UODO (Poland) - DKN.5131.31.2022

From GDPRhub

Latest revision as of 10:51, 22 January 2024

UODO - DKN.5131.31.2022
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 25(1) GDPR
Article 32(1) GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 5,400 EUR
Parties: n/a
National Case Number/Name: DKN.5131.31.2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: DKN.5131.31.2022 (in PL)
Initial Contributor: sh

The Polish DPA (UODO) fined the Disciplinary Ombudsman of the Bar Association in X. (Poland) €5,400 (PLN 23,580) after an unencrypted flash drive containing a recording of a divorce hearing was lost. The controller had underestimated the risk of processing personal data on external data carriers and had never verified that its own security procedures were being followed.

English Summary

Facts

The Disciplinary Ombudsman of the Bar Association in X. (the controller) self-reported a data breach to the Polish DPA: a flash drive had gone missing. It contained a recording of a divorce hearing with the personal data of eight people, namely their names and surnames, details of their family life and relationships, and suspicions of marital infidelity.

The controller confirmed that neither the flash drive nor the recording file on it was encrypted, although its own breach notification form listed "encryption, password protection of files containing personal data" among the controller's security procedures. The controller did, however, have an internal GDPR policy and procedures (such as a procedure for reporting personal data breaches) and an instruction on data carrier security. In January 2021 a risk assessment had been conducted for the processing of personal data on external data carriers; it covered the risk of destruction, theft and loss of the carriers. A repeat of the risk assessment was scheduled for June 2022. The controller submitted these documents to the DPA as evidence of its technical and organisational measures.

In connection with the reported breach and the controller's explanations, the DPA launched an ex officio investigation. During the investigation the DPA had to ask the controller for documents several times, as the evidence submitted for its technical and organisational measures did not always match what the controller claimed (for example, a post-breach risk analysis described as attached had not in fact been attached).

Holding

The Polish DPA fined the controller €5,400 for infringements of Articles 5(1)(f) and 5(2) GDPR as well as Article 25(1) and Article 32(1) and (2) GDPR, and ordered it to implement, within six months, risk-based measures for processing on external data carriers and a process for regularly testing the effectiveness of its security measures.

First, the controller did not ensure adequate security of the data or protect it against accidental loss. Its risk assessment and procedures focused only on limiting the consequences of losing the data (availability) and contained no measures against a breach of confidentiality: for example, the controller had procedures for backing up personal data but none addressing unauthorised third-party access to it, such as encryption. Article 5(1)(f) GDPR was therefore held to have been breached.

Second, the controller failed to demonstrate accountability for the processing. It provided no written evidence that it monitored compliance with its internal security procedures, but merely declared to the DPA that the procedures existed. The DPA considered this insufficient and held that Article 5(2) GDPR had been breached.

Third, although the controller had procedures for the safe shipment of data carriers, its employees did not follow them when the flash drive was transported. The controller did not check whether employees had read the procedures or complied with them. It therefore did not integrate the necessary safeguards into the processing and was held to have breached Article 25(1) GDPR.

Lastly, to determine whether Article 32(1) GDPR had been breached, the DPA applied a two-step test: first, whether the controller had correctly identified the level of risk involved in the processing; and second, whether it had then implemented technical and organisational measures appropriate to that risk.

1) Given the sensitivity of the data, the level of risk should have been assessed as high. The DPA regarded the loss of the flash drive as the materialisation of a risk that the controller had underestimated, namely an unauthorised third party gaining access to the data, and found the controller's risk analysis flawed and incomplete: the controller had rated the risk for this category of processing as "1", meaning "acceptable risk, requiring no further action".

2) The controller should therefore have implemented stronger technical and organisational measures to match the higher level of risk. For example, it should have monitored threats continuously rather than implementing measures once and never re-testing them. The DPA also noted that the controller's data back-ups protected it against the consequences of losing the data but did nothing to prevent third parties from accessing it. For these reasons, the DPA held that the controller had breached Article 32(1) GDPR.
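The DPA's point in the holding above is that a one-off risk rating is worthless without a recurring check that the measures it calls for (here, encryption of external data carriers) are actually in place. The script below is added here as an illustration; it is not part of the decision or of the controller's documents. It reads the first sector of a removable carrier's block device or image and reports whether a full-volume encryption signature (LUKS or BitLocker) is present, or whether a plain FAT/NTFS/exFAT filesystem sits unprotected on the device. The carrier names, the `CarrierReport` type and the constructed sample sectors are assumptions made for the example.

```python
"""Audit removable data carriers for volume-level encryption.

Added example for this page, not part of the UODO decision or the controller's
procedures. It recognises the on-disk signatures of LUKS (Linux) and BitLocker
(Windows) and treats any plain filesystem, or anything unrecognised, as
non-compliant until a human verifies it (fail closed).
"""
from __future__ import annotations

import struct
import sys
from dataclasses import dataclass

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"      # LUKS1/LUKS2 primary header, offset 0
BITLOCKER_OEM = b"-FVE-FS-"       # BitLocker volume boot record, OEM ID at offset 3
NTFS_OEM = b"NTFS    "            # offset 3
EXFAT_OEM = b"EXFAT   "           # offset 3
FAT32_TYPE = b"FAT32   "          # BPB filesystem type string, offset 82
FAT16_TYPE = b"FAT16   "          # offset 54
FAT12_TYPE = b"FAT12   "          # offset 54


@dataclass(frozen=True)
class CarrierReport:
    encrypted: bool
    scheme: str
    detail: str


def classify_header(header: bytes) -> CarrierReport:
    """Classify the first sector of a volume. Raises if fewer than 512 bytes were read."""
    if len(header) < SECTOR:
        raise ValueError(f"need {SECTOR} bytes, got {len(header)}")
    if header[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", header[6:8])[0]   # big-endian version field
        return CarrierReport(True, f"LUKS{version}", "LUKS header present")
    if header[3:11] == BITLOCKER_OEM:
        return CarrierReport(True, "BitLocker", "BitLocker volume boot record present")
    if header[3:11] == NTFS_OEM:
        return CarrierReport(False, "NTFS", "plain NTFS volume without encryption signature")
    if header[3:11] == EXFAT_OEM:
        return CarrierReport(False, "exFAT", "plain exFAT volume without encryption signature")
    if header[82:90] == FAT32_TYPE:
        return CarrierReport(False, "FAT32", "plain FAT32 volume without encryption signature")
    if header[54:62] in (FAT12_TYPE, FAT16_TYPE):
        return CarrierReport(False, header[54:59].decode("ascii"),
                             "plain FAT volume without encryption signature")
    # Headerless containers (e.g. VeraCrypt) and blank media both land here:
    # report "not verified" rather than assume the best.
    return CarrierReport(False, "unknown", "no recognised signature; verify manually before release")


def check_carrier(path: str) -> CarrierReport:
    """Read the first sector of a block device or image (e.g. /dev/sdb1) and classify it."""
    with open(path, "rb") as device:
        return classify_header(device.read(SECTOR))


def noncompliant(reports: dict[str, CarrierReport]) -> list[str]:
    """Names of carriers that must not leave the office as they are."""
    return sorted(name for name, report in reports.items() if not report.encrypted)


# Constructed sample sectors standing in for real devices (assumption for the example).
def make_luks_header(version: int = 2) -> bytes:
    sector = bytearray(SECTOR)
    sector[0:6] = LUKS_MAGIC
    sector[6:8] = struct.pack(">H", version)
    return bytes(sector)


def make_vbr(oem_id: bytes) -> bytes:
    """Volume boot record: x86 jump, 8-byte OEM ID, 0x55AA boot signature."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x58\x90"
    sector[3:11] = oem_id
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def make_fat32_vbr() -> bytes:
    sector = bytearray(make_vbr(b"MSWIN4.1"))
    sector[82:90] = FAT32_TYPE
    return bytes(sector)


def demo_audit() -> dict[str, CarrierReport]:
    """Audit a constructed set of carriers; only 'usb-a' and 'usb-c' pass."""
    return {
        "usb-a": classify_header(make_luks_header(2)),
        "usb-b": classify_header(make_fat32_vbr()),           # like the lost pendrive
        "usb-c": classify_header(make_vbr(BITLOCKER_OEM)),
        "usb-d": classify_header(bytes(SECTOR)),              # blank or headerless
    }


if __name__ == "__main__":
    reports = demo_audit() if len(sys.argv) == 1 else {p: check_carrier(p) for p in sys.argv[1:]}
    for name, report in reports.items():
        status = "OK  " if report.encrypted else "FAIL"
        print(f"{name}: {status} {report.scheme}: {report.detail}")
    sys.exit(1 if noncompliant(reports) else 0)
```

Run without arguments to see the constructed audit, or with device paths (reading /dev/sdX needs root). Two caveats a practitioner should keep in mind: a LUKS or BitLocker header only proves the volume is encrypted, not that the passphrase is strong or that the recovery key is not travelling with the drive; and file-level protection inside a plain filesystem (a password-protected archive, for instance) is not detected and shows as FAIL, which is the intended fail-closed default for a release check rather than a bug.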

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Based on Art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2022, item 2000, as amended) in connection with Art. 7, Art. 60, Art. 101 and Art. 103 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and Art. 57(1)(a) and (h), Art. 58(2)(d) and (i), Art. 83(1) to (3), Art. 83(4)(a) in connection with Art. 24(1), Art. 25(1) and Art. 32(1) and (2), as well as Art. 83(5)(a) in connection with Art. 5(1)(f) and Art. 5(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04/05/2016, p. 1, OJ EU L 127 of 23/05/2018, p. 2 and OJ EU L 74 of 4/03/2021, p. 35), after conducting administrative proceedings initiated ex officio regarding the processing of personal data by the Disciplinary Ombudsman of the Bar Association in X. (X., ul. (...)), the President of the Personal Data Protection Office,

finding that the Disciplinary Ombudsman of the Bar Association in X. (X., ul. (...)) violated the provisions of Art. 5(1)(f), Art. 5(2), Art. 24(1), Art. 25(1) and Art. 32(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04/05/2016, p. 1, OJ L 127 of 23/05/2018, p. 2 and OJ L 74 of 4/03/2021, p. 35), hereinafter referred to as "Regulation 2016/679", consisting in the failure of the Disciplinary Ombudsman of the Bar Association in X. to implement:

a) appropriate technical and organisational measures ensuring a level of security corresponding to the risk of processing data using external data carriers, in order to protect the personal data stored on them, including protection against accidental loss, destruction or damage and against disclosure to unauthorised persons;

b) appropriate technical and organisational measures to ensure regular testing, measuring and assessing of the effectiveness of the technical and organisational measures ensuring the security of processing, which resulted in a breach of the principle of confidentiality and the principle of accountability;

1. imposes on the Disciplinary Ombudsman of the Bar Association in X. (X., ul. (...)), for violating Art. 5(1)(f), Art. 5(2), Art. 25(1) and Art. 32(1) and (2) of Regulation 2016/679, an administrative fine of PLN 23,580 (in words: twenty-three thousand five hundred and eighty zlotys);

2. orders the Disciplinary Ombudsman of the Bar Association in X. (X., ul. (...)) to bring its processing operations into compliance with Regulation 2016/679 by:

a) implementing appropriate technical and organisational measures to minimise the risk associated with the processing of personal data using external data carriers, in particular the risk arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data transmitted, stored or otherwise processed using external data carriers, after carrying out a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing and the risk to the rights and freedoms of natural persons, including the risks related to processing personal data on external data carriers, with regard to theft and loss of those carriers;

b) implementing appropriate technical and organisational measures to ensure regular testing, measuring and assessing of the effectiveness of the technical and organisational measures ensuring the security of processing;

within 6 months from the date of delivery of this decision.

Justification

The Disciplinary Ombudsman of the Bar Association in X. (X., ul. (...)), hereinafter also referred to as the Administrator, on (...) June 2021 reported a personal data protection breach to the President of the Personal Data Protection Office (hereinafter also referred to as the "President of the Personal Data Protection Office"), which was registered under reference number (...). In the breach notification, the Administrator indicated that on (...) May 2021 the defence counsel of the accused in the disciplinary proceedings conducted before the Disciplinary Ombudsman of the Bar Association in X. found that an attachment in the form of an external data carrier (pendrive) was missing. The carrier contained a recording of a divorce hearing with the personal data of 8 persons, including first name, surname, details of family life, the parties' relationships and suspicions of marital infidelity.

In connection with the above-mentioned breach notification, in a letter of (...) March 2022 the President of the Personal Data Protection Office asked the Administrator to provide additional explanations as to whether the external data carrier (pendrive) that was the subject of the breach had been encrypted in accordance with the Administrator's procedures referred to in point 9A of the breach notification form of (...) June 2021, i.e. "encryption, password protection of files containing personal data". In its reply of (...) March 2022, the Administrator indicated that the carrier in question was not encrypted.

On (...) April 2022, the President of the Personal Data Protection Office asked the Administrator for:

an indication of whether, before the breach, the Administrator had implemented a procedure for managing external data carriers, covering their security and the steps to take in the event of destruction or theft;

an indication of the technical and organisational security measures previously used to secure external data carriers;

an indication of whether a risk analysis had been carried out for the processing of personal data via external data carriers;

an indication of whether the recording file located on the lost external data carrier had been secured (e.g. with a password or an encryption mechanism), given that the carrier itself did not have appropriate security measures.

In response to the above request, the Administrator, in a letter of (...) April 2022, stated that:

The Disciplinary Ombudsman, as a body of the Bar Association, shares IT infrastructure with the District Bar Council in X. In this respect, the Instruction (...) adopted by the Administrator on (...) August 2019 (i.e. implemented before the incident), which sets out the principles of data carrier security, applies. In addition, the Administrator has implemented a Policy (...) specifying the principles of personal data protection under Regulation 2016/679, together with procedures such as the procedure for reporting personal data protection breaches.

A risk assessment was carried out in connection with the processing of personal data on external data carriers. The Administrator indicated (...) January 2021 as the date on which it was performed. The Administrator attached the Procedure (...) to this letter, together with the results of the assessment carried out before processing. The analysis takes into account the risk of destruction, theft and loss of the data carriers on which processing takes place. The Administrator further indicated that the risk assessment for the processing of personal data was scheduled to be repeated in June 2022. A risk analysis was also carried out in connection with the breach but, contrary to the information in the letter, it was not attached to the correspondence.

Neither the file on the lost carrier nor the carrier itself was encrypted.

At the same time, referring to the question about securing the external data carrier holding the video file with the recording of the divorce hearing, the Administrator noted that the carrier belonged to the defence counsel of the accused in the proceedings conducted before the Disciplinary Ombudsman of the Bar Association in X. The carrier had been delivered to the Office of the Disciplinary Ombudsman of the Bar Association in X. in order to provide access to the recording of the hearing, which had been supplied by one of the persons participating in the hearing.

In connection with the reported personal data protection breach and the explanations provided by the Administrator in the above-mentioned letters, on (...) May 2022 the President of the Office for Personal Data Protection initiated ex officio administrative proceedings regarding a possible violation by the Disciplinary Ombudsman of the Bar Association in X., as the data controller, of the obligations arising from Art. 5(1)(f), Art. 5(2), Art. 24(1), Art. 25(1) and Art. 32(1) and (2) of Regulation 2016/679, in connection with a breach of the protection of the personal data of the persons whose data was included in the recording of the divorce hearing placed on the lost external data carrier (letter reference number DKN.5131.31.2022).

At the same time, because the Administrator had failed to attach all attachments to the letter of (...) April 2022, on (...) June 2022 the President of the Personal Data Protection Office asked for the missing documents, namely the Instruction (...) adopted by the Administrator on (...) August 2019 and the risk analysis conducted in connection with the breach. On (...) June 2022, the Administrator submitted the requested documents to the Office.

Moreover, in connection with the information in the Administrator's letter of (...) April 2022 about the planned repeat of the risk analysis for the processing of personal data, on (...) August 2022 the supervisory authority asked the Disciplinary Ombudsman of the Bar Association in X. to provide the results of that analysis, and in a letter of (...) January 2023 asked for information on whether the Administrator had verified its employees' compliance with the procedures contained in the Instruction (...) (including those on the shipment of data carriers), with an indication of how and when the last such verification had been carried out before the personal data protection breach occurred, and whether the effectiveness of these procedures had been verified as part of regular testing of the adopted technical and organisational security measures. The Administrator provided the analysis in question as an attachment to its letter of (...) October 2022. In turn, in its letter of (...) January 2023, it stated that "(...) the last verification of employees' compliance with the procedures contained in the Instruction (...), including the shipment of data carriers, before the personal data protection breach in question took place during a regular check scheduled for (...) January 2021 on the basis of the risk analysis procedure, in particular section (...) (attached in full to the letter of (...) April 2022 and to the letter of (...) June 2022)".

In this factual situation, after reviewing all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:

Pursuant to Art. 39 point 3a) of the Act of May 26, 1982, Law on the Bar (Journal of Laws of 2022, item 1184, as amended), the disciplinary ombudsman is a body of the bar association. Pursuant to Art. 51a(1) of the Law on the Bar, the scope of activities of the disciplinary ombudsman includes activities in disciplinary proceedings specified in the Act and in the regulations issued on its basis. On the basis of Art. 58 point 5a and point 12 letter i) of the Law on the Bar, the Supreme Bar Council, by resolution No. 50/2018 of November 24, 2018, adopted the Regulations on the operation of disciplinary ombudsmen and deputy disciplinary ombudsmen, and on the procedure and manner of their selection. Pursuant to § 4(1) of those regulations, the scope of activities of the disciplinary ombudsman of a Bar Association includes procedural activities in disciplinary proceedings in matters relating to members of the Bar Chamber that elected him, with the exception of matters falling within the scope of activities of the Disciplinary Ombudsman of the Bar and matters taken over by the Disciplinary Ombudsman of the Bar or transferred to him for conduct. Pursuant to § 11(1) of those regulations, the disciplinary ombudsman conducts proceedings ex officio. In turn, pursuant to § 41(1) of those regulations, the disciplinary ombudsman runs an office financed by the relevant bar council. In accordance with § 41(2)(a) of those regulations, the files of disciplinary investigations are kept in the office of the disciplinary ombudsman. In view of the above provisions, the Disciplinary Ombudsman of the Bar Association in X. must be regarded as the controller, within the meaning of Art. 4(7) of Regulation 2016/679, of the data processed in connection with the disciplinary proceedings he conducts.

Pursuant to Art. 34 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as the Act of 10 May 2018, the President of the Personal Data Protection Office is the authority competent for data protection and the supervisory authority within the meaning of Regulation 2016/679. Pursuant to Art. 57(1)(a) and (h) of Regulation 2016/679, without prejudice to other tasks set out under that Regulation, each supervisory authority shall, on its territory, monitor and enforce the application of the Regulation and investigate infringements of the Regulation, including on the basis of information received from another supervisory authority or other public authority.

Article 5 of Regulation 2016/679 sets out the principles regarding the processing of personal data that must be respected by all controllers, i.e. entities that, alone or jointly with others, determine the purposes and means of processing personal data. Pursuant to Art. 5(1)(f) of Regulation 2016/679, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality"). Pursuant to Art. 5(2) of Regulation 2016/679, the controller is responsible for compliance with paragraph 1 and must be able to demonstrate compliance with it ("accountability"). The principle of confidentiality referred to in Art. 5(1)(f) of Regulation 2016/679 is given concrete form by further provisions of the Regulation, including Art. 24(1), which states that, taking into account the nature, scope, context and purposes of processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller implements appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is carried out in accordance with Regulation 2016/679. Those measures are reviewed and updated where necessary. As follows from Art. 24(1) of Regulation 2016/679, the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity of violating the rights and freedoms of natural persons, are factors that the controller is obliged to take into account when building its data protection system, in particular also from the point of view of the other obligations indicated in Art. 25(1), Art. 32(1) and Art. 32(2) of Regulation 2016/679. The above provisions give concrete form to the principle of confidentiality set out in Art. 5(1)(f) of Regulation 2016/679, and compliance with this principle is necessary for the proper implementation of the principle of accountability arising from Art. 5(2) of Regulation 2016/679.

Pursuant to Art. 25(1) of Regulation 2016/679, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons posed by the processing, the controller, both at the time of determining the means of processing and at the time of the processing itself, implements appropriate technical and organisational measures, such as pseudonymisation, designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects.

It follows from Art. 32(1) of Regulation 2016/679 that the controller is obliged to apply technical and organisational measures corresponding to the risk of violating the rights and freedoms of natural persons, with varying likelihood of occurrence and severity of threat. The provision specifies that, when deciding on technical and organisational measures, the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity of violating the rights and freedoms of natural persons, must be taken into account. The provision shows that determining appropriate technical and organisational measures is a two-stage process. First, the level of risk associated with the processing of personal data must be determined, taking into account the criteria indicated in Art. 32(1) of Regulation 2016/679; then it must be determined which technical and organisational measures will be appropriate to ensure a level of security corresponding to that risk. Where appropriate, these measures should include the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. Pursuant to Art. 32(2) of Regulation 2016/679, in assessing the appropriate level of security, the controller takes into account in particular the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Taking into account in particular the scope of the personal data processed by the Administrator that was contained in a file located on the stolen (lost) external data carrier, in order to properly fulfil the obligations imposed by the above provisions of Regulation 2016/679, the Administrator was obliged to take steps to ensure an appropriate level of data protection by implementing appropriate technical and organisational measures to ensure the security of the personal data processed. The nature and type of these steps should follow from a risk analysis, which should identify the vulnerabilities related to the assets used and the resulting threats, and then determine adequate security measures. An incorrect assessment of the level of risk makes it impossible to apply appropriate security measures for a given asset and increases the likelihood of the threat materialising. The result of the above was the materialisation of a risk, as a consequence of which an unauthorised person or persons gained access to the data contained in a file located on the stolen (lost) external data carrier.

It should be noted that Regulation 2016/679 introduced an approach in which risk management is the foundation of activities related to the protection of personal data. Risk management is a continuous process that requires the data controller not only to ensure compliance with the provisions of Regulation 2016/679 through a one-time implementation of organizational and technical security measures, but also to continuously monitor the level of threats and to ensure accountability in terms of the level and adequacy of the security measures introduced. It is therefore necessary to prove to the supervisory authority that the solutions implemented to ensure the security of personal data are adequate to the level of risk and take into account the nature of the organization and the personal data processing mechanisms used. The consequence of this approach is the need to independently select security measures on the basis of a threat analysis; controllers are not provided with specific security measures and procedures. It is the responsibility of the Administrator to conduct a detailed analysis of the data processing processes carried out and to assess the risk, and then, on the basis of that analysis, to apply measures and procedures that are adequate to the assessed risk.

Therefore, a properly conducted risk assessment provides the controller with the opportunity to determine and implement technical and organizational measures that will eliminate or at least significantly reduce the established level of risk of materialization of identified threats to the personal data being processed. The risk assessment carried out by the administrator should be documented and justified by the actual situation at the time it was carried out. The main factors contributing to the correct assessment that should be taken into account when conducting the analysis are the characteristics of the processing processes taking place, assets, vulnerabilities, threats and current security measures. It should be remembered that factors such as the scope and nature of personal data processed by the administrator are also important when assessing the risk, as they determine any negative effects for a natural person in the event of a breach of the protection of his or her personal data.

The "Procedure (...)" attached by the Administrator to the letter of (...) April 2022, together with a risk analysis sheet containing the risk assessment for data processing activities adopted by the Administrator, carried out on [...] January 2021, raises many doubts. The sheet includes, among other things, a risk assessment in the event of "failure, theft or loss of data media". The presented methodology assumes assigning appropriate values to individual factors, which include:

* A. Probability of:
** a) event occurrence
** b) exposure
** c) expected time for a breach to occur
* B. Impact on assets:
** a) confidentiality
** b) integrity
** c) availability

The risk level for this category of processing is defined as "1", which, according to the procedure, means "acceptable risk, not requiring further action (taking mitigating measures)". In addition, the risk mitigation measures identified in the above risk assessment, i.e. "Data backups once a day. Quick restoration time", are, in the opinion of the President of the Personal Data Protection Office, not adequate to the potential threats that the Administrator assumed for this processing process and for which the assessment was carried out. Analyzing the preventive measures adopted by the Administrator, it should be concluded that data backups are a means of minimizing the effects of a loss of availability of data located on a lost (stolen) external data carrier, but they do not minimize the risk of the possible consequences of a third party gaining access to the data carrier and using the personal data, i.e. of a situation in which data confidentiality is violated.

It should be emphasized that the protection of data located on external data carriers, in order to effectively counteract the threat of "loss of data carriers", must focus on properly securing the data located on such a carrier against unauthorized access by third parties in the event that the carrier is stolen or lost. Meanwhile, the Administrator, in carrying out the above-mentioned risk assessment, in the opinion of the President of the Personal Data Protection Office, focused only on determining actions to minimize the consequences of a media failure, i.e. a violation of data availability, completely omitting actions to minimize the consequences of a violation of their confidentiality. Reference should therefore be made here to the judgment of the Provincial Administrative Court in Warsaw of August 26, 2020, ref. no. II SA/Wa 2826/19, in the justification of which the Court stated that "This provision [Art. 32 of Regulation 2016/679] does not require the data controller to implement any technical and organizational measures that are intended to constitute personal data protection measures, but requires the implementation of adequate measures. Such adequacy should be assessed in terms of the manner and purpose for which personal data are processed, but the risk associated with the processing of these personal data should also be taken into account, which may vary in level. (...) The adopted measures are to be effective; in specific cases some measures will have to be low-risk measures, others must be high-risk measures, but it is important that all measures (and each one individually) are adequate and proportionate to the degree of risk."
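The point made above, that backups address availability but not confidentiality, can be checked by scoring the media-loss threat separately per protection goal. The Python below is an added example, not the decision's or the controller's own risk sheet; its 1-5 scale, "acceptable" threshold and per-control reduction factors are assumptions constructed for illustration.

```python
"""Residual-risk check for a removable-media threat, scored separately for
confidentiality, integrity and availability.

Added example, not the controller's risk sheet: the 1-5 scale, the
"acceptable" threshold and the per-control reduction factors are assumptions
constructed for illustration.
"""
from dataclasses import dataclass

PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Control:
    name: str
    # fraction (0..1) of the impact on each property that the control removes;
    # a property not listed is not addressed by the control at all (assumption)
    reduces: dict


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1 (rare) .. 5 (frequent), assumed scale
    impact: dict      # property -> 1 (negligible) .. 5 (severe), assumed scale


def residual_risk(threat: Threat, controls: list) -> dict:
    """Probability x impact per property, reduced only by controls that
    actually act on that property. Returns one score per property."""
    scores = {}
    for prop in PROPERTIES:
        remaining = 1.0
        for control in controls:
            remaining *= 1.0 - control.reduces.get(prop, 0.0)
        scores[prop] = round(threat.probability * threat.impact[prop] * remaining, 1)
    return scores


def uncovered_properties(threat: Threat, controls: list, acceptable: float = 5.0) -> list:
    """Protection goals whose residual score is still above the acceptable
    threshold, i.e. where the chosen controls do not address the threat."""
    scores = residual_risk(threat, controls)
    return [prop for prop in PROPERTIES if scores[prop] > acceptable]


# Constructed sample values modelled on the case: a recording of a court
# hearing on an unencrypted pendrive sent by post. Loss of the carrier hits
# confidentiality hardest; integrity of the sender's own copy is barely affected.
MEDIA_LOSS = Threat(
    name="failure, theft or loss of data media",
    probability=3,
    impact={"confidentiality": 5, "integrity": 1, "availability": 4},
)

# The only mitigation named in the controller's sheet: daily backups with a
# quick restoration time. It acts on availability and on nothing else.
DAILY_BACKUP = Control(
    name="Data backups once a day, quick restoration time",
    reduces={"availability": 0.9},
)

# A control that addresses the confidentiality of data on a lost carrier:
# encrypting the file or the whole device (reduction factor is an assumption).
CARRIER_ENCRYPTION = Control(
    name="Encryption of the file / carrier with a key held by the sender",
    reduces={"confidentiality": 0.9},
)


if __name__ == "__main__":
    for label, controls in (("backups only", [DAILY_BACKUP]),
                            ("backups + encryption", [DAILY_BACKUP, CARRIER_ENCRYPTION])):
        print(label, residual_risk(MEDIA_LOSS, controls),
              "still uncovered:", uncovered_properties(MEDIA_LOSS, controls))
```

With backups alone the confidentiality score is untouched and is reported as uncovered; adding encryption of the carrier brings every protection goal under the threshold.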

The security measures adopted by the Administrator to minimize the effects of the threat described in the risk analysis as "failure, theft or loss of data media" are therefore not adequate to the identified risk related to processing, and this leads to the conclusion that the risk assessment for data processing on external data carriers was carried out either with incorrect values assumed for the risk of theft or loss of such carriers or with that risk omitted entirely. This is also supported by the fact that in the risk analysis submitted by the Administrator on (...) October 2022, carried out after the personal data protection breach occurred, the assessment of the effects on the processing of personal data on external data carriers in the event of "failure, theft or loss of data carriers" was replaced by an assessment of the effects only in the event of "failure of data media". The Administrator thus refrained from conducting a risk analysis for the very situation that resulted in the personal data protection breach reported to the President of the Personal Data Protection Office, which should be considered inconsistent with the above-mentioned provisions of Regulation 2016/679, in particular where the Administrator envisages the possibility of further processing of personal data on external data media, and the event in question directly indicates what consequences may occur in the event of their loss or theft.

However, it should be noted that although in the risk analysis conducted the Administrator did not specify security measures to minimize the risk of theft or loss of external data carriers, in practice it introduced certain solutions concerning the security of this category of personal data processing. These solutions are included in the "Instruction (...)" (hereinafter: I(...)), introduced on (...) August 2019, which contains a chapter on the security of information media. It is indicated there that the person who is currently the user of such a medium is responsible for ensuring the security of external data carriers. In the notification of the personal data protection breach, the Administrator indicated "(...) that the employees of the disciplinary spokesman's office, when packing the parcel containing a pendrive with a recording, took a number of actions aimed at securing this medium, including: the carrier was placed in a plastic sleeve that was tightly sewn, several people checked the tightness of this sleeve, the sleeve was sewn to the cover letter in a way that prevented the carrier from falling out without interrupting the above-mentioned process. protection or foil (plastic sleeve). The letter and the plastic sleeve were placed in an envelope, which was tightly sealed and sent via X. S.A. (…)". The collected material shows that the employees of the Office of the Disciplinary Ombudsman of the Bar Association in The procedure resulting from this document, "Method, place and period of storage of electronic information media", specifies the procedure in the case of using external data carriers, such as hard drives, CDs, DVDs and pendrives, and clearly indicates that in the case of transferring media containing personal data, "(...)". In the response provided by the Administrator on (...) March 2022, the President of the Personal Data Protection Office received information that "(...) the medium in question was not encrypted (...)".
In turn, in a letter of (...) April 2022, the Administrator stated that "(...) in response to the question regarding whether the recording file located on an external data carrier was secured with a password or encryption mechanism, I indicate that the file in question has not been secured in this way (…)". The findings made in this regard clearly show that neither the file with personal data nor the data medium itself was secured in any way, which resulted in a very high probability of unauthorized persons gaining access to the personal data contained on this medium in the event of loss of the shipment. Furthermore, the above-mentioned procedure provides for the use of deposit envelopes, which are commonly used to increase the security of transmitted content, including documents containing personal data, because visible signs appear in the event of tampering with the packaging (once the packaging is opened, it cannot be sealed again). The Administrator's explanations above indicate that the deposit envelope was replaced with a tightly stapled plastic sleeve, which was then attached to the cover letter and placed in a regular envelope. The shipment prepared in this way was sent via X. S.A. despite the clear provision in I(...) that "(...)". The Administrator's employees did not comply with the provisions of I(...), including the point indicating that "(...) persons using information media should be aware of the threats and are obliged to exercise due diligence by applying the applicable organizational, technical and legal measures described in I(…)(…)". It should be noted that the mere introduction of provisions regarding the use of organizational and technical measures in I(...) does not release the Administrator from verifying whether the security measures adopted in this way limit or completely eliminate the risks associated with data processing using external data carriers, including the risk of loss of data confidentiality as a result of theft or loss of such a medium. This verification should first take place as part of a risk analysis, which in the case of the Disciplinary Ombudsman of the Bar Association of processed personal data.

In a letter of (...) April 2022, the Disciplinary Ombudsman of the Bar Association in (…)". In connection with the above statement, it should be noted that the data contained on the lost external data carrier are the subject of protection for which the Administrator is responsible. Therefore, even assuming that this medium was not the property of the Administrator, and that he may therefore not have been able to properly secure it, the Disciplinary Spokesperson of the Bar Association in own procedure found in I(…) and what he did not do. Attention should also be paid to the judgment of the Provincial Administrative Court in Warsaw of January 19, 2021, ref. no. II SA/Wa 702/20, the justification for which stated that "(...) the data controller should appropriately protect personal data against accidental loss using appropriate technical and organizational measures. Personal data should be processed in a way that ensures appropriate security and appropriate confidentiality, including protection against unauthorized access to them and to the equipment used to process them, as well as against unauthorized use of these data and this equipment (recital 39 of Regulation 2016/679)".

In connection with the above findings, it should be noted that the Disciplinary Spokesperson of the Bar Association in (...) January 2021 risk analysis, had procedures for the security of data processed using this type of media, including the transfer of external data media containing personal data to third parties outside the Administrator's office. However, the effectiveness of the implementation of the above-mentioned procedures is questionable, due to the failure of the office's employees to comply with their provisions when sending an external data carrier with a recording of the divorce hearing, which led to a breach of personal data protection. As indicated by the Administrator in the letter of (...) January 2023, "the last verification of employees' compliance with the procedures contained in the Instruction (...), including those regarding the shipment of data media before the personal data protection breach in question, took place during the regular scheduled date (...) January 2021, checking based on the risk analysis procedure, in particular section 10" and "regularly tested and verified the effectiveness of the adopted procedures in accordance with planned and organized as well as documented activities within specified time intervals, regardless of the course of data processing processes, in accordance with the implemented personal data protection documentation." However, the collected evidence shows that the verification of the adopted procedures carried out by the Administrator, contrary to his claims, was not effective, considering the fact that the employees of the office of the Disciplinary Ombudsman of the Bar Association in , which (due to the failure to secure the file with the recording of the divorce hearing on this medium) led to a personal data protection breach. Moreover, section (...) of the procedure (...) indicated by the Administrator states that "(...)". Despite a clear request to provide explanations in this regard, and evidence to confirm them, in the letter sent by the supervisory authority to the Administrator on (...) January 2023, the Disciplinary Spokesperson of the Bar Association in X. did not provide any evidence in the form of a written report confirming the monitoring of the procedures applicable in his organization, and only declared the existence of procedures for regular testing of security measures. This means that the Administrator, contrary to the obligation arising from Art. 5(2) of Regulation 2016/679, has not demonstrated that in this respect it fulfills the obligations arising from the provisions of Regulation 2016/679.

It should be emphasized that regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of processing is a basic obligation of every controller under Art. 32(1)(d) of Regulation 2016/679. The controller is therefore obliged to verify both the selection and the level of effectiveness of the technical measures used at each stage of processing. The comprehensiveness of this verification should be assessed in terms of adequacy to the risks and proportionality in relation to the state of the art, implementation costs and the nature, scope, context and purposes of processing. In the facts of this case, however, it should be considered that the Administrator did not properly fulfill the obligation imposed on him to regularly test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of personal data processing. As shown above, the Administrator did not monitor the effectiveness of the procedures introduced under I(...) regarding the obligations of the employees of the office of the Disciplinary Ombudsman of the Bar Association in X. related to securing personal data contained on the external data carrier sent. The interval at which such reviews should be carried out, resulting from point (...) of the procedure, may also raise doubts in the case of an organization such as the Disciplinary Ombudsman of the Bar Association in X. As indicated in this point, "At least once a year (and in the event of modification or planned modifications in personal data processing processes), the risk should be reviewed in accordance with the above-mentioned points." Adopting such an interval may result in the continued use of a measure (technical or organizational) that is no longer effective, i.e. one that no longer ensures the security of the personal data processed, regardless of the reasons for the loss of effectiveness.
As a side note, it should also be noted that the terminology adopted in point (...) of the procedure (...), and the description of the individual activities to be performed as part of the review, suggest a description of risk management, including the deadlines for conducting a risk analysis for personal data processing operations, rather than a description of the actions to be taken as part of regular testing, assessment and measurement of the effectiveness of technical and organizational measures to ensure the security of data processing. Meanwhile, testing, measurement and evaluation, in order to meet the requirement arising from Art. 32(1)(d) of Regulation 2016/679, must be carried out on a regular basis, which means conscious planning and organization, as well as documentation (in connection with the principle of accountability referred to in Article 5(2) of Regulation 2016/679), of this type of activity at specified time intervals, regardless of changes in the organization and course of data processing processes caused by, for example, an organizational change at the data controller or a change in the legal environment.

To demonstrate that compliance by the employees of the office of the Disciplinary Ombudsman of the Bar Association in the 10th above-mentioned procedures were subject to verification. In a letter of (...) January 2023, the Administrator informed that "Additionally, the Administrator regularly trained employees of the Disciplinary Ombudsman's Office (May 2020) on the procedures included in the documentation of the processing and protection of personal data applicable at the Disciplinary Ombudsman of the Bar Association in October and (August 2020) in the field of personal data protection breaches, their types and reporting procedures." The above explanations show that the training on the procedures specified in I(...) took place in May 2020, i.e. a year before the personal data protection breach was identified, consisting in the loss of an unsecured external data carrier with an unsecured file containing a recording of the divorce hearing with personal data, which took place on (...) May 2021. It should therefore be emphasized that training conducted only on the date indicated in the above-mentioned letter of the Administrator is not a sufficient means of influencing the awareness of persons obliged to protect personal data and to apply the procedures specifying security measures for this data. Correctly conducted training allows the trained persons to properly understand the principles of personal data processing specified by the Administrator and, consequently, contributes to reducing the risk of violations in this area. It should also be noted that training in the field of personal data protection, in order to be considered an adequate security measure, must be carried out periodically, which ensures constant reminders and, consequently, consolidation of the principles of processing personal data covered by the training. Moreover, all persons authorized to process personal data must participate in such training, and the training itself must cover all issues related to the processing of personal data within the established training topic. Omission of any of these elements means that the training does not fulfill its role, because some people are not trained at all or the participants do not receive full knowledge in a given field. The consequence may be a personal data protection breach, as in the case that is the subject of these proceedings. Moreover, the lack of training conducted in the manner described above means that this security measure in practice does not reduce the risk of personal data protection breaches, which undoubtedly contributes to weakening the level of personal data protection and requires finding a violation of the provisions of Regulation 2016/679 relating to the controller's obligations in the field of data security.

In the light of the identified irregularities in carrying out the risk analysis, in the selection of measures to ensure the security of personal data processed using external data carriers, and in the lack of documented regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processing, it should be considered that the Disciplinary Spokesperson of the Bar Association of October . violated the principle of data confidentiality (Article 5(1)(f) of Regulation 2016/679) in connection with the breach of the controller's obligations when implementing technical and organizational measures to ensure that processing is carried out in accordance with Regulation 2016/679 (Article 24(1) of Regulation 2016/679), to provide the processing with the necessary safeguards (Article 25(1) of Regulation 2016/679), to ensure a level of security appropriate to the risk, including the ability to ensure ongoing confidentiality (Article 32(1) of Regulation 2016/679), and to take into account the risks associated with processing resulting from unauthorized access to the personal data processed when assessing whether the level of security is adequate (Art. 32(2) of Regulation 2016/679). The violation of the principle of confidentiality expressed in Art. 5(1)(f) of Regulation 2016/679 is related to the violation of the principle of accountability referred to in Art. 5(2) of Regulation 2016/679. As indicated by the Provincial Administrative Court in Warsaw in its judgment of February 10, 2021, ref. no. II SA/Wa 2378/20, "The principle of accountability is based on the controller's legal responsibility for the proper fulfillment of obligations and imposes on him the obligation to demonstrate, both to the supervisory authority and to the data subject, evidence of compliance with all data processing principles." The Provincial Administrative Court in Warsaw interprets the principle of accountability similarly in its judgment of August 26, 2020, ref. no. II SA/Wa 2826/19: "Taking into account all the standards of Regulation 2016/679, it should be emphasized that the administrator has considerable freedom in the scope of applied security measures, but at the same time he is responsible for violating the provisions on the protection of personal data. The principle of accountability clearly states that the data controller should demonstrate and therefore prove that it complies with the provisions set out in Art. 5(1) of Regulation 2016/679".

Taking into account the above irregularities, as well as the content of Art. 58(2)(d) of Regulation 2016/679, the President of the Personal Data Protection Office ordered the Administrator to adapt its processing operations to the provisions of Regulation 2016/679 by performing a risk analysis that takes into account the threats related to the loss or theft of external data carriers on which personal data are processed, and by implementing appropriate technical and organizational measures to ensure regular testing, measurement and assessment of the effectiveness of the technical and organizational measures ensuring the security of processing.

When assessing the circumstances of the personal data protection breach in question, it should be emphasized that when applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data and that the protection of natural persons with regard to the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators - not only in the event of a personal data protection breach, but also when developing technical and organizational security measures to prevent them - these values should be taken into account in the first place.

Taking into account the above findings and the identified violations of the provisions of Regulation 2016/679, the President of the Personal Data Protection Office, using his powers specified in Art. 58(2)(i) of Regulation 2016/679, according to which each supervisory authority has the power to impose, in addition to or instead of the other corrective measures provided for in Art. 58(2)(a)-(h) and (j) of this Regulation, an administrative fine under Art. 83(4)(a) and 83(5)(a) of Regulation 2016/679, and taking into account the circumstances established in the proceedings in question, found that in the case under consideration there were grounds justifying the imposition of an administrative fine on the Administrator.

Pursuant to Art. 83(4)(a) of Regulation 2016/679, infringements of the provisions regarding the obligations of the controller and the processor referred to in Art. 8, 11, 25-39, 42 and 43 are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 10,000,000, or, in the case of an undertaking, up to 2% of its total annual worldwide turnover of the preceding financial year, whichever is higher.

Pursuant to Art. 83(5)(a) of Regulation 2016/679, infringements of the provisions regarding the basic principles of processing, including the conditions for consent, referred to in Art. 5, 6, 7 and 9 are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 20,000,000, or, in the case of an undertaking, up to 4% of its total annual worldwide turnover of the preceding financial year, whichever is higher.

Art. 83 section 3 of Regulation 2016/679 states that if the controller or processor intentionally or unintentionally infringes, within the same or related processing operations, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount of the penalty for the most serious infringement.

In this case, an administrative fine was imposed on the Administrator for violating Art. 25(1) and Art. 32(1) and (2) of Regulation 2016/679 pursuant to the above-mentioned Art. 83(4)(a) of Regulation 2016/679, and for violating Art. 5(1)(f) and Art. 5(2) of Regulation 2016/679 pursuant to Art. 83(5)(a) of this Regulation. At the same time, the administrative fine in the amount of PLN 28,296 (in words: twenty-eight thousand two hundred and ninety-six zlotys) imposed on the Administrator in total for violating all the above provisions does not, pursuant to Art. 83(3) of Regulation 2016/679, exceed the amount of the penalty for the most serious violation found in this case, i.e. the violation of Art. 5(1)(f) and Art. 5(2) of Regulation 2016/679, which, pursuant to Art. 83(5)(a) of Regulation 2016/679, is subject to an administrative fine of up to EUR 20,000,000, or, in the case of an undertaking, up to 4% of its total annual worldwide turnover of the preceding financial year.

When deciding on the imposition of an administrative fine, the President of the Personal Data Protection Office - pursuant to Art. 83 section 2 lit. a) - k) of Regulation 2016/679 - took into account the following circumstances of the case, constituting the need to apply this type of sanctions in the present case and having an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679). The violation of personal data protection provisions ascertained in the present case, which resulted in the possibility of an unauthorized person or persons obtaining access to the data contained in the file with the recording of the divorce hearing placed on a lost external data carrier (violation of the principle of confidentiality), is of significant importance and serious nature, as it creates a high risk of negative consequences for at least 8 data subjects. The violation by the Disciplinary Ombudsman of the Bar Association in with the provisions of Regulation 2016/679. Moreover, up to the date of this decision the missing external data medium has not been found, so an unauthorized person or persons may still have access to the personal data contained on it. It is also worth emphasizing the long duration of the violation of personal data protection provisions, i.e. from (...) January 2021, when the Administrator carried out the risk analysis incorrectly, as shown above, until now.

In the present case, there is no evidence that the persons whose data could be accessed by an unauthorized person or persons suffered any property damage. Nevertheless, the very violation of the confidentiality of their data constitutes non-pecuniary damage (harm); natural persons whose data was obtained in an unauthorized manner may at least fear loss of control over their personal data, discrimination or damage to their good name. It should also be noted that in accordance with Resolution No. 50/2018 of the Supreme Bar Council of November 24, 2018, Regulations on the operation of disciplinary spokespersons and deputy disciplinary spokespersons as well as the procedure and manner of their selection, correspondence in disciplinary matters is confidential, and the Disciplinary Ombudsman of the Bar Association in X. is covered by attorney-client privilege in the scope of the proceedings conducted by him.

2. Intentional or unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679). Unauthorized access to the personal data of persons whose data are included in the recording of the divorce hearing placed on the lost external data carrier became possible as a result of failure to exercise due diligence by the Disciplinary Spokesperson of the Bar Association in X. In the opinion of the supervisory authority, this constitutes an unintentional violation resulting from the Administrator's negligence, because the Disciplinary Spokesperson of the Bar Association in specifying organizational measures that guarantee, in the Administrator's opinion, an appropriate level of security of data processed using these media. Despite its development, the Administrator's employees did not comply with its provisions regulating the actions to be taken to ensure the security of data sent on an external data carrier. This calls into question the effectiveness of employee training in this area conducted by the Administrator and periodic verification of compliance with the provisions of these procedures.

3. Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679). Personal data contained on the lost external data carrier, i.e. name and surname, voice, details of family life, relations of the parties and suspicions of marital infidelity, are generally not considered to belong to special categories of personal data; however, the context of the event in which they were recorded, i.e. a divorce hearing, may mean that they will be subject to protection as special categories of personal data and, consequently, will involve a high risk of violating the rights and freedoms of the natural persons affected by the breach. This is also evidenced by the level of risk assumed by the Administrator, who in point 8B of the personal data protection breach notification form indicated that the breach causes a high risk of violating the rights and freedoms of natural persons. Therefore, the occurrence of non-pecuniary damage (harm) cannot be ruled out, as natural persons whose data were stored on this medium may feel afraid of losing control over their personal data, of discrimination, as well as of damage to their good name.

When determining the amount of the administrative fine, the President of the Office for Personal Data Protection took into account as a mitigating circumstance, affecting the reduction of the amount of the fine imposed, the fact that when considering the case he did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the imposed administrative fine [Article 83(2)(k) of Regulation 2016/679].

The other circumstances indicated in Art. 83 section 2 of Regulation 2016/679 had no influence on the fact that the President of the Personal Data Protection Office applied in this case a sanction in the form of an administrative fine, nor on its amount:

1. Actions taken to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679). Immediately after the personal data protection breach was disclosed, the Disciplinary Ombudsman of the Bar Association in X. filed a complaint with the postal operator. The controller has also provided data subjects with proper notice of the data breach, together with an indication of how they can protect their personal data against further use. However, it should be noted that notifying data subjects about a breach of the protection of their personal data constitutes the fulfillment of the legal obligation arising from Art. 34 section 1 and 2 of Regulation 2016/679, and as provided for in Guidelines WP 253 (in relation to the condition "the manner in which the supervisory authority learned about the breach"), "[t]he mere fulfillment of [...] the obligation by the Administrator cannot be interpreted as a weakening/mitigating factor."

2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 (Article 83(2)(d) of Regulation 2016/679). The Guidelines of the Article 29 Data Protection Working Party adopted on 3 October 2017 on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 indicate that when considering this condition, "the supervisory authority must answer the question to what extent the controller has 'done everything that could be expected', taking into account the nature, purposes or scope of processing and in the light of the obligations imposed on it by the Regulation."

In this case, the President of the Personal Data Protection Office found a violation of the provisions of Art. 25 section 1 and Art. 32 section 1 and 2 of Regulation 2016/679. In his opinion, the controller bears a high degree of responsibility for failing to implement appropriate technical and organizational measures that would prevent a breach of personal data protection. It is obvious that, in the considered context of the nature, purpose and scope of personal data processing, the Administrator did not "do everything that could be expected of him"; thus, it did not comply with the obligations arising from Art. 25 and 32 of Regulation 2016/679.

In the present case, however, this circumstance constitutes the essence of the infringement itself; it is not merely a factor that influences - mitigating or aggravating - its assessment. For this reason, the lack of appropriate technical and organizational measures referred to in Art. 25 and Art. 32 of Regulation 2016/679 cannot be considered by the President of the Personal Data Protection Office in this case as a circumstance that may additionally result in a more severe assessment of the violation and of the amount of the administrative fine imposed on the Administrator.

3. Any relevant previous violations on the part of the controller or processor (Article 83(2)(e) of Regulation 2016/679). The President of the Personal Data Protection Office did not find any relevant previous violations of Regulation 2016/679 by the Disciplinary Ombudsman of the Bar Association in X., and therefore there are no grounds to treat this circumstance as an aggravating circumstance; however, it is the duty of each administrator to comply with the provisions of law (including the provisions on the protection of personal data), so the lack of previous personal data protection violations cannot be considered a mitigating circumstance when imposing sanctions.

4. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). The Disciplinary Spokesman of the Bar Association in X. properly fulfilled his procedural obligations during the administrative proceedings ending with the issuance of this decision.

5. The manner in which the supervisory authority learned about the infringement (Article 83(2)(h) of Regulation 2016/679). The President of the Personal Data Protection Office learned of the infringement as a result of the personal data protection breach notification made by the Disciplinary Ombudsman of the Bar Association in X. By making the notification, the Administrator was only fulfilling his legal obligation; therefore there are no grounds to consider that this circumstance constitutes a mitigating circumstance. According to the Guidelines on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 (WP 253), "The supervisory authority may become aware of the infringement as a result of proceedings, complaints, press articles, anonymous tips or notification by the data controller. Pursuant to the regulation, the administrator is obliged to notify the supervisory authority about a personal data protection breach. The mere fulfillment of this obligation by the controller cannot be interpreted as a weakening/mitigating factor."

6. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679). Before issuing this decision, the President of the Personal Data Protection Office did not apply to the controller, in the case under consideration, any of the measures listed in Art. 58 section 2 of Regulation 2016/679; therefore the administrator was not obliged to take any actions related to their application, actions which, when assessed by the President of the Personal Data Protection Office, could have had an aggravating or mitigating effect on the assessment of the identified violation.

7. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679). The Disciplinary Spokesman of the Bar Association in X. does not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application are not - as provided for in the provisions of Regulation 2016/679 - mandatory for controllers and processors; therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. On the other hand, the adoption and use of this type of instrument, as measures guaranteeing a higher than standard level of protection of processed personal data, could be taken into account to the Administrator's advantage.

8. Financial benefits obtained directly or indirectly in connection with the breach or losses avoided (Article 83(2)(k) of Regulation 2016/679). The President of the Personal Data Protection Office did not find that the controller obtained any financial benefits or avoided any losses in connection with the breach. Therefore, there are no grounds to treat this circumstance as aggravating for the administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. This is also indicated by the very wording of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved", i.e. obtained, by the entity committing the infringement.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the circumstances of this case fulfills the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it will be effective, proportionate and dissuasive in this individual case. According to the President of the Personal Data Protection Office, the administrative fine imposed on the Disciplinary Ombudsman of the Bar Association of X. will be effective because it will lead to a situation in which the Disciplinary Ombudsman of the Bar Association of or freedom of data subjects and the gravity of the risks associated with the processing of these personal data. The effectiveness of the administrative fine is therefore equivalent to a guarantee that the Disciplinary Spokesperson of the Bar Association in X. will, from the moment of completion of these proceedings, approach the requirements set out in the provisions on the protection of personal data with the utmost diligence.

The administrative fine applied is also proportionate to the identified violation, in particular its gravity, effect, the group of natural persons affected and the very high risk of negative consequences they suffer as a result of the violation. According to the President of the Personal Data Protection Office, the administrative fine imposed on the Disciplinary Spokesperson of the Bar Association in X. will not constitute an excessive burden on him. The amount of the penalty was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of violation of the administrator's obligations, but on the other hand, it does not result in a situation in which the need to pay it will have negative consequences in the form of a significant deterioration of the financial situation of the Administrator. According to the President of the Personal Data Protection Office, the Disciplinary Ombudsman of the Bar Association in X. should and is able to bear the consequences of his negligence in the field of data protection; hence the imposition of an administrative fine in the amount of PLN 23,580 (in words: twenty-three thousand five hundred and eighty zlotys) is fully justified.

In the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function in these specific circumstances, as it will be a response to the violation of the provisions of Regulation 2016/679 by the Disciplinary Ombudsman of the Bar Association in X., but also a preventive function, as it will contribute to the prevention of future violations of the obligations arising from the provisions on the protection of personal data by the Disciplinary Ombudsman of the Bar Association in X.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the circumstances of this case meets the conditions referred to in Art. 83 section 1 of Regulation 2016/679, due to the importance of the identified violations in the context of the basic requirements and principles of Regulation 2016/679 - especially the principle of confidentiality expressed in Art. 5 section 1 letter f) of Regulation 2016/679.

Pursuant to the content of Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in Art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28 each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the next exchange rate table of the National Bank of Poland after this date.

Taking the above into account, the President of the Personal Data Protection Office, pursuant to Art. 83 section 4 lit. a) and Art. 83 section 5 lit. a) in connection with Art. 83 section 3 of Regulation 2016/679 and in connection with Art. 103 of the Act of May 10, 2018 on the protection of personal data, for the violation described in the operative part of this decision, imposed on the Disciplinary Spokesperson of the Bar Association in X. - using the average euro exchange rate of January 30, 2023 (EUR 1 = PLN 4.7160) - an administrative fine in the amount of PLN 23,580 (equivalent to EUR 5,000).

The purpose of the imposed administrative fine is to ensure that the Disciplinary Ombudsman of the Bar Association in X. complies in the future with the provisions of Regulation 2016/679 and, consequently, conducts data processing in accordance with applicable law.

In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.