UODO (Poland) - DKN.5131.1.2024

From GDPRhub

Latest revision as of 11:57, 17 September 2024

UODO - DKN.5131.1.2024
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 4(12) GDPR
Article 34 GDPR
Article 171 para 5 of the Banking law (Prawo bankowe)
Type: Investigation
Outcome: Violation Found
Started:
Decided: 20.08.2024
Published:
Fine: 4,053,173 PLN
Parties: mBank
National Case Number/Name: DKN.5131.1.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: wp

The DPA fined a bank PLN 4,053,173 (€928,498.06) and ordered it to notify data subjects of a data breach in accordance with Article 34 GDPR after personal data was erroneously transmitted to another bank.

English Summary

Facts

mBank (the controller) entrusted a third party to perform processing activities on its behalf (a processor). An employee of the processor erroneously sent documents belonging to the controller’s clients to another bank. The documents contained the following personal data: name, surname, national identification number (PESEL), financial data (clients’ assets), account number and ID card number.

According to the controller, the other bank sent back all the documents. The documents’ integrity was not affected, yet it was probable that the other bank’s employees had read them. As the documents’ confidentiality was violated, a data breach under Article 4(12) GDPR occurred. Nevertheless, the controller was of the opinion that the risk posed by the breach was minimised by statutory bank secrecy. Because of that, the controller did not see a reason to notify the data subjects in accordance with Article 34 GDPR.

However, the controller notified the Polish DPA (UODO) about the data breach.

During the following proceedings, the DPA requested the controller to notify the data subjects involved about the breach under Article 34 GDPR. The controller asked the DPA to reconsider its request. The controller emphasised that the documents were shared with the other bank, the controller’s business partner, which should be treated as “a trusted party”. That was because the other bank, together with the controller, was part of the banking sector in Poland. As such, both the controller and the other bank pursue a highly regulated business activity, in particular in the field of data protection and cybersecurity. For this reason, the breach did not pose “a significant risk of negative consequences for the data subjects”. In addition, the other bank’s employees made a statement confirming that they did not possess copies of the documents and were unable to identify the data subjects. Moreover, the other bank’s employees were aware of the duties associated with bank secrecy, as well as the liability for its breach under Article 171 para 5 of the Banking law (Prawo bankowe).

Holding

The DPA found the controller violated Article 34 GDPR.

The controller correctly identified the incident as a data breach under Article 4(12) GDPR. However, the controller failed to assess the risk of the data breach correctly. Due to the character of the data disclosed, the breach posed a high risk to the rights and freedoms of the data subjects, including identity theft or banking fraud.

Although the data was shared erroneously with another bank, the status of the recipient as a bank did not automatically mean it was “a trusted party”. Bank secrecy and the statements of the other bank’s employees were not a sufficient safeguard against future misuse of the data. The DPA stressed that there was no formal relationship between the controller and the other bank, nor were there internal procedures implemented to handle incidents of that kind. The controller also did not demonstrate any knowledge of the other bank’s data protection safeguards, in particular its implemented policies. Hence, the controller had no means to enforce the statements in practice, and consequently no safeguards to minimise the risk posed by the data breach.

Furthermore, the controller failed to reassess the risk of the data breach, as requested by the DPA. For the DPA, conduct of that kind meant the controller disregarded its duties, especially the duty to protect the data subjects.

The DPA fined the controller PLN 4,053,173 (€928,498.06) and ordered it to notify the data subjects involved about the data breach and its consequences, in line with Article 34 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Based on Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2024, item 572), Article 7 par. 1 and 2 and Article 60, Article 101 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), as well as Article 57 par. 1 letters a) and h), Article 58 par. 2 letters e) and i), Article 83 par. 1 and 2, Article 83 par. 4 letter a) in conjunction with Article 34 par. 1, 2 and 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.05.2016, p. 1, OJ EU L 127, 23.05.2018, p. 2 and OJ EU L 74, 4.03.2021, p. 35), hereinafter referred to as Regulation 2016/679, after conducting ex officio administrative proceedings regarding the infringement of personal data protection provisions by X. S.A. (…), the President of the Personal Data Protection Office,

finding that X. S.A. (…) has violated the provisions of art. 34 sec. 1 and 2 of Regulation 2016/679, consisting in failing to notify the data subjects of the breach of personal data protection without undue delay,

1) imposes on X. S.A. (…) an administrative fine in the amount of PLN 4,053,173 (in words: four million fifty-three thousand one hundred seventy-three zlotys),

2) orders X. S.A. (…) to notify, within 7 days from the date of delivery of this decision, the persons whose personal data were disclosed to an unauthorized recipient as a result of the personal data protection breach reported to the President of the Personal Data Protection Office on 7 July 2022, in order to provide them with the information required in accordance with art. 34 sec. 2 of Regulation 2016/679, i.e.:
a) a description of the nature of the personal data breach;
b) the name and contact details of the data protection officer or another contact point from which more information can be obtained;
c) a description of the possible consequences of the personal data breach;
d) a description of the measures taken or proposed by the controller to remedy the breach – including measures to minimize its possible negative effects.

Justification

X. S.A. (...), hereinafter referred to as the "Bank" or "Administrator", on July 8, 2022, reported to the President of the Personal Data Protection Office, hereinafter also referred to as the "President of the Personal Data Protection Office" or "supervisory authority", a personal data breach that occurred on June 30, 2022.

In the "Report of a personal data breach" form, the Controller indicated that on July 7, 2022, it received information from Z. Sp. z o. o. (the entity processing personal data on behalf of the Administrator) that an employee of the processing entity "(...) incorrectly sent bank documents of the Bank's clients to another bank. The documents were eventually returned in their entirety to X. It is probable that employees of another bank have read them. However, the risk of a significant risk of violating the rights and freedoms of our clients is minimized by the obligation to apply bank secrecy to all information that the bank's employees become familiar with. Therefore, we did not decide to notify our clients of this event (...)".

The Administrator indicated that the cause of the breach was an external unintentional action. The nature of the breach was also determined - the Bank indicated that there was a breach of data confidentiality. The Administrator determined that the approximate number of persons affected by the breach is (...), and the categories of personal data that were breached include: surnames and first names, parents' first names, date of birth, bank account number, address of residence or stay, PESEL registration number, data on earnings and/or assets held, mother's maiden name, series and number of ID card, other (information on credit and real estate). In the content of the breach report, the Administrator specified the category of persons affected by the breach, indicating that it includes customers.

The President of the UODO conducted explanatory proceedings on the reported breach (registered under reference number: […]), and then on 9 January 2024 initiated ex officio administrative proceedings regarding the possibility of the Bank, as the data controller, violating the obligations arising from the provisions of Article 34 paragraphs 1 and 2 of Regulation 2016/679.

The President of the UODO, as a result of the explanatory proceedings conducted in the matter of the reported breach of personal data protection and the administrative proceedings, established the following factual circumstances.

I. The President of the UODO, acting on the basis of art. 52 sec. 1 of the Act of 10 May 2018 on the protection of personal data (hereinafter referred to as the Act) and art. 34 sec. 4 of Regulation 2016/679, by the motion of 12 July 2022 requested the Controller to take actions aimed at: 1) immediately notifying data subjects of the breach of their personal data protection, 2) providing these persons with recommendations on minimizing the potential negative effects of the breach, 3) eliminating similar irregularities in the future. In the content of the aforementioned application, the President of the UODO requested the Bank to inform the supervisory authority within 30 days from the date of receipt of this application about the performance of the actions indicated in its content.

II. In response to the above application, the Bank did not notify the persons whose data was breached, indicating in a letter dated 21 July 2022 that the entity to which the documents containing personal data were incorrectly sent in the opinion of the Bank is a trusted entity. The Administrator stated that "(...) analyzed the notification of the processing entity regarding the incorrectly sent bank client documents to an unauthorized recipient. In particular, we focused on assessing the entity that received the bank documentation as an unauthorized entity. This unauthorized entity that received the client documents was another bank with which we cooperate (...) As part of the actions taken to explain this event, we received without undue delay a complete set of incorrectly sent bank documentation. We also have statements from employees of another bank that they do not have copies of the documents received in error and are unable to identify the persons to whom they concerned. At the same time, these persons confirmed that they are aware of the consequences of processing personal data without a legal basis. Therefore, taking into account the above explanations, I ask you to re-verify the validity of notifying the injured person of this event. It seems that the risk of negative consequences of violating their rights and freedoms is not significant precisely because of the recipient of the incorrectly sent documents, which is another bank, i.e. a trusted entity (...)".

III. In connection with the position of the Administrator expressed in the above-mentioned letter, the President of the UODO requested additional explanations. In response to the request of the supervisory authority, in a letter dated August 12, 2022, the Administrator indicated that "(...) The Bank did not conclude an agreement in the strict sense with another bank - a trusted entity, to which the notification relates, in the scope of personal data protection, because there is no such need. Banks are bound by agreements concluded between themselves for the purposes of the functioning of the banking system. Banks are trust institutions and co-create a sector regulated by numerous legal provisions (...)".

The President of the UODO asked the Bank to answer the question: how long the administrator has been cooperating with the incorrect recipient, who was recognized as a trusted recipient; how this cooperation proceeded, in particular in terms of personal data protection. In the aforementioned letter, the Administrator explained that "(...) Banks that have received a license to conduct banking activities from the Polish Financial Supervision Authority [KNF] cooperate with each other. In connection with this, the bank cooperates with another bank, which is the subject of the notification, from the moment of establishing relations related to the need to ensure the functioning of the banking sector. The cooperation is manifested in various areas, e.g. cooperation in the field of counteracting banking crime or cybercrime. Both banks operate within the Polish Bank Association and on the forum develop [together with other members] standards of operation of entities in the banking sector. In the area of personal data protection, representatives of both banks operate within two Groups established in the Polish Bank Association (...). The cooperation is permanent and meetings are held regularly. They concern, among other things, the implementation of GDPR in banks and the exchange of experiences. I consider the cooperation with another bank – a trusted entity – as exemplary. In addition, our banks respect the Principles (...) adopted by banks, with chapters including the Principles (...) or Principles (...). The banks [including ours] have also adopted the Principles (...) [of the Polish Financial Supervision Authority] (...)".

The President of the UODO asked the Administrator to indicate whether the unauthorized recipient has developed standards for the protection of personal data. In this respect, the bank explained that "(...) another bank – a trusted entity, has standards and applicable regulations for the protection of personal data. Information on this subject is also available on the website of this other bank (...)".

In addition, in a letter dated August 12, 2022, the Bank stated that: "(...) it is in constant contact with another bank - a trusted entity. The bank trusts another bank, which has not read the documents and complied with the order to return them to the bank. This means that the effects of this breach will not be serious. Another bank - a trusted entity is part of the banking sector, which is one of the most regulated sectors. Among other things, with this trusted entity, we create a banking system that is subject to the supervision of the Polish Financial Supervision Authority. We are also subject to the Cybersecurity Act. The Polish Financial Supervision Authority did not issue a warning against this bank, so we consider that the second bank meets the conditions specified in the banking law or the Polish Financial Supervision Authority's recommendations (including those regarding information security). In doctrine and case law, banks are treated as institutions of public trust and therefore as trusted entities. Risk management systems and internal control systems are implemented in banks. This is in accordance with the provisions of the law, including the Banking Law, and the recommendations of the Polish Financial Supervision Authority. Additionally, pursuant to Article 104 of the Banking Law, all bank employees are obliged to maintain bank secrecy. In accordance with Article 171 section 5 of the Banking Law, disclosing or using information constituting bank secrecy, contrary to the authorization specified in the Act, is punishable by a fine of up to PLN 1,000,000 and imprisonment for up to 3 years. Bank employees are aware of this obligation and the related criminal sanctions for its violation (...)".

IV. On September 14, 2022, the Administrator was asked (via email) to provide information on what the Administrator understands by the indication in the explanations of August 12, 2022, quote: "The bank trusts another bank, which has not read the documents" and whether the correspondence was returned to the administrator intact or showed signs of being opened.

The Administrator explained that "(...) employees of another bank, who mistakenly received the shipment intended for X, opened it as standard, and only after opening it did they realize that the contents were not intended for them, i.e. another bank. There was no other way to determine the mistaken identity of the correct recipient of this shipment. This means that the employees of the other bank did not read all of this documentation. According to information from Z. S.A., their shipments are packed in plain white envelopes without a logo with an attached format indicating who the shipment is for – bank, customer name, contents of the shipment. A collective shipment going out to a specific bank contains several envelopes. The collective shipment is labeled with information about the type of documents being sent and the customer name. Collective shipments are packed in courier company foil bags with a label affixed (…) immediately after determining that the shipment was not intended for another bank, the other bank notified Z. of this fact and sent the secured shipment to our bank. At the same time, employees who had access to the shipment signed declarations that they did not have copies of these documents and were unable to identify the persons whose data were contained in these documents. They also declared that they were aware of the consequences of processing personal data without a legal basis (…)”. The supervisory authority assessed the evidence in terms of its credibility and probative value. The President of the Personal Data Protection Office considered the evidence submitted by the Administrator to be credible. This is supported by the fact that the Bank's explanations are logical, consistent and correlate with the entire evidence and confirmed by a number of documents provided by the Administrator.

In this factual situation, after reviewing all the evidence collected in the case, the President of the Personal Data Protection Office considered the following:

Pursuant to art. 34 sec. 1 of Regulation 2016/679, if a personal data breach may result in a high risk of violating the rights or freedoms of natural persons, the controller shall notify the data subject of such a breach without undue delay. Art. 34 sec. 2 of Regulation 2016/679 provides that the notification referred to in sec. 1 of this Article shall describe in clear and plain language the nature of the personal data breach and include at least the information and measures referred to in Article 33(3)(b), (c) and (d) of Regulation 2016/679. Accordingly, the notification shall include:
- the name and contact details of the data protection officer or another contact point from which more information can be obtained;
- a description of the possible consequences of the personal data breach;
- a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimise its possible negative effects.
As a result of the analysis of the personal data breach reported by the Administrator, in which the nature of the breach, its duration, the data categories, the number of persons affected by the breach and the remedies applied were taken into account, the President of the UODO found that the breach of confidentiality of data, in particular data concerning surname and first name, address of residence or stay, PESEL registration number and series and number of the identity card, causes a high risk of violating the rights or freedoms of natural persons, and therefore it is necessary to notify the data subjects of the breach of their personal data protection and provide them with all the information specified in art. 34 sec. 2 of Regulation 2016/679.

It should be emphasized that in a situation where a personal data breach results in a high risk of violating the rights or freedoms of natural persons, the administrator is obliged under art. 34 sec. 1 of Regulation 2016/679 to notify the data subjects of such a breach without undue delay. This means that the controller must implement all appropriate technical and organisational measures to immediately identify a personal data breach and promptly inform the supervisory authority and, in cases of a high risk to the rights and freedoms of data subjects, the data subjects themselves. The controller should fulfil this obligation as soon as possible. Recital 86 of Regulation 2016/679 explains: ‘The controller should inform the data subject without undue delay of a personal data breach that is likely to result in a high risk to the rights and freedoms of that data subject, in order to enable that data subject to take the necessary preventive measures. The information should include a description of the nature of the personal data breach and recommendations for the individual concerned to minimise the potential adverse effects. Information should be provided to data subjects as soon as reasonably possible, in close cooperation with the supervisory authority, respecting any guidance given by that authority or other relevant authorities, such as law enforcement authorities. For example, the need to minimise the imminent risk of harm will require immediate notification to data subjects, while the implementation of appropriate measures against the same or similar data protection breaches may justify later notification’.

By notifying the data subject without undue delay, the controller enables data subjects to take the necessary preventive measures to protect their rights or freedoms from the negative effects of the breach. Article 34 paragraphs 1 and 2 of Regulation 2016/679 aims not only to ensure the most effective possible protection of the fundamental rights or freedoms of data subjects, but also to implement the principle of transparency, which results from Article 5 paragraph 1 letter a) of Regulation 2016/679 (cf. Chomiczewski Witold [in:] GDPR. General Data Protection Regulation. Commentary. ed. E. Bielak-Jomaa, D. Lubasz, Warsaw 2018). Proper fulfilment of the obligation specified in Article 34 of Regulation 2016/679 consists in providing data subjects with prompt and transparent information about a breach of their personal data protection, together with a description of the possible consequences of the breach and the measures they can take to minimise its potential negative effects. Acting in accordance with the law and demonstrating concern for the interests of data subjects, the controller should have provided these persons with the possibility of the best possible protection of their personal data without undue delay. To achieve this goal, it is necessary to indicate at least the information listed in Article 34 paragraph 2 of Regulation 2016/679, which the Controller failed to do.

As it results from the content of the submitted notification of a personal data breach, the Bank did not notify the persons affected by this breach, arguing that the wrong recipient was recognised as a trusted entity. The President of the UODO did not agree with this argument presented by the Administrator as guaranteeing data subjects the protection of the rights and freedoms to which they are entitled and therefore, on 12 July 2022, he requested the Bank to take appropriate actions aimed at, among other things, immediately and properly notifying data subjects of the breach of their personal data. Despite the President of the UODO submitting a request in this regard, the Administrator did not take appropriate action, maintaining its position. A detailed description of the Bank's position was presented in the description of the factual circumstances.

In the opinion of the supervisory authority, the Administrator's argumentation does not merit consideration. The evidence collected shows that as a result of the erroneous sending of documents containing a number of personal data, the data was made available to a third party, which is another bank. As already indicated, pursuant to Article 34 sec. 1 of Regulation 2016/679, if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of such a breach without undue delay. Therefore, first of all, it should be pointed out that the most important thing is to analyse the likelihood of negative consequences for the persons affected by the breach and how serious these consequences may be, taking into account the scope of personal data (indicated in the content of the personal data breach notification). In fact, the bank that received the data package is a third party, and whether it can be treated as a trusted recipient in accordance with the Guidelines of the European Data Protection Board (EDPB) No. 9/2022[1] adopted on 28 March 2023, hereinafter referred to as Guidelines 9/2022, should be assessed taking into account all the circumstances of the case. There is no basis for assuming that whenever data is mistakenly shared with a bank, it can be assumed that we are dealing with a trusted entity within the meaning of the above guidelines.

In the personal data protection breach notification form – as “measures applied or proposed to remedy the breach and minimize the negative consequences for data subjects” (item 9C of the form) – the Administrator indicated that “(...) the Bank finally received a complete set of its clients’ documents. Bank employees are obliged to keep confidential all information concerning the banking activities they perform. They may not use it for purposes other than professional (...)”. In its analysis of the consequences of the breach, the Administrator downplayed the risk of violating the rights or freedoms of the persons whose personal data were shared with another bank. The Administrator argued that this risk was mitigated by obtaining statements from employees of another organization that they did not have copies of the documents received in error, were unable to identify the persons they concerned and were aware of the consequences of processing personal data without a legal basis (see item II of the factual justification). Despite the President of the Personal Data Protection Office addressing the Bank, the Administrator did not re-analyze the risk of violating the rights or freedoms of the persons whose data were breached and did not change its position. In the opinion of the supervisory authority, declarations related to maintaining bank secrecy do not release the Administrator from the obligation to notify the persons whose data were breached. It should be emphasized that such declarations do not guarantee that - as a result of a change in intention - the data was not or will not be used in the future.

That such statements and employee undertakings are an inadequate guarantee of the confidentiality of personal data is confirmed by numerous cases of breach of employee duties, even where the breach carries criminal liability. Guidelines 01/2021[2] are instructive here, specifically example no. 8, "Exfiltration of business data by a former employee". In that example, during the notice period an employee copies business data from the company's database, to which he has legitimate access in order to perform his duties. A few months later, after leaving, he uses the data (mainly basic contact details) to approach the company's customers and win them over to his new company. Although the sole purpose of the former employee who maliciously copied the data may be limited to obtaining customers' contact details for his own commercial ends, the controller is not entitled to treat the risk to data subjects as low, because it has no guarantee as to the employee's intentions. Thus, while the consequences may be limited to exposing data subjects to unwanted marketing by the former employee, a further, more serious misuse of the data cannot be excluded.

A similar situation (a ZUS employee who, during her employment, viewed the data of insured persons to which she had system access but no authorisation) has already been considered by the District Court in Elbląg, which in its judgment of 24 March 2021, case file no. IV Pa 10/21, held that "(...) The plaintiff's conduct, consisting in obtaining unlawful access to the personal data of ZUS clients, unrelated to her employment duties, was a deliberate and conscious action and as such met the criteria for a serious breach of basic employment duties. It should be emphasised that the plaintiff was trained by the employer to perform her duties, repeatedly submitted written declarations confirming her knowledge of the documents on personal data processing and information security at ZUS, repeatedly participated in training on compliance with the personal data protection provisions, and was aware of the consequences of a conscious breach of personal data protection, and yet by her conduct she violated not only internal regulations such as the <Information Security Policy at the Social Insurance Institution> and <Work Regulations of the Social Insurance Institution>, but also Art. 4 point 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04.05.2016, p. 1) (...)".

Drawing on the reasoning of that judgment, the mere fact of logging into a system without authorisation evidences a lack of trust. In the case decided there, the lack of trust arose even though the parties were bound by an employment relationship. Applied to the present case, a lack of trust must be all the more present where an unauthorised person gains access to personal data and, moreover, is not bound by any relationship of obligation with the Controller. It must be emphasised that the Bank is not able to verify the declarations of the other bank's employees (referred to in item II of the factual justification); the Controller has no instruments that would enable it to verify such declarations.

The validity of the above position is confirmed by the judgment of the Provincial Administrative Court of January 21, 2022 (reference number II SA/Wa 1353/21), in which it was indicated that "(...) The assessment of the President of the Personal Data Protection Office was accurate and consistent with the content of Article 80 of the Code of Administrative Procedure, that the Company's request, also through the Contractor, to a Third Party - an unauthorized recipient - to permanently delete the received correspondence, and even the submission by that person of a declaration of its permanent deletion also did not affect the assessment of the risk of a personal data breach. The assessment of the President of the Personal Data Protection Office was rational, that there is no certainty that before these activities this person did not make e.g. a photocopy or record the personal data contained in the content of the document in another way, e.g. by writing them down. The mere performance of the activities indicated in the declarations submitted by the Third Party - an unauthorized recipient - does not guarantee that the intentions of such a person will not change now or in the future, and the possible consequences of using such categories of data may be significant for the persons whose data were subject to the breach (...) the President of the Personal Data Protection Office correctly indicates that the Company has no possibility of verifying it, although the Third Party is threatened with criminal sanctions and sanctions arising from the Personal Data Protection Office (...)". 
To sum up: legal regulations, including confidentiality obligations (such as authorisations to process personal data on behalf of the Bank, or statements confirming familiarity with the Bank's personal data processing policy and its security and confidentiality standards), do not give the data subject any certainty or protection against the materialisation of negative effects; the key factor is the relationship between the entities involved.

For an unauthorised disclosure of personal data to be treated as a disclosure to a trusted entity, the controller must have a permanent relationship with the recipient and be in a position to know its procedures, history and other relevant details, on the strength of which the recipient can be considered "trusted". The evidence collected indicates that employees of the other bank had examined the package of documents, but it does not indicate that the Controller and the third party had concluded agreements or developed procedures for such a circumstance, which would be crucial to actually minimising the risk of consequences of the breach and to treating the unauthorised recipient as a trusted recipient.

A thorough analysis of Guidelines 9/2022 clearly indicates that it is not the status of the recipient, recognizing it as a so-called institution (person) of public trust, or acting within the framework of applicable legal provisions, but the existence of a direct (permanent) relationship between the sender and the recipient of the erroneously sent correspondence that determines the admissibility of recognizing a specific entity as a so-called "trusted recipient". The cited guidelines emphasize the long-term relationship between the controller (the sender of the erroneously sent correspondence) and the recipient (of this correspondence) and – resulting from this long-term relationship – the controller's knowledge of the procedures, history and other relevant details regarding the recipient, allowing the controller to reasonably expect that an unauthorized recipient will not attempt to read or access the erroneously sent correspondence containing personal data, and even if access to the erroneously sent personal data occurs, the recipient will not take any further action and will immediately return the personal data to the controller (pp. 25-26 of Guidelines 9/2022). Recognition of a specific entity as a "trusted recipient" within the meaning of Guidelines 9/2022 is therefore conditioned by the knowledge of the controller (in this case the sender of erroneously delivered correspondence containing personal data) as to the existence of actual personal data protection procedures (e.g. data processing security policy) applicable to the unauthorized recipient (in this case the recipient of erroneously delivered correspondence containing personal data) providing - for example - the procedure to be followed in such cases, including the principles of securing erroneously received documents containing personal data until they are returned to the sender.

The opposite position, i.e. the one taken by the Controller, therefore finds no support in the guidelines; what is more, it would lead to a kind of automatism under which every unauthorised recipient acting within the framework of the law would be recognised as a trusted recipient. Such an approach could result in an unjustified departure from the obligation to notify the data subject of a breach where there is a high risk to their rights or freedoms. For that reason the EDPB, in the guidelines, did not treat the fact that an unauthorised recipient acts within the framework of the law as qualifying it as a trusted recipient; instead it requires the controller to be in a permanent relationship with that recipient, on the strength of which the controller knows the procedures, history and other relevant details applicable to it.

The Controller's assumption that banks are treated as institutions of public trust, and therefore as trusted entities, also does not merit consideration, and consequently it is excessive to conclude that since a bank is an institution of public trust, it will in principle also be a trusted recipient. The reliance on the trusted recipient argument should be supported by a thoroughly documented analysis, the consequences of the data breach should be examined and it should be borne in mind that breaches with similar characteristics may have different consequences for data subjects, depending on various factors. The analysis carried out by the controller must therefore be as detailed as possible and take into account the potential development of the breach, especially considering the fact that the Controller is not certain how many third parties had access to the erroneously transmitted data package.

In the opinion of the President of the UODO, merely pointing out that the unauthorised recipient holds a banking licence from the Polish Financial Supervision Authority and that both banks belong to the Polish Bank Association is insufficient, because the Controller has still not presented the elements of an analysis in which the trusted-recipient question was taken into account in the post-breach risk assessment, and has not demonstrated circumstances that would allow the other bank to be recognised as a trusted recipient in accordance with Guidelines 9/2022. Moreover, the Controller itself states that in the "(...) scope of personal data protection, representatives of both banks operate within two groups established in the Polish Bank Association (...). The cooperation is permanent, and meetings are regular. They concern, among others, the implementation of the GDPR in banks and the exchange of experiences. I assess the cooperation with another bank - a trusted entity as exemplary (...)". These explanations do not, however, indicate that the two entities cooperate on personal data breaches or have developed procedures for them.

It should additionally be pointed out that the Controller's recognition of the other bank as a trusted entity (which, as justified above, has no legal basis) does not alter the fact that unauthorised processing of personal data occurred. That the other bank meets specific requirements laid down in the legal acts defining its obligations towards customers (data subjects) does not mean that no personal data breach took place. The Controller has no instruments vis-à-vis the other bank that would enable it to enforce measures mitigating the risk to the rights or freedoms of the persons whose personal data were breached. In practice, the Controller is left to accept the other bank's statements without any possibility of verifying them, and could pursue the other bank's (and its employees') liability only once the effects of the breach had been detected. In its explanations the Bank appears to overlook that Regulation 2016/679 makes risk management the foundation of personal data protection and treats it as a continuous process. When deciding not to perform its obligation under Article 34(1) and (2) of Regulation 2016/679, the Controller should base that decision on an analysis of the risk to the rights or freedoms of the persons whose data were breached, not on an analysis of the consequences of the other bank's employees breaching the law, which could only be drawn once the risk to those persons had materialised.
In other words, the Bank's approach means in practice that measures to minimise the potential negative effects of the breach could only be taken after the data subjects had learned of its actual consequences, for example a financial obligation incurred in their name through identity theft (the effects of a personal data breach for individuals are discussed further below). The persons whose data were breached were thus deprived of any possibility of mitigating the effects of the breach and, should those effects materialise, of pursuing the Controller's liability, e.g. in civil proceedings.

In the opinion of the President of the UODO, the Bank's conduct must be assessed decidedly negatively, and it reveals the Controller's attitude towards the persons whose data it processes. The Bank's failure to respond as expected to successive letters from the supervisory authority, including its failure to act on the position expressed by the President of the UODO on 12 July 2022, leads to the conclusion that the practice of not informing persons whose data have been breached, justified in the same way as in the present breach, reflects a systemic attitude (policy) on the Bank's part: first, the Controller a priori treats another bank as a trusted entity (even though it is unable to prove this); second, it does not intend to change its position (even though the supervisory authority has told it in correspondence that its position is not justified by the provisions of Regulation 2016/679). In the supervisory authority's view, the Bank's conduct shows disregard for the rights of the persons whose personal data the Controller processes, and not only those affected by the breach in question. Notifying the persons whose data have been breached should not be excessive for an institution such as a bank, and would be an effective tool for minimising the risk of negative consequences for those persons.

As indicated by Guidelines 9/2022, a personal data breach may potentially cause a number of negative consequences for individuals whose data is the subject of the breach. Among the possible consequences of a breach, the EDPB lists: physical harm, material or non-material damage. Examples of such damage include: discrimination, identity theft or identity fraud, financial losses, damage to reputation, breach of confidentiality of personal data, and significant economic or social damage. In this case, there is no doubt that due to the scope of data covered by the personal data breach in question (including the PESEL registration number together with the first and last name), there is a high probability of the above-mentioned damage occurring, which means that the aforementioned personal data breach involves a high risk of violating the rights or freedoms of individuals. There is also no doubt that the scope of personal data that was covered by the breach of personal data protection allows for the unambiguous identification of the persons to whom this data relates.

First of all, it should be emphasised that the breach concerned the PESEL number, an eleven-digit number that unambiguously identifies a natural person and encodes, among other things, the date of birth and sex. It is therefore closely related to the private sphere of a natural person and, as a national identification number, is subject to special protection under Article 87 of Regulation 2016/679. The PESEL number identifies each person and is commonly used in dealings with institutions and in legal transactions. Together with the first and last name it uniquely identifies a natural person, in a way that allows the negative effects of the breach (e.g. identity theft, loan fraud) to be attributed to that specific person. Such a combination of data is sometimes sufficient to "impersonate" the data subject and incur, for example, financial obligations in their name and to their detriment (see https://www.bik.pl/poradnik-bik/wyludzenie-kredytu-tak-dzialaja-oszusci, which describes a case in which "Only the first and last name and the PESEL number were enough for fraudsters to fraudulently obtain several loans for a total of tens of thousands of zlotys. Nothing else matched: neither the ID card number nor the address of residence"). Nor can it be ignored that the breach also concerned the address of residence or stay and the series and number of the ID card. In assessing the risk, the key factor is the type and sensitivity of the personal data disclosed. Guidelines 9/2022 emphasise that a set of different personal data is usually more sensitive than a single item.
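The paragraph above describes the structure of the PESEL number: eleven digits that uniquely identify a person and encode the date of birth and sex. As an added example, not part of the decision or of any bank's tooling, the following Python block shows how a controller could detect and redact PESEL numbers in outbound documents, the kind of pre-transmission check that would have flagged the misdirected package before it left the processor. It validates the public PESEL check-digit algorithm (weights 1,3,7,9,1,3,7,9,1,3 over the first ten digits), decodes the century-shifted month field to recover birth date and sex, and distinguishes genuine PESELs from other eleven-digit strings such as phone numbers or reference numbers. The sample document, the names and every number in it are constructed for this example, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Checksum weights for the first ten PESEL digits; the eleventh digit is the check digit.
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# PESEL encodes the century in the month field: months 01-12 -> 1900s, 21-32 -> 2000s,
# 41-52 -> 2100s, 61-72 -> 2200s, 81-92 -> 1800s.
CENTURY_BY_MONTH_OFFSET = {0: 1900, 20: 2000, 40: 2100, 60: 2200, 80: 1800}


@dataclass(frozen=True)
class Pesel:
    number: str
    birth_date: date
    sex: str  # "M" or "F"


def checksum_ok(number: str) -> bool:
    """True if `number` is eleven digits and its check digit matches the weighted sum."""
    if not re.fullmatch(r"\d{11}", number):
        return False
    total = sum(int(d) * w for d, w in zip(number[:10], PESEL_WEIGHTS))
    return (10 - total % 10) % 10 == int(number[10])


def parse_pesel(number: str) -> Optional[Pesel]:
    """Validate the checksum and decode birth date and sex; None if not a plausible PESEL."""
    if not checksum_ok(number):
        return None
    yy, mm, dd = int(number[0:2]), int(number[2:4]), int(number[4:6])
    offset = mm - mm % 20            # 0, 20, 40, 60 or 80 selects the century
    month = mm % 20
    base_year = CENTURY_BY_MONTH_OFFSET.get(offset)
    if base_year is None or not 1 <= month <= 12:
        return None
    try:
        birth = date(base_year + yy, month, dd)
    except ValueError:               # e.g. day 31 in a 30-day month
        return None
    sex = "M" if int(number[9]) % 2 == 1 else "F"   # tenth digit: odd = male, even = female
    return Pesel(number, birth, sex)


# An eleven-digit run that is not embedded in a longer digit string, so a 26-digit
# bank account number cannot produce a false positive.
_CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")


def find_pesels(text: str) -> List[Pesel]:
    """Return every checksum- and date-valid PESEL found in free text, in order of appearance."""
    found = []
    for match in _CANDIDATE.finditer(text):
        parsed = parse_pesel(match.group())
        if parsed is not None:
            found.append(parsed)
    return found


def redact_pesels(text: str) -> str:
    """Mask valid PESELs before a document leaves a controlled system; other digit runs stay as they are."""
    def mask(match):
        return "[PESEL-REDACTED]" if parse_pesel(match.group()) else match.group()
    return _CANDIDATE.sub(mask, text)


# Constructed sample document (hypothetical data, not from the decision): two valid PESELs,
# a 26-digit account number, a phone number and an eleven-digit reference number that fails the checksum.
SAMPLE_DOCUMENT = """Klient: Jan K., PESEL 85031245673, rachunek 12345678901234567890123456
Klientka: Anna N., PESEL 01310512342, tel. 48123456789
Numer referencyjny: 85031245670"""

if __name__ == "__main__":
    for p in find_pesels(SAMPLE_DOCUMENT):
        print(f"{p.number}: born {p.birth_date.isoformat()}, sex {p.sex}")
    print(redact_pesels(SAMPLE_DOCUMENT))
```

A detector like this is a pre-transmission control, not a substitute for the Article 34 notification the decision requires. The checksum rejects most random eleven-digit runs, but a valid checksum alone does not prove the number is assigned to anyone, so treat matches as candidates for review rather than as proof of a PESEL.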

It is worth citing one of the examples in the Guidelines of the European Data Protection Board 01/2021 (case no. 14, p. 31), referring to the situation of "sending highly confidential personal data by post by mistake". In the case described in the above-mentioned guidelines, a social security number, the equivalent of the PESEL number used in Poland, was disclosed. In this case, the EDPB had no doubt that the disclosed data, including first name and last name, email address, postal address, social security number, indicate a high risk of violating the rights and freedoms of natural persons ("the involvement of their [affected persons'] social security number, as well as other, more basic personal data, further increases the risk, which can be described as high"). The EDPB recognises the importance of national identification numbers (in this case the PESEL number), while emphasising that this type of personal data breach, i.e. covering the data in the form of: first name and last name, email address, correspondence address and social security number, requires the implementation of actions, i.e.: notification of the supervisory authority and notification of the breach to data subjects. The European Data Protection Board has no doubt that an individually assigned number that uniquely identifies a natural person should be subject to special protection, and its disclosure to unauthorised entities may entail a high risk to the rights and freedoms of natural persons.

The fact that data uniquely identifying a natural person may entail a high risk to the rights and freedoms of natural persons is also indicated by the EDPB in other examples provided in Guidelines 01/2021. Points 65 and 66 of Guidelines 01/2021 indicate: "(...) The breached data allows for the unique identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by an attacker to guess customer passwords or to conduct a spear phishing campaign targeting bank customers. For these reasons, it was considered that the data protection breach is likely to entail a high risk to the rights and freedoms of all data subjects. As a result, both material damage (e.g. financial losses) and immaterial damage (e.g. identity theft or fraud) may occur.”

The Provincial Administrative Court in Warsaw likewise had no doubt that disclosing the PESEL number together with other personal data may cause a high risk to the rights or freedoms of natural persons. In its judgment of 22 September 2021, file no. II SA/Wa 791/21, it stated that "There is no doubt that the examples of damage cited in the guidelines may occur in the case of persons whose personal data - in some cases together with the PESEL registration number or the series and number of the identity card - were recorded on the released recordings. The possibility of identifying persons whose data were affected by the breach based on the disclosed data is not without significance for such an assessment." The Court further indicated in the same judgment that "The data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, which in some cases also includes the PESEL registration number or the series and number of the ID card, determines that there was a high risk of violating the rights or freedoms of natural persons." It is also necessary to recall the position of the Provincial Administrative Court in Warsaw in its judgment of 1 July 2022, case file no. II SA/Wa 4143/21, in which the Court stated: "It is necessary to agree with the President of the UODO that the loss of confidentiality of the PESEL number in combination with personal data such as: first name and last name, registered address, bank account numbers and the identification number assigned to the Bank's customers - CIF number, is associated with a high risk of violating the rights or freedoms of natural persons.
In the event of a breach of such data as first name, last name and PESEL number, it is possible to steal or falsify the identity, resulting in negative consequences for the data subjects. Therefore, in the present case, the Bank should have notified the data subjects without undue delay, in accordance with Art. 34 sec. 1 of the GDPR, of the breach of personal data protection, so as to enable them to take the necessary preventive measures". Reference should also be made to the judgment of 31 August 2022, file no. II SA/Wa 2993/21, in which the Provincial Administrative Court in Warsaw emphasised that "(...) the authority correctly found that there was a high risk of infringement of the rights and freedoms of persons covered by the infringement in question due to the possibility of easy identification, based on the disclosed data, of persons whose data were covered by the infringement. These data include the first and last name, correspondence address, telephone number, PESEL number of persons with Polish citizenship. In this situation, the controller was obliged to notify the data subjects of the infringement without undue delay". The Provincial Administrative Court in Warsaw expressed the same view in its judgments of 15 November 2022, file no. II SA/Wa 546/22, 21 June 2023, file no. II SA/Wa 150/23, and 6 November 2023, file no. II SA/Wa 996/23.

In light of the above, it is also worth recalling the judgment of the Supreme Administrative Court of December 6, 2023, file reference III OSK 2931/21: "The President of the Personal Data Protection Office correctly determined that data was disclosed, including, among others, first and last names, as well as PESEL numbers of natural persons, i.e. relatively permanent, unchangeable data, the disclosure of which may always pose a risk of negative consequences for the above persons. Similarly, residential addresses are personal data, the unauthorized disclosure of which creates the probability of a high risk of negative legal consequences, regardless of the fact that the disclosure of the addresses occurred several years after their update." 

The infoDOK report[3] (prepared as part of the public information campaign of the Restricted Documents System, organised by the Polish Bank Association and some banks under the patronage of the Ministry of Internal Affairs and Administration, in cooperation with, among others, the Police and the Consumer Federation) shows that in the fourth quarter of 2023, 2,739 attempted loan and credit frauds were recorded, for a total of PLN 88.3 million; over the preceding twelve months, thwarted loan fraud attempts totalled PLN 296.1 million. In the fourth quarter of 2022, by comparison, 2,269 attempted loan and credit frauds were recorded, for PLN 40.2 million[4], which means a significant increase in attempted loan fraud over the period. Moreover, as the case law shows, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time. One example is the judgment of the District Court in Łęczyca of 27 July 2016 (file no. I C 566/15), in which the fraudsters taking out a loan with someone else's data used a PESEL number, a fictitious address and an invalid (expired) ID number. In its reasoning the Court stated: "The evidentiary proceedings conducted and the analysis of the documents attached by the plaintiff result in an unequivocal statement that in the case at hand, the defendant was not a party to the loan agreement concluded on 5 May 2014. Although the defendant J. R.'s PESEL number was used when concluding it, the indicated place of residence does not correspond to the defendant's place of residence. Defendant J. R. never lived in W. The loan amount was transferred to an account that was not owned by the defendant. On the date of conclusion of the loan agreement, ID card no. (...) had already expired, on 15 March 2014.
The mobile phone number indicated in the loan agreement and its annexes also does not match the telephone numbers actually used by the defendant." In another case (I C 693/16), the District Court in Zgierz held in its judgment of 4 November 2016: "The defendant's personal data in the form of his first and last name and PESEL number, which were consistent with the defendant's data, did not prove that the defendant had submitted a declaration of intent to conclude a loan agreement on 17 December 2014. It is possible that a person who obtained unauthorized access to the defendant's personal data concluded a loan agreement on his account with the company (...) sp. z o.o. S.K.A. with its registered office in W. In the case in question, the defendant demonstrated that he never lived at the address indicated in the loan agreement and that the telephone number and e-mail address used to register on the website and submit the loan application did not belong to him".

There continue to be many loan fraud cases in which the unknown perpetrator holds only the victim's first and last name and correct PESEL number (the remaining data being false), as the judgments issued in such cases confirm. A few examples:

- Judgment of the District Court for Łódź-Widzew in Łódź of August 13, 2020 in case file no. II C 1145/19, in which a third party unknown to the defendant illegally came into possession of his PESEL number and personal identity card number, while the remaining address data - indicated in the loan agreement - were untrue - "In the Court's opinion, the evidence offered by the defendant - especially documents from the files of the criminal case pending before the District Court in Tarnowskie Góry with reference number VI K 383/16 - prove that the loan agreement of 8 November 2014 was concluded by a third party using some of Z. A.'s personal data. The third party provided a false residential address, where the defendant had never resided, and the loan amount was transferred to a bank account that did not belong to Z. A. [...] and the personal identity card number given in that agreement was the ID number that the defendant no longer used on the date of conclusion of the loan agreement, as that ID expired on approx. 8 months earlier”;

- Judgment of the District Court in Pisz of 21 August 2020, file no. I C 260/20: "[...] The Court found that when concluding the agreement in question, the defendant's data were used in an unauthorized manner and entered as the borrower's data, while the defendant was not a party to the agreement. The defendant's position is confirmed by the notification he submitted about the commission of a crime of fraud to his detriment, as well as by the fact that the prosecutor's office is conducting proceedings in this case against the person indicated by the defendant. On the sidelines, it should be noted that also in the proceedings for payment pending before this court, file nos. I C 1/19 and I C 482/19, where E. M. also acted as defendant, and where financial obligations were incurred in his name and surname in the same circumstances as in these proceedings, final judgments were also issued dismissing the claim. In the court's opinion, the circumstances of concluding the agreement with the plaintiff, where the first name and surname of the borrower and his PESEL number are identical, and there is a discrepancy as to the remaining data resulting from the content of the defendant's identity card, i.e. the series and number of this document, the address of residence, taking into account the fact that a criminal trial is being conducted against a person who was supposed to impersonate the defendant in order to conclude distance agreements and incur financial obligations in various institutions, clearly indicate that it was not the defendant who concluded the loan agreement no. (...) with the plaintiff's legal predecessor";

- Judgment of the District Court in Puławy of 7 April 2022, case file no. I C 475/19, in which the Court expressly acknowledged that "[...] evidence allowing for the verification of the defendant as a party to the subject agreement is not the mere indication of his personal data: name, surname, PESEL number, as well as the series and number of the identity card in the content of the agreement - in particular in a situation where the loan is concluded via an online platform, and therefore, obviously, the lender has no possibility of directly verifying the identity of the other party, and the agreement itself is not confirmed by the signature of the borrower". It should also be borne in mind that the proper performance by the Controller of its obligation under Article 34(1) of Regulation 2016/679, including the provision, as part of the notification to data subjects, of all the information required under Article 34(2) in conjunction with Article 33(3) of Regulation 2016/679, cannot be made contingent on a violation of the data subject's rights or freedoms having already occurred through the materialisation of the breach's possible negative consequences (see judgments of the Provincial Administrative Court in Warsaw of 22 September 2021, file no. II SA/Wa 791/21, of 1 July 2022, file no. II SA/Wa 4143/21, of 31 August 2022, file no. II SA/Wa 2993/21, of 15 November 2022, file no. II SA/Wa 546/22, and of 26 April 2023, file no. II SA/Wa 1272/22).

When applying the provisions of Regulation 2016/679, the purpose of this regulation (expressed in Article 1 paragraph 2) should be taken into account, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.

In turn, the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In the event of any doubts, e.g. as to the performance of obligations by controllers - including in a situation where a personal data protection breach has occurred - these values should be taken into account first.

It is worth emphasizing that when assessing the risk of a breach of the rights or freedoms of natural persons, on which the notification of a breach to data subjects is dependent, the probability factor and the gravity of the potential negative effects should be taken into account together. A high level of either of these factors affects the overall assessment on which the fulfilment of the obligations specified in Article 34 paragraph 1 of Regulation 2016/679 depends. Considering that, due to the scope of the disclosed personal data in the analyzed case, there was a possibility of serious negative consequences for data subjects (as shown above), the significance of the potential impact on the rights or freedoms of natural persons should be considered high. At the same time, the probability of a high risk occurring as a result of the breach in question is not small and has not been eliminated. It should therefore be stated that a high risk of a breach of the rights or freedoms of data subjects occurred in connection with the breach in question, which consequently determines the obligation to notify the data subjects of the breach.

In the Guidelines 9/2022 of the EDPB, indicating the factors to be taken into account when assessing the risk, reference is made to recitals 75 and 76 of Regulation 2016/679, which suggest that the controller should take into account both the probability of occurrence and the seriousness of the threat to the rights or freedoms of the data subject. In the event of a personal data breach, the controller should focus on the risk of the breach affecting an individual resulting from the breach. Therefore, when assessing the risk to an individual arising from a personal data breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. Therefore, when assessing the risk, the EDPB recommends taking into account criteria such as: the type of breach, the nature, sensitivity and amount of personal data, as well as ease of identification, as they may affect the level of risk to individuals. The risk of violating the rights and freedoms of an individual in accordance with Guidelines 9/2022 will be greater when the consequences of the breach are more serious, as well as when the likelihood of their occurrence increases.

To sum up the above considerations, it should be stated that in the present case there is a high risk of violating the rights or freedoms of persons covered by the breach in question, which in turn results in the Bank's obligation to notify these persons of the breach, in accordance with Article 34 para. 1 of Regulation 2016/679, which must contain the information specified in Art. 34 sec. 2 of Regulation 2016/679.

It should be noted once again that in this case, at least until the date of issue of this administrative decision, the Bank did not provide the persons affected by the breach with information about the breach of personal data protection, thereby depriving them of guidance as to the actions they can take to effectively counteract the possible negative effects of the breach.

The improper performance by the controller of the obligation specified in Art. 34 sec. 1 and 2 of Regulation 2016/679, as a result of the failure to notify the persons whose data is concerned of the breach of their personal data protection due to the failure to provide them without undue delay with the information specified in the above provisions of Regulation 2016/679, does not therefore raise any doubts. Failure by the controller to fulfil this obligation towards data subjects shall result in the application of a corrective measure by the supervisory authority, since the existence of a breach of law in the above-mentioned scope is indisputable.

Pursuant to Article 34 paragraph 4 of Regulation 2016/679, if the controller has not yet notified the data subject of a personal data breach, the supervisory authority – taking into account the likelihood that this personal data breach results in a high risk – may require it to do so or may determine that one of the conditions referred to in paragraph 3 has been met. In view of the above, the President of the UODO, acting under Article 58 paragraph 2 letter e) of Regulation 2016/679, ordered the Controller to notify the persons affected by the breach to the extent and within the period specified in the operative part of this decision.

Pursuant to Article 58 paragraph 2 letter i) of Regulation 2016/679, each supervisory authority shall have the power to apply, in addition to or instead of other remedial measures provided for in Article 58 paragraph 2 of Regulation 2016/679, an administrative pecuniary penalty under Article 83 of Regulation 2016/679, depending on the circumstances of a specific case. The President of the UODO finds that in the case in question there were grounds for justifying the imposition of an administrative pecuniary penalty on the Bank based on Article 83 paragraph 4 letter a) of Regulation 2016/679, which provides, among other things, that a breach of the controller's obligations referred to in Article 34 of Regulation 2016/679, shall be subject to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise – of up to 2% of its total annual global turnover from the previous financial year, whichever is higher.

Pursuant to the content of Art. 83 sec. 2 of Regulation 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 sec. 2 letters a) - h) and letter j) of Regulation 2016/679.

When deciding to impose an administrative fine on the Bank, the President of the UODO – in accordance with the content of Art. 83 sec. 2 letter a) - k) of Regulation 2016/679 – took into account the following circumstances of the case, which constitute the necessity to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a of Regulation 2016/679). In this case, a violation of the provision of Article 34 paragraph 1 of Regulation 2016/679 was found (consisting of the failure to notify the data subjects of a breach of personal data protection without undue delay). It is related to an event consisting in the erroneous sending of documents by the entity processing personal data on behalf of the Controller. As a result of the personal data protection breach, there was an unauthorized disclosure of personal data in a broad scope, including, among others, the PESEL number together with the first and last name and address details, as well as the series and number of the ID card, which gives the breach significant weight and a serious nature, as this event may lead to property or non-property damage to the persons whose data was breached. As indicated by the District Court in Warsaw in its judgment of 6 August 2020, file reference XXV C 2596/19, the fear, and therefore the loss of security, constitutes real non-property damage giving rise to the obligation to redress it. In turn, the Court of Justice of the EU in its judgment of 14 December 2023 in Natsionalna agentsia za prihodite (C-340/21) emphasized that "Article 82 sec. 1 GDPR should be interpreted as meaning that the fear of possible use by third parties in a manner constituting a misuse of personal data, which the data subject has as a result of a breach of this regulation, may in itself constitute "non-material damage" within the meaning of this provision".

The President of the UODO considers the long duration of the Bank's infringement of the provisions of Regulation 2016/679 as an aggravating circumstance. More than two years have passed since the Controller became aware of the breach, i.e. from 7 July 2022, to the date of issue of this decision. During this time, the risk of infringement of the rights or freedoms of persons affected by the breach could have materialised, which these persons could not counteract due to the Bank's failure to fulfil its obligation to notify data subjects of the breach.

In the case, it was established that the breach concerned the personal data of (...) persons. Such a number of people affected by the breach, especially in view of the fact that the Bank – due to the scale and scope of its operations – processes the personal data of a very large number of customers, should be considered small, which undoubtedly speaks in favour of the Administrator. However, this does not affect the overall assessment of the impact of this premise – as an aggravating factor – on the amount of the penalty imposed.

2. Intentional nature of the breach (Article 83(2)(b) of Regulation 2016/679). In accordance with the Guidelines of the Article 29 Data Protection Working Party on the application and setting of administrative pecuniary penalties for the purposes of Regulation No. 2016/679 (hereinafter referred to as Guidelines WP253), confirmed by Guidelines 04/2022 on the calculation of administrative pecuniary penalties under the GDPR (hereinafter referred to as Guidelines 04/2022[5]), intentionality "includes both knowledge and deliberate action, in connection with the characteristics of the prohibited act". The Bank made a conscious decision not to notify the data subjects of the breach. There is no doubt that the Bank, processing personal data on a mass scale, should have knowledge in the field of personal data protection, including knowledge of the consequences of finding a breach of personal data protection resulting in a high risk of violating the rights or freedoms of natural persons (and this knowledge may be required not only from the controller, but also from the data protection officer appointed by him). It should therefore be considered that the Controller, being aware of the responsibility imposed on him, disregarded his obligations related to the data protection breach and failed to notify the data subjects of this breach. The intentionality in the Bank's conduct (i.e. deliberate action with the awareness that it was contrary to the position of the President of the UODO) certainly existed already from the date of receipt of the letter from the President of the UODO addressed to him on 12 July 2022. In this letter, the President of the UODO requested the Bank to notify the data subjects of the breach of personal data protection. The supervisory authority thus indicated to the Bank that its previous position in this respect is inconsistent with Article 34 paragraph 1 of Regulation 2016/679. 
Finally, the mere initiation by the President of the UODO of these proceedings regarding the obligation to notify data subjects of a breach should raise doubts in the Controller as to the correctness of the position adopted by him.

3. Actions taken by the controller to minimise the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679). Based on the evidence collected in the case, it was not established that the Controller took such actions. The Controller's inaction in this respect prevented data subjects from, among other things, taking any actions aimed at minimising the negative effects of the breach of their personal data protection. The above determines the necessity to recognise this premise as an aggravating factor for assessing the justification and amount of the administrative fine applied. 

4. Any relevant previous infringements by the controller or processor (Article 83 paragraph 2 letter e of Regulation 2016/679). When deciding on the imposition and amount of the administrative fine, the supervisory authority is obliged to take into account any previous infringements of Regulation 2016/679. Guidelines 04/2022 indicate: "The existence of previous infringements may be considered an aggravating factor when calculating the amount of the fine. The weight assigned to this factor should be determined taking into account the nature and frequency of previous infringements. However, the absence of previous infringements cannot be considered a mitigating circumstance, since compliance with the provisions of [Regulation 2016/679] is the norm" (point 94 of the guidelines).

The supervisory authority, having found in other administrative decisions issued that the Controller violated the provisions on the protection of personal data, has already exercised its remedial and warning powers against the Bank. The President of the UODO issued the following decisions:

- decision (...), warning for the infringement of Art. 17 sec. 1 in connection with Art. 12 sec. 3 of Regulation 2016/679, consisting in failure to comply with the request to delete personal data within the time limit specified in Art. 12 sec. 3 of the aforementioned Regulation;
- decision (...), admonition for the infringement of Art. 6 sec. 1 of Regulation 2016/679, consisting in the processing of personal data without a legal basis;
- decision (...), admonition for irregularities in the process of personal data processing consisting in the infringement of Art. 6 sec. 1 of Regulation 2016/679 by processing personal data within the scope of an e-mail address without a legal basis;
- decision (...), admonition for irregularities in the process of personal data processing consisting in the infringement of Art. 6 sec. 1 letter b) in connection with Art. 5 sec. 1 letter f) of Regulation 2016/679, by making the complainant's personal data available to an unauthorised person;
- decision (...), an order to provide a paper copy of all personal data processed by the Bank; an order to provide information in electronic form regarding the categories of relevant personal data and a copy of the personal data processed by the Bank; a warning for the infringement of Art. 12 sec. 1 and 3 and Art. 15 sec. 1 and 3 of Regulation 2016/679 consisting in failure to timely fulfil the obligation to provide a copy of personal data;
- decision (...), an order to provide a paper copy of the personal data processed by the Bank concerning turnover on the bank account and the customer number; a warning for the infringement of Art. 12 sec. 1 and 3 and Art. 15 sec. 3 of Regulation 2016/679;
- decision (...), warning for the infringement of Art. 6 sec. 1 of Regulation 2016/679; an order to delete personal data;
- decision (...), warning for the infringement of Art. 6 sec. 1 of Regulation 2016/679 consisting in the processing of personal data without a legal basis;
- decision (...), an order to cease the processing of personal data on the basis of Art. 6 sec. 1 and Art. 58 sec. 2 letter c) and Art. 6 sec. 1 letter f) and Art. 58 of Regulation 2016/679 in connection with Art. 105a sec. 3 of the Banking Law Act;
- decision (...), warning for an infringement of Art. 6 sec. 1 of Regulation 2016/679;
- decision (...), an order to fulfil the information obligation specified in Art. 15 sec. 1 of Regulation 2016/679 by providing the requested information, in accordance with the application, and an order to provide a copy of the data, in accordance with Art. 15 sec. 3 of Regulation 2016/679 in connection with the request included in the application;
- decision (...), on the basis of Art. 6 sec. 1 of Regulation 2016/679, an order to delete personal data;
- decision (...), on the basis of Art. 6 sec. 1 of Regulation 2016/679, an order to delete personal data;
- decision (...), based on Art. 6 sec. 1 of Regulation 2016/679, an order to delete personal data;
- decision (...), based on Art. 6 sec. 1 of Regulation 2016/679, an order to stop processing personal data contained in the loan application, processed without a legal basis;
- decision (...), an order to provide voice data from call recordings (Art. 15 sec. 1 letter c of Regulation 2016/679);
- decision (...), an order to provide information on the recipients of the data (Art. 15 sec. 1 letter c of Regulation 2016/679);
- decision (...), an order to provide voice data from call recordings (Art. 15 sec. 3 of Regulation 2016/679).

The violations described above, resulting in the application of corrective measures by the supervisory authority, are not without significance for the final amount of the penalty imposed on the Administrator. The supervisory authority sees a connection between the previously identified violations and the currently analyzed violation of the provision of Regulation 2016/679, such as the Bank's similar modus operandi, consisting in the deliberate failure to provide entities authorized to do so with certain personal data and information, which occurred, for example, in the case of violations of Art. 15 sec. 1 of Regulation 2016/679.

Therefore, the issuing of numerous warnings to the Bank justifies not only the imposition of a financial penalty in these proceedings, but also its relatively high amount.

In view of the above, in the present case it should be considered that there are grounds to treat the premise of Art. 83 sec. 2 letter e) of Regulation 2016/679 as aggravating.

5. Degree of cooperation with the supervisory authority in order to eliminate the breach and mitigate its potential negative effects (Article 83 paragraph 2 letter f of Regulation 2016/679).

In this case, the President of the UODO considered the cooperation on the part of the Bank to be unsatisfactory. This assessment concerns the controller's response to the letters from the President of the UODO informing about the obligations incumbent on the controller in connection with the data protection breach. The Bank's actions revealed the lack of the expected response to the letter of the President of the UODO of 12 July 2022 indicating the method of eliminating the breach, i.e. notifying the persons affected by the personal data protection breach of this breach. It should be added that even the initiation of administrative proceedings regarding the obligation to notify data subjects of the breach did not change the Controller's conduct in this respect. The above determines the necessity to recognize this premise as an aggravating factor from the point of view of determining the amount of the administrative fine.

6. Categories of personal data concerned by the infringement (Article 83 paragraph 2 letter g of Regulation 2016/679).

Personal data made available to an unauthorized person do not belong to the special categories of personal data referred to in Article 9 paragraph 1 or Article 10 of Regulation 2016/679, however, the fact that the data were made available in the scope of: surnames and first names, parents' first names, date of birth, bank account number, address of residence or stay, PESEL registration number, data on earnings and/or assets held, mother's maiden name, series and number of ID card, other (information on credit and real estate) means the occurrence of a high risk of violating the rights or freedoms of natural persons. The PESEL number, an eleven-digit numerical symbol that uniquely identifies a natural person, containing the date of birth, serial number, gender designation and control number, and therefore closely linked to the private sphere of a natural person and also subject, as a national identification number, to exceptional protection under Article 87 of Regulation 2016/679, is data of a special nature and requires such special protection. There is no other such specific data that would uniquely identify a natural person. It is not without reason that the PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal circulation. The PESEL number, together with the first and last name, uniquely identifies a natural person, in a way that allows the negative effects of a violation (e.g. identity theft, loan fraud) to be attributed to this specific person.

In this context, it is worth referring to the EDPB Guidelines 04/2022, which indicate that: "As regards the requirement to take into account the categories of personal data concerned by the breach (Article 83(2)(g) of [Regulation 2016/679]), [Regulation 2016/679] clearly indicates the types of data that are subject to special protection and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Articles 9 and 10 of [Regulation 2016/679] as well as data not covered by those articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g. location data, private communications data, national identification numbers or financial data such as transaction records or credit card numbers). Generally speaking, the more categories of such data are concerned by the breach or the more sensitive the data is, the more weight the supervisory authority may give to such a factor." The amount of data relating to each data subject is also important, because the scale of the violation of the right to privacy and personal data protection increases with the amount of data relating to each data subject.

It is also necessary to point out once again the case law emerging in this area, where, for example, in the judgment of 15 November 2022, file reference II SA/Wa 546/22, the Regional Administrative Court in Warsaw indicated: “It was also obvious that when determining the penalty, the authority had to take into account the fact that the violation concerned highly sensitive data (including PESEL, address, health data)”. This view was also shared by the above-mentioned Court in the judgment of 21 June 2023 in case reference no. II SA/Wa 150/23, where the Provincial Administrative Court in Warsaw stated: "To sum up, the Court is of the opinion that disclosure of the PESEL number indicates a high risk of violating the rights or freedoms of natural persons."

When determining the amount of the administrative fine, the President of the UODO found no grounds for taking into account mitigating circumstances that affect the final amount of the fine. All the circumstances listed in Article 83 paragraph 2 letters a)-j) of Regulation 2016/679, in the opinion of the supervisory authority, constitute either aggravating or merely neutral circumstances. Also, applying the premise listed in Article 83 paragraph 2 letter k) of Regulation 2016/679 (requiring that any other aggravating or mitigating factors applicable to the circumstances of the case be taken into account), no mitigating circumstances were found.

Other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were considered by the President of the UODO to be neutral in his assessment, i.e. they have neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine:

1. The degree of the controller's responsibility, taking into account the technical and organizational measures implemented by it under Art. 25 and 32 (Art. 83 sec. 2 letter d of Regulation 2016/679).

The infringement of the provisions of Regulation 2016/679 assessed in these proceedings is not related to the technical and organizational measures applied by the controller.

2. The manner in which the supervisory authority learned of the infringement (Art. 83 sec. 2 letter h of Regulation 2016/679).

The President of the Personal Data Protection Office found a breach of the provisions of Regulation 2016/679 as a result of the Controller reporting a personal data breach. By reporting, the Controller was only fulfilling its legal obligation, therefore there is no basis to consider this circumstance as a mitigating circumstance. According to Guidelines 04/2022, "(...) when assessing this aspect, particular importance may be given to the issue of whether the controller or processor notified the breach on its own initiative, and if so, to what extent, before the supervisory authority was informed of the breach by way of, for example, a complaint or investigation. This circumstance is irrelevant where the controller is subject to specific obligations to report breaches (such as the obligation to report a personal data breach under Article 33). In such cases, the fact of reporting should be considered a neutral circumstance."

3. Compliance with previously applied measures in the same case, referred to in Article 58 paragraph 2 of Regulation 2016/679 (Article 83 paragraph 2 letter i of Regulation 2016/679).

Before issuing this decision, the President of the UODO did not apply any measures listed in Article 58 paragraph 2 of Regulation 2016/679 to the Controller in the case at hand, and therefore the Controller was not obliged to take any actions related to their application, and which actions, assessed by the President of the UODO, could have an aggravating or mitigating effect on the assessment of the identified infringement.

4. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83 paragraph 2 letter j of Regulation 2016/679).

The Administrator does not apply the instruments referred to in Article 40 and Article 42 of Regulation 2016/679. However, their adoption, implementation and application is not – as provided for in the provisions of Regulation 2016/679 – mandatory for administrators and processors, therefore the circumstance of their non-application cannot be considered to the detriment of the Administrator in this case. On the other hand, the circumstance of adopting and applying such instruments as means guaranteeing a higher than standard level of protection of the processed personal data could be considered to the benefit of the Administrator.

5. Financial benefits directly or indirectly achieved in connection with the infringement or losses avoided (Article 83 paragraph 2 letter k of Regulation 2016/679).

The President of the UODO did not find that the Administrator had gained any financial benefits or avoided such losses in connection with the infringement. There is therefore no basis for treating this circumstance as aggravating the Administrator. The finding of the existence of measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed decidedly negatively. On the other hand, the failure of the Administrator to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that by its nature cannot be mitigating for the Administrator. This is confirmed by the very wording of the provision of Article 83 paragraph 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - incurred by the entity committing the infringement.

The President of the UODO does not see any other aggravating or mitigating factors applicable to the circumstances of this case.

In the opinion of the President of the UODO, the administrative fine imposed fulfils the functions referred to in Article 83 paragraph 1 of Regulation 2016/679 in the established circumstances of this case, i.e. it is effective, proportionate and dissuasive in this individual case.

Taking into account all the circumstances discussed above, the President of the UODO considered that the imposition of an administrative fine on the Controller is necessary and justified by the gravity, nature and scope of the infringements of the provisions of Regulation 2016/679 alleged against this entity. It should be stated that the application of any other remedial measure provided for in Article 58 paragraph 2 of Regulation 2016/679, in particular, limiting it to a warning (Article 58 paragraph 2 letter b) of Regulation 2016/679), would not be proportionate to the irregularities found in the process of personal data processing and would not guarantee that the above entity will not commit similar negligence in the future as in this case.

Pursuant to the content of Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (hereinafter referred to as the Personal Data Protection Act), the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679, is calculated in złoty at the average euro exchange rate announced by the National Bank of Poland in the exchange rate table on 28 January each year, and in the event that in a given year the National Bank of Poland does not announce the average euro exchange rate on 28 January - at the average euro exchange rate announced in the exchange rate table of the National Bank of Poland closest after that date.

Taking the above into account, the President of the UODO, on the basis of Art. 83 sec. 4 letter a) of Regulation 2016/679 in connection with Art. 103 of the Personal Data Protection Act, for the violation described in the operative part of this decision, imposed on the Bank - using the average euro exchange rate of 29 January 2024 (1 EUR = 4.3653 PLN) - an administrative fine in the amount of PLN 4,053,173 (which is the equivalent of EUR 928,498.06).

In the opinion of the President of the UODO, the imposed fine of PLN 4,053,173 (in words: four million fifty-three thousand one hundred seventy-three zlotys) meets, in the established circumstances of this case, the conditions referred to in Article 83 paragraph 1 of Regulation 2016/679 due to the seriousness of the established violation in the context of the basic objective of Regulation 2016/679 – protection of fundamental rights and freedoms of natural persons, in particular the right to protection of personal data. Referring to the amount of the administrative fine imposed on the Bank, the President of the UODO considered that it is proportionate to the financial situation of the Administrator and will not constitute an excessive burden for it. The information provided by the Administrator indicates that the total annual turnover from the previous financial year in 2023 amounted to (...), therefore the amount of the administrative fine imposed in this case constitutes (...) of the above-mentioned amounts. At the same time, it is worth emphasizing that the amount of the fine imposed is only approximately (...) of the maximum amount of the fine that the President of the Personal Data Protection Office could – applying, in accordance with Article 83 paragraph 4 of Regulation 2016/679, the maximum fine of up to 2% of the total annual turnover from the previous financial year – impose on the Bank for the violations found in this case, i.e. (...). The amount of the fine was set at such a level that, on the one hand, it constituted an adequate response of the supervisory authority to the degree of breach of the administrator's obligations, but on the other hand, it did not result in a situation in which the need to pay the fine would entail negative consequences, such as a significant reduction in employment or a significant decrease in the Bank's turnover. 
According to the President of the UODO, the Bank should and is able to bear the consequences of its negligence in the area of data protection, as evidenced by, for example, the "Report (...)".

Finally, it should be noted that, when determining the amount of the administrative fine in this case, the President of the UODO applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with those guidelines:

1. The President of the UODO categorised the infringements of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The infringements of both provisions found in this case (Article 34(1) and (2) of Regulation 2016/679) fall, in accordance with Article 83(4)(a) of Regulation 2016/679, into the category of infringements subject to the lower of the two fine ceilings provided for in Regulation 2016/679 (a maximum of up to EUR 10,000,000 or up to 2% of the undertaking's total annual turnover in the previous financial year). The EU legislator therefore considered them in abstracto (in isolation from the individual circumstances of a specific case) to be less serious than the infringements listed in Article 83(5) of Regulation 2016/679.

2. The President of the UODO assessed the infringements found in this case as infringements of a low level of seriousness (see Chapter 4.2 of Guidelines 04/2022). This assessment took into account those conditions listed in Article 83(2) of Regulation 2016/679 that relate to the infringement itself (and thus make up its "seriousness"): the nature, gravity and duration of the infringements (Article 83(2)(a)), their intentional or negligent character (Article 83(2)(b)) and the categories of personal data affected (Article 83(2)(g)). A detailed assessment of these circumstances has been presented above. Here it suffices to note that their combined effect on the assessment of the infringements identified in this case, taken as a whole, leads to the conclusion that their level of seriousness is also in concreto low (on the scale of seriousness presented in point 60 of Guidelines 04/2022). The consequence is that the starting amount for calculating the fine is taken from the range of 0 to 10% of the maximum fine that can be imposed on the Bank. Since Article 83(4) of Regulation 2016/679 requires the President of the UODO to take as the maximum fine for the infringements referred to in that provision either EUR 10,000,000 or, where higher, an amount equal to 2% of the Bank's turnover in the previous financial year, the President of the UODO applied the so-called dynamic maximum, i.e. 2% of the Bank's turnover for 2023. Having the range (...) at his disposal, the President of the UODO adopted, as adequate and justified by the circumstances of the case, a starting amount of (...) (equal to 2% of the dynamic maximum fine).

3. In accordance with the guidance of the European Data Protection Board in point 66 of Guidelines 04/2022 (concerning undertakings with an annual turnover exceeding EUR 500 million), the President of the UODO did not consider it justified to reduce the starting amount (determined on the basis of the seriousness assessment) on account of the undertaking's size, a possibility that the guidelines (in Chapter 4.3) provide for undertakings of smaller size and economic power. The EDPB indicates that, for large undertakings (and the Bank, as its turnover shows, undoubtedly is one), "the size of the company is already reflected in the dynamic statutory maximum amount" (point 66 of Guidelines 04/2022).

4. The President of the UODO assessed the effect on the established infringements of the remaining circumstances listed in Article 83(2) of Regulation 2016/679, i.e. those not already included in the seriousness assessment above (see Chapter 5 of Guidelines 04/2022). These circumstances, which may aggravate or mitigate the assessment of the infringement, refer, as Guidelines 04/2022 assume, to the subjective side of the infringement: to the entity that committed it and to its conduct before, during and after the infringement. A detailed assessment and justification of the effect of each of these factors has been presented above. The President of the UODO found (as set out in the reasoning above) that the aggravating circumstances in this case, which therefore additionally increase the fine imposed in this decision, are: the action taken to mitigate the damage suffered by data subjects (Article 83(2)(c)), relevant previous infringements by the Bank identified by the President of the UODO (Article 83(2)(e)), and the degree of the Bank's cooperation with the President of the UODO in order to remedy the infringement and mitigate its possible adverse effects (Article 83(2)(f)). The remaining factors (Article 83(2)(d), (h), (i), (j) and (k)) had, as indicated above, neither a mitigating nor an aggravating effect on the assessment of the infringement and, consequently, on the amount of the fine.
Therefore, given the additional aggravating circumstances in the case relating to the subjective side of the infringements (the assessment of the Bank's conduct before and after the infringements), the President of the UODO considered it justified to increase the fine determined on the basis of the seriousness assessment (item 2 above). In the opinion of the President of the UODO, an increase to EUR (...) is adequate to the effect of these factors on the assessment of the infringements.

5. The President of the UODO found that the administrative fine determined in the manner presented above does not exceed, in accordance with Article 83(3) of Regulation 2016/679, the statutory maximum fine provided for the gravest infringement (see Chapter 6 of Guidelines 04/2022).

6. Although the fine determined in accordance with the above principles does not exceed the statutory maximum, the President of the UODO considered that it requires a further correction on account of the principle of proportionality, one of the three requirements for a fine set out in Article 83(1) of Regulation 2016/679 (that it be effective, proportionate and dissuasive; see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of (...) would be effective (its severity would achieve its repressive purpose of punishing unlawful conduct) and dissuasive (effectively discouraging both the Bank and other controllers from future infringements of Regulation 2016/679). In the opinion of the President of the UODO, however, such a fine would be disproportionate to the gravity of the identified infringements, which is low both in abstracto and in concreto (see points 1 and 2 above), because its severity would be excessive in relation to that gravity. The principle of proportionality requires, among other things, that the measures adopted by an administrative authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives pursued (see points 137 and 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...]; Commentary to Article 83, in: P. Litwiński (ed.), General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary).

Therefore, taking into account the proportionality of the fine, the President of the UODO further reduced it, to (...) (the equivalent of PLN [...]). In his opinion, setting the final amount at this level does not reduce its effectiveness or dissuasiveness: this amount is the threshold above which a further increase would not make the fine more effective or dissuasive, whereas a greater reduction could come at the expense of its effectiveness and dissuasiveness, of a coherent understanding, application and enforcement of Regulation 2016/679 in relation to other supervisory authorities and the EDPB, and of the principle of equal treatment of entities on the EU and EEA internal market.

To sum up, in the opinion of the President of the UODO the administrative fine imposed on the Controller in this case meets, in the light of all the individual circumstances of the case, the conditions (functions of a fine) referred to in Article 83(1) of Regulation 2016/679, given the seriousness of the identified infringements in the context of the basic requirements and principles of Regulation 2016/679.

Taking the above into account, the President of the UODO decided as set out in the operative part of this decision.

[1] These guidelines updated and supplemented the Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01), adopted on 3 October 2017.

[2] European Data Protection Board Guidelines 01/2021 on examples regarding personal data breach notification, version 2.0, adopted on 14 December 2021 (hereinafter "Guidelines 01/2021").

[3] https://www.zbp.pl/getmedia/2f8a1812-dca0-4242-b460-5de48b66f719/infodok-2023-10-12-wydanie-56-sklad-240126-gk05

[4] https://www.zbp.pl/getmedia/6fdef6c1-3d63-43f6-a992-179a333455c7/infodok422

[5] https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_pl_0.pdf