time, in 2004, i.e. in the repealed regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and technical and organizational conditions that should be met by devices and IT systems used to process personal data (Journal of Laws 2004 No. 100 item 1024).
A password with a strength of at least 12 characters was a commonly accepted and used market standard in the field of IT security on the day of the inspection by the President of the Personal Data Protection Office. In the above-mentioned scope, the selection of a password (its strength) in accordance with the level of risk is also provided for in the PN-EN ISO/IEC 27002 standard Chapter 9.4.3. "Password management system" letter c).
In the context of the above argument, reference should also be made to the content of the EDPB Guidelines 01/2021 on examples of reporting personal data breaches, adopted on 14 December 2021, version 2.0. In Chapter 2.5 "Organisational and technical measures to prevent and mitigate the effects of ransomware attacks", the EDPB made the following recommendations: "48. The fact that a ransomware attack may have taken place is usually an indication of the existence of one or more vulnerabilities in the controller's system. This also applies to ransomware cases where personal data have been encrypted but not exfiltrated. Regardless of the outcome and consequences of the attack, the importance of a comprehensive assessment of the data security system - with particular emphasis on IT security - cannot be overemphasized. Identified weaknesses and security gaps should be documented and addressed without delay.49 Recommended measures:(The list of measures below is by no means exclusive or exhaustive. Rather, the aim is to provide ideas for preventing attacks and possible solutions. Each data processing activity is different, so it is up to the administrator to decide which measures are most appropriate for a given situation.)- keeping the firmware, operating system and application software up to date on servers, client computers, active network components and any other devices on the same LAN (including Wi-Fi devices). Ensuring that appropriate IT security measures are in place, ensuring that they are effective and regularly updating them as processes or circumstances change or evolve. This includes keeping detailed logs that record what patches have been applied at a given time stamp;- designing and organising processing systems and infrastructure to segment or isolate data systems and networks to avoid the spread of malware within the organisation and to external systems;- having an up-to-date, secure and proven backup procedure. Medium and long-term backup media should be stored separately from the operational data store and out of reach of third parties, even in the event of a successful attack (e.g. daily incremental backup and weekly full backup); having/obtaining an appropriate, up-to-date, effective and integrated anti-malware program (...)".
It should be noted that administrators are not only obliged to achieve compliance with the guidelines of Regulation 2016/679 through a one-time implementation of technical and organizational security measures, but also to ensure continuous monitoring of the scale of threats and accountability in terms of the level and adequacy of the implemented security measures. As raised in the literature on the subject (P. Barta, P. Litwiński, M. Kawecki, Commentary to Article 5, in: General Regulation on Personal Data Protection. Personal Data Protection Act. Selected Sectoral Provisions. Commentary, ed. P. Litwiński, Legalis 2021) "(...) the obligation to provide appropriate technical and organizational measures, referred to in Article 32 paragraph 1 [of Regulation 2016/679], is dynamic in nature (...), as the EU legislator requires regular testing, measurement and assessment of the effectiveness of the measures applied to ensure security to a degree appropriate to the risk".
It should also be noted that during the proceedings the supervisory authority took into account the fact that the Company had obtained a certificate concerning the ISO/IEC 27001:2013 standard, however, the above does not mean that the Company met the requirements of Regulation 2016/679, since it did not provide evidence of the correct conduct of the risk analysis and regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processing, indicating only a one-time performance of these processes during the recertification audit. The above omissions, in turn, led to the improper selection of organizational and technical measures to ensure the security of data processed by the Company.
From the explanations provided by the Company during the inspection and after its completion, it follows that actions aimed at ensuring regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processing were taken only after the personal data protection breach occurred, albeit to an insufficient degree. The Controller is obliged to verify both the selection and the level of effectiveness of the solutions used at each stage of processing. The comprehensiveness of this verification should be assessed through the prism of adequacy to risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing. In the present factual situation, it should therefore be considered that the Company did not fulfil the above obligation.
Taking into account the findings made, it should also be considered that the lack of regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processed data was a consequence of the failure to implement adequate organizational measures, i.e. failure to include detailed provisions regarding regular testing, measurement and assessment of the applied technical and organizational measures in the developed and implemented documentation regulating the data processing process in A. Spółka Akcyjna. The Company did not apply appropriate organisational measures for the security of personal data processing, i.e. it did not include detailed provisions regarding regular testing, measuring and evaluating the technical and organisational measures applied in the developed and implemented documentation regulating the data processing process at A. Spółka Akcyjna, and in particular in section (...) of the procedure called "Management (...)", entitled "Security (...)", including failing to implement, as the controller, appropriate organisational measures to ensure – taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying likelihood and severity of the threat – a level of security appropriate to that risk, including, inter alia, where appropriate, regular testing, measuring and evaluating the effectiveness of technical and organisational measures intended to ensure the security of processing. The developed and implemented documentation describing the data processing process in the Company does not contain detailed provisions regarding regular testing, measuring and assessing the effectiveness of the applied technical and organizational measures.
For example, in section (…), and in particular in section (…) of the procedure called “Management (…)”, entitled “Security (…)”, there is a provision according to which the Company’s IT Department supervises the equipment. It concerns, among other things, system security checks and software checks (installation, uninstallation and update). However, the aforementioned procedure does not contain regulations regarding specific activities constituting the checks, the frequency, form and manner of their performance, the manner and form of preparation and storage of reports from the aforementioned checks. In addition, the regulations applied by the Company did not sufficiently specify which persons are responsible for conducting the inspections, and also for interpreting the inspection reports and taking appropriate actions to eliminate any irregularities identified during the aforementioned inspections.
It should be noted that the violation of Article 32 paragraph 1 letter d) of Regulation 2016/679 in connection with the failure to include detailed provisions on regular testing, measuring and assessing the effectiveness of the applied technical and organizational measures in the developed and implemented documentation regulating the data processing process in the Company, and in particular in paragraph (...) of the procedure called "Management (...)", entitled "Security (...)", is reflected - contrary to the Company's claim - in the content of the aforementioned provision.
Since regular testing, measuring and assessing the technical and organizational measures applied in the Company, in the light of art. 32 sec. 1 letter d) of Regulation 2016/679, is to ensure a level of security corresponding to the risk of violating the rights or freedoms of data subjects as a result of their processing, the manner, form, frequency or deadlines for carrying out the above-mentioned activities should be specified in the content of the relevant procedures and in accordance with the results obtained in the risk analysis conducted. Issues such as the manner of reporting the above-mentioned activities, storing the reports, as well as remedial actions taken on the basis of the said reports should also be specified.
In other words, the slogan-based and general regulation of the issue of testing, measuring and assessing technical and organizational measures in the section entitled "Security (...)" of the procedure entitled "Management (...)", without taking into account the above-mentioned detailed issues, is only a kind of general declaration and at the same time a repetition of art. 32 sec. 1 letter d) of Regulation 2016/679, which is already binding on the Company. Therefore, if the performance of the above-mentioned activities is to be regular and at the same time actually implemented in the Company's activities, such implementation requires procedural specification and detailing in the description of the methods, manner or frequency of performing these activities. Such specification and detailing ensuring the regularity of the above-mentioned activities is missing in the above-mentioned procedure of the Company, which as a result constitutes a violation of art. 32 sec. 1 letter d) of Regulation 2016/679, all the more so since the Company processes data on a large scale (which the Company confirmed in the explanations) and the scope of the processed data also includes data subject to special protection referred to in art. 9 sec. 1 of Regulation 2016/679 (concerning health).
Importantly, the provisions of (...) Policy (...) cited by the Company in its explanations after the inspection (letter dated (...) 2022) also do not contain the appropriate specification or detailing of the procedures for testing, measuring and assessing the effectiveness of the technical and organizational measures applied. The content of the above-mentioned provisions of the Security Policy contains general, declarative obligations to carry out the activities in question, without indicating their technical details, such as deadlines, methods, frequency, storage of reports, etc. They therefore constitute a slight specification of the obligation formulated in art. 32 sec. 1 lit. d) of Regulation 2016/679, but far from sufficient, as they amount only to general statements that specific issues are controlled or supervised, actions are taken to ensure security, etc.
Therefore, the content of the provisions indicated by the Company also cannot be considered a manifestation of compliance with the requirement of Article 32 paragraph 1 letter d) of Regulation 2016/679 regarding the obligation to regularly test, measure and assess the effectiveness of the organizational and technical measures applied. The provisions included in the documentation concerning the protection of data processed by the controller, which de facto plays the role of the data protection policy indicated in Article 24 paragraph 2 of Regulation 2016/679, cannot constitute only a kind of copy of the provisions of the aforementioned regulation, because otherwise they become useless in practice. The aim of the European legislator in creating the provisions of Regulation 2016/679, and in particular Article 32 and Article 24, was to impose on controllers the obligation to apply measures corresponding to the specificity of the processing processes taking place in each of them individually. The above therefore determines the obligation on the part of controllers to shape the content of the procedures used by them, which make up the data protection policy, so that they are adapted to the processing activities taking place in these controllers.
Since regular testing, measuring and evaluation of the technical and organizational measures applied in the Company, in the light of art. 32 sec. 1 letter d) of Regulation 2016/679, is to ensure a level of security corresponding, among others, to the risk of violating the rights or freedoms of data subjects as a result of their processing, the manner, form, frequency or deadlines for carrying out the above activities should be specified in the content of the relevant procedures and in accordance with the results obtained in the risk analysis conducted. Issues such as the method of reporting the above activities, storing reports, as well as remedial actions taken on the basis of said reports should also be specified.
As indicated by the Provincial Administrative Court in its judgment of 21 October 2021 (reference number: II SA/Wa 272/21), "The Court agrees with the position of the President of the Personal Data Protection Office (...) that conducting tests only in the event of an emerging threat, without introducing a procedure that would specify a schedule of actions ensuring regular testing, measurement and assessment of the effectiveness of the implemented measures is insufficient."
Incorrect conduct of the risk analysis resulting in the selection of inappropriate security measures and the lack of regular testing, measurement and assessment by the Company of the effectiveness of the implemented technical and organizational measures to ensure the security of processing significantly increased the risk of violating the rights or freedoms of data subjects and, moreover, constituted a violation by the Company of its obligations arising from Art. 24 sec. 1 and Art. 32 sec. 1 and 2 of Regulation 2016/679, and consequently also the principle of integrity and confidentiality expressed in Art. 5 sec. 1 letter f) of Regulation 2016/679.
Together with the violation of the principle of integrity and confidentiality, there was also a violation of the principle of accountability referred to in Art. 5 sec. 2 of Regulation 2016/679. As indicated by the Voivodship Administrative Court in Warsaw in its judgment of 10 February 2021 (ref. II SA/Wa 2378/20, Legalis No. 2579568), "(...) the data controller is responsible for compliance with all the principles when processing personal data (listed in Art. 5 sec. 1) and must be able to demonstrate compliance with them. The principle of accountability is therefore based on the legal responsibility of the controller for the proper performance of its obligations and imposes on it the obligation to demonstrate, both to the supervisory authority and to the data subject, evidence of compliance with all data processing principles”. This issue was interpreted similarly by the Provincial Administrative Court in Warsaw on 26 August 2020 (ref. II SA/Wa 2826/19, Legalis no. 2480051), stating that “[g]iven all the provisions of Regulation 2016/679, it should be emphasised that the controller has significant freedom in the scope of applied safeguards, but at the same time is liable for violating the provisions on the protection of personal data. It follows directly from the principle of accountability that it is the controller who should demonstrate, and therefore prove, that it complies with the provisions specified in Article 5 paragraph 1 of Regulation 2016/679”.
As previously demonstrated, ensuring the security of processed data is a fundamental obligation of the controller, which is a manifestation of the implementation of the general principle of data processing, i.e. the principle of integrity and confidentiality, specified in art. 5 sec. 1 letter f) of Regulation 2016/679. The literature indicates (P. Barta, P. Litwiński, M. Kawecki, Commentary to art. 32, in: General regulation on the protection of personal data. Personal data protection act. Selected sectoral provisions. Commentary, ed. P. Litwiński, Legalis 2021) that this principle "(...) imposes on the controller or the data processor the obligation to secure data, in particular against unauthorized or unlawful processing and accidental loss, destruction or damage to data. It should therefore also be understood as preventing access to data by unauthorized persons". It should be noted that the issue raised by the Company in its written explanations (letter of November 2, 2022) as to whether the deficiencies identified during the inspection differed or did not differ from the level of security in typical medical facilities is irrelevant for the assessment of the case and the formulation of charges against the Company. An important circumstance for the case is the very fact that, taking into account the requirements of the provisions of Regulation 2016/679 and the principles applicable in the field of so-called cybersecurity, the Company violated both, causing an increased risk to the protection of personal data, through failure to apply the organizational and technical measures necessary in the conditions of the Company's activity for such protection. The circumstance referred to by the Company, that other entities operating on the medical services market have similar or even more serious deficiencies, does not reduce, and even more so does not waive, the Company's liability for the violations of the provisions of Regulation 2016/679 found against it.
The Provincial Administrative Court in Warsaw, in its judgment of 19 January 2021 (ref. II SA/Wa 702/20, Legalis no. 2821108), emphasised that "(...) the data controller should appropriately protect personal data against accidental loss using appropriate technical and organisational measures. Personal data should be processed in a way that ensures their appropriate security and confidentiality, including protection against unauthorised access to them and to the equipment used to process them and against unauthorised use of such data and equipment (recital 39 of Regulation 2016/679). (...) the data controller is responsible not only for the actions of its employees, but also for the processing of data in the IT system used by it”.
It should also be noted that the explanations provided by the Company in the letter dated (...) 2022 indicate that it has taken remedial action in connection with the deficiencies identified during the inspection by the President of the Personal Data Protection Office. It should be noted, however, that these actions did not cover all infringements of the provisions of Regulation 2016/679 identified during the inspection by the Personal Data Protection Office and which are the subject of this decision. Therefore, considering the fact that the Company continues to process personal data, in particular without developing and implementing a detailed procedure relating to regular testing, measuring and assessing the effectiveness of technical and organizational measures intended to ensure the security of processing (and without actually performing the above activities), as well as without updating the software of edge devices used in the Company's IT system in accordance with the software manufacturer's update plan, the President of the UODO, pursuant to Art. 58 sec. 2 letter b) of the GDPR, d) Regulation 2016/679, ordered it to implement appropriate technical and organisational measures to minimise the risks associated with the processing of personal data, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, after conducting a risk analysis taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing and the risk of violating the rights and freedoms of natural persons, and to implement appropriate technical and organisational measures to ensure regular testing, measurement and evaluation of the effectiveness of measures to ensure the security of processing.
Referring to the content of the Company's letters of (…) 2023 and (…) 2023 containing evidentiary motions of the party to the proceedings, the President of the UODO found that these motions should not be considered. Under Article 78 § 1 of the Code of Administrative Procedure, the party's request to take evidence should be considered if the subject of the evidence is a circumstance that is relevant to the case. Furthermore, in accordance with Article 78 § 2 of the Code of Administrative Procedure, a public administration body may not consider a request (§ 1) that was not made during the taking of evidence or during the hearing, if the request concerns circumstances already established by other evidence, unless they are relevant to the case. In turn, under Article 75 § 1 of the Code of Administrative Procedure, anything that may contribute to the clarification of the case and is not contrary to the law should be admitted as evidence. In particular, documents, witness statements, expert opinions and inspections may be evidence.
In the case of evidentiary motions filed by the Company, the subject of the evidence is to be circumstances which – in the opinion of the President of the UODO – are either irrelevant to the case, or the request to take evidence concerns circumstances already established by other evidence or the evidence requested cannot contribute to the clarification of the case, i.e.:
1) evidence from the hearing of a witness, Mr. P.K., employed as a personal data protection officer in the Company, at the time when the personal data protection breach took place, in the event of: - the size of the hacker attack – this circumstance has already been established by other evidence, i.e. it was described, among others, in the minutes of the reception of oral explanations with the participation of the above-mentioned person during the inspection activities of the authority, - the possibility of identifying the perpetrators of the attack – a circumstance irrelevant to the case due to the established violations of the provisions of Regulation 2016/679, which in themselves are the subject of the resolution of this decision, regardless of the issue of their impact on the course of the personal data protection breach; the outcome of the criminal proceedings has no impact on the administrative proceedings concerning the infringement of the provisions of Regulation 2016/679, because the circumstance of a possible detection or failure to detect the perpetrators of the crime and the determination or failure to establish that it was committed has no impact on the fact that, regardless of the above-mentioned potential circumstances of the case, the President of the UODO established, as a result of the control activities undertaken and the administrative proceedings, that the Company had committed infringements of the provisions of Regulation 2016/679, which are subject to an administrative sanction regardless of such circumstances as, e.g. identification of the perpetrators of the crime in criminal proceedings conducted independently of the administrative proceedings, - the possibility of determining the technical methods of operation of the hackers - a circumstance confirmed by other evidence, including: in the minutes of the receipt of oral explanations with the participation of P. K. in the course of the authority’s inspection activities, as well as in the Company’s post-inspection written explanations (confirmed by the Company that ransomware was used in the attack); - organised and specialist action by the perpetrators of the hacker attack – a circumstance irrelevant to the case due to the identified infringements of the provisions of Regulation 2016/679, which in themselves are the subject of resolution in the decision, regardless of their impact on the course of the personal data protection breach; for the reasons indicated above, the outcome of the criminal proceedings has no impact on the administrative proceedings concerning the infringement of the provisions of Regulation 2016/679; - actions taken by the Company to minimise the effects of the hacker attack – a circumstance confirmed by other evidence, including, in the minutes of the oral explanations with the participation of P. K. during the inspection activities of the authority, as well as in the post-inspection, written explanations of the Company,
2) evidence from the hearing of the witness, Mr. J. B., currently employed in the Company as a data protection officer, regarding the circumstances: - the size of the hacker attack, the impossibility of identifying the perpetrators of the attack, the impossibility of determining the technical methods of action of the hackers, the organized and highly specialized actions of the unidentified perpetrators of the hacker attack, the actions taken by the Company to minimize the effects of the hacker attack - the evidence requested above cannot contribute to the clarification of the case due to the fact that J. B.'s testimony as a witness regarding the course of the data protection breach cannot be reliable, since at the time of his appearance he was not employed in the Company in a position that required him to perform duties related to monitoring, assessing and taking action in connection with the above. event, in the scope of data protection, and moreover, the circumstances that are to be the subject of the aforementioned evidence were confirmed by other evidence, including in the minutes of the receipt of oral explanations with the participation of P. K. during the inspection activities of the authority, as well as in the post-inspection, written explanations of the Company or the subject of the evidence is to be a circumstance that is irrelevant to the case;
3) documentary evidence, i.e. the "application to the Provincial Police Commander in K., pursuant to Art. 76a § 1 of the Code of Administrative Procedure, with a request to provide copies or with a request to provide originals of documents contained in the files of the investigation in the case with reference number (...) conducted by the Department (...), including in particular the resolution of (...) 2022 on discontinuing the investigation into an event related to the event that is the subject of these proceedings" - the subject of evidence is to be a circumstance that is irrelevant to the case due to the infringement of the provisions of Regulation 2016/679 found by the President of the Personal Data Protection Office, which in themselves are the subject of a decision, regardless of the issue of their impact on the course of the personal data protection infringement, and regardless of the ruling in this case by the competent authority on the commission or non-commitment of an unlawful act within the meaning of criminal law, because the above does not affect the assessment by the President of the Personal Data Protection Office of the actions of the Company as a controller in the light of the provisions of Regulation 2016/679; for the reasons indicated above, the outcome of the criminal proceedings has no impact on the administrative proceedings concerning the infringement of the provisions of Regulation 2016/679,
4) admission and taking of evidence pursuant to Art. 75 § 1 of the Code of Administrative Procedure from documents contained in the files of the investigation in the case with reference number (...) conducted by the Department (...), including in particular the resolution of (...) 2022 on discontinuing the investigation into the event related to the event that is the subject of these proceedings due to the following circumstances: their content, the size of the hacker attack, the inability to determine the perpetrators, the inability to determine the technical methods of action of the hackers, the organized and highly specialized actions of the unidentified perpetrators of the hacker attack, the actions taken by the Company to minimize the effects of the hacker attack - the subject of evidence are to be circumstances that are irrelevant to the case due to the violations of the provisions of Regulation 2016/679 found by the supervisory authority, which are themselves the subject of the ruling in the decision, regardless of the issue of their impact on the course of the personal data protection violation, and regardless of the content of the ruling issued in this case by the competent authority regarding the commission or non-commitment of an act prohibited under criminal law, as such a ruling does not affect the assessment of the Company's actions as a controller in light of the provisions of Regulation 2016/679, made by the President of the Personal Data Protection Office; for the reasons indicated above, the outcome of the criminal proceedings does not affect the administrative proceedings concerning the infringement of the provisions of Regulation 2016/679. In addition, some of the above circumstances were confirmed by other evidence, i.e. described, among others, in the minutes of receiving oral explanations from the Company's employees during the inspection activities of the authority.
In connection with the above, it is impossible to agree with the Company's claim contained in the letter dated (...) 2023 that the issuance of this decision was based on "incomplete evidence, not allowing for a full reconstruction of the objective course of events, which would violate the principle of objective truth (Article 7 of the Code of Administrative Procedure) and the principle of citizens' trust in public authorities (Article 8 of the Code of Administrative Procedure), as well as standards of fair administrative proceedings".
Pursuant to Article 58 paragraph 2 letter i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of the measures referred to in Article 58 paragraph 2 of Regulation 2016/679, an administrative pecuniary penalty under Article 83 of Regulation 2016/679, depending on the circumstances of the specific case. Taking into account the identified violations of the provisions of Regulation 2016/679, the President of the UODO, exercising his authority specified in the aforementioned provision, found that in the case at hand there were grounds for imposing an administrative fine on the Company. In accordance with the content of Article 83 paragraph 2 of Regulation 2016/679, administrative fines are imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58 paragraph 2 letters a)-h) and letter j) of Regulation 2016/679.
According to Article 83 paragraph 4 letter a) of Regulation 2016/679, violations of the provisions shaping the obligations of the controller and the processor, referred to in Articles 8, 11, 25-39 and 42 and 43, are subject to, in accordance with paragraph 2 an administrative fine of up to EUR 10,000,000, or in the case of an undertaking – up to 2% of its total annual worldwide turnover in the previous financial year, whichever is higher.
Pursuant to Article 83 paragraph 5 letter a) of Regulation 2016/679, infringements of the provisions concerning the basic principles of processing, including the conditions for consent, referred to in Articles 5, 6, 7 and 9, shall be subject to an administrative fine of up to EUR 20,000,000, or in the case of an undertaking – up to 4% of its total annual worldwide turnover in the previous financial year, whichever is higher.
In turn, Article 83 paragraph 3 of Regulation 2016/679 provides that if the controller or processor intentionally or unintentionally infringes several provisions of Regulation 2016/679 within the same or related processing operations, the total amount of the administrative fine shall not exceed the amount of the fine for the most serious infringement.
In these proceedings, the administrative fine against the Company was imposed for infringement of Article 32 paragraphs 1 and 2 of Regulation 2016/679 on the basis of the above-mentioned Article 83 paragraph 4 letter a) of Regulation 2016/679, while for infringement of Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679 on the basis of Article 83 paragraph 5 letter a) of Regulation 2016/679. At the same time, the penalty imposed on the Company jointly for the infringement of all of the above provisions, pursuant to Article 83 paragraph 3 of Regulation 2016/679, shall not exceed the amount of the penalty for the most serious infringement identified during the proceedings, i.e. infringement of Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679, which, pursuant to Article 83 paragraph 5 letter a) of Regulation 2016/679, is subject to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise – of up to 4% of its total global turnover from the previous financial year.
When deciding to impose an administrative fine, the President of the Personal Data Protection Office – pursuant to Article 83 paragraph 2 letter a) – k) of Regulation 2016/679 – took into account the following circumstances of the case, which constitute the necessity to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a) of Regulation 2016/679). The infringement of the provisions and principles concerning the protection of personal data in connection with their processing by the Company as part of its business activity in the field of medical services without implementing adequate technical and organizational measures, including the updates of the edge device system software supported by its manufacturer (infringement of Article 32 paragraph 1 and paragraph 2 of Regulation 2016/679), is of significant importance, due to the significant scale of data processing by The Company and the type of activity it conducts, and thus the scope of processed data (special category data, including health data). It should be emphasized once again that the Company provides medical services in Poland, including in the scope of (...). This fact determines the scope of data processed by it, the disclosure of which may cause particular damage to the persons concerned. It should also be noted that the data processed by the Company constitute medical confidentiality, which also affects the need to assume a significant nature and gravity of the breach.
Moreover, the infringements of the provisions of Regulation 2016/679 identified during the inspection and then as a result of the administrative proceedings resulted in a breach of the principle of integrity and confidentiality (Article 5 paragraph 1 letter f) of Regulation 2016/679), i.e. the obligation to process personal data in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures, as well as the principle of accountability (Article 5 paragraph 2 of Regulation 2016/679), which is why they were of significant importance and serious nature due to the fact that all the above-mentioned organisational and technical measures are fundamental to ensuring the security of data processing in technical (e.g. implementation of software updates) and organisational (implementation of a detailed procedure for regular testing, measuring and assessing the effectiveness of technical and organizational measures).
The violation of personal data protection regulations found in this case, which resulted in an increased risk of third parties obtaining unauthorized access to personal data processed by the Company in the IT system, is of a serious nature and significant importance also because it creates a high risk of negative legal consequences for, among others, (...) persons whose data lost confidentiality in connection with the breach of personal data protection. The Company's failure to comply with the obligation to apply appropriate measures to secure the processed data against unauthorized disclosure entailed not only a potential but also a real possibility of their use by third parties in breach of the provisions of Regulation 2016/679 without the knowledge and against the will of the data subjects, e.g. in order to establish legal relations or incur obligations on their behalf.
In this case, there is no evidence to indicate that the persons (patients, employees of the Company) to whose data third parties gained access suffered material damage, however, the breach of the confidentiality of their data itself constitutes non-material damage (harm) for them, e.g. by violating their personal rights, such as mental well-being, the right to privacy, etc. Natural persons whose data was obtained in an unauthorized manner as a result of a breach of personal data protection may at least feel a fear of losing control over their personal data, identity theft or identity fraud, discrimination (health data) or finally - financial loss. As indicated by the District Court in Warsaw in its judgment of 6 August 2020, file reference XXV C 2596/19, the fear, i.e. loss of security, constitutes real non-material damage associated with the obligation to repair it. In turn, the Court of Justice of the EU in its judgment of 14 December 2023 in Natsionalna agentsia za prihodite (C-340/21) emphasised that "Article 82(1) of the GDPR must be interpreted as meaning that the fear of possible use by third parties in a way that constitutes a misuse of personal data, which the data subject has as a result of an infringement of that regulation, may in itself constitute 'non-material damage' within the meaning of that provision". Data processing in breach of the provisions of Regulation 2016/679 took place from the date of application of the provisions of Regulation 2016/679, i.e. from 25 May 2018, due to the content of document "(...)" drawn up on (...) 2020 and document "(...)" drawn up on (...) 2018 with an update on (...) 2019 (whereas in connection with the use of the system (...) despite the lack of technical support from the manufacturer, the infringement of the provisions took place from (...) 2020) and is still ongoing due to the failure to remove all deficiencies in the scope of the applied security measures identified during the inspection. b) the unintentional nature of the infringement (Article 83 paragraph 2 letter b of Regulation 2016/679). The Company indicated in its written explanations dated (...) 2022 that its actions were not intentional and that it had taken corrective measures to minimize the risk of recurrence. The evidence collected during the inspection and the Company's explanations contained in the aforementioned letter indicate that the Company did not knowingly use IT resources without ongoing support from their manufacturers, because the members of its management board were not aware of the above, despite the fact that the employees of the Company's IT department were. In connection with the above, it should be stated that the members of the Company's management board should have also been aware of the above, so the fact that there was no internal communication between the Company's employees and its management board is in itself an additional circumstance that aggravates the Company in this case, and does not justify its attitude and at the same time mitigates it. The above seems to indicate errors in the management of the Company, which resulted in the violations of the provisions of Regulation 2016/679 indicated in this decision. The lack of appropriate, specific procedural provisions relating to the issue of regular testing, measurement and assessment of the effectiveness of the organizational and technical measures used in the Company in order to ensure proper protection of the data processed by it could also have had a potential impact on the above factual situation. The Company was aware that in the event of allowing the processing of personal data of such a broad scope, it should ensure appropriate security of such data, including protection against unauthorized or unlawful processing, using appropriate technical and organizational measures, i.e. in such a way that such processing takes place in accordance with the principle of integrity and confidentiality expressed in art. 5 sec. 1 letter f) of Regulation 2016/679.
Knowing the nature and specificity of such processes, the Company should have excluded the possibility of a potential breach of personal data protection due to the specificity of operation of IT systems, in which human error (lack of software updates, incorrect system configuration, etc.) should always be taken into account. Despite the adopted practice of using such systems to process personal data, the Company did not conduct a proper risk analysis in the area covered by the personal data protection breach not only until it occurred, but even after it (e.g. in the scope of using outdated software). In this case, the Company should have taken into account that the adopted solutions would not ensure an adequate level of personal data security, which could lead to a breach of the provisions on the protection of personal data.
Taking into account the findings in the case that is the subject of this decision, it should be stated that the Company was not aware of the above-mentioned circumstances, and therefore did not act intentionally, but nevertheless it was negligent, resulting in a significant increase in the risk of violating the availability and confidentiality of the processed data, which is a significant circumstance that has an aggravating effect on the amount of the administrative fine.
c) any relevant previous infringements by the controller (Article 83 paragraph 2 letter e of Regulation 2016/679). When deciding on the imposition and amount of an administrative fine, the supervisory authority is obliged to take into account any previous infringements of Regulation 2016/679. The EDPB in the Guidelines 04/2022 on the calculation of administrative fines under the GDPR adopted on 24 May 2023, hereinafter referred to as Guidelines 04/2022, explicitly states: "The existence of previous infringements may be considered an aggravating factor when calculating the amount of the fine. The weight given to this factor should be determined taking into account the nature and frequency of the previous infringements. However, the absence of previous infringements cannot be considered a mitigating circumstance, since compliance with the provisions of [Regulation 2016/679] is the norm”. And although, as indicated by the aforementioned guidelines, “greater importance should be attributed to infringements concerning the same subject matter, since they are closer to the infringement that is the subject of the current proceedings, in particular where the controller or processor has previously committed the same infringement (repeated infringements)” (point 88 of the guidelines), nevertheless “all previous infringements may constitute information about the controller’s or processor’s general approach to compliance with the provisions of Regulation 2016/679”.
The supervisory authority has already found in previously issued administrative decisions that the Company has violated the provisions on the protection of personal data: 1) in the decision of (...) 2022 (reference number (...)) – infringement of Article 6 paragraph 1, Article 5 paragraph 1 letter a) and letter b) b) of Regulation 2016/679;2) in the decision of (...) 2021 (reference number (...)) – infringement of Article 5 par. 1 letter c) and Article 9 par. 1 of Regulation 2016/679;3) in the decision of (...) 2021 (reference number (...)) – infringement of Article 5 par. 1 letter c) and Article 9 par. 1 of Regulation 2016/679;4) in the decision of (...) 2021 (reference number (...)) – infringement of Article 5 par. 1 letter a) and Article 9 par. 1 of Regulation 2016/679;5) in the decision of (...) 2021 (reference number (...)) – infringement of Article 5 sec. 1 letter a) and art. 9 sec. 1 of Regulation 2016/679.
The above-mentioned previous violations of the provisions of Regulation 2016/679 indicate a generally disregarding approach of the Company to the issue of data protection, and the remedial measures previously applied to it in the above-mentioned cases, i.e. the President of the Personal Data Protection Office issuing a warning to the Company for violating the provision of art. 6 sec. 1 of Regulation 2016/679, as was the case with reference number (...), and art. 9 sec. 1 of Regulation 2016/679 (cases with reference number (...) and (...)), fully justify the imposition of a financial penalty in these proceedings, as well as its amount.
In view of the above, in the present case it should be considered that there are grounds for treating the premise of art. 83 sec. 2 let. e) of Regulation 2016/679 as an aggravating factor.
d) the degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its potential negative effects (Article 83 let. 2 let. f of Regulation 2016/679). During the inspection, the Company provided complete and specific explanations in connection with the subject of the inspection and the identified deficiencies in the provisions on the protection of personal data, and furthermore, after the inspection by the President of the Personal Data Protection Office, it took actions and measures to improve the state of protection of the data processed by it in connection with the infringements of the provisions of Regulation 2016/679 identified during the inspection. However, the corrective actions were not taken to their full extent, i.e. as of the date of this decision, the Company had not developed a procedure for testing, measuring and assessing the effectiveness of organisational and technical measures for data protection, nor had it actually performed the above activities on a regular basis. For the above reason, the degree of cooperation between the Company and the supervisory authority in order to eliminate the breach and mitigate its possible negative effects should be assessed as not fully satisfactory, and therefore constitutes a factor aggravating the Company when determining the amount of the administrative fine.
e) categories of personal data concerned by the breach (Article 83 paragraph 2 letter g of Regulation 2016/679). Among the personal data processed by the Company, in addition to the so-called ordinary data, such as: first name, last name, parents' names, date of birth, bank account number, address of residence or stay, PESEL registration number, e-mail address, username or password, data on earnings or assets held, mother's maiden name, series and number of ID card and telephone number, there were also data of special categories, i.e. concerning health, referred to in art. 9 sec. 1 of Regulation 2016/679.
In view of the above, the Company, when processing personal data of the above categories, should demonstrate at least due, special diligence in complying with the provisions of the law on the protection of personal data, because any kind of violation of confidentiality, integrity or availability of the above data is associated for their entities with particularly high risks of violating their rights or freedoms, as well as the possibility of causing them damage. The Company, underestimating some of the above risks, implementing system software updates, procedures for regular testing, measuring and assessing the effectiveness of technical and organizational measures and proper configuration of the above. systems, thus did not exercise due diligence in ensuring the security of this data.
It should be noted that the personal data processed by the Company also includes the PESEL registration number. Although it does not belong to the category of special data referred to in art. 9 sec. 1 of Regulation 2016/679, it should be emphasized that, in particular, unauthorized disclosure of the PESEL registration number together with the name and surname, which unambiguously identify a natural person, may have a real and negative impact on the protection of the rights or freedoms of that person. As indicated by the Provincial Administrative Court in Warsaw in its judgment of 1 July 2022 (ref. II SA/Wa 4143/21, Legalis No. 2760091), "[i]n the event of a breach of data such as name, surname and PESEL number, it is possible to steal or falsify the identity by obtaining loans from non-bank institutions or insurance or insurance funds by third parties to the detriment of the persons whose data have been breached, which may result in negative consequences related to an attempt to attribute responsibility for such fraud to the data subjects".
It should therefore be recognized that the PESEL registration number, i.e. an eleven-digit numeric symbol, uniquely identifying a natural person, containing, among others, date of birth and gender designation, and therefore closely related to the private sphere of a natural person and also subject, as a national identification number, to protection under Article 87 of Regulation 2016/679, is a data of a special nature and as such requires equally special protection.
As indicated in the EDPB Guidelines 04/2022 (p. 22), "As regards the requirement to include categories of personal data affected by the breach (Article 83(2)(g) of the GDPR), the GDPR clearly indicates the types of data that are subject to special protection and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Articles 9 and 10 of the GDPR and to data outside the scope of these articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g. location data, private communications data, national identification numbers or financial data such as transaction records or credit card numbers). Generally speaking, the more such categories of data are affected by the breach or the more sensitive the data is, the more weight the supervisory authority may give to this factor."
When deciding to impose an administrative fine, the President of the Personal Data Protection Office took into account the following circumstances of the case, which have a mitigating effect on the amount of the administrative fine imposed:
a) actions taken by the controller to minimise the damage suffered by the data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679). In accordance with the content of the supplementary notification of a data protection breach, which was received by the President of the Personal Data Protection Office on (…) 2021, data subjects whose personal data were clearly identified as being covered by this breach received notifications indicating possible risks related to this breach and suggested remedies. In relation to persons whose PESEL number and ID card were confirmed to have been disclosed, the controller offered to pay for BIK reporting. The Company sent three types of notifications to data subjects – a notification to the patient, a notification to the employee and notifications to the employee also including a notification of the disclosure of the ID card number. The Company's employees received a message reminding them of their obligations in the scope of protected information, including the protection of personal data.
The above actions of the Company should be assessed as appropriate and proportionate to the degree of non-material damage (harm) caused to the data subjects, therefore they should have been assessed positively and taken into account when estimating the amount of the administrative fine imposed.
The other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the UODO to be neutral in his opinion, i.e. having neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed.
a) the degree of responsibility of the controller, taking into account the technical and organisational measures implemented by it under Articles 25 and 32 (Article 83 paragraph 2 letter d of Regulation 2016/679). Some of the technical and organisational measures to protect personal data processed by the Company were insufficient and not implemented (primarily errors in the risk analyses conducted, IT equipment configuration errors, lack of system software updates and lack of procedures for testing, measuring and assessing the effectiveness of technical and organisational measures). For the above reason, the degree of responsibility of the Company for the existing factual situation is high. The Company was aware of the need, e.g. to update the system software. The above should also be referred to the issue of underestimating certain risks, lack of procedures for testing, measuring and assessing technical and organisational measures, as well as lack of proper configuration of the above systems. In this case, it is impossible to attribute liability for the breaches of the provisions of Regulation 2016/679 to entities other than the Company or to assume force majeure.
As indicated by the Article 29 Working Party (Guidelines on the application and setting of administrative pecuniary penalties for the purposes of Regulation No. 2016/679 adopted on 3 October 2017, 17/PL, WP 253, hereinafter referred to as the "WP 253 Guidelines"), when considering the above-mentioned premise, "the supervisory authority must answer the question to what extent the controller "did everything that could be expected", taking into account the nature, purposes or scope of the processing and in the light of the obligations imposed on it by the Regulation".
In this case, the supervisory authority found that the Company had violated the provisions of Article 32 paragraphs 1 and 2 of Regulation 2016/679. In his opinion, the Company bears a high degree of responsibility for failing to implement appropriate technical and organizational measures that could prevent a breach of personal data protection. It is therefore obvious that, in the context of the nature, purpose and scope of personal data processing under consideration, the Company did not do everything that could be expected, thereby failing to comply with the obligations imposed on it under Article 32 of Regulation 2016/679.
In this case, however, this circumstance constitutes the essence of the infringement itself – and is not merely a factor influencing – in an aggravating or mitigating manner – its assessment. For this reason, the lack of appropriate technical and organizational measures referred to in Article 32 of Regulation 2016/679 cannot be considered in this case as a circumstance that could additionally affect the assessment of the infringement and the amount of the administrative fine imposed on the Company.
(b) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller reported the breach (Article 83 paragraph 2 letter h of Regulation 2016/679). The President of the Personal Data Protection Office found that the Company had infringed the provisions on personal data protection as a result of the notification of a personal data breach made by the Company and the inspection carried out. By making the notification, the Company fulfilled its legal obligation, therefore there is no basis to consider that this fact constitutes a mitigating circumstance. As indicated by the EDPB in Guidelines 04/2022 (p. 32), "Pursuant to Article 83 paragraph 2 letter h), the manner in which the supervisory authority became aware of the breach may constitute a significant aggravating or mitigating factor. When assessing this aspect, particular weight may be given to the question of whether the controller or processor notified the breach on its own initiative, and if so, to what extent, before the supervisory authority was informed of the breach by way of, for example, a complaint or investigation. This circumstance is irrelevant where the controller is subject to specific obligations to notify breaches (such as the obligation to notify a personal data breach under Article 33). In such cases, the fact that a notification was made should be considered a neutral circumstance.”
c) if the controller concerned had previously been subject to measures referred to in Article 58 paragraph 2 in the same case – compliance with those measures (Article 83 paragraph 2 letter i of Regulation 2016/679). Before issuing this decision, the President of the UODO did not apply any measures referred to in Article 58 paragraph 2 to the Company in the case at issue. 2 of Regulation 2016/679, and therefore the Company was not obliged to take any action related to their application, and which actions, assessed by the supervisory authority, could have an aggravating or mitigating effect on the assessment of the established infringement.
d) application of approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83 paragraph 2 letter j of Regulation 2016/679). As at the date of the decision, the Company did not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in the provisions of Regulation 2016/679 - mandatory for controllers, and therefore the circumstance of their non-application cannot be considered to the detriment of the Company in this case. On the other hand, the circumstance of adopting and applying such instruments could be taken into account in its favour, as means of guaranteeing a higher than standard level of protection of personal data processing.
e) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly in connection with the infringement or avoided loss (Article 83 paragraph 2 letter k of Regulation 2016/679). The President of the UODO did not find that the Company gained any financial benefits or avoided such losses in connection with the infringement. Therefore, there is no basis for treating this circumstance as aggravating the Company. The finding of the existence of measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed decidedly negatively. The failure of the Company to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that cannot be mitigating for the Company by its nature. This interpretation is confirmed by the very wording of the provision of Article 83 paragraph 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - incurred by the entity committing the infringement.
The President of the UODO, comprehensively considering the case in question, did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the imposed administrative fine.
In particular, in response to the Company's letter dated (...) 2022, in which it argued that, similarly to case reference (...), the personal data protection breach occurred during the COVID-19 pandemic, i.e. in the conditions of the involvement of the Company's staff in activities aimed at counteracting its effects, which constitutes a mitigating circumstance in this case, it should be noted that it is impossible to agree with the above view of the Company. The circumstance of a personal data breach during the COVID-19 pandemic does not constitute a mitigating circumstance in this case, because the negligence on the part of the Company, which constituted a breach of the provisions of Regulation 2016/679, found by the President of the Personal Data Protection Office, had no connection with the aforementioned pandemic, and the state of infringement existed before its commencement. Therefore, the pandemic circumstances could not have had an impact on all of the Company's omissions in the field of personal data security. The significant involvement of the Company's IT services in various activities related to the outbreak of the pandemic is therefore not an excuse due to the irregularities found, which occurred both before and during the pandemic. Taking into account all of the circumstances discussed above, the President of the Personal Data Protection Office considered that the imposition of an administrative fine on the Company is necessary and justified by the gravity, nature and scope of the violations alleged against the Company. It should be stated that the application of any other remedy to the Company provided for in Article 58 sec. 2 of Regulation 2016/679, in particular, limiting it to a warning (Art. 58 sec. 2 letter b) of Regulation 2016/679), would not be proportionate to the irregularities found in the process of processing personal data and would not guarantee that the Company will not commit further negligence in the future.
Referring to the amount of the administrative fine imposed on the Company, it should be noted that in the established circumstances of this case, in view of the finding of a violation of several provisions of Regulation 2016/679, i.e. the principle of data integrity and confidentiality, expressed in Art. 5 sec. 1 letter f) of Regulation 2016/679, and reflected in the form of the obligations specified in Art. 32 sec. 1 and 2 of Regulation 2016/679, and consequently also Art. 5 sec. 2 of Regulation 2016/679, regulating the principle of accountability, Article 83 paragraph 4 letter a and paragraph 5 letter a) of Regulation 2016/679 shall apply.
Pursuant to the content of Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the Act of 10 May 2018, the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679, is calculated in złoty at the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of 28 January each year, and in the event that in a given year the National Bank of Poland does not announce the average euro exchange rate on 28 January – at the average euro exchange rate announced in the National Bank of Poland's exchange rate table closest after that date. In 2024, the average euro exchange rate was announced by the National Bank of Poland as of 29 January 2024 at EUR 1 = 4.3653.
Taking the above into account, the President of the UODO, on the basis of Article 83 paragraph 3 and Article 83 paragraph 5 letter a) of Regulation 2016/679 in conjunction with Article 103 of the Personal Data Protection Act, for the violations described in the operative part of this decision, imposed on the Company – using the average euro exchange rate announced by the National Bank of Poland on 29 January 2024 (1 EUR = 4.3653 PLN) – an administrative fine in the amount of PLN 1,440,549.00 (in words: one million four hundred forty thousand five hundred forty-nine zlotys), which is the equivalent of EUR 330,000 (in words: three hundred thirty thousand euros).
It is necessary to indicate that when determining the amount of the administrative fine in this case, the President of the UODO applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022. In accordance with the guidelines presented in this document:
1. The President of the Personal Data Protection Office has categorized the violations of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The provisions of Regulation 2016/679 violated by the Company include the provisions of Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679 specifying the basic principles of processing. Infringements of these provisions belong – in accordance with Article 83 paragraph 5 letter a) of Regulation 2016/679 – to the category of violations punishable by the higher of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 20,000,000 or up to 4% of the total annual turnover of the enterprise in the previous financial year). They are therefore in abstracto more serious than other infringements (indicated in Article 83(4) of Regulation 2016/679).
2. The President of the UODO assessed the infringements found in this case (in particular the infringement of the basic principles of processing) as infringements of medium level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, the premises listed in Article 83 paragraph 2 of Regulation 2016/679 that concern the subject of the infringements (constitute the "seriousness" of the infringement) were taken into account, i.e.: the nature, gravity and duration of the infringements (Article 83 paragraph 2 letter a) of Regulation 2016/679), the intentional or unintentional nature of the infringements (Article 83 paragraph 2 letter b) of Regulation 2016/679) and the categories of personal data concerned by the infringements (Article 83 paragraph 2 letter g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. It should be noted that considering their combined impact on the assessment of the infringement found in this case, considered as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is medium. The consequence of this is the adoption – as the starting amount for calculating the penalty – of a value within the range of 10% to 20% of the maximum amount of the penalty that may be imposed on the Company, i.e. – taking into account the limit specified in Article 83 paragraph 5 of Regulation 2016/679 – from EUR 2,000,000 to EUR 4,000,000 (see Subchapter 4.2.4 of Guidelines 04/2022). The President of the UODO considered the starting amount of EUR 3,000,000 (equivalent to PLN 13,095,900) to be adequate and justified by the circumstances of this case.
3. The President of the UODO adjusted the starting amount, corresponding to the average seriousness of the identified infringement, to the Company's turnover as a measure of its size and economic power (see Chapter 4.3 of the Guidelines 04/2022). In accordance with the Guidelines 04/2022, in the case of companies with an annual turnover of up to EUR 100-250 million, the supervisory authority may consider making further calculations of the amount of the fine based on a value within the range of 15% to 50% of the starting amount. Considering that the Company's turnover (revenue) in 2022 amounted to PLN (…),-, i.e. approx. EUR (…) (at the average EUR exchange rate of 29 January 2024), the President of the Personal Data Protection Office considered it appropriate to adjust the amount of the penalty to be calculated to the value corresponding to 20% of the starting amount, i.e. to EUR 600,000 (equivalent to PLN 2,619,180).
4. The President of the Personal Data Protection Office assessed the impact on the established infringement of the remaining circumstances (apart from those included above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to the subjective side of the infringement, i.e. to the entity itself that is the perpetrator of the infringement and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The premises (from Article 83 paragraph 2 letters d), e), h), i), j), k) of Regulation 2016/679) – as indicated above – did not have an impact, neither mitigating nor aggravating, on the assessment of the infringement and, consequently, on the amount of the penalty.
5. The President of the UODO stated that the amount of the administrative fine determined in the manner presented above does not exceed – in accordance with Article 83 paragraph 3 Regulation 2016/679 – the legally defined maximum amount of the fine provided for the most serious infringement (see Chapter 6 of Guidelines 04/2022). As indicated above, the most serious infringement in this case is the infringement of Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679, punishable by an administrative fine of up to EUR 20 000 000, and in the case of an undertaking - of up to 4% of its total annual worldwide turnover in the previous financial year, whichever is higher. The President of the UODO determined that the "dynamic maximum amount" for this infringement and for this perpetrator of the infringement expressed as a percentage (…%) of its turnover would amount to EUR (…), therefore, in this case – as higher – the "static maximum amount" should be applied, amounting to EUR 20,000,000 for the infringement in question. The above amount of EUR 600,000 clearly does not exceed EUR 20,000,000.
6. Despite the fact that the amount of the penalty determined in accordance with the above principles does not exceed the legally specified maximum penalty, the President of the UODO considered that it requires additional correction due to the principle of proportionality listed in Article 83 paragraph 1 of Regulation 2016/679 as one of the three directives on the assessment of the penalty (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of EUR 600,000 would be an effective penalty (due to its severity, it would achieve its repressive purpose, which is to punish unlawful conduct) and a deterrent penalty (effectively discouraging both the Company and other controllers from committing future infringements of the provisions of Regulation 2016/679). However, in the opinion of the President of the Personal Data Protection Office, such a penalty would be disproportionate due to its excessive severity. The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see point 137 and point 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...]; Commentary to art. 83 [in:] P. Litwiński (ed.) General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary). Therefore, taking into account the proportionality of the penalty, the President of the Personal Data Protection Office further reduced the amount of the penalty - to 55% of the amount obtained after taking into account aggravating and mitigating circumstances (see point 4 above), i.e. to EUR 330,000 (equivalent to PLN 1,440,549.00). In his assessment, such a determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is a threshold above which further increases in the amount of the fine will not increase its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the fine could be at the expense of its effectiveness and deterrent nature, as well as the coherent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities on the internal market of the EU and the EEA.
The deterrent nature of the administrative fine is related to preventing future infringements of the provisions of Regulation 2016/679 and attaching greater importance to the performance of the Company's tasks as a data controller. The penalty is to deter both the Company from repeating the infringement and other entities involved in data processing. When imposing this decision on an administrative fine for violating the provisions on personal data protection, the President of the Personal Data Protection Office took into account both aspects: firstly – the repressive nature (the Company violated the provisions of Regulation 2016/679), secondly – the preventive nature (both the Company and other entities involved in the processing of personal data will be more attentive and diligent in fulfilling their obligations under Regulation 2016/679). In other words, in the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function, as it will constitute a response to the Company's violation of the provisions of Regulation 2016/679, but also a preventive function, as the Company itself will be effectively discouraged from violating the provisions on personal data protection in this way in the future. The purpose of the imposed penalty is to oblige the Company to properly perform the obligations arising from Regulation 2016/679 and, consequently, to conduct data processing in accordance with applicable legal provisions. It should be emphasized that the penalty will be effective if its imposition leads to the Company adapting its data processing processes to a state consistent with the law. The application of an administrative fine in this case is also necessary considering that the Company processed the data of its patients (in particular health data) without properly conducting a risk analysis, without updating the system software, without implementing appropriate procedures for testing, measuring and assessing technical and organizational measures, as well as proper configuration of the above-mentioned systems.
The applied administrative fine, as shown above, is also proportionate to the identified violation, including in particular its gravity, effect, the circle of natural persons affected by it and the high risk of negative consequences that they may suffer in connection with the violation. In the opinion of the President of the UODO, the administrative fine imposed on the Company will not constitute an excessive burden for it. The amount of the fine was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of breach of obligations by the Company, without, on the other hand, causing a situation in which the need to pay it will entail negative consequences in the form of a significant deterioration of the Company's financial situation. According to the President of the UODO, the Company should - and is able - to bear the consequences of its negligence in the area of data protection, and therefore he considers the imposition of a fine of PLN 1,440,549.00 (in words: one million four hundred forty thousand five hundred forty-nine zlotys) to be fully justified.
In the opinion of the President of the UODO, the administrative fine applied fulfils, in the established circumstances of this case, the functions referred to in Article 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case. In connection with the above, it should be indicated that the administrative fine of PLN 1,440,549.00 meets the conditions referred to in Article 83 paragraph 1 of Regulation 2016/679 due to the seriousness of the established breach in the context of the fundamental principles of Regulation 2016/679 – the principle of confidentiality and integrity and the principle of accountability.
In this factual and legal situation, the President of the Personal Data Protection Office decided as in the verdict.
[1] Standard PN-EN ISO/IEC 27002 Chapter 12.5.1 letter a) "Installation of software in production systems".
[2] European Data Protection Board Guidelines 01/2021 on examples of personal data breach reporting adopted on 14 December 2021, version 2.0., chapter 2.5 "Organizational and technical measures to prevent and mitigate the effects of ransomware attacks".
[3] Source: publications of The National Cyber Security Centre, information on the gov.pl website, NIST Digital Identity Guidelines materials published by the FBI as part of the Protected Voices campaign and CERT Polska.
