UODO (Poland) - DKN.5131.29.2023: Difference between revisions

UODO - DKN.5131.29.2023
Authority:	UODO (Poland)
Jurisdiction:	Poland
Relevant Law:	Article 5(1)(f) GDPR Article 24(1) GDPR Article 32(1) GDPR Article 32(2) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:	26.09.2023
Decided:	29.04.2024
Published:
Fine:	238,345 PLN
Parties:	Res-Gastro M. Gaweł Sp. k.
National Case Number/Name:	DKN.5131.29.2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Polish
Original Source:	UODO (in PL)
Initial Contributor:	fb

The DPA fined a company €54,600 after a data breach occurred. The DPA found that the security measures implemented by the controller were insufficient.

English Summary

Facts

The controller is a company which operates restaurants. On 26 July 2023, the controller notified the DPA about a data breach occurred on 19 July 2023: an employee had lost a flash drive containing unencrypted data about another employee, such as their address, date of birth, passport, picture and salary data. Moreover, some financial data were stored in the drive in an encrypted way.

On 26 September 2023 the DPA initiated an ex officio proceeding.

The controller noted that it had instructed all employees to encrypt their files when stored in an external flash drive and that the loss occurred in the workplace premises.

Holding

Firstly, the DPA recalled that, according to Article 5(1)(f) GDPR personal data must be processed in a manner that ensures adequate security of personal data by means of appropriate technical or organizational measures. According to the DPA, a concretization of this principle is Article 24(1) GDPR, which poses on the controller an obligation to implement appropriate technical measures and organizational to carry out processing in accordance with the GDPR.

Moreover, the DPA pointed out that the controller must also comply with the obligation set by Article 32 GDPR. It noted that this article obliges the controller to carry out a 2-step analysis: firstly, it must determine the risks involved in the processing of personal data and, secondly, determine what technical and organizational measures will be appropriate to ensure a degree of security corresponding to that risk.

The DPA observed that the risk assessment analysis conducted by the controller did include the possibility of a flash drive theft, but not of a loss of it. Therefore, the DPA held that the controller failed to take into account all possible risks associated with the use of external data carriers by employees.

Moreover, the DPA focused on the fact that, even if the controller had considered this risk, it however did not implement sufficient security measures. The DPA acknowledged that the controller had instructed its employees to encrypt the data contained in flash drives. However, the DPA also noted that the controller simply relied on its employees and did not take any further measure. Furthermore, the DPA found that the controller failed in periodically reviewing the risk assessment. Therefore, the DPA found a violation of Article 32(1) and (2) GDPR.

As for the fine, the DPA believed that the violation is of significant gravity and serious nature (Article 83(1)(a) GDPR) and is unintentional (Article 83(1)(b) GDPR). Moreover, the DPA took into account the categories of personal data affected by the data breach. It recalled the EDPB Guidelines 04/2022, which state that a more stringent response is needed when the dissemination of data immediately causes harm or discomfort to the data subject, even if the data are not sensitive one. On these grounds, the DPA issued a fine of €54,600 (PLN 238,345).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Based on Article. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775, as amended) in connection with Art. 7, art. 60, art. 101 and art. 103 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and Art. 57 section 1 letter a) and letter h), art. 58 paragraph 2 lit. d) and letter i), art. 83 section 1 – 3, art. 83 section 4 lit. a) in connection with Art. 24 section 1, art. 25 section 1 and art. 32 section 1 and 2, as well as art. 83 section 5 lit. a) in connection with Art. 5(1) 1 letter f) and art. 5(1) 2 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04/05/2016, p. 1, OJ EU L 127 of 23/05/2018, p. 2 and OJ EU L 74 of 4/03/2021, p. 35), following conducting administrative proceedings initiated ex officio regarding the processing of personal data by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa (Kolbuszowa, ul. Obrońców Pokoju 85B), President of the Personal Data Protection Office,

stating a violation by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa (Kolbuszowa, ul. Obrońców Pokoju 85B) provisions of Art. 24 section 1, art. 25 section 1 and art. 32 section 1 and 2 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation data) (OJ EU L 119 of 04/05/2016, p. 1, OJ L 127 of 23/05/2018, p. 2 and OJ L 74 of 4/03/2021, p. 35 ), hereinafter referred to as "Regulation 2016/679", consisting in the failure of Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa: a) appropriate technical and organizational measures ensuring a level of security corresponding to the risk of data processing using external data carriers, in order to protect personal data stored there, including their protection against accidental loss, destruction or damage and disclosure to unauthorized persons ;b) appropriate technical and organizational measures to ensure regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processing, which resulted in a violation of Art. 5(1) 1 letter f) (principles of integrity and confidentiality) and art. 5(1) 2 of Regulation 2016/679 (principles of accountability):1. imposes on Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa (Kolbuszowa, ul. Obrońców Pokoju 85B) for violating Art. 5(1) 1 letter f), art. 5(1) 2, art. 25 section 1 and art. 32 section 1 and 2 of Regulation 2016/679, an administrative fine in the amount of PLN 238,345 (in words: two hundred thirty-eight thousand three hundred forty-five zlotys), 2. orders Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa (Kolbuszowa, ul. Obrońców Pokoju 85B) adapting processing operations to the provisions of Regulation 2016/679 by implementing appropriate technical and organizational measures to ensure regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processing, within 3 months from the date of delivery of this decision.

Justification

Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa (Kolbuszowa, ul. Obrońców Pokoju 85B), hereinafter also referred to as the Administrator, is an entity whose basic activity is focused on running restaurants and other catering establishments (eight restaurants in total). On July 26, 2023 (date of submission: July 21, 2023), the Administrator reported a personal data protection breach to the President of the Personal Data Protection Office (hereinafter also referred to as the "President of the Personal Data Protection Office" or the "supervisory authority"), which was registered under the reference number DKN.5130.9144 .2023. In the report of a personal data protection breach, the Administrator indicated that on July 19, 2023, he received a report from an employee informing him about the loss of an external data carrier (work pendrive) containing partially encrypted personal data of another employee of the Administrator. In connection with the above-mentioned reporting the violation, in a letter of July 27, 2023, the President of the Personal Data Protection Office asked the Administrator to provide additional explanations regarding: 1) indicating detailed data or documents that were included in the above-mentioned data carrier (pendrive) and the employee's personal data, which were not encrypted;2) indication whether the data carrier (pendrive) in question was company-owned or owned by the employee;3) providing information regarding the procedure for using external data carriers, specifying the security of these media (including the data contained therein) and the method of monitoring compliance with the above. procedures by employees; 4) providing information whether the Administrator has conducted a risk analysis regarding the processing of personal data using external data carriers and submitting the results of the above. analysis.

In response to the inquiry, in a letter dated August 11, 2023 (date of receipt: August 21, 2023, date of sending: August 16, 2023), the Administrator indicated that the lost external data carrier (pendrive) contained unencrypted files with the employee's personal data in terms of name and surname, address of residence, citizenship, gender, date of birth, PESEL number, passport series and number, telephone number, e-mail address, photo (image) and data on the amount of earnings. Additionally, on the above-mentioned the data carrier also contained encrypted files with financial data. The administrator emphasized that quote (...) "the lost data carrier in the form of a pendrive was official and owned by Res-Gastro M. Gaweł Sp. k.” Moreover, he pointed out that the method of handling and securing electronic data media in the organization is regulated by the applicable "Instruction (...)". At the same time, the Administrator, referring to the question related to the method of monitoring compliance with the procedure related to the use of external data media by employees, submitted to the supervisory authority: - "Instruction (...)" (the last update of which took place (...) in April 2022, in accordance with attached scan of the above-mentioned document), - confirmation of monitoring of GDPR procedures from 2022 and 2023 in the form of a document entitled "List (...)" from 2022 and 2023, - register (...), - an anonymized e-mail of June 16, 2023 (informing about the principles of securing data media), - risk analysis.

In connection with the reported personal data protection breach and the explanations provided by the Administrator in a letter of August 11, 2023 and the documents provided, on September 26, 2023, the President of the Personal Data Protection Office initiated ex officio administrative proceedings regarding the possibility of a breach by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa, as the data controller, obligations arising from Art. 5(1) 1 letter f), art. 5(1) 2, art. 24 section 1, art. 25 section 1, art. 32 section 1 and 2 of Regulation 2016/679, in connection with a breach of the protection of personal data of a person whose data was on a lost external data carrier (pendrive) (letter reference number DKN.5131.29.2023). At the same time, due to the need to obtain additional information necessary to conduct a proper analysis of the proceedings in question, the President of the Personal Data Protection Office on September 26, 2023 asked the Administrator to provide the following explanations: 1) whether the Administrator, in addition to the Instructions (...), has developed and implemented a separate procedure specifying rules for encrypting files/data (including instructions on how to properly encrypt a file/data or what program to use for this activity), because in the above-mentioned the document provides general guidelines for encryption, quoting "(...) if media containing data are taken outside the organization's area, they should be encrypted first"; 2) whether the employee who lost the media in question (pendrive) had the Administrator's consent to copy personal data to this medium. In accordance with point (…) of the Instruction (…) to the above-mentioned activities require the consent of the Administrator; 3) how the Administrator verifies and monitors employees' compliance with the provisions of the Instruction (...) in the scope of point (...) quote "(...)" and point (...) quote "(...)".

In a letter of October 11, 2023 (date of receipt: October 17, 2023, date of sending: October 12, 2023), the Administrator responded to the issues included in the letter of September 26, 2023 (reference number DKN.5131.29.2023) and indicated that that in addition to the current "Instruction (...)", a separate instruction has been introduced regarding the method of encrypting files on data carriers. The instruction in question was prepared in the form of an instructional video, to which the website address (URL address) is indicated in this letter. Moreover, the Administrator noted that "Each employee to whom the pendrive was entrusted also received consent to copy data on the pendrive, including the employee who committed the violation, received such consent on February 4, 2020. The consent contains information about the above-mentioned link to an instructional video on encrypting pen drives. Additionally, about the above-mentioned encryption instructions, the administrator notified all employees who received company pendrives for use in e-mails dated June 14, 2018 and July 27, 2018 (...) The administrator regularly reminded employees about the obligation to encrypt pendrives and the encryption instructions on training and meetings.” To the above-mentioned the Administrator's letter of October 11, 2023 is attached: - a copy of the authorization to process personal data for the employee who lost the data medium in question (pendrive), - a copy of the consent to copy data to a pendrive for the above-mentioned. worker's.

After initiating administrative proceedings ex officio on September 26, 2023, the supervisory authority, wishing to clarify the facts in the case in question, in letters dated October 23, 2023 and December 1, 2023, asked the Administrator to: 1) provide detailed explanations and relevant evidence regarding the position adopted by the Administrator in the letter of October 11, 2023, that the data carrier in question (i.e. pendrive) quoted "(...) was lost by the employee not in a public place, but on the premises of the workplace in a part to which only employees have access administrator".2) Providing information regarding the re-analysis of the risk for personal data processing operations after the occurrence of the personal data protection breach in question.

In a letter dated November 7, 2023, the Administrator explained that "The Administrator's position that the pendrive in question was lost not in a public place, but on the premises of the workplace, in the part to which only the administrator's employees have access, results from the explanation of the employee who committed an infringement. On July 20, 2023, this employee provided detailed oral explanations of the situation, which he then confirmed in writing on November 3, 2023. The Administrator attached as an attachment to the letter of November 7, 2023 sent to the supervisory authority a copy of the employee's explanation of November 3, 2023, quoting "(...) presenting the course and circumstances of the loss of the pendrive". In turn, in a letter of December 18, 2023, the Administrator submitted to the President of the Personal Data Protection Office an updated risk analysis carried out on August 1, 2023 and indicated that (...) "pen drives are currently no longer used in the administrator's internal operations."

In this factual situation, after reviewing all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:

Pursuant to art. 34 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as: the Act of 10 May 2018, the President of the Personal Data Protection Office is the authority competent for data protection and the authority supervisory authority within the meaning of Regulation 2016/679. Pursuant to art. 57 section 1 letter (a) and (h) of Regulation 2016/679, without prejudice to other tasks established under that Regulation, each supervisory authority in its territory shall monitor and enforce the application of this Regulation and investigate infringements of this Regulation, including on the basis of information received from another supervisory authority or other public authority.

Article 5 of Regulation 2016/679 sets out the principles regarding the processing of personal data that must be respected by all controllers, i.e. entities that, alone or jointly with others, determine the purposes and methods of processing personal data. Pursuant to Art. 5(1) 1 letter f) of Regulation 2016/679, personal data must be processed in a way that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures ("confidentiality and integrity "). Pursuant to Art. 5(1) 2 of Regulation 2016/679, the administrator is responsible for compliance with the provisions of paragraph. 1 and must be able to demonstrate compliance with them (“accountability”). Specification of the principle of confidentiality referred to in Art. 5(1) 1 letter f) of Regulation 2016/679, constitute further provisions of this Regulation, including Art. 24 section 1 of Regulation 2016/679, which indicates that, taking into account the nature, scope, context and purposes of processing and the risk of varying likelihood and severity of the rights and freedoms of natural persons, the controller implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with Regulation 2016/679 679 and to be able to demonstrate this. These measures are reviewed and updated as necessary. As stated in Art. 24 section 1 of Regulation 2016/679, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of violating the rights and freedoms of natural persons are factors that the controller is obliged to take into account in the process of building a data protection system, also in particular from the point of view of other obligations. indicated in Art. 25 section 1, art. 32 section 1 or art. 32 section 2 of Regulation 2016/679. The above-mentioned provisions specify the principle of confidentiality specified in Art. 5(1) 1 letter f) of Regulation 2016/679, and compliance with this principle is necessary for the proper implementation of the principle of accountability arising from Art. 5(1) 2 of Regulation 2016/679.

Pursuant to Art. 25 section 1 of Regulation 2016/679, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of the rights and freedoms of natural persons arising from processing, the controller - both when determining the methods of processing and during the processing itself - implements appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement data protection principles, such as data minimization, and to provide the processing with the necessary safeguards to comply with the requirements of this Regulation and to protect the rights of persons whose data applies.

From the content of art. 32 section 1 of Regulation 2016/679 states that the administrator is obliged to apply technical and organizational measures corresponding to the risk of violating the rights and freedoms of natural persons with varying probability of occurrence and threat severity. The provision specifies that when deciding on technical and organizational measures, the state of technical knowledge, the cost of implementation, the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity of violating the rights and freedoms of natural persons should be taken into account. The above-mentioned provision shows that determining appropriate technical and organizational measures is a two-stage process. First of all, it is important to determine the level of risk associated with the processing of personal data, taking into account the criteria indicated in Art. 32 section 1 of Regulation 2016/679, and then it is necessary to determine what technical and organizational measures will be appropriate to ensure a level of security appropriate to this risk. These arrangements, where appropriate, should include measures such as the pseudonymisation and encryption of personal data, the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services, the ability to quickly restore the availability and access to personal data in the event of a physical incident or technical, and regularly testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of processing. Pursuant to Art. 32 section 2 of Regulation 2016/679, the controller, when assessing whether the level of security is adequate, takes into account in particular the risks associated with processing, in particular resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

Taking into account in particular the scope of personal data processed by the Administrator, contained in a file located on a lost external data carrier (i.e. pendrive), in order to properly fulfill the obligations imposed by the above. provisions of Regulation 2016/679, the Administrator was obliged to take actions to ensure an appropriate level of data protection by implementing appropriate technical and organizational measures to ensure the security of processed personal data. The nature and type of these activities should result from the risk analysis, which should identify vulnerabilities related to the resources used and the resulting threats, and then determine adequate security measures. An incorrect assessment of the risk level makes it impossible to apply appropriate security measures for a given resource and increases the likelihood of its occurrence. The result of the above was the loss of control over the personal data of the person whose data was on the lost external data carrier.

It should be noted that Regulation 2016/679 introduced an approach in which risk management is the foundation of activities related to the protection of personal data. Risk management is a continuous process that forces the data controller not only to ensure compliance with the provisions of Regulation 2016/679 through a one-time implementation of organizational and technical security measures, but also to ensure continuous monitoring of the level of threats and ensure accountability in terms of the level and adequacy of the introduced security measures. Therefore, it is necessary to prove to the supervisory authority that the solutions implemented to ensure the security of personal data are adequate to the level of risk and take into account the nature of the organization and the personal data processing mechanisms used. Therefore, the administrator himself must conduct a detailed analysis of the data processing processes and perform a risk assessment, and then apply measures and procedures that will be adequate to the assessed risk. The consequence of this approach is the need to independently select security measures based on threat analysis. Administrators are not provided with specific security measures and procedures. It is the responsibility of the Administrator to conduct a detailed analysis of the data processing processes carried out and to assess the risk, who then, based on such analysis, should apply measures and procedures that will be adequate to the assessed risk.

Therefore, a properly conducted risk assessment provides the controller with the opportunity to determine and implement technical and organizational measures that will eliminate or at least significantly reduce the established level of risk of materialization of identified threats to the personal data being processed. The risk assessment carried out by the administrator should be documented and justified by the actual situation at the time it was carried out. The main factors contributing to the correct assessment that should be taken into account when conducting the analysis are the characteristics of the processing processes taking place, assets, vulnerabilities, threats and current security measures. It should be remembered that factors such as the scope and nature of personal data processed by the administrator are also important when assessing the risk, as they determine any negative effects for a natural person in the event of a breach of the protection of his or her personal data.

Risk analysis presented by the Administrator in the form of a document titled: The "Register (...)" (date of execution: April 15, 2022) contains personal data processing activities in connection with the use of external data media. Analyzing the submitted document, it should be stated that among the threats mentioned, the Administrator did not indicate the possibility of an event involving the loss of an external data carrier (i.e. pendrive) by the employee to whom it was entrusted. The presented analysis indicates the threat of burglary and theft, but it should be noted that these are threats related to the active action of third parties aimed at removing things from the owner in order to misappropriate them, while according to the semantic meaning of the word "lose" it means leaving something behind. , somewhere unknowingly or inadvertently. Due to the above, it cannot be assumed that burglary and theft of a data medium are the same as its loss. To sum up, it should be assumed that the Administrator carried out the above-mentioned activities in an inadequate manner. analysis, thus not taking into account all possible risks related to the use of external data media by employees. Therefore, the Administrator refrained from conducting a risk analysis for the situation that resulted in the personal data protection breach reported to the President of the Personal Data Protection Office, which should be considered inconsistent with the above-mentioned provisions of Regulation 2016/679.  Meanwhile, as indicated by the Provincial Administrative Court in Warsaw in the judgment of May 13, 2021, ref. no. no. II SA/Wa 2129/20, "The data controller should therefore conduct a risk analysis and assess what threats he is dealing with."

It is also worth noting that the Administrator has provided technical security measures in the form of "(...)" for the identified threat of hacking and theft of equipment (including external data carriers), in order to eliminate or at least limit it. It should therefore be emphasized that the correct and effective use of this security measure would protect data processed using external data carriers against access by unauthorized persons, also in the event of loss of such a carrier. However, contrary to the risk analysis, the Administrator did not implement the adopted technical measure, i.e. did not implement cryptographic solutions to protect personal data processed using external business data carriers at the disposal of its employees.

It should also be mentioned here that the Administrator had an implemented procedure related to the use of external data media. "Instruction (...)", the last update of which was made on April 15, 2022 (in accordance with the document submitted by the Administrator). In point (...) it refers to the method, place and period of storage of electronic information media containing personal data, including external data carriers (pen drives). In the above-mentioned The chapter regulates, among others, the issue of forms of securing the above-mentioned. data carriers. In accordance with the rules introduced in Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa, quote: "(…) (…). Moreover, it is worth paying attention to points (...) and (...) of the document in question, according to which the quote "(...)" and "(...)". Despite the above provisions of the "Instruction (...)", the Administrator allowed the possibility of taking external data carriers outside its premises, but with the use of appropriate forms of security, quote: "If carriers containing data are taken outside the organization's area, they should be previously encrypted."

In the explanations submitted, the Administrator informed the supervisory authority that "in addition to the Instructions (...), it has prepared a separate instruction explaining how to encrypt files on a pendrive and what program to use for this purpose" and provided a link where you can read the above-mentioned information. instructions (prepared in the form of an instructional video). This instructional video explains how to encrypt the data files presented in the material using the program (...). Taking into account the form used by the Administrator (instructional video) of providing employees with key guidelines regarding the proper protection of external data carriers (pen drives), it is not possible to make a reliable assessment of it in terms of effectiveness and actually acquired knowledge and skills of employees in the discussed area (no follow-up verification activities familiarization of the Administrator's employees with the material).  

In the established factual situation, it should therefore be assumed that the Administrator has entrusted its employees with the implementation of security measures in the form of encryption of external data carriers (pen drives), and has not taken any actions in this respect aimed at applying appropriate technical measures to ensure the protection of this data, despite that in the conducted risk analysis for the threat of burglary and theft of equipment, which should be raised again, it provided for technical security in the form of the quote "(...)" and contrary to its obligations under Regulation 2016/679. It cannot be considered that introducing the obligation to encrypt external data carriers (pen drives) in the Administrator's internal document and providing employees using these carriers with a link to a video with instructions on encrypting them constitutes the proper implementation of these obligations, since ultimately the obligation to apply this specific security measure is technical nature rested with the employee. In this context, the judgment of the Provincial Administrative Court in Warsaw of February 15, 2022, ref. no. no. II SA/Wa 3309/21, in the justification of which it was emphasized that "The employee cannot replace the data controller in the implementation of his tasks arising from these provisions. Moreover, the employee may not have appropriate knowledge in this area, ignore the need to secure the medium (as was the case in this case) [...] or implement security measures that are inadequate to the scope and nature of the data and the risks occurring in this data processing process. The authority's conclusions are correct that such an organized process of defining and implementing security measures for processed personal data actually results in depriving the data controller of basic information necessary to properly conduct a risk analysis and, on this basis, build an effective data protection system necessary to continuously ensure data confidentiality, in accordance with with the requirement resulting in particular from Art. 32 section 1 letter b of Regulation 2016/679. He will not have knowledge as to what security measures exist in his organization, to what extent and in the case of which threats they will be effective, and he will be deprived of information and the ability to react to the implementation of security measures that are inadequate to the threats."

At this point, you should also refer to the Administrator's position regarding the potential location of the data carrier (pendrive) in question. According to the information provided in letters dated August 11 and November 7, 2023, "the pendrive in question was lost not in a public place, but on the premises of the workplace, in a part to which only the administrator's employees have access." The above statement of the Administrator results from the explanation provided by an employee who lost an external data carrier (pendrive). From the above the explanations attached to the Administrator's letter of November 7, 2023 show that the data carrier in question has not been found, quote: "When leaving home, I asked the Manager (...) and the Manager (...) while cleaning the restaurant to once again carefully check everything and search these the room, but they also found nothing. After a fruitless search, on July 19, 2023, I reported the loss of the pendrive to the coordinator. Due to the above, it cannot be ruled out not only that the data contained on the lost external data carrier (pen drive) could be accessed by an unauthorized person or persons, but also that it was taken outside the Administrator's organization. It should also be emphasized that even if it were assumed that the above-mentioned actually the medium was lost on the premises of the workplace, this does not change the assessment of the event in question. It contained personal data of the Administrator's employee that was not protected against access by unauthorized persons (e.g. by using an encryption mechanism), and therefore the risk of breaching the confidentiality of this data existed (and still exists) regardless of who (the Administrator's employee or an outsider) found or will find this data. carrier. It should be emphasized that not every employee of the Administrator is authorized to process personal data of other employees.

Therefore, it should be emphasized that examining the probability of a given event occurring should not be based solely on the frequency of occurrence of events in a given organization, because the fact that a given event did not occur in the past does not mean that it cannot occur in the future. In this context, it should be noted that the Provincial Administrative Court in Warsaw in its judgment of August 26, 2020, ref. no. no. II SA/Wa 2826/19, stated that "(...) activities of a technical and organizational nature are the responsibility of the personal data administrator, but cannot be selected in a completely free and voluntary manner, without taking into account the degree of risk and the nature of the protected personal data ". In the case in question - due to the failure to take into account the risk related to the loss of such a medium in the risk analysis carried out for personal data processing operations using external data carriers (pen drives) before the occurrence of the personal data protection breach, the Administrator did not specify (and, consequently, did not apply) appropriate security measures intended to reduce the risk of this threat materializing to an acceptable level. It should be emphasized that conducting a proper risk analysis before allowing the use of external data carriers (pen drives) by employees, and then monitoring the adopted security procedures, would minimize the risk of the personal data protection breach in question and would satisfy the accountability obligation imposed on the Administrator in Art. 5(1) 2 of Regulation 2016/679.

It should also be emphasized that new risks or threats may also materialize or be disclosed spontaneously, completely independently of the controller, and this is a fact that should also be taken into account both when designing the personal data protection system and during its implementation. . In connection with the above, the Administrator's obligation is to periodically carry out a risk analysis to verify whether there are any new threats to the personal data being processed, including using external data carriers (pen drives), and whether the security measures used so far are appropriate, i.e. whether they allow to eliminate them or at least reduce them to an acceptable level of risk.

The Administrator conducted another risk analysis after the personal data protection breach occurred, i.e. on August 1, 2023, in which it took into account the threats to the processing of personal data resulting from the loss of the external data carrier used for their processing. Moreover, in accordance with the declaration submitted in the letter of December 18, 2023, the Administrator has stopped using the above-mentioned. data media in your business.

Risk management (conducting risk analysis and implementing appropriate security measures on this basis) is one of the basic elements of the personal data protection system and is a continuous process. Therefore, both the adequacy and effectiveness of the applied safeguards should be periodically verified, in accordance with the requirement provided for in Art. 32 section 1 letter d) Regulation 2016/679. The data controller should therefore regularly test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of processing. It should be emphasized that testing, measurement and evaluation are recommended to meet the requirement arising from Art. 32 section 1 letter d) of Regulation 2016/679, must be carried out on a regular basis, which means conscious planning and organization, as well as documentation (in connection with the principle of accountability referred to in Article 5(2) of Regulation 2016/679) of this type of activities in specified time intervals, regardless of changes in the organization and course of data processing processes. As indicated by the Provincial Administrative Court in Warsaw in its judgment of June 6, 2023, ref. no. no. II SA/Wa 1939/22, "(...) the obligation to regularly test technical and organizational measures, securing the processing of personal data, to ensure a level of security corresponding to this risk, within the meaning of Art. 32 section 1 sentence preliminary GDPR, results directly from the wording of point d referred to in Art. 32 section 1, and the obligation to document activities in a given scope is established by the principle of accountability (Article 5(2) of the GDPR).” The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgment of June 21, 2023, ref. no. no. II SA/Wa 150/23, stating that "It should be emphasized that regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processing is the basic obligation of every controller and processor resulting from Art. 32(1)(a) d) GDPR. The administrator is therefore obliged to verify both the selection and the level of effectiveness of the technical measures used at each stage of processing. The comprehensiveness of this verification should be assessed in terms of adequacy to the risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing.

It should therefore be noted that the described testing, measurement and evaluation must apply not only to the introduced technical measures, but also to those of an organizational nature, including: procedures specifying the rules for the processing of personal data, including using external data carriers (pen drives). Action in this area consists primarily in reviewing them in terms of effectiveness, which includes not only checking whether a specific procedure is followed by employees, but also examining whether the implemented security measures actually contribute to reducing the risk. However, in the facts in question, it should be considered that the Administrator did not properly fulfill the obligation imposed on him to regularly test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of personal data processing. When analyzing the "List (...)" for 2022 submitted in the letter of August 11, 2023, prepared on March 7, 2022, it should be noted that the Administrator did not control compliance with the provisions regarding the use of external data carriers (i.e. pen drives). by employees specified in the "Instruction (...)". The only areas checked in relation to external data carriers were the areas described in point (...) quote "(...)", point (...) quote "(...)" and in point (...) quote "(...)". However, the "List (...)" for 2023 prepared on June 16, 2023 contains the same control points corresponding to points No. (...) and (...), respectively. An important change that was not included in the "Letter (...)" of March 7, 2022, but appeared in the document of June 16, 2023, is the statement that the quote "(...)" with a negative the answer and the information quoted "(...)" was indicated. It is worth noting here that in accordance with the provisions of point (...) of the "Instruction (...) quoted "(...)". above the facts therefore remain in opposition to the Administrator's declaration indicated in the letter of October 11, 2023, from which it should be concluded that the removal of data carriers outside the workplace did not take place, as "so far there has been no case of an employee submitting an application about the possibility of taking the pendrive outside the workplace, and the administrator did not grant such consent. Moreover, in the same letter, the Administrator informed that "there is a general prohibition on copying information containing any personal or confidential data concerning the administrator to a data carrier, as well as a general prohibition on taking data carriers containing personal or confidential data concerning the administrator outside the workplace." In connection with the above, it should be considered that the procedure related to the use of external data carriers (pen drives) indicated in the "Instruction (...)" was in no way enforced by the Administrator, because the personal data protection breach in question consisted in the loss of an external data carrier by an employee ( pendrive) which contained files with the employee's unencrypted personal data and encrypted financial data. The above also proves the ineffectiveness of this organizational security measure, since the ban on taking external data carriers (pen drives) outside the Administrator's organization without his consent was in practice violated by employees. This also determines the need to assume that the monitoring of compliance with procedures regarding the use of external data carriers (pen drives) by employees carried out in this way did not fulfill its function and, consequently, it cannot be considered as fulfilling the obligation specified in Art. 32 section 1 letter d) Regulation 2016/679.

It is also worth noting that the persons entrusted with external data carriers (pen drives) had appropriate authorization to process personal data and copy data to this particular carrier. Therefore, not all employees of the Administrator had access to employees' personal data. Due to the above, the group of people who should be subject to special control over compliance with the regulations was not large, which definitely made it easier for the Administrator to reliably comply with the requirement introduced in Art. 32 section 1 letter d) Regulation 2016/679. The administrator himself granted the appropriate authorizations to employees regarding the processing of personal data and their copying, thus he had knowledge about specific persons who should be subject to additional and more extensive supervision in the application of the adopted procedures related to the protection of personal data processed using external data carriers (pen drives). .

In the light of the findings made in the course of these proceedings, it should be noted that the Administrator did not apply technical and organizational measures to ensure the security of processed data, which resulted in a personal data protection breach reported to the President of the Personal Data Protection Office, and also did not regularly test, measure and evaluate the effectiveness of the applied security measures, violated Art. 5(1) 1 letter f) of Regulation 2016/679, reflected in the form of obligations specified in Art. 24 section 1, art. 25 section 1, art. 32 section 1 and art. 32 section 2. The consequence of violating Art. 5(1) 1 letter f) of Regulation 2016/679 is a violation of the principle of accountability expressed in Art. 5(1) 2 of Regulation 2016/679. As follows from the judgment of the Provincial Administrative Court in Warsaw of February 10, 2021, ref. no. no. II SA/Wa 2378/20, "The principle of accountability is based on the controller's legal responsibility for the proper fulfillment of obligations and imposes on him the obligation to demonstrate, both to the supervisory authority and to the data subject, evidence of compliance with all data processing principles." The issue of the principle of accountability is similarly interpreted by the Provincial Administrative Court in Warsaw in its judgment of August 26, 2020, ref. no. II SA/Wa 2826/19, "Taking into account all the standards of Regulation 2016/679, it should be emphasized that the administrator has considerable freedom in the scope of the security measures applied, but at the same time he is liable for violating the provisions on the protection of personal data. The principle of accountability clearly states that the data controller should demonstrate and therefore prove that it complies with the provisions set out in Art. 5(1) 1 of Regulation 2016/679”.

Taking into account the above irregularities, as well as the content of Art. 58 section 2 lit. d) of Regulation 2016/679, the President of the Personal Data Protection Office ordered the Administrator to adapt processing operations to the provisions of Regulation 2016/679 by implementing appropriate technical and organizational measures to ensure regular testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.

When assessing the circumstances of the personal data protection breach in question, it should be emphasized that when applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data and that the protection of natural persons with regard to the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators - not only in the event of a personal data breach, but also when developing technical and organizational security measures to prevent such breaches - these values should be taken into account in the first place.

Taking into account the above findings and the identified violations of the provisions of Regulation 2016/679, the President of the Personal Data Protection Office, using his powers specified in Art. 58 section 2 lit. i) Regulation 2016/679, according to which each supervisory authority has the power to apply, in addition to or instead of, other corrective measures provided for in Art. 58 section 2 lit. a)-h) and letters j) of this Regulation, an administrative fine under Art. 83 section 4 lit. a) and section 5 lit. a) of Regulation 2016/679, taking into account the circumstances established in the proceedings in question, stated that in the case under consideration there were premises justifying the imposition of an administrative fine on the Administrator.

Pursuant to Art. 83 section 4 lit. a) Regulation 2016/679, violation of the provisions regarding the obligations of the controller and processor referred to in Art. 8, 11, 25-39 and 42 and 43 are subject to paragraph. 2, an administrative fine of up to EUR 10,000,000, and in the case of an undertaking, up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher.

Pursuant to Art. 83 section 5 lit. a) Regulation 2016/679, violation of the provisions regarding the basic principles of processing, including the consent conditions referred to in Art. 5, 6, 7 and 9 are subject to paragraph. 2, an administrative fine of up to EUR 20,000,000, and in the case of an undertaking, up to 4% of its total annual worldwide turnover of the previous financial year, whichever is higher.

Art. 83 section 3 of Regulation 2016/679 states that if the controller or processor intentionally or unintentionally infringes, within the same or related processing operations, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount of the penalty for the most serious infringement.

In this case, an administrative fine was imposed on the Administrator for violating Art. 25 section 1 and art. 32 section 1 and 2 of Regulation 2016/679 pursuant to the above-mentioned Art. 83 section 4 lit. a) of Regulation 2016/679, while for violation of Art. 5(1) 1 letter f) and art. 5(1) 2 of Regulation 2016/679 - pursuant to Art. 83 section 5 lit. (a) of this Regulation. At the same time, an administrative fine in the amount of PLN 238,345 (in words: two hundred thirty-eight thousand three hundred forty-five) imposed on the Administrator in total for violating all the above provisions - pursuant to Art. 83 section 3 of Regulation 2016/679 - does not exceed the amount of the penalty for the most serious violation found in this case, i.e. violation of Art. 5(1) 1 letter f) and art. 5(1) 2 of Regulation 2016/679, which, pursuant to Art. 83 section 5 lit. a) of Regulation 2016/679 is subject to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover from the previous financial year.

When deciding on the imposition of an administrative fine, the President of the Personal Data Protection Office - pursuant to Art. 83 section 2 lit. a) - k) of Regulation 2016/679 - took into account the following circumstances of the case, constituting the need to apply this type of sanctions in this case and having an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679). Ascertained in this case, the violation of personal data protection regulations, which resulted in (and still is) the possibility of obtaining unauthorized access to data located on an unsecured external data carrier (pendrive) by an unauthorized person or persons (violation of the principle of confidentiality), is of significant importance and serious nature , poses a high risk of negative consequences for the data subject. Infringement by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa, the obligation to apply measures securing the processed data against disclosure to unauthorized persons, entails not only the potential, but also the real possibility of using these data by third parties without the knowledge and against the will of the data subject, contrary to the provisions of the regulation 2016/679. Moreover, until this decision is issued, the lost external data medium has not been found, so an unauthorized person or persons may still have access to personal data contained on this medium. As indicated by the District Court in Warsaw in its judgment of August 6, 2020, ref. no. file XXV C 2596/19, fear, and therefore the loss of safety constitutes real non-pecuniary damage involving the obligation to repair it. In turn, the Court of Justice of the EU, in its ruling of December 14, 2023 in Natsionalna agentia za prihodite (C-340/21), emphasized that "Art. 82 section 1 GDPR must be interpreted as meaning that the data subject's fear of possible misuse of personal data by third parties as a result of a breach of that regulation may in itself constitute "non-pecuniary damage" within the meaning of that provision. .

It is also worth emphasizing the long duration of the violation of personal data protection provisions, i.e. from April 15, 2022, when the Administrator carried out an incorrect risk analysis, as shown above, and as a result did not apply appropriate security measures to ensure data protection. personal data processed using external data carriers (pen drives), until December 18, 2023, i.e. the date of preparation of the letter in which the Administrator informed about the discontinuation of the use of external data carriers (pen drives) in his organization.

In the present case, the breach concerned the personal data of only one person. This number of people affected by the violation should be considered small, which undoubtedly favors the Administrator, but it did not change the overall assessment, i.e. the recognition of the premises of Art. 83 section 2 lit. a) of Regulation 2016/679 as incriminating.

2. The unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679). The loss of control over the personal data of the person whose data is located on a lost external data carrier (pen drive) became possible as a result of Res. -Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa is obliged to apply appropriate security measures to ensure the protection of this data. In the opinion of the supervisory authority, this constitutes an unintentional breach resulting from the negligence of the Administrator, who incorrectly conducted a risk analysis for data processing operations using such media, as it did not cover the threat causing the personal data protection breach. In addition, the Administrator had an implemented procedure regarding the method, place and period of storing electronic information media containing personal data, specified in the document entitled "Instruction (...)", but it was not effectively enforced, and the Administrator's employees did not comply with its provisions regulating the actions to be taken to ensure the security of data processed on an external data carrier (pen drive). In the field of file encryption, the administrator also created a separate instruction in the form of an instructional video, which explained (...) "how to encrypt files on a pendrive and what program to use for this purpose." After analyzing this measure in the form of instructional material available at the link provided by the Administrator, the authority concluded that it is not possible to make a reliable assessment of it in terms of effectiveness and actually acquired knowledge and skills of employees in the discussed area due to the lack of follow-up activities to check that the Administrator's employees are familiar with the material. To sum up the above, it should be assumed that the Administrator has entrusted its employees with the implementation of security measures in the form of encryption of external data carriers (pen drives), and has not taken any actions in this respect aimed at applying appropriate technical measures to ensure the protection of data contained on such carriers. . This calls into question the effectiveness of the Administrator's activities monitoring employees' compliance with the introduced procedures and conducting training for employees in the field of personal data protection.

3. Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679). Personal data located on a lost external data carrier (pen drive), i.e. name and surname, residential address, citizenship, gender, date of birth, place of birth, PESEL number, passport series and number, telephone number, e-mail address, image (photo) and data on earnings do not include data subject to special protection under Art. 9(1) 1 and art. 10 of Regulation 2016/679. PESEL registration number, i.e. an eleven-digit numerical symbol that uniquely identifies a natural person, including, among others: date of birth and is also subject, as a national identification number, to exceptional protection under Art. 87 of Regulation 2016/679, is data of a special nature and requires special protection.

 In this context, it is worth recalling the European Data Protection Board (EDPB) Guidelines No. 04/2022 on the calculation of administrative fines under the GDPR adopted on May 24, 2023 (hereinafter referred to as: "Guidelines 04/2022"), which indicate: " Regarding the requirement to take into account the categories of personal data affected by the breach (Article 83(2)(g) [Regulation 2016/679]), [Regulation 2016/679] clearly indicates the types of data that are subject to special protection and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Art. 9 and 10 [Regulation 2016/679] and data not covered by these articles, the dissemination of which immediately causes harm or inconvenience to the data subject (e.g. location data, private communications data, national identification numbers or financial data, such as statements transactions or credit card numbers). Generally speaking, the more such categories of data are affected by a breach or the more sensitive the data are, the more weight a supervisory authority can assign to such a factor. The amount of data relating to each data subject is also important, the scale of violations of the right to privacy and personal data protection is increasing.

When deciding to impose an administrative fine, the President of the Personal Data Protection Office took into account the following circumstances of the case, which had a mitigating effect on the amount of the administrative fine imposed:

1. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa properly fulfilled the administrator's procedural obligations during the administrative proceedings ending with the issuance of this decision. It is also worth pointing out that the data subject was notified of the breach in a manner consistent with the requirements of Art. 34 of Regulation 2016/679. The administrator also took specific actions that resulted in employees ceasing to use external data carriers (pen drives), thus eliminating the possibility of a similar personal data protection breach occurring in the future. In addition, the Administrator also carried out a new risk analysis after the personal data protection breach occurred, i.e. on August 1, 2023, in which he took into account the threats to the processing of personal data resulting from the loss of the external data carrier used for their processing.

2. Actions taken to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679). On July 21, 2023, the Controller provided the data subject with a correct notice of the data breach together with a registered letter. with an indication of how he can protect his personal data against further use and purchased the above-mentioned BIK report containing detailed credit history of this entity, in accordance with the Administrator's declaration expressed in the letter of October 11, 2023, quoting (...) "Gastro M. Gaweł Sp. k. purchased a BIK report for the data subject [...], as proof of which I am enclosing confirmation of sending the application by post on August 10, 2023 and confirmation of the transfer for the BIK report.

Other circumstances indicated below, referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the Personal Data Protection Office to be neutral in his opinion, i.e. having neither an aggravating nor mitigating effect on the amount of the administrative fine imposed.

1. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 (Article 83(2)(d) of Regulation 2016/679). In this case, the President of the Personal Data Protection Office found a violation by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa, provisions of Art. 25 section 1 and art. 32 section 1 and 2 of Regulation 2016/679. In his opinion, the controller is highly responsible for failing to implement appropriate technical and organizational measures that would prevent a breach of personal data protection. It is obvious that in the considered context of the nature, purpose and scope of personal data processing, the Administrator did not "do everything that could be expected of him"; thus, it did not comply with the provisions of Art. 25 and 32 of Regulation 2016/679 obligations.

In the present case, however, this circumstance constitutes the essence of the infringement itself; it is not just a factor that influences - mitigating or aggravating - his assessment. For this reason, the lack of appropriate technical and organizational measures referred to in Art. 25 and art. 32 of Regulation 2016/679, cannot be considered by the President of the Personal Data Protection Office in this case as a circumstance that may additionally result in a more severe assessment of the violation and the amount of the administrative fine imposed on the Administrator.

2. Any relevant previous violations on the part of the administrator (Article 83(2)(e) of Regulation 2016/679). The President of the Personal Data Protection Office did not find any previous violations of personal data protection provisions on the part of the Company, therefore there are no grounds for treating this circumstance as an aggravating one. It is the duty of every administrator to comply with the law, therefore the lack of previous violations cannot be a mitigating factor when imposing sanctions.

3. The manner in which the supervisory authority learned about the breach (Article 83(2)(h) of Regulation 2016/679). The President of the Personal Data Protection Office found the breach as a result of reporting a personal data protection breach made by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa. By making this notification, the Administrator fulfilled his legal obligation, therefore there are no grounds to consider that this circumstance constitutes a mitigating circumstance. According to the Guidelines on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 (Wp. 253), "The supervisory authority may become aware of the infringement as a result of proceedings, complaints, press articles, anonymous tips or notification by the data controller. Pursuant to the regulation, the administrator is obliged to notify the supervisory authority about a personal data protection breach. The mere fulfillment of this obligation by the controller cannot be interpreted as a weakening/mitigating factor.” Similarly, the EDPB in Guidelines 04/2022 indicates that "when the controller is subject to specific obligations regarding reporting of breaches (e.g. the obligation to report a personal data protection breach specified in Article 33 of the GDPR). In such cases, the fact of reporting should be considered a neutral circumstance.

4. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679). Before issuing this decision, the President of the Personal Data Protection Office did not apply any measures listed in Art. to the controller in the case under consideration. 58 section 2 of Regulation 2016/679, therefore the administrator was not obliged to take any actions related to their application, and these actions, assessed by the President of the Personal Data Protection Office, could have an aggravating or mitigating effect on the assessment of the identified violation.

5. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679).Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa does not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. However, the adoption and use of this type of instruments as measures guaranteeing a higher than standard level of protection of processed personal data could be taken into account to the Administrator's advantage.

6. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly in connection with the breach or avoided losses (Article 83(2)(k) of Regulation 2016/679). The President of the Personal Data Protection Office did not state that that the controller derives any financial benefits or avoids such losses in connection with the breach. Therefore, there are no grounds to treat this circumstance as aggravating the administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state, independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. The same wording of the provision of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - obtained on the part of the entity committing the infringement.

The President of the Personal Data Protection Office, comprehensively considering the case, did not note any circumstances other than those described above that may affect the assessment of the violation and the amount of the administrative fine imposed, which should be included in the consideration of the premises of Art. 83 section 2 lit. k) Regulation 2016/679.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the circumstances of this case fulfills the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it will be effective, proportionate and dissuasive in this individual case. According to the President of the Personal Data Protection Office, the imposed on Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa, the administrative fine will be effective because it will lead to a situation in which Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa will use such technical and organizational measures that will ensure a level of security for the processed data corresponding to the risk of violating the rights or freedoms of data subjects and the gravity of the threats accompanying the processing of these personal data. The effectiveness of the administrative fine is therefore equivalent to a guarantee that Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa, from the moment of completion of these proceedings, will approach the requirements set out in the provisions on the protection of personal data with the utmost care.

The administrative fine applied is also proportional to the detected violation, in particular its gravity, effect, the number of natural persons affected and the very high risk of negative consequences they suffer as a result of the violation. The amount of the penalty was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of violation of the administrator's obligations, but on the other hand, it does not cause a situation in which the need to pay it will result in negative consequences, in the form of a significant deterioration of the financial situation of the Administrator. . According to the President of the Personal Data Protection Office, Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa should and is able to bear the consequences of its negligence in the field of data protection, hence the imposition of an administrative fine in the amount of PLN 238,345 (in words: two hundred thirty-eight thousand three hundred forty-five) is fully justified.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the amount of PLN 238,345 (in words: two hundred thirty-eight thousand three hundred forty-five) meets the conditions referred to in Art. 83 section 1 of Regulation 2016/679 due to the seriousness of the identified violation in the context of the fundamental objective of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data.

Referring to the amount of the administrative fine imposed on the Administrator, the President of the Personal Data Protection Office found that it is proportional to the financial situation of the Administrator and will not constitute an excessive burden for him. The financial report submitted by the Administrator on October 30, 2023 shows that net sales revenues as at the end of the 2022 financial year amounted to PLN (...) and therefore the amount of the administrative fine imposed in this case is approximately 0.21 % above amounts. At the same time, it is worth emphasizing that the amount of the imposed penalty of PLN 238,345 is only 0.27% of the maximum amount of the penalty that the President of the Personal Data Protection Office could - applying in accordance with Art. 83 section 5 of Regulation 2016/679, a static maximum penalty (i.e. EUR 20,000,000) - imposed on the Administrator for the violation of the provisions of Regulation 2016/679 found in this case.

In the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function in these specific circumstances, as it will be a response to the violation by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa, the provisions of Regulation 2016/679, but also preventive, because it will contribute to preventing future violations by Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa obligations arising from the provisions on the protection of personal data.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the circumstances of this case meets the conditions referred to in Art. 83 section 1 of Regulation 2016/679, due to the importance of the identified violations in the context of the basic requirements and principles of Regulation 2016/679 - especially the principle of confidentiality and integrity expressed in Art. 5(1) 1 letter f) Regulation 2016/679 and the principle of accountability referred to in Art. 5(1) 2 of Regulation 2016/679.

The purpose of the imposed penalty is to ensure that the Company complies with the provisions of Regulation 2016/679 in the future.

Finally, it is necessary to point out that when determining the amount of the administrative fine in this case, the President of the Personal Data Protection Office applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with the guidelines presented in this document:

1. The President of the Personal Data Protection Office categorized the violations of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The provisions of Regulation 2016/679 violated by the Company include the provisions of Art. 5(1) 1 letter f) and art. 5(1) 2 of Regulation 2016/679 specifying the basic principles of processing. Violations of these provisions include – in accordance with Art. 83 section 5 lit. a) of Regulation 2016/679 - to the category of infringements punishable by the higher of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 20,000,000 or up to 4% of the enterprise's total annual turnover from the previous financial year). Therefore, in abstracto, they are more serious than other violations (indicated in Article 83(4) of Regulation 2016/679). 

2. The President of the Personal Data Protection Office assessed the violations found in this case (in particular violations of the basic principles of processing) as violations of medium seriousness (see Chapter 4.2 of Guidelines 04/2022). As part of this assessment, the following conditions were taken into account, among those listed in Art. 83 section 2 of Regulation 2016/679, which concern the subject matter of the infringements (constituting the "seriousness" of the infringement), i.e.: the nature, gravity and duration of the infringements (Article 83(2)(a) of Regulation 2016/679), intentional or unintentional nature of the breaches (Article 83(2)(b) of Regulation 2016/679) and the categories of personal data affected by the breaches (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. It should be noted here that considering their total impact on the assessment of the violation found in this case, treated as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is medium. The consequence of this is that - as the starting amount for calculating the penalty - a value ranging from 10% to 20% of the maximum amount of penalty that can be imposed on the Company, i.e. - taking into account the limit specified in Art. 83 section 5 of Regulation 2016/679 - from the amount of EUR 2,000,000 to the amount of EUR 4,000,000 (see Subchapter 4.2.4 of Guidelines 04/2022). The President of the Personal Data Protection Office considered EUR 2,400,000.00 (equivalent to PLN 10,481,280) to be an adequate starting amount, justified by the circumstances of this case.

3. The President of the Personal Data Protection Office adjusted the starting amount corresponding to the average seriousness of the detected infringement to the Company's turnover, as a measure of its economic strength (see Chapter 4.3 of the Guidelines 04/2022). In accordance with the Guidelines 04/2022, in the case of enterprises with an annual turnover of 10-50 million EUR, the supervisory authority may consider further calculation of the penalty amount based on a value ranging from 1.5% to 10% of the starting amount. Considering that the Company's turnover in 2022 amounted to (...) PLN, i.e. (...) EUR (according to the average exchange rate of January 30, 2024), the President of the Personal Data Protection Office found it appropriate to adjust the amount of the penalty to be calculated to the value corresponding to 5% of the starting amount, i.e. EUR 120,000.00 (equivalent to PLN 523,836).

4. The President of the Personal Data Protection Office assessed the impact of the other circumstances specified in Art. 83 section 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer - as assumed by Guidelines 04/2022 - to the subjective side of the infringement, i.e. to the entity itself that is the perpetrator of the infringement and to its behavior before, during and after the infringement. . A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement is presented above. The President of the Personal Data Protection Office found that the mitigating circumstances in this case are the degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679) and the actions taken to minimize the damage suffered. by data subjects (Article 83(2)(c) of Regulation 2016/679). The remaining premises (from Article 83(2)(d), e), h), i), j), k) of Regulation 2016/679) - as indicated above - had no impact, neither mitigating nor aggravating, on the assessment violations and, consequently, the penalty. Due to the existence of two mitigating circumstances in the case, it is justified to further reduce the amount of the penalty determined taking into account the Company's turnover (point 3 above); adequate to the impact of these premises on the assessment of the violation, in the opinion of the President of the Personal Data Protection Office, is its reduction by 35% - to the amount of EUR 78,000.00 (equivalent to PLN 340,493.40).

5. The President of the Personal Data Protection Office stated that the amount of the administrative fine determined in the manner presented above does not exceed - pursuant to Art. 83 section 3 of Regulation 2016/679 - the legally defined maximum penalty for the most serious violation (see Chapter 6 of Guidelines 04/2022). As indicated above, the most serious violation in this case is a violation of Art. 5(1) 1 letter f) and art. 5(1) 2 of Regulation 2016/679, punishable by an administrative fine of up to EUR 20,000,000, and in the case of an undertaking - up to 4% of its total annual worldwide turnover from the previous financial year, whichever is higher. The President of the Personal Data Protection Office determined that the "dynamic maximum amount" for this infringement and for this infringer expressed as a percentage (4%) of its turnover would amount to EUR 1,033,069.23, therefore the "static maximum amount" should be applied in the present case - as a higher one "maximum amount" of EUR 20,000,000 for the infringement at issue. The amount of EUR 78,000.00 indicated above clearly does not exceed EUR 20,000,000.

6. Despite the fact that the amount of the penalty determined in accordance with the above principles does not exceed the legally defined maximum penalty, the President of the Personal Data Protection Office found that it requires additional correction due to the principle of proportionality mentioned in Art. 83 section 1 of Regulation 2016/679 as one of the three sentencing directives (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a financial penalty equivalent to EUR 78,000.00 would be an effective penalty (due to its severity, it would allow achieving its repressive goal, which is to punish illegal behavior) and deterrent (effectively discouraging both the Company and other administrators from committing violations of the provisions of the Regulation in the future 2016/679). However, such a penalty would be - in the opinion of the President of the Personal Data Protection Office - disproportionate due to its excessive severity. The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve legitimate goals (see point 137 and point 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 […] ; Comment on Article 83 [in] P. Litwiński (ed.) General Data Protection Regulation. Selected sectoral regulations. Therefore, taking into account the proportionality of the penalty, the President of the Personal Data Protection Office further reduced the amount of the penalty - to 70% of the amount obtained after taking into account aggravating and mitigating circumstances (see point 4 above), i.e. to the amount of EUR 54,600.00 (equivalent to PLN 238,345). In his opinion, such determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is the threshold above which a further increase in the amount of the penalty will not result in an increase in its effectiveness and deterrent nature. On the other hand, reducing the fine to a greater extent could be at the expense of its effectiveness and dissuasive nature, as well as the consistent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities in the EU and EEA internal market.

Pursuant to the content of Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in Art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28 each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the next exchange rate table of the National Bank of Poland after this date.

Taking the above into account, the President of the Personal Data Protection Office, pursuant to Art. 83 section 4 lit. a) and art. 83 section 5 lit. a) in connection with Art. 83 section 3 of Regulation 2016/679 and in connection with Art. 103 of the Act of May 10, 2018 on the protection of personal data, for the violation described in the operative part of this decision, imposed on Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa - using the average euro exchange rate of January 29, 2024 (EUR 1 = PLN 4.3653) - an administrative fine in the amount of PLN 238,345 (equivalent to EUR 54,600).

The purpose of the imposed administrative fine is to ensure that Res-Gastro M. Gaweł Sp. k. with its registered office in Kolbuszowa in the future provisions of Regulation 2016/679, and consequently to conduct data processing processes in accordance with applicable law.

In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.