UODO (Poland) - DKN.5131.1.2021

From GDPRhub


|Original_Source_Name_1=UODO (Poland)
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKN.5131.1.2021
|Original_Source_Language_1=Polish
|Original_Source_Language__Code_1=PL

<pre>
Warsaw, 09 October 2024.
Decision
DKN.5131.1.2021


Pursuant to Article 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2024, item 572), Article 7(1) and (2), Article 60, Article 101 and Article 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), and Article 57(1)(a) and (h), Article 58(2)(d) and (i), Article 83(1) to (3), Article 83(4)(a) in conjunction with Article 24(1), Article 25(1), Article 28(1) and (3), Article 32(1) and (2), and Article 34(2) in conjunction with Article 33(3)(c) and (d), and Article 83(5)(a) in conjunction with Article 5(1)(f) and Article 5(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2, and Official Journal of the EU L 74 of 4.03.2021, p. 35), hereinafter referred to as “Regulation 2016/679”, having conducted ex officio administrative proceedings concerning a breach of the data protection provisions by Mr. AB, doing business under the name X, ul. (...) (as controller), and by Ms. CD, Mr. EF and Mr. GH, partners of the civil partnership Y s.c., Al. (...) (as processor), the President of the Personal Data Protection Office,
I. finding a violation by Mr. AB, doing business under the name X, Al. (...), of the provisions of:
(a) Articles 24(1), 25(1) and 32(1) and (2) of Regulation 2016/679, consisting in:
- failure to implement appropriate technical and organizational measures to ensure the security of the processing of personal data in information systems and the protection of the rights of data subjects, on the basis of a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons,
- failure to implement appropriate technical and organizational measures to ensure regular testing, measuring and evaluating of the effectiveness of the technical and organizational measures ensuring the security of personal data processing in information systems, in particular with regard to vulnerabilities, errors and their possible effects on those systems, and the measures taken to minimize the risk of their occurrence,
- failure to implement appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data processed in information systems in the event of a physical or technical incident,
resulting in violation of the principle of confidentiality (Article 5(1)(f) of Regulation 2016/679) and the principle of accountability (Article 5(2) of Regulation 2016/679),
(b) Article 28(1) of Regulation 2016/679, by failing to verify that the processor provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects,
(c) Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, by failing to provide data subjects with a description of the possible consequences of a personal data breach and a description of the measures taken or proposed by the controller to remedy the personal data breach,
1. imposes on Mr. AB, doing business under the name X, ul. (...), for violating Articles 5(1)(f), 5(2), 25(1), 28(1), 32(1) and (2), and 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, an administrative fine in the amount of PLN 353,589.00 (in words: three hundred and fifty-three thousand five hundred and eighty-nine zlotys);
2. orders Mr. AB, doing business under the name of X, (...) Street, to bring the processing operations into compliance with the provisions of Regulation 2016/679, by conducting a risk analysis of the processing of personal data, taking into account the state of the art, the cost of implementation, the scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons, and on its basis:
(a) implementing appropriate technical and organizational measures to minimize the risks associated with the processing of personal data in information systems, in particular those arising from accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed,
(b) implementing appropriate technical and organizational measures to ensure that the effectiveness of the measures ensuring the security of personal data processing in information systems is regularly tested, measured and evaluated,
(c) implementing appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data processed in information systems in the event of a physical or technical incident,
within 60 days from the date of delivery of this decision;
II. finding that Ms. CD, Mr. EF and Mr. GH, partners of Y s.c., Al. (...), violated Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679 by failing to assist the controller in complying with its obligation to implement appropriate technical and organizational measures to ensure the security of personal data processing, imposes on Mr. EF and Mr. GH, partners of Y s.c., Al. (...), and on Ms. CD, former partner of Y s.c., all jointly and severally liable, an administrative fine in the amount of PLN 9,822 (in words: nine thousand eight hundred and twenty-two zlotys).
Justification
On December 3, 2019, Mr. AB, doing business under the name X, ul. (...), associated, according to the information on his website, with the nationwide production of “(...)”, hereinafter referred to as the Administrator, made a preliminary notification to the President of the Personal Data Protection Office, hereinafter referred to as the President of the DPA or the supervisory authority, of a personal data breach consisting in a ransomware attack carried out by unidentified perpetrators, as a result of which the availability of the following categories of personal data was lost, concerning both “(...) customers who have purchased [Editor's note: from the Administrator] at least once (...)” and former and current employees of the Administrator “(...) in the number of approximately 200 (...)”: PESEL number, ID card series and number, first and last names, parents' names, date of birth, bank account number, residence or stay address, e-mail address and telephone number. In that notification, the Administrator stated that, in his opinion, “(...) the cause of the breach was most likely human error - an employee (...)”, while the perpetrators' modus operandi allowed the Administrator to assume that “(...) the purpose of encrypting the data was not to steal it (...)”, but only “(...) to obtain a material benefit (...)”. The Administrator also indicated that, owing to the short duration of the incident and in view of the fact that “(...) access to the encrypted data was obtained”, he did not find a high risk of violation of the rights or freedoms of natural persons, and that the technical and organizational security measures implemented before the breach justified, in his opinion, not notifying the data subjects of the breach of the protection of their personal data. In a supplementary notification made to the President of the DPA on January 8, 2020, the Administrator upheld its previous argumentation, while informing that it had notified the data subjects of the breach in the form of a public announcement available at the Administrator's company headquarters, and presented the anonymized content of that notification.
The notifications in question of a personal data breach provided the impetus for the supervisory authority to assess the Administrator's implementation of its obligations under the provisions of Regulation 2016/679 regarding proper data security and organization of the personal data protection system.
In view of the above, the President of the DPA, acting pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, in a letter dated February 24, 2020, asked the Administrator to provide additional explanations in the case, including by:
1) providing the characteristics of the encrypted files, most importantly the file extension;
2) providing the full content of the RTF file message “(...) which contains instructions for action to unlock the encrypted data”;
3) providing information on whether, in connection with the breach in question, the Administrator considered reporting the incident to NASK's CSIRT (incident.cert.pl) in order to obtain more information on the malware on the basis of one of the encrypted files;
4) indicating whether the Administrator conducted an investigation which established that personal data had not been disclosed to unauthorized persons;
5) providing information on the Administrator's analysis of the breach, on the basis of which it was determined that the unavailability of the data did not cause a high risk of violation of the rights or freedoms of natural persons;
6) informing whether the Administrator had implemented the measures declared in point 9B of the notification form of January 8, 2020 to minimize the risk of a recurrence of a personal data breach, including, among other things, establishing cooperation with a professional IT entity to conduct “(...) at least twice a year an additional independent audit [of the Administrator's IT infrastructure - author's note] (...)”, introducing “(...) a system (...) (...)”, completing work to establish “(...) network segmentation (...)”, and preventing users from “(...) interfering with the operation of anti-virus software (...)”.
In a letter dated March 5, 2020, responding to the above request of the President of the DPA, the Administrator explained that reporting “(...) the incident in question to the NASK CSIRT (...)” had indeed been considered, but he ultimately decided not to do so. The Administrator nevertheless indicated that he “(...) conducted an investigation, but focused first on remediating the consequences of the breach (...)”, in which “(...) the nature of the attack carried out (...)” indicated, in the Administrator's opinion, in all likelihood only a desire “(...) to extort a ransom for the decryption of the data, and not its further dissemination (...)”. At the same time, the Administrator mentioned that he “(...) does not have data that unequivocally excludes the possibility of the data being downloaded by unauthorized third parties during the intrusion (...)”, while assuring that the measures declared in point 9B of the notification form of January 8, 2020, mitigating the risk of a recurrence of a data breach, had “(...) for the most part (...)” been implemented, with the exception of “(...) the introduction of a system (...)”. Independently of the above, the Administrator provided the content of the message contained in the RTF file, as well as the name and extension of the encrypted file, i.e. “(...)”.
Based on an analysis of the content of the notice provided to data subjects and of the nature of the breach, its duration, the categories of data and of persons affected and the corrective measures applied, and in light of the additional explanations submitted by the Administrator, the President of the DPA found that there were insufficient grounds for an assumption allowing the unequivocal conclusion that “(...) the purpose of encrypting the data was not to steal it (...)”. This assessment was driven primarily by the Administrator's failure to provide details of the investigation conducted and its results, including, in particular, sufficient evidence of the steps actually taken by the Administrator to determine how the malware worked.
In this light, recognizing that the case in question may nevertheless have involved a breach of the confidentiality of the personal data of the Administrator's employees and customers, in the form of PESEL numbers, identity card series and numbers, first and last names, parents' first names, dates of birth, bank account numbers, residence or stay addresses, e-mail addresses and telephone numbers, and thus a high risk of violation of the rights or freedoms of natural persons, the President of the DPA, acting pursuant to Article 52(1) of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the PDPA, and Article 34(4) of Regulation 2016/679, requested the Administrator to notify the data subjects anew of the breach of the protection of their personal data. The supervisory authority concluded that the notice sent to data subjects did not meet the requirements of Regulation 2016/679, since it did not contain the name and contact details of the data protection officer or of another contact point from whom more information could be obtained, a description of the possible consequences of the breach, or a description of the measures taken or proposed by the Administrator to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. Pursuant to Article 52(1) of the PDPA and Article 34(4) of Regulation 2016/679, the President of the DPA required the Administrator to inform the authority of the implementation of the above measures within 30 days from the date of receipt of the request. Independently of the above, acting pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, the authority also called on the Administrator to supplement the explanations submitted to date, by:
1) presenting the results of the investigation referred to in paragraph (...) of the letter of March 5, 2020, and in particular indicating the vulnerability used to carry out the attack and the manner in which the breach occurred - whether it was caused by a human factor, resulting for example from opening an attachment to an e-mail, and if so, whether the Administrator performed an analysis to determine how the malware worked, or whether the breach resulted from a vulnerability existing in the IT system, and if so, indicating how long that vulnerability had existed and what actions, if any, were taken in connection with it;
2) to provide information on whether, and if so, when and how the Administrator regularly tested, measured and evaluated the effectiveness of technical and organizational measures to ensure the security of personal data processing.
In response to the above request of the President of the DPA, the Administrator, in a letter dated April 10, 2020, indicated that he had informed employees of the breach of the protection of their personal data directly, while, due to “(...) the extraordinary and objective situation related to the COVID-19 epidemic (...)”, “(...) the Administrator's customers were informed through a public announcement (...)”. He also provided the content of the notices to data subjects formulated anew in connection with the breach. In describing the possible consequences of the breach, the Administrator pointed to the following negative consequences: “(...) [d]ata affected by the breach may be used for such purposes as an attempt to obtain your data by fraud, or an attempt to enter into a contract with you (for example, an online sale) using the data, or to carry out a hacking attack by sending a notification to your e-mail or phone number. There is also a chance that you will receive commercial or marketing information to which you have not given your consent.” In turn, in an attempt to provide data subjects with a description of measures to minimize the possible negative consequences of the incident of November 25, 2019, the Administrator advised them as follows: “(...) [d]o not respond to e-mails and text messages whose origin you are not sure of, and do not open the links contained in them. Doing so may cause your equipment to become infected.”
In addition, referring also to the earlier correspondence with the supervisory authority, the Administrator reported that he had “(...) performed the following actions aimed at strengthening the security of the processed personal data (...)”, including: “(...) complete decommissioning of the system on which the infection occurred (...)”; updating operating systems to the latest available versions, including changing the operating system (...) to (...); basing control over access to data processing, including personal data, on “(...)”, also by assigning users of the IT structure “(...) roles corresponding to their positions (...)” while restricting access to other network resources; (...) “(...) between access to the applications on which users work and the database in which personal data and business data are stored (...)”; and creating network users “(...) (...)”.
Independently of the above, the Administrator indicated that he had changed the work model by implementing the (...) solution, with the simultaneous closure of “(...) the [IT infrastructure - added by the Administrator] from outside (...)”; introducing (...); and scheduling (...) “(...) (...)”. The letter also highlighted the progressive, successive replacement of “(...) (...) (...)”, as well as the removal of “(...) users' ability to control the antivirus software (...)”, which after the changes “(...) can only be disabled by the IT team (...)”. According to the Administrator's further assurances, there has been “(...) (...) (...)”, and “(...) software (...) (...) has been implemented”, intended by the Administrator to “(...) (...)”.
The Administrator also mentioned plans to appoint a data protection officer in his organization, “(...) who will be responsible for dealing with the DPA, but will also be able to propose a training plan for employees (...)” and about the need to “(...) anonymize the database modules (relating to personal data of individual customers and employees), so that in the electronic system the data would be encrypted, and would be readable only by a small group of employees with codes for the decryption program.”
In an attempt to establish the cause of the breach, the Administrator additionally indicated in the same letter that, in his opinion, it resulted from “(...) the disabling of the licensed antivirus program A. by one of the (...) employees”, as a result of which “(...) the (...) equipment was infected (...) (...)”, followed by “(...) obtaining user credentials (...)”, remote login of the perpetrators to the IT system and, consequently, encryption of the personal data. The Administrator also reported that the above criminal action exploited “(...) the vulnerability of the B. server, which had not been updated for a long time”, which he attributed to the non-performance or improper performance of obligations by the entities that had provided IT services to the Administrator to date. Finally, the Administrator also provided information on reporting the case to the NASK CSIRT.
The information presented by the Administrator in this regard and contained in the correspondence exchanged with the supervisory authority to date constituted, in the opinion of the President of the DPA, sufficient grounds to initiate ex officio administrative proceedings for violation by the Administrator of the personal data protection provisions of Regulation 2016/679, i.e. Articles 5(1)(f), 5(2), 24(1), 25(1), 28(1) and 28(3), 32(1) and 32(2), and 34(2) in conjunction with 33(3)(c) and 33(3)(d) of Regulation 2016/679, of which the party was notified by letter dated January 29, 2021. At the same time, in that notice, the President of the DPA called on the Administrator to provide additional explanations, including, among others, to:
1) indicate the service contract and the personal data processing entrustment agreement concluded with the IT entities referred to in the letter of April 10, 2020, including the period of provision of these services, together with an explanation of how the Administrator verified that those entities provided sufficient guarantees of professional provision of these services;
2) describe the Administrator's organizational complexity, including, among other things, the number of workstations, the organization of work, and the number of employees operating those workstations;
3) provide information on the period of operation of the organization as presented in the letter of April 10, 2020, in particular since when the Administrator had been using the B. software;
4) indicate whether the Administrator had, as stated in the letter of April 10, 2020, a server in its own infrastructure, and whether these services were and currently are provided by an external entity as outsourcing, and if so, provide copies of the service contracts, including the personal data processing entrustment agreement, concluded with that entity;
5) state on what basis access to the Administrator's IT environment took place prior to the breach, and whether the Administrator carried out a risk analysis regarding the security of personal data processing, presenting its results;
6) indicate the rationale for granting employees administrative privileges on workstations, thereby allowing them to disable anti-virus software;
7) indicate the names and dates of the training courses on data protection regulations conducted by the Administrator for employees.
In response to the notice of initiation of proceedings, in a letter dated February 16, 2021, the Administrator, referring to the service contract and the personal data processing entrustment agreement concluded with the IT entities, informed that he “(...) has entered into data processing entrustment agreements with these entities (dated May 24, 2018) and service contracts”. He noted that “(...) the service agreement was not in writing, but nevertheless the parties to this agreement never doubted that Y s.c. CD, EF, GH (hereinafter: Y) was responsible for full IT support since at least 2010, ensuring the security of digitally processed data and providing hardware solutions that met the highest security standard.” Referring, in turn, to the verification of the processor in terms of its compliance with the requirements of Regulation 2016/679, the Administrator indicated that the choice of this partner was dictated by its long-standing experience in implementations in organizations (...), reflected in the status it held “(...) (...)”.
Describing his organizational structure, the Administrator explained that he has been conducting business since 1992 as a sole proprietorship, in which each of the organization's 30 employees involved in personal data processing acts according to the authorizations granted, carrying out their tasks on 33 workstations. The Administrator further described a setup in which each computer is equipped with up-to-date antivirus software recommended by the IT service provider, access to resources “(...) is protected by passwords (...)” at the exclusive disposal of the company's staff, and “(...) specialized IT service providers ensure the integrity and security of the computer system and the information contained therein.” The Administrator stated that although “(...) it is difficult from the perspective of 2021 to determine (...)” when specifically “(...) there was a change in the environment, firewalls, or antivirus software (...)”, to his knowledge “(...) the operating system B. [B. - author's note] was used in the Administrator's enterprise from October 2010, while this program enjoyed the support of (...) until January 14, 2020.”
With regard to the location of the server infected in the attack, the Administrator informed that it was located in the company's own infrastructure and that its correct operation was supervised by Y s.c. At present, according to the Administrator's statement, “(...) the server is being handled by [another entity from the IT support sector - author's note] Z Sp. z o.o.”.
Describing the rules of access to the company's IT environment prior to the breach, the Administrator stated that there were no solutions based on (...), and that the risk analysis of the system so designed (privacy by design) “(...) was based on ongoing IT consulting provided by Y.” At the same time, the Administrator assured that at the time of the breach “(...) employees had the status of standard users, without administrative rights to the server (...)”, and that their knowledge of data protection regulations, gained through participation in two training courses conducted by the Administrator, i.e. “(...) on June 30, 2018 on the subject: RODO - general principles of application of the new regulations, and on May 20, 2020 on the subject: RODO and the Personal Data Protection Act in the operation of an enterprise (...)”, allowed, in the Administrator's opinion, the conclusion that the persons employed by him are aware that “(...) it is not permissible to configure hardware or software settings on their own”.
In order to supplement the explanations submitted so far in this case, the President of the DPA, in a letter dated July 1, 2021, asked the Administrator to respond to the following issues:
1) describe the Administrator's procedures for creating, storing and testing backups both before and after the breach in question;
2) indicate whether the Administrator has effectively implemented firewalls (...), as declared in the letters of March 5 and April 10, 2020, along with the date of their implementation;
3) provide a copy of the correspondence carried out - in accordance with the Administrator's declarations - with respect to the matter in question with NASK's CSIRT;
4) indicate what permissions the Administrator's employees had on the workstations;
5) provide information on whether the new entity providing IT services to the Administrator, i.e. Z Sp. z o.o., based in M., performed a security audit of the Administrator's IT environment, which it was obliged to perform under paragraph (...) of Appendix C “(...)” to “(...)”, including presenting its results and informing whether they were taken into account by the Administrator in its risk analysis of personal data processing;
6) report whether the Administrator conducted training sessions for staff on data protection regulations in the second half of 2020 and in 2021, including the dates and names of these training sessions.
In explanations dated August 16, 2021, the Administrator submitted that backups are performed automatically, at 24-hour intervals, using (...) software (...), using C. (...), with a “(...) summary report generated for the administrators responsible for overseeing backups.” The Administrator also stated that he “(...) stores at least 90 recent backups locally (...)”, and that “(...) after the completion of each backup cycle, a replica of the backup is made to a repository held by Z Sp. z o.o. (...)”. In turn, “(...) at least the last 7 restore points are stored in the remote repository.”
The Administrator also indicated that work on implementing the “(...) device (...)” had been stopped and that the way the environment is protected had changed, by deploying “(...) on all end computers [and servers with end-user access - added by the Administrator] software (...) in a version that allows the analysis of all workstations”. Moreover, according to the Administrator, users currently have no way of influencing the effectiveness of this software, which has been “(...) set up in a maximally aggressive manner, prioritizing security over end-user convenience (...)”, so as to “(...) actively block incoming connections from the analyzed endpoint (...)”.
As to the permissions held by the Administrator's employees on their workstations at the time of the breach, the Administrator characterized them as “(...) standard user permissions.” As to the security audit of the Administrator's IT environment by Z Sp. z o.o., based in M., the Administrator informed that the audit had been carried out and had resulted in the creation of “(...)”, which the Administrator intends to use as a benchmark for setting further IT security goals.
Independently of the above, the Administrator acknowledged that in the second half of 2020 and in 2021 “(...) no additional training [in the area of data protection regulations - added by the Administrator] (...)” had been conducted; however, the educational activities carried out to date in that area had, in his opinion, translated into a due “(...) increase in the awareness of the Administrator's employees in the area of personal data protection.”
The Administrator also provided the contents of the correspondence exchanged with the NASK CSIRT on the subject matter.
Independently of the above, in a letter dated November 9, 2021, the Administrator again referred to the underlying causes of the breach, identifying it as the result of human error “(...) which could not be avoided, despite the undertaking of measures to protect personal data (...)”, which materialized for fortuitous reasons on November 25, 2019, “(...) in the course of carrying out modernization work (...)” and during the period in which the transfer of “(...) responsibilities between two companies providing [IT - author's note] services to Company X (...)” took place. At the same time, the Administrator highlighted the problem which, in his opinion, every organization faces in its daily operations, namely the human factor as a risk factor that cannot be completely eliminated even by “(...) extraordinary actions by the employer (...)”, citing a number of cases from the history of his organization as examples of conduct by personnel that openly deviated from the procedures in force in the Administrator's organization regarding the protection of personal data.
The findings made in the course of these proceedings made it possible to conclude that each of the partners of Y s.c. (Al. (...)), hereinafter also referred to as the Processor, was also responsible for the processing of the personal data affected by the breach. Consequently, in view of the fulfillment of the conditions set out in Article 28 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2024, item 572), the President of the DPA considered that in the present case there is a legitimate need for the authority to assess the performance by Ms. CD, Mr. EF and Mr. GH of the obligations of the Processor, to whom the Administrator entrusted, pursuant to § 2(1) of the agreement “(...)” concluded on May 24, 2018, the processing on its behalf and for its benefit of the personal data of its “(...) employees, temporary employees, contractors, employee's family members, trainees and interns, contractors (...)”, of which the parties were duly notified on June 10, 2022. It should be noted in this regard that, according to the wording of the agreement of May 19, 1998 “(...)”, with subsequent annexes, submitted by the Processor by letter dated May 24, 2022, Ms. CD, pursuant to the “(...)” dated December 28, 2021, withdrew “(...) [as of] December 31, 2021 from Y S.C. (...)”.
Independently of the above, acting pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, the President of the DPA summoned on June 10, 2022 each person who was a partner of Y S.C. (Al. (...)) on the date of the breach, i.e. Ms. CD, Mr. EF and Mr. GH, to:
1) submit the security policy in effect at Y s.c. for the period from May 24, 2018 to December 3, 2019, affecting the processes of processing personal data entrusted by the Administrator;
2) characterize the actions taken by Y s.c. in the period from May 24, 2018 to December 3, 2019 to assist the Administrator in complying with its obligations set forth in Articles 32 - 36 of Regulation 2016/679, including whether Y s.c. performed a security audit of the Administrator's IT infrastructure, and in the event of a positive answer to provide the date and results of the evaluation, and in the event of a negative answer to provide the reasons for not performing such an audit;
3) provide a description of the reasons for the security incident of November 25, 2019, which resulted in a breach of the protection of personal data processed by the Administrator;
4) provide information on the privileges held by users of the Administrator's IT infrastructure to the infected server both before and after the occurrence of the personal data protection breach in question;
5) indicate the date of termination of cooperation between the Administrator and Y s.c.
In concurring statements submitted to the supervisory authority on June 27, 2022 and July 8, 2022, respectively, the aforementioned partners of Y s.c. indicated the following:
1) “(...) Company Y s.c. does not have and did not have a signed contract for the administration of the IT infrastructure at Company X.”, being responsible “(...) for the provision of the database server, licenses, implementation and maintenance work related to the d. system”, hence “(...) has within the Administrator's IT infrastructure the authority to manage the d. system”;
2) “(...) in the period from May 24, 2018 to December 3, 2019 (...)” a number of measures were taken to assist the Administrator in complying with its obligations under Articles 32-36 of Regulation 2016/679, in accordance with the May 25, 2018 Personal Data Processing Entrustment Agreement between the two entities, viz.: “(...) - on June 25 and 27, 2019, a backup check was performed, unneeded USB drives were disconnected and a backup was configured to the location indicated by the Administrator on the N. server, which was not provided, configured or managed by Y s.c.; - on September 16, 2019, [Y s.c. - added by the Processor] delivered the Server (...), along with B. licenses for the d. system; - on November 13, 2019, it submitted a bid for a Router and UPS; after acceptance of the bid, on November 20, 2019, it physically delivered the equipment, but the installation at the premises of X (...) was not performed.”
3) “(...) after the occurrence of the ransomware attack on the Administrator's IT infrastructure, from November 25 to December 3, 2019, the following actions were taken [by Y, Al. (...) - added by the Processor]: disconnecting the server from the network; providing A. antivirus software licenses; decrypting the database; scanning computers from branches and headquarters; installing new (...) + basic configuration + (...); installing the system on the new server; configuring the system and installing d. - database restoration; starting case analysis; scanning with the newly purchased A. server software.”
4) “(...) Company Y s.c. did not perform a security audit of the Administrator's IT infrastructure, and the reason for this was the lack of such an order on the part of the Administrator, and it was not part of the personal data entrustment agreement concluded on May 24, 2018.”
5) according to the Processor's assessment, made on the basis of “(...) actions taken to recover the Administrator's lost data availability (...) the main reasons [for the occurrence of the personal data protection breach in question - added by the Processor] were the negligence of employees with regard to compliance with the rules for the use of IT equipment inside Company X.”
At the same time, the Processor submitted the contents of the Security Policy in effect at its organization “(...) at the time of the incident” [i.e. the personal data protection breach in question - added by the Processor], and submitted a copy of the “(...)” “(...) for the purpose of executing [this - added] agreement with regard to the operation and maintenance of the d. system at the Administrator's enterprise, and the due fulfillment of the obligation towards statutory state authorities.”, while indicating that “(...) the above Personal Data Entrustment Agreement has not been terminated by any party and is still in force.”
In order to supplement the explanations submitted so far in the course of these administrative proceedings, on May 25, 2023, the President of the DPA requested the Administrator, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, to:
1) identify the server on which the personal data breach in question occurred;
2) inform whether the “d.” system was hosted on a server using the software (...);
In addition, given that the Administrator, in paragraph 3 of the letter of April 10, 2020, stated, among other things, that “(...) The previous company (whose services the Administrator was not satisfied with due to the lack of timely provision of maintenance services and security system audits) was replaced in September/October 2019 by the company Y s.c.”, the authority requested disclosure of the entity that provided IT system security services to the Administrator prior to the partners of the civil partnership Y, and called for an indication of whether the cooperation with the partners of Y s.c, Al. (...), was terminated, and in the event of a positive answer, asked the Administrator to provide the date of termination of this cooperation, including the relationship of entrustment of personal data processing.
Notwithstanding the above, the President of the DPA, by letters dated May 25, 2023, summoned both former and current partners of partnership Y, i.e. Ms. CD, Mr. EF and Mr. GH, to:
1) inform whether the server (...) delivered on September 16, 2019 was the server on which the data breach in question occurred, and if the answer is negative, to identify the server affected by the breach;
2) to indicate what licenses were provided by Y s.c. (Al. (...)) for the d. system;
3) to inform whether the d. system was hosted on a server using E. software.
In response to the aforementioned issues, the aforementioned partners of Y s.c., in concurring statements submitted to the supervisory authority on June 5, 2023, indicated the following:
1) “(...) The data breach in question occurred on another server. The server on which the breach occurred is Server (...) .”
2) “(...) For the purposes of the system, d. Y s.c. provided the following licenses to X: d. (...) - 1 unit, d.(...) - 2 units, d. (...) - 1 unit, d. (...) - 23 units. d. (...) - server license, d. (...) - server license, system add-on d. (...), system add-on d. (...), system add-on d. (...), M. (...) - 1 unit, (...) - 15 units, (...) - 10 units, M. (...) - 35 units, (...) - 1 unit, E. - 20 units.”
3) “(...) On the server using the E. software there was an F.server installed with the database used by the d. system. The installation of the d. client application was done on the users' computers.”.
The Administrator, on the other hand, addressed the issues placed before him by the President of the DPA on May 25, 2023 only in a letter dated July 7, 2023, and this despite his written commitment before the authority on June 5, 2023 “(...) to submit the aforementioned response by June 15, 2023.”. Nevertheless, he explained that:
1) “(...) The personal data protection incident in question occurred on the server: (...).”
2) “(...) There was an F. server installed on the server using the E. software with the database used by the system d. The installation of the e. client application was done on the users' computers.”
3) “(...) In a letter dated February 16, 2021, the Administrator indicated that Y s.c. CD, EF, GH (hereinafter Y) was responsible for providing full IT support since at least 2010, ensuring the security of digitally processed data and providing hardware solutions that meet the highest security standard. V s.c. IJ, KL (hereinafter V), on the other hand, dealt with issues related to the alarm, Wi-fi network or telephone connections.”
4) “(...) The Administrator did not terminate the contract with Y for it continues to cooperate with this entity to some extent.”.
In an attempt to comprehensively consider the evidence gathered in the present administrative proceedings, and the inconsistencies that emerged in the findings regarding the server on which the personal data protection breach in question occurred, the President of the DPA asked all parties to the proceeding, by letters dated September 20, 2023, to state unequivocally whether the “d.” system was hosted on a “(...)” server using E. software, and in the event of a negative answer, to indicate the name of the software used to operate the server on which the personal data protection breach in question occurred.
In response to the question so posed by the authority, both the former and current partners of the partnership Y and the Administrator provided identical explanations, on September 29, 2023 and October 3, 2023 respectively, with the following wording: “(...) The system >>d.<< was hosted on a server “(...)”, using E. software”.
Having considered all the evidence gathered in the case, the President of the Office for Personal Data Protection has considered the following:
I. Violation of Articles 5(1)(f), 5(2), 24(1), 25(1), and 32(1) and (2) of Regulation 2016/679.
I.1 Risk management for personal data processing operations.
The supervisory authority, in its notice of January 29, 2021 on the initiation of administrative proceedings, indicated that the Controller failed, among other things, to comply with the obligation under Article 32 (1) of Regulation 2016/679 to select appropriate technical and organizational measures to ensure the security of the processed data, including the ability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services, with which it simultaneously failed to comply with its obligations to ensure and demonstrate compliance of the processing with the requirements of Regulation 2016/679, as referred to in Art. 24(1) of Regulation 2016/679 and the obligation to effectively implement the data protection principles set forth in Article 25(1) of Regulation 2016/679, and consequently violated the principle of integrity and confidentiality set forth in Article 5(1)(f) of Regulation 2016/679, which imposes on the Controller a duty of due care in ensuring an adequate (in relation to the risk) level of security for the processing of personal data.
Taking into account the wide range of categories of personal data processed by the Administrator, which included data enabling the unambiguous identification of natural persons, i.e. the PESEL number, as well as the categories of persons concerned, the Administrator was all the more obliged, in order to properly comply with the obligations imposed by the aforementioned provisions of the Regulation, to ensure an adequate level of personal data protection by implementing appropriate technical and organizational measures.
There is no doubt that under the risk-based approach established by Regulation 2016/679, it is the controller's burden to identify and assess risk factors and, on this basis, to formulate its own risk mitigation strategy. Conversely, an erroneous estimate of the level of risk, or worse, the absence of any estimate, prevents the application of security measures appropriate to a given asset, which inherently increases the likelihood that negative consequences will materialize for the persons whose data are processed in a given process. Regulation 2016/679 thus introduced an approach in which risk management is the foundation of personal data protection activities and is a continuous process. In turn, the key condition for demonstrating compliance with the requirements imposed on controllers, in accordance with the principle of accountability referred to in Article 5(2) of Regulation 2016/679, is not only the one-time implementation of technical and organizational measures guaranteeing an adequate level of protection for personal data processing, but also, as part of a dynamic approach, continuous monitoring of the level of risk against the adequacy of the safeguards put in place. The controller is therefore obliged to analyze in detail the personal data processing processes it carries out, to comprehensively assess the potential threats to the privacy of the data subjects, and then to apply measures adequate to the assessed risks.
Consequently, it should be considered that the risk analysis forms the ground for appropriate management of possible vulnerabilities, understood as a weakness or security gap that, when exploited by a given threat, may disrupt the functioning of a given organization, or even lead to security incidents or breaches of personal data protection.
There is no doubt that, on the facts of the present case, the main risk associated with the personal data processing processes carried out by the Administrator should have been identified as the threat of its IT infrastructure being compromised with malware, unauthorized processes being executed in it and an encryption process being started in order to obtain a financial benefit in exchange for subsequent decryption of the data, i.e. ransomware. The key preventive measure against this type of attack is to keep the software of all elements of the IT infrastructure up to date.
Applying the above to the circumstances of the case at hand, it should be pointed out that the facts presented are a clear example of the opposite of the state of affairs postulated by the provisions of Regulation 2016/679. The findings made in the course of the present proceedings conclusively show that the Administrator, over an unusually long period, at least from the date of application of Regulation 2016/679, i.e. from May 25, 2018 (this perspective seems the most relevant for assessing the Administrator's compliance with the principle of accountability), used outdated versions of the B. server to carry out personal data processing, despite the fact that, as he himself noted in a letter dated February 16, 2021, “(...) this program benefited from E. support until January 14, 2020.” The evidence gathered in the present case does not show that the Administrator took advantage, during the period of support offered by the software manufacturer, of the possibility of applying ongoing updates to the B. server software. In this light, the sequence of events that took place on November 25, 2019, in the form of “(...) infecting the hardware (...) (...)” and obtaining on this basis “(...) user credentials, which made it possible to remotely log in and start the encryption process”, should come as no surprise, as it was the materialization of a long-standing state of high risk of a data protection breach, caused by the Administrator basing its personal data processing on an IT architecture which, in the absence of due diligence in performing cyclic updates, had a number of well-known security flaws.
Significantly, in letters dated April 10, 2020 and February 16, 2021, respectively, the Administrator admitted that, based on the investigation conducted to determine the causes of the data breach in question, it “(...) assumes that a vulnerability of the B. server, which had not been updated for a long time, was exploited,” despite the fact that “(...) this program benefited from E. support until January 14, 2020.” It is therefore clear from the above that the event of November 25, 2019 was the logical consequence of negligent omissions on the part of the Administrator, evidencing gross negligence, manifested both in proceeding with personal data processing operations without identifying the risks associated with the processing taking place in his organization, and in failing to regularly test, measure and evaluate the technical and organizational security measures implemented for these processes (an obligation binding on the Administrator at least from the date of application of Regulation 2016/679), and this despite his knowledge of the updates offered by the software manufacturer. Consequently, the Administrator, when implementing technical and organizational measures to ensure the security of personal data processing in his organization, was from the outset deprived of an effective tool for assessing whether they were sufficient, and the lack of periodic checks of the implemented tools and of their assessment in terms of risk only compounded this state of ignorance.
There is no doubt that one of the key elements of risk analysis, in addition to determining the assets to be protected in the processing area, is the identification of the possible types of risk associated with those processing areas and the assignment of appropriate levels to them. Meanwhile, the evidence gathered in the course of these proceedings contains no mention of any actions taken by the Administrator to carry out an appropriate evaluation of the risk inherently associated with the personal data processing operations carried out in its organization, let alone of its consideration of the likelihood that the threat of an attack by cyber criminals on its IT infrastructure, aimed at encrypting the personal data processed therein and obtaining material benefits for their subsequent decryption, would materialize.
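The decision's central technical finding is a server that was still inside its vendor support window yet had gone without updates for a long time, with support due to end only weeks after the incident. As an added example (not code from the decision, the Administrator or the Processor), the following Python script audits a constructed inventory for exactly those two conditions: patch lag beyond a policy threshold, and vendor support that has expired or is about to. All host names, product labels, patch dates and the two policy thresholds are assumptions; the only values taken from the decision text are the incident date, November 25, 2019, and the cited support end date, January 14, 2020.

```python
"""Patch-currency audit over a constructed server inventory.

Added example, not code from the decision or from any party to it. Hosts,
products, dates and the policy thresholds below are assumed; only the incident
date (2019-11-25) and the cited support end date (2020-01-14) come from the
decision text.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MAX_PATCH_LAG_DAYS = 30   # assumed policy: apply vendor updates within 30 days
EOL_WARNING_DAYS = 90     # assumed policy: warn when support ends within 90 days


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    last_patched: date           # date the last vendor update was applied
    latest_vendor_update: date   # most recent update the vendor has published
    vendor_support_ends: date    # no security fixes are published after this


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str   # "high" or "medium"
    reason: str


def audit_host(host: Host, today: date) -> list[Finding]:
    """Return the risk findings for one host as of `today`.

    Two independent checks: whether the vendor still supports the product at
    all (and for how much longer), and whether the host actually consumed the
    updates the vendor published while it was supported. A supported but
    unpatched host is the situation the decision describes.
    """
    findings: list[Finding] = []

    days_left = (host.vendor_support_ends - today).days
    if days_left < 0:
        findings.append(Finding(host.name, "high",
            f"{host.product} unsupported since {host.vendor_support_ends}; "
            "no further security fixes will be published"))
    elif days_left <= EOL_WARNING_DAYS:
        findings.append(Finding(host.name, "medium",
            f"{host.product} support ends in {days_left} days; plan migration"))

    # Lag is measured against what the vendor had published by `today`, so a
    # host is not penalised for updates that do not exist yet.
    lag = (min(host.latest_vendor_update, today) - host.last_patched).days
    if lag > MAX_PATCH_LAG_DAYS:
        findings.append(Finding(host.name, "high",
            f"{lag} days behind the latest published update"))
    return findings


def audit_inventory(hosts: list[Host], today: date) -> dict[str, list[Finding]]:
    """Audit every host; hosts with no findings are omitted from the result."""
    report: dict[str, list[Finding]] = {}
    for host in hosts:
        findings = audit_host(host, today)
        if findings:
            report[host.name] = findings
    return report


# Constructed inventory (not the Administrator's real systems).
INVENTORY = [
    Host("db-srv", "B. server (assumed product label)",
         last_patched=date(2018, 3, 1),
         latest_vendor_update=date(2019, 11, 12),
         vendor_support_ends=date(2020, 1, 14)),
    Host("file-srv", "legacy file server OS (assumed)",
         last_patched=date(2015, 7, 1),
         latest_vendor_update=date(2015, 7, 14),
         vendor_support_ends=date(2015, 7, 14)),
    Host("ws-07", "workstation OS (assumed)",
         last_patched=date(2019, 11, 20),
         latest_vendor_update=date(2019, 11, 12),
         vendor_support_ends=date(2023, 10, 10)),
]

INCIDENT_DATE = date(2019, 11, 25)

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, INCIDENT_DATE).items():
        for f in findings:
            print(f"{name}: [{f.severity}] {f.reason}")
```

Run as of the incident date, the constructed database server is reported twice: once because support ends in 50 days, and once because it is 621 days behind the updates the vendor had already published. The second finding is the one that matters for the decision's reasoning; an end-of-support date in the future is no defence when the updates published during support were never applied.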
Undoubtedly, the obligation to ensure the security of processed data, arising from, among other things, Article 32(1) of Regulation 2016/679, is the cornerstone of an effective personal data protection system. Regulation 2016/679, while introducing a risk-based approach, at the same time indicates in Article 32(1) the criteria based on which the controller should select appropriate technical and organizational measures to ensure a degree of security corresponding to the risk. Thus, in addition to identifying the risk of infringement of the rights or freedoms of individuals, consideration should still be given to the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. Consequently, it should be considered that the selection of security measures should be conditioned by the circumstances and conditions of data processing, as well as the likelihood and severity of events that may lead to a violation of the rights or freedoms of data subjects.
At the same time, it should be emphasized that security measures selected on the basis of the criteria of Article 32(1) of Regulation 2016/679, in order to be effective, i.e. to adequately protect the personal data processing processes, must be based on a comprehensive risk analysis, that is, one taking into account all the risks realistically present in the given context of personal data processing; such an analysis was clearly missing in the present case. Indeed, as already indicated, the Administrator did not provide any evidence making it plausible that, either before or after the start of the personal data processing processes, he carried out a comprehensive risk analysis, i.e. one also taking into account the likelihood of a ransomware attack, which he was obliged to do pursuant to the principle of accountability under Article 5(2) of Regulation 2016/679. Clearly, the risk analysis described by the Administrator, which “(...) was based on ongoing IT consulting provided by Company Y,” cannot be considered holistic. In this context, it should therefore come as no surprise that, given the Administrator's inability to select security measures adequate to the existing risks, the safeguards applied to its infrastructure, as presented, for example, in paragraph 9A of the supplementary data breach notification form dated January 8, 2020, i.e. “(...) Conclusion of data processing entrustment agreements with processors, limited scope authorizations for employees, computers with individual user accounts and passwords, screen savers changing passwords, use of anti-virus software, firewall, location of the server in an inaccessible place for unauthorized persons, alarm system, use of the services of a security company outside working hours”, proved ineffective against an attack using the “M.” malware.
At the same time, there is no doubt that this unfavorable state of affairs could have been avoided by the Administrator if the personal data protection system in place in his organization had been based on realistic premises, that is, in particular, on a risk analysis conducted exhaustively and renewed periodically (cf. judgment of the WSA in Warsaw of May 13, 2021, ref. II SA/Wa 2129/20; judgment of the WSA in Warsaw of October 5, 2023, ref. II SA/Wa 502/23).
As demonstrated earlier, the Administrator did not identify the threat of the security of the IT system used to process the personal data of his former and current employees and contractors being breached and the data then being encrypted. In this context, and in view of the Administrator's failure to provide any evidence documenting the actions it took in accordance with the principle of accountability under Article 5(2) of Regulation 2016/679, its omission to perform a general risk analysis in light of the personal data protection breach in question, i.e. one taking into account the risk of its IT infrastructure being compromised with malware via the workstation of one of its employees, must cause all the more concern and surprise. According to the Administrator's declaration in its letter of November 9, 2021, the decisive “(...) cause of the November 2019 incident that triggered the President of the Office for Personal Data Protection to conduct [administrative proceedings in the case in question - added by the Administrator] was (probability bordering on certainty) human error (...).” (Incidentally, the partners of Y s.c., i.e. the Processor responsible to the Administrator “(...) for full IT support since at least 2010, ensuring the security of digitally processed data and providing hardware solutions that meet the highest security standard”, unanimously identified as the main cause of the personal data protection breach in question precisely the “(...) negligence of employees with regard to compliance with the rules of use of IT equipment inside company X.”)
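The chain the Administrator described, an infected workstation yielding user credentials that were then used to log on remotely to the server and start encryption, leaves traces in two ordinary log sources: endpoint protection alerts and authentication events. As an added example (not code or log data from the decision or from either party), the following Python detection logic runs over a constructed set of antivirus and logon events and flags a remote logon whose source host recently raised a malware alert, or whose account has never before been seen reaching that destination. Host names, account names, timestamps and the event format are assumptions.

```python
"""Detection of the attack chain the decision describes: credentials captured
on an infected workstation used to log on remotely to the server.

Added example, not code or logs from the decision or from any party to it. The
event format, host names, accounts and timestamps are constructed; a real
deployment would read these from the endpoint-protection and authentication
logs of the systems actually in use.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed events. A workstation raises an antivirus alert in the
# afternoon; a few hours later an account that has only ever worked locally on
# that workstation logs on remotely to the database server.
EVENTS = [
    {"ts": "2019-11-25T08:02:00", "type": "logon", "account": "jkowalski",
     "src": "WS-07", "dst": "WS-07"},
    {"ts": "2019-11-25T08:05:00", "type": "logon", "account": "svc_backup",
     "src": "BACKUP-01", "dst": "DB-SRV"},
    {"ts": "2019-11-25T17:40:00", "type": "av_alert", "account": None,
     "src": "WS-07", "dst": None},
    {"ts": "2019-11-25T22:15:00", "type": "logon", "account": "jkowalski",
     "src": "WS-07", "dst": "DB-SRV"},
    {"ts": "2019-11-25T22:16:00", "type": "logon", "account": "svc_backup",
     "src": "BACKUP-01", "dst": "DB-SRV"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect(events: list[dict], baseline_until: datetime,
           infection_window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return alerts for remote logons that match the described chain.

    Events before `baseline_until` only train the baseline of which accounts
    normally reach which hosts remotely; events from that point on are
    monitored. A remote logon is flagged when its source host had a malware
    alert within `infection_window` beforehand, when the account has never
    been seen logging on remotely to that destination, or both.
    """
    known_pairs: set[tuple[str, str]] = set()   # (account, dst) seen remotely
    last_alert: dict[str, datetime] = {}        # host -> time of last AV alert
    alerts: list[dict] = []

    for ev in sorted(events, key=_ts):
        when = _ts(ev)
        if ev["type"] == "av_alert":
            last_alert[ev["src"]] = when
            continue
        if ev["type"] != "logon" or ev["src"] == ev["dst"]:
            continue                            # local logons are out of scope
        pair = (ev["account"], ev["dst"])
        reasons: list[str] = []
        if when >= baseline_until:
            infected_at = last_alert.get(ev["src"])
            if infected_at is not None and timedelta(0) <= when - infected_at <= infection_window:
                reasons.append("infected_source")
            if pair not in known_pairs:
                reasons.append("new_remote_target")
        if reasons:
            alerts.append({"ts": ev["ts"], "account": ev["account"],
                           "src": ev["src"], "dst": ev["dst"], "reasons": reasons})
        # The pair is learned even when it alerted; a stricter deployment
        # would defer learning until the alert has been triaged.
        known_pairs.add(pair)
    return alerts


BASELINE_UNTIL = datetime(2019, 11, 25, 12, 0, 0)

if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE_UNTIL):
        print(f"{a['ts']} {a['account']} {a['src']}->{a['dst']} {a['reasons']}")
```

On the constructed events only the 22:15 logon is flagged, with both reasons: the workstation had raised an alert less than five hours earlier, and the account had never reached the database server remotely before. The backup service account's logon a minute later is silent because it matches the baseline and its source host is clean. In practice the (account, destination) baseline is built from weeks of logs rather than one morning, and the detection presupposes the separation the Administrator reported, namely that workstation accounts hold only standard user permissions; if such an account can log on to the database server at all, the detection is the last line, not the first.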
Of course, the technical and organizational security measures extensively described by the Administrator, inter alia, in its letter of April 10, 2020, and which are cited on pages 7 and 8 of the justification of this decision, may be considered as a certain remedy for the possibility of a repetition of a situation similar to the one that occurred on November 25, 2019. Nevertheless, the evidence gathered in the present case does not provide grounds for assuming that these measures to mitigate the risk of a recurrence of a personal data protection breach were implemented taking into account the laws of logic and life experience.
On the basis of the evidence established in the course of these proceedings, it is also impossible to determine unequivocally whether the remedial measures implemented by the Administrator after the occurrence of the personal data protection breach in question were based on any security tests of the resources held by the Administrator. The mere mention, in the Administrator's explanations of August 16, 2021, of a security audit of the Administrator's IT environment conducted by Z Sp. z o.o., based in M., which resulted in the creation of “(...)”, intended by the Administrator to be only a point of reference for setting further goals in the company's IT security, does not change this, especially since the Administrator did not disclose the contents of the aforementioned document, despite the request addressed to it in this regard on July 1, 2021.
In the opinion of the supervisory authority, the comprehensive identification of potential threats to personal data processing processes and their appropriate classification, and then the implementation on this basis of appropriate technical and organizational measures to guarantee a proper level of protection for personal data processing processes constitutes, in addition to their proper verification, both before and after the activation of the said processes, the foundation on which the personal data protection system in any organization should be based. In this context, it should be noted that the Controller has not presented any evidence unequivocally probative of the fact that after the occurrence of the personal data protection violation in question, the Controller implemented technical and organizational security measures, taking into account the risks associated with the possibility of breaking the security of the IT system used by the Controller in the personal data processing processes, and then encrypting them. Thus, the above constitutes a circumstance in which the Administrator is unable to demonstrate beyond any doubt, in accordance with the principle of accountability referred to in Article 5(2) of Regulation 2016/679, that the selection of these measures did not occur, as it were, in an arbitrary manner, i.e. without due consideration of the risks arising from the context of the processing processes carried out. Consequently, the measures so implemented to mitigate the likelihood of a personal data protection breach expose the Controller to a real danger that the measures envisaged by it will, in effect, constitute an inadequate attempt to respond to the inherent risks to the personal data processing processes. 
In turn, its continued refraining from carrying out their regular evaluation (as there is no evidence that such activities were undertaken by the Administrator at all) and the updates required by the circumstances, creates a real danger that a personal data protection violation will occur in the future.
Taking into account the above reasoning, in the opinion of the President of the Office for Personal Data Protection, the Administrator's inability to produce documentation of the analyses it carried out provides no grounds for concluding that risk mitigation, either before or after the occurrence of the personal data protection breach in question, took place at all. The evidence gathered in the course of these proceedings shows that although the Administrator did attempt to assess the security status of the IT systems used to process personal data (vide: “(...)”), he disclosed neither the content of that document nor the date on which it was drawn up. Only from the date of the letter in which its creation was declared, i.e. August 16, 2021, can it be presumed that it concerns the state of the IT infrastructure operating in the Administrator's organization long after the attack with the M. malware in question. Thus, in the absence of the results of the analyses made, it is impossible to assess their completeness; a reliable description of all vulnerabilities and of the resistance to breach attempts by unauthorized third parties and malware would have provided a basis for a proper assessment in this regard. For this reason, the mere mention of the evaluation of the state of the IT environment at company X by Z Sp. z o.o., based in M., at the Administrator's request, has no evidentiary force and certainly cannot constitute a risk analysis performed by the Administrator, especially since the Administrator himself sees the aforementioned document as a kind of benchmark on the basis of which “(...) goals have been set for implementation in the coming years.”, and therefore - purely hypothetically - it can only be treated as an element of a future risk analysis.
In an attempt to recapitulate the considerations so far, it should be pointed out that the analysis of the facts presented clearly excludes the proper fulfillment of the principle of accountability (Article 5(2) of Regulation 2016/679) by the Administrator both before and after the occurrence of the personal data protection breach in question. This is because at no stage of its personal data processing processes did it accurately identify all identifiable vulnerabilities, so that the security measures it implemented prior to the occurrence of the personal data protection breach in question proved ineffective, leading to the compromise of its IT infrastructure on November 25, 2019. In turn, the technical and organizational measures to mitigate the risk of a recurrence of a personal data protection breach implemented after that date also lack the attribute of adequacy, as the Administrator is unable to objectively demonstrate that they constitute an adequate response to the existing risk.
Moreover, the Administrator, on the backdrop of the events of November 25, 2019, identified the source of the cyber-attack on the basis of the investigation, nevertheless, it should be noted that this identification was made to determine the possibility of a data leak and to assess the risk of violating the rights or freedoms of individuals in connection with the ransomware attack that occurred, and was not documented as part of the overall risk assessment for personal data processing processes. The Administrator also did not bother to describe the vulnerability in the security of the IT system that existed at the time of the personal data breach in question, and which, had it been identified, could have been important in the selection of instruments to mitigate the risk of a repeat of the data breach.
However, the above does not undermine the conclusion that the Controller's failure, both before November 25, 2019 and thereafter, to carry out a risk analysis covering all the risks associated with its processing of personal data, as Article 32(2) of Regulation 2016/679 expressly requires, establishes a violation of that provision. Moreover, its implementation of technical and organizational measures to secure the processing of personal data within its structure, as presented in the letters of April 10, 2020 and August 16, 2021, in isolation from such an analysis, followed, in the absence of evidence to the contrary, by a failure to subject them to cyclical reviews, puts a question mark over the Administrator's ability to demonstrate continuous assurance of the confidentiality, integrity, availability and resilience of the processing systems and services (cf. judgments of the WSA in Warsaw of August 26, 2020, ref. II SA/Wa 2826/19, and October 5, 2023, ref. II SA/Wa 502/23).
I.2 Technical and organizational measures used to ensure the protection of processed personal data.
As shown so far, the circumstances of the case underline the necessity for controllers to base the processing of personal data on a risk-based approach, i.e. on knowledge of the magnitude of the risk and of the likelihood of negative consequences for the rights or freedoms of data subjects. A controller's failure to perform, for the personal data processing processes it carries out, an analysis covering all the elements listed in recitals 76 and 83 of the preamble to Regulation 2016/679 therefore clearly establishes its inability to manage the objectively existing risks associated with those processes.
The inability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services on the basis of the technical and organizational measures implemented by the controller therefore constitutes a failure to comply with the obligations set forth in Articles 24(1), 25(1) and 32(1) of Regulation 2016/679. At the same time, that failure precludes the controller from demonstrating compliance with the principle of data security expressed in Article 5(1)(f) of Regulation 2016/679 and, consequently, with the principle of accountability set forth in Article 5(2) of Regulation 2016/679 (cf. judgments of the WSA of August 26, 2020, II SA/Wa 2826/19, and February 10, 2021, II SA/Wa 2378/20).
In this context, it is indisputable that using operating systems and information systems for personal data processing without exercising due diligence to keep them updated to the latest stable version significantly lowers the security level of the processing carried out with them. In particular, the absence of current, built-in security features increases the risk of malware infection and leaves newly disclosed vulnerabilities open to attack.
In order for controllers to ensure an adequate level of security for personal data processing, it is equally necessary for them to design technical measures in accordance with the principle of least privilege, taking into account the roles of the persons employed in their organization. This means not only placing appropriate restrictions on the rights of end users but, equally important, supervising their activities. Only when the controller combines these measures with regular investment in the competence of its staff, both in personal data protection regulations and in the risks associated with their use of the Internet, can the set of measures it has implemented to protect personal data processing be regarded as complete.
The requirements of Articles 24(1) and 25(1) of Regulation 2016/679, addressed exclusively to controllers and expressed in the obligation to implement technical and organizational measures, make it necessary to treat this activity not as a one-off act but as a process in which the controller reviews and, where necessary, updates the safeguards previously adopted. Such evaluation should cover not only technical measures but also organizational measures in the form of procedures implemented by the controller for the processing of personal data, including procedures for making changes to the IT systems used to process it. Regular evaluation of such a procedure, as required by Article 32(1)(d) of Regulation 2016/679, allows the controller to verify whether the procedure is deficient and, if not, whether it is effective, i.e. whether it ensures that appropriate measures protecting personal data are taken while changes are made to the IT system, and whether it is followed at all by those responsible for carrying out such changes. It should therefore be noted that oversight and monitoring by the controller of IT systems whose maintenance has been outsourced is one of the basic organizational measures the controller must effectively implement to ensure the security of personal data in accordance with Regulation 2016/679 (cf. ruling of the WSA in Warsaw of June 6, 2023, ref. II SA/Wa 1939/22, ruling of the WSA in Warsaw of June 21, 2023, ref. II SA/Wa 150/23).
As a consequence of the Administrator's failure to comply with these principles, it cannot effectively demonstrate that the risks inherent in the personal data processing processes carried out on its behalf and for its benefit were continuously minimized. A contrario, applying appropriate security standards to the operation of the IT systems the Administrator uses in processing personal data, including verifying them from a security standpoint and, in particular, fulfilling the requirements of Article 24(1), Article 25(1) and Article 32(1) and (2) of Regulation 2016/679, together with effective verification of the processor's activities in this regard, can significantly minimize that risk.
The Administrator's failure to implement procedures for making changes to the IT systems used to process personal data deprived it of tools for effectively verifying the means and methods by which the Processor performed its obligations “(...) to operate, maintain and operate the system d. at the Administrator's enterprise (...)”. At no stage of the changes made, whether before or after November 25, 2019, did the Administrator supervise whether they were actually carried out properly and whether the personal data processed was secured against unauthorized access, even though such supervision constitutes the implementation of an organizational measure ensuring the security of the processing. These omissions adversely affected the Administrator's ability to minimize the objective risk of unauthorized persons gaining access to the data processed in this system. Consequently, the negligence demonstrated, an example of the Administrator's failure to comply with obligations addressed solely to it under Articles 24 and 25 of Regulation 2016/679, must meet with a proportionate response from the supervisory authority regardless of the fact that it was not the direct cause of the personal data protection breach in question, which was the infection of one of the employee computers “(...) (...) (...)”, “(...) due to the (probably accidental) disabling of the licensed A. antivirus program by one of the Administrator's employees.”
The evidence gathered in the case also does not show that the Administrator conducted audits, including inspections, at the Processor to verify whether the partners of Y s.c. were properly performing their obligations under Regulation 2016/679, including whether they ensured the application of the measures required under Article 32 of that act. The possibility of conducting such audits, including inspections, derives from Article 28(3)(h) of Regulation 2016/679, according to which the contract entrusting the processing of personal data is to stipulate that the processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in that Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
This provision thus equips controllers with an instrument allowing them to demonstrate that the processing of entrusted data complies with Regulation 2016/679 and to avoid liability for violating it. At the same time, it should be emphasized that the performance of audits, including inspections, by the controller at the processor must be regarded as one of the most important security measures the controller should apply in order to properly comply with its obligations under Article 32(1) of Regulation 2016/679, and it was lacking in the present case. This is clearly apparent from the explanations submitted by the Administrator on April 10, 2020, in which it notes that it was only after the investigation into the breach “(...) that it turned out that this entity [Y s.c. - author's note] had also failed to perform its obligations (...).” Meanwhile, the Administrator should have known, throughout its use of the Processor's services, whether and how the entity to which it entrusted the processing of personal data complied with Regulation 2016/679. There is no doubt that the most effective way to acquire that knowledge would have been to take advantage of the opportunity offered by § (...) of the agreement between it and the Processor, “(...)”, namely the possibility to perform relevant audits, including inspections, at the Processor's organization. Such a security measure was not applied by the Administrator, which consequently also constitutes a violation of Article 32(1)(d) of Regulation 2016/679.
Moreover, as demonstrated above, the application of these measures is linked to the controller's obligation under Article 28(1) of Regulation 2016/679, which means that their implementation also serves to confirm whether the processor continues to provide sufficient guarantees that appropriate technical and organizational measures have been implemented so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. Failure to conduct audits, including inspections, at the Processor consequently means that the Controller violates not only Article 28(1) of Regulation 2016/679 but also Article 25(1), which obliges it to implement appropriate technical and organizational measures both when determining the means of processing and during the processing itself.
Thus, the continuity inherent in this obligation may in practice manifest itself, among other things, in the need to ensure regular monitoring of the safeguards applied and to conduct continuous supervision of the processor, through, for example, the audits and inspections referred to in Article 28(3)(h) of Regulation 2016/679, which was lacking in the circumstances of the present case. Despite the fact that - as is evident from the established evidence - the personal data processing entrustment relationship between the Administrator and the partners of Y s.c. has not been formally terminated to this day, the Administrator has not presented any evidence to substantiate the conduct of audits, including inspections, at the Processor.
Considering the above, the Administrator's failure to implement appropriate procedures to ensure the security of the personal data processed in the d. IT system, and its lack of supervision of the Processor “(...) with regard to the conduct, operation and maintenance of the system d. in the Administrator's enterprise (...).”, establishes a violation of the requirements of Article 32 of Regulation 2016/679.
I.3 Regular training of persons employed in the Administrator's structure.
It should be pointed out that the analysis of the personal data protection breach in question once again shows emphatically, as the Administrator himself also seems to recognize, “(...) that in similar situations the human factor remains the weakest link (...)”. However, the thesis raised in his letter of November 9, 2021 about human error “(...) which could not be avoided [on November 25, 2019 - author's note], despite the undertaking of measures to protect personal data (...)” finds no support in the facts. According to the information provided on February 16, 2021, the Administrator “(...) conducted two training sessions in general [on data protection regulations - author's note]: on June 30, 2018 on the subject of: RODO - general principles of application of the new regulations, and on May 20, 2020 on the subject of: RODO and the Law on Personal Data Protection in the Operation of an Enterprise.” It is thus clear that prior to the breach the Administrator provided only one training session on data protection regulations for the people employed in his organization, and that it took place 17 months before the successful attack on his IT infrastructure. Attributing a certain rationality to the Administrator's actions, which were probably in part the result of his own observation that “(...) [f]rom a relatively small production facility, X has grown to the size of an enterprise employing a larger number of people, needing a larger equipment base, premises, professionalizing certain departments in the company's structure (...)”, it is impossible to assume that the educational initiatives he undertook had any aim other than, in effect, increasing the security level of personal data processing operations and properly fulfilling the obligations incumbent upon him under the regulations on the protection of personal data.
Thus, it can be considered that he perceived, although no risk analysis in this direction was made by the Administrator, a connection between the organizational measure implemented in his organization in the form of staff training and an adequate level of security for personal data processing operations. Nevertheless, for unknown reasons, after June 30, 2018 the Administrator discontinued all initiatives in his organization covering personal data protection, only to return briefly to the desired practice on May 20, 2020 and then abandon it definitively, concluding that “(...) the previously conducted [trainings on the aforementioned dates - author's note] resulted in increased awareness of the Administrator's employees in the area of personal data protection.” Given that prior to the breach the Administrator had conducted only one training course on data protection regulations for his staff, the agenda of which, moreover, did not cover how its personnel can safely navigate the Internet, it is difficult to consider credible the declaration in the aforementioned letter of February 16, 2021 that “(...) [e]mployees had the knowledge that it is not permissible to configure hardware or software settings on their own.” Even assuming hypothetically that such an organizational measure was actually implemented in the Administrator's organization, which the evidence he cites does not support, this is still not tantamount to employees knowing how to actually guard against cyber threats.
Moreover, since the Administrator identified a vulnerability in the data protection system operating within its structure in the form of the “human factor,” it should have striven all the more to close this “security gap,” especially since, at the time of the breach, it could not yet demonstrate that it had mechanisms in place to exercise effective oversight over the ways and purposes for which staff used business equipment (the Administrator indicated that it had “(...) implemented (...), which assigned users to roles corresponding to their positions, and then restricted their access to other resources. (...)” as one of the measures to mitigate the risk of a recurrence only in its letter of April 10, 2020). With the above in mind, it should be emphasized that the Administrator's conduct of just one training course for its staff prior to the breach cannot be considered the implementation of a measure that effectively mitigates the risk of a ransomware attack. This is so not only because the training covered only the general principles of applying Regulation 2016/679, but also because, as is clear from the Administrator's explanations quoted above, it took place on June 30, 2018, i.e. 17 months before the “M.” malware attack of November 25, 2019.
In this light, it cannot be concluded that the organizational measure applied by the Administrator sufficiently shaped the awareness of those obliged to protect personal data and to apply the procedures defining security measures for such data. In seeking to mitigate the risks associated with a ransomware attack, the Administrator should have ensured that the training conducted on June 30, 2018 not only gave its participants at least the necessary basic knowledge of the types of cyber threats and the relevant prevention techniques, but was also followed by further educational sessions to consolidate the acquired skills. Training organized for all those involved in these processes which, in addition to relevant subject matter, is characterized by a certain cyclicity should be considered an adequate security measure, and thus an expedient response to the ransomware risk associated with personal data processing. Omitting any of these elements means the training will not fulfill its role, the consequence of which may be, as in the present case, a personal data protection breach. In conclusion, conducting only one training session prior to the breach in question, and in the manner described above, meant that the organizational security measure applied by the Administrator did not contribute to reducing the risk of the breach, which determines the Administrator's inability to demonstrate compliance with the requirement of Regulation 2016/679 to ensure a level of protection adequate to the risk and, consequently, a violation of the principle of accountability (Article 5(2) of Regulation 2016/679).
I.4 Software used to process personal data.
The analysis of the evidence gathered in the present case clearly shows that measures were not taken to ensure that the software in use was kept at the most up-to-date versions. Although the Administrator undertook appropriate actions in this regard, in the form of, among other things, “(...) updating[i] operating systems to the latest available versions, change[i] (...) on (...); (...)”, it did so only after the personal data protection breach in question, thus allowing the data to be processed before that date using outdated IT systems, i.e. systems that do not guarantee an adequate level of security. At the same time, there is no doubt that the fact, cited by the Administrator in the document of February 16, 2021, that as late as “(...) in June 2018 a new server was acquired together with licensed software,” could not have lowered the objectively persistent elevated level of risk existing “(...) since October 2010 (...)”. Indeed, as it indicated in its earlier letter of April 10, 2020, the “(...) activities to strengthen the security of processed personal data (...)”, as a consequence of which, among other things, it “(...) assigned users to roles corresponding to their positions, and then restricted their access to other resources (...)”, including “(...) taking away administrative rights from users of workstations (...)” and “(...) taking away the ability of users to control antivirus software (...)”, and removed the rights allowing users “(...) to control antivirus (...)”, so that “(...) antivirus protection (...)” could be disabled by “(...) only the IT team (...)”, were effectively implemented by the Administrator only in the aftermath of the breach in question. In turn, the use of the “(...) licensed A. (...) antivirus program” on workstations could not, in the present case, constitute fulfillment of the Administrator's obligations under Articles 5(1)(f), 24(1), 25(1) and 32(1) of Regulation 2016/679, since workstation users had an unfettered opportunity to interfere with the operation of this software during the period in which the breach occurred. As the outcome of the proceedings initiated to determine the causes of the breach has emphatically shown, it was directly caused by “(...) the disabling of the licensed A.antivirus program by one of the (...) employees,” following which third-party processes “(...) were started on the server and the encryption process began.” In this light, the Administrator could have avoided the event of November 25, 2019 had it not only ensured in good time that the operating systems it used were updated to the latest available stable versions, but also revoked in good time the privileges of workstation users that allowed them to interfere with the operation of the A. software, which, depending on the version used, combines the functions of a firewall and an antivirus program, i.e. software that is crucial for protecting the systems used to process personal data, and, above all, exercised regular supervision over the use of company resources.
Thus, the reasoning presented by the Administrator in its letter of February 16, 2021, according to which “(...) [a]ccess to computers is protected by passwords. Only the staff member directly using the specific equipment has access to the computer password. Specialized IT service providers ensure the integrity and security of the computer system and the information contained therein. If you leave your workstation and the computer system is temporarily idle, a screen saver is automatically activated, which can only be deactivated by entering the appropriate password. (...)”, does not stand up to scrutiny when juxtaposed with the disclosed circumstances of this case, on the basis of which it is indisputable that the technical measures implemented by the Administrator did not continuously ensure an adequate degree of security of the data processed in its computer systems, since the personal data protection breach in question nevertheless occurred.
In conclusion, it should be pointed out that even the most technically advanced solutions, which in light of the Administrator's explanations of April 10, 2020 were not in place anyway (the Administrator indicated that, as a corrective measure after the breach, it made “(...) changes[y] to versions of antivirus software to provide more complete protection ((...)) (...)”, thereby admitting that the previously used solution was not a sufficient security measure for the personal data processing processes), will not continuously ensure an adequate degree of security of the data processed in the IT systems if the controller fails to ensure cyclical updates and an optimized configuration, fails to limit the rights of end users and, equally importantly, fails to supervise their activities.
The findings made so far do not provide a basis for concluding that the technical and organizational measures applied by the Administrator to ensure the security of personal data processing were adequate to the state of the art, the cost of implementation and the nature, scope, context and purposes of processing. In addition, these measures - in the opinion of the President of the DPA - were not adequately reviewed and updated, which consequently did not ensure effective implementation of the data protection principles.
I.5 The lack of the Administrator's ability to quickly restore the availability of personal data in the context of the failure to regularly test, measure and evaluate the effectiveness of technical and organizational measures.
The evidence gathered in the present case also reveals the Administrator's sluggishness in fulfilling the obligations set forth in Article 32(1)(c) and (d) of Regulation 2016/679, namely the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and the regular testing of the backups created. The Administrator regained access to the data only 4 days after it had been encrypted. This circumstance supports the thesis that, in view of the Administrator's failure to implement adequate procedures for recovering data from backups in the event of a personal data breach, it had no real ability to quickly restore temporarily lost data.
Additional support for this assumption comes from the Administrator's failure to provide, as requested by the President of the DPA in a letter of July 1, 2021, a description of its procedures for creating, storing and testing backups prior to the breach. Although it addressed the issue in its letter of August 16, 2021, the explanations cover only the period after November 25, 2019, which strengthens the argument that it had no adequate procedures for recovering data from backups before that date and clearly negates its ability to quickly restore the availability of personal data. As a consequence of this negligence, restoration of the personal data proved possible only 4 days after encryption, something the Administrator could not have foreseen, since the facts of this case likewise contain no evidence that it attempted to measure and assess its ability to quickly restore the availability of personal data. In this light, the Administrator's violation of the obligation set forth in Article 32(1)(c) of Regulation 2016/679 is beyond doubt.
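The two obligations discussed here, the ability to restore availability in a timely manner (Article 32(1)(c)) and regular testing, measuring and evaluation of the measures (Article 32(1)(d)), can only be demonstrated if restores are actually exercised and the result recorded. The following is an added example, not part of the decision and not a description of the Administrator's procedures: a minimal restore test in Python that builds a constructed backup archive with a SHA-256 manifest, restores it into a scratch directory, verifies every file against the manifest, times the restore against an assumed recovery-time objective, and returns a record that can be retained as evidence of the test. The file names, contents and RTO value are constructed for illustration.

```python
"""Restore test for a backup set (added example, constructed data).

A backup that has never been restored proves nothing. This script restores
an archive into a scratch directory, checks every restored file against the
SHA-256 manifest written at backup time, and measures the restore time
against a recovery-time objective (RTO). The returned record is what a
controller would retain as evidence that the test was actually run.
"""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

MANIFEST_NAME = "MANIFEST.json"

# Constructed sample data set standing in for files containing personal data.
SAMPLE_FILES: Dict[str, bytes] = {
    "hr/employees.csv": b"id,name,email\n1,Jan Kowalski,jan@example.test\n",
    "hr/contracts/2019-11.txt": b"Employment contract (constructed sample text)\n",
    "erp/ledger.db": bytes(range(256)) * 16,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_hashes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest: relative path -> SHA-256 of the content at backup time."""
    return {name: sha256_hex(content) for name, content in files.items()}


def make_backup(files: Dict[str, bytes],
                manifest: Optional[Dict[str, str]] = None) -> bytes:
    """Build an in-memory tar.gz archive holding the files and a manifest.

    `manifest` defaults to the hashes of `files`; passing a manifest taken
    from a different file set simulates silent corruption of the stored copy.
    """
    if manifest is None:
        manifest = file_hashes(files)
    payload = dict(files)
    payload[MANIFEST_NAME] = json.dumps(manifest, sort_keys=True).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in payload.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def restore_and_verify(archive: bytes, rto_seconds: float) -> dict:
    """Restore into a fresh scratch directory and verify against the manifest.

    Returns a result record: whether the restore is usable, which files are
    missing or corrupted, and whether the restore finished within the RTO.
    """
    started = time.monotonic()
    manifest: Optional[Dict[str, str]] = None
    restored: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                target = (root / member.name).resolve()
                # Never trust paths inside an archive: refuse anything that
                # would be written outside the scratch directory.
                if root not in target.parents:
                    raise ValueError(f"unsafe path in archive: {member.name}")
                target.parent.mkdir(parents=True, exist_ok=True)
                data = tar.extractfile(member).read()
                target.write_bytes(data)
                if member.name == MANIFEST_NAME:
                    manifest = json.loads(data)
                else:
                    restored[member.name] = sha256_hex(data)
    elapsed = time.monotonic() - started
    if manifest is None:
        return {"ok": False, "reason": "manifest missing",
                "elapsed_s": round(elapsed, 3)}
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(name for name, digest in manifest.items()
                       if name in restored and restored[name] != digest)
    within_rto = elapsed <= rto_seconds
    return {
        "ok": not missing and not corrupted and within_rto,
        "missing": missing,
        "corrupted": corrupted,
        "elapsed_s": round(elapsed, 3),
        "rto_s": rto_seconds,
        "within_rto": within_rto,
    }


if __name__ == "__main__":
    print("intact backup:", restore_and_verify(make_backup(SAMPLE_FILES), 60.0))
    # Simulate bit rot in the stored copy: the ledger changed, the manifest did not.
    damaged = dict(SAMPLE_FILES)
    damaged["erp/ledger.db"] = b"\x00" * 4096
    print("corrupted backup:",
          restore_and_verify(make_backup(damaged, file_hashes(SAMPLE_FILES)), 60.0))
```

In practice the archive would come from the real backup store and the RTO from the controller's own continuity requirements; the point of the record is that a result of "ok: false" is found during a scheduled test rather than, as in this case, during the incident itself.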
The Administrator's failure to meet the requirement to be able to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident is, moreover, part of the broader context of its improper implementation of the obligation under Article 32(1)(d) of Regulation 2016/679. By refraining from regularly testing, measuring and evaluating the effectiveness of the technical and organizational measures securing the personal data processing within its structure, the Controller could not, before the breach, demonstrate any familiarity with network segmentation solutions. Meanwhile, implementing them as described in its letter of April 10, 2020, i.e. “(...) introducing network segments, and separating them from each other through firewall rules, separating the network for guests (...)”, something done only after the ransomware attack in question, could have, if not prevented the attack, at least significantly reduced the negative effects on individuals of the 4-day unavailability of their personal data. In this context, it also remains justified to charge the Administrator with the inability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services (Article 32(1)(b) of Regulation 2016/679).
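The letter quoted above describes the remedy in a single sentence, and the decision's point is that such a measure must be tested regularly under Article 32(1)(d). The following added example, not part of the decision and not based on the Administrator's actual network (which the decision does not disclose), shows how segmentation intent can be written down as checks that a firewall ruleset must pass: a constructed addressing plan, a first-match policy evaluator, and a list of expectations (a compromised workstation must not reach server file shares or the backup segment, guests must not reach internal segments, and the business flows must still work). A flat, unsegmented policy is evaluated alongside the segmented one to show what the check reports. Segment names, addresses and port numbers are assumptions.

```python
"""Segmentation check for a first-match firewall policy (added example).

The addressing plan, rules and expectations below are constructed for
illustration; none of them are taken from the decision.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing plan: one subnet per segment.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "backup": ip_network("10.30.0.0/24"),
    "guest": ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port


# Segmented policy: first matching rule wins, unmatched traffic is denied.
SEGMENTED_POLICY = [
    Rule("allow", "workstations", "servers", "tcp", 443),  # ERP web front-end (assumed)
    Rule("allow", "servers", "backup", "tcp", 9000),       # backup agent push (assumed port)
    Rule("deny", "any", "any", "any", None),               # explicit default deny
]

# Flat policy: a single LAN with no segmentation, everything reaches everything.
FLAT_POLICY = [Rule("allow", "any", "any", "any", None)]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def _selects(selector: str, segment: Optional[str]) -> bool:
    return selector == "any" or selector == segment


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in policy:
        if (_selects(rule.src, src) and _selects(rule.dst, dst)
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"


# Isolation intent (constructed): what a compromised workstation or a guest
# device must NOT reach, and which legitimate flows must keep working.
EXPECTATIONS = [
    # (description, src, dst, proto, dport, expected action)
    ("workstation SMB to a server (share encryption / lateral movement)",
     "10.10.0.25", "10.20.0.10", "tcp", 445, "deny"),
    ("workstation to backup segment", "10.10.0.25", "10.30.0.5", "tcp", 9000, "deny"),
    ("guest to server", "192.168.100.7", "10.20.0.10", "tcp", 443, "deny"),
    ("guest RDP to workstation", "192.168.100.7", "10.10.0.25", "tcp", 3389, "deny"),
    ("workstation to ERP front-end (must work)", "10.10.0.25", "10.20.0.10", "tcp", 443, "allow"),
    ("server to backup agent (must work)", "10.20.0.10", "10.30.0.5", "tcp", 9000, "allow"),
]


def audit(policy: List[Rule]) -> List[str]:
    """Return one finding per expectation the policy violates (empty = pass)."""
    findings = []
    for desc, src, dst, proto, port, expected in EXPECTATIONS:
        actual = evaluate(policy, src, dst, proto, port)
        if actual != expected:
            findings.append(f"{desc}: expected {expected}, got {actual}")
    return findings


if __name__ == "__main__":
    print("segmented policy findings:", audit(SEGMENTED_POLICY))
    print("flat policy findings:", audit(FLAT_POLICY))
```

The value of writing the intent down this way is that the expectation list, not the rule list, is what an auditor or the controller reviews: when rules are added later (a new server, a new vendor access), re-running the check shows whether the isolation the controller relies on still holds.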
I.6 Order to bring processing operations into compliance with Regulation 2016/679.
It should be noted that only the occurrence of the personal data protection breach on November 25, 2019 prompted the Administrator to implement technical security measures, described on pages 7 and 8 of the justification and in paragraph 1 of the letter of August 16, 2021, consisting of changing the logical topology of its IT infrastructure and establishing a backup policy. Nonetheless, the Administrator has not presented any evidence unequivocally substantiating that these measures were implemented with regard to the risk of the security of the IT system it uses to process personal data being breached and the data subsequently encrypted.
It is therefore unable to demonstrate beyond doubt that these measures constitute not an arbitrary but a truly adequate response to the existing risk of a renewed loss of availability of the personal data it processes. Moreover, the detachment of the implemented technical measures from a risk analysis, with no evidence that the Administrator subjects them to periodic evaluation, again calls into question its ability to demonstrate continuous assurance of the confidentiality, integrity, availability and resilience of its processing systems and services. Consequently, the reasoning set out above and the related allegation that the Administrator failed to comply with the accountability principle of Article 5(2) of Regulation 2016/679 remain valid.
With the above in mind, the President of the DPA could not act otherwise than to issue to the Administrator, pursuant to Article 58(2)(d) of Regulation 2016/679, an order to bring the processing operations into compliance with Regulation 2016/679 by performing a risk analysis that takes into account the risk of malware being installed and interfering with the availability of personal data, then implementing, on the basis of that analysis, adequate solutions to fully secure the servers the Administrator uses in processing personal data, and implementing appropriate technical and organizational measures to ensure regular testing, measuring and assessment of the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident.
II. Responsibility of the Processor.
It goes without saying that a comprehensive consideration of the entire body of evidence gathered in the present case would not be possible without the supervisory authority taking into account the circumstance relied upon by the Administrator in its letter of April 10, 2020, in which the occurrence of the personal data protection breach in question was allegedly “(...) caused doubly by a human factor - [faulty behavior - added on its own] of the Administrator's employees and the company hitherto providing IT services to the Administrator.” Indeed, in the course of the explanations provided, the Administrator indicated that “(...) [t]he former company (whose services the Administrator was not satisfied with due to its failure to provide maintenance services and security system audits in a timely manner) was replaced in late September/early October 2019 by Y s.c.” This new entity, in the Administrator's opinion (meanwhile, the evidence gathered in the present case clearly shows that Y s.c. and the Administrator were connected by the contract “(...)” concluded already on May 24, 2018, and that their informal cooperation had lasted ‘(...) since at least 2010 (...)’), ‘(...) was to take over the security of the Administrator's IT systems, perform a security audit and prepare a report in this regard (...)’. As the Administrator further communicated, “(...) it turned out that this entity also failed to perform its duties and misled the Administrator, because (unbeknownst to the Administrator at the time), at the same time this new entity was performing another very large order for a third party, which translated into the occurrence of the incident in November 2019.”
Undoubtedly, the credibility of the facts cited in the above form, indicating - according to the Administrator - the co-responsibility of the partners of Y s.c., i.e. Ms. CD, Mr. EF and Mr. GH, for the occurrence of the personal data protection violation in question, must be considered - in the absence of a written contract for the provision of the services that were to have been performed by the partners of Y s.c. for the Administrator “(...) since at least 2010 (...)” - with regard to the disclosed content of the contract “(...)” concluded on May 24, 2018. Thus, it should be pointed out that it follows from § (...) pt. (...) of the aforementioned document that the Administrator's entrustment of the processing of personal data in its name and on its behalf to the partners of Y s.c. took place for the purpose of executing the contract with regard to the operation, operation and maintenance of the d. system in the Administrator's enterprise and the proper fulfillment of the obligations towards statutory state authorities, which, after all, is not equivalent to exercising custody over the entire IT infrastructure within the Administrator's structure, a circumstance that was, moreover, referred to by the Processor in the letter of July 8, 2022.
Of course, it remains to consider the eventuality in which, as it were, in addition to the main relationship of entrustment of personal data processing, there would be the provision by Y s.c. of IT services on behalf of the Administrator. However, this hypothesis is not supported by the collected evidence, in which no trace of even informal initiatives on the part of the Administrator to obtain assistance from the Processor in fulfilling the Administrator's obligations set forth in Articles 32-36 of Regulation 2016/679 has been recorded. It is also difficult to reasonably assume that the Processor would act outside the mandate set forth in Article 28(3)(a) of Regulation 2016/679, arising solely from the documented instruction of the Administrator. For the aforementioned reasons, it is also impossible to recognize the veracity of the Administrator's statement regarding the existence of the Processor's obligation to perform a security audit and prepare a report in this regard, since the aforementioned “(...)” in no way required it to do so. Finally, it is impossible not to notice that the direct cause of the security incident on November 25, 2019, which led to a breach in the protection of personal data processed in the Administrator's IT systems, was the infection of one of the employee computers “(...) (...) (...)”, “(...) due to the (probably accidental) disabling of the licensed A. antivirus program by one of the Administrator's employees”, for which the Administrator is responsible.
This is because he allowed a situation in which the granting of privileges to end-users inconsistent with their official classification enabled them to interfere with the operation of the antivirus software, which the Administrator could not have been aware of, for, as demonstrated in the earlier pages of the justification for this decision, at the time of the personal data protection violation in question, he did not yet have the technical instrumentation to exercise effective supervision over the use of official resources by his employees.
The issue of the lack of cyber security awareness training for the people employed in the Administrator's organization, which, had it been conducted by the Administrator, would have constituted the implementation of organizational security measures adequate to the risks associated with the personal data processing processes, is also not without significance, and for this the Administrator is also solely responsible. In turn, the use by the perpetrators of the vulnerability “(...) of the B. server, which had not been updated for a long time” is another manifestation of negligence on the part of the Administrator, who, as the host of personal data processing processes, failed to take adequate care of the ongoing updating of the software, the implementation of which is not the responsibility of the partners of Y s.c., since in light of the provisions of the “(...)” connecting them with the Administrator, dated May 24, 2018, confirmed by the content of their concurring statements dated July 8, 2022, they were responsible not for the operation and maintenance - remaining within the Administrator's own structure - of the B. server, but for the activities of “(...) for the operation, operation and maintenance of the d. system in the Administrator's enterprise,” which, significantly, after all, did not include the authority to interfere with the technical security measures implemented by the Administrator.
It should also be noted that, in the opinion of the supervisory authority, the facts of the case do not provide grounds for concluding that the maintenance and security of the IT infrastructure of the server “(...) >>(...)<< [on which the personal data protection violation in question occurred - added on its own]. (...)” on which the d. system was hosted, did not - contrary to its own assertions - belong to the Administrator. This is implicitly confirmed by the fact that it was the Administrator himself who undertook after November 25, 2019 - in terms of technical safeguards - a number of measures to remove the effects of the personal data protection breach in question and prevent the occurrence of similar ones in the future (in particular, he changed the outdated system (...) to (...)).
In light of the above-mentioned reasoning, the fact that the Processing Entity was entrusted with processing personal data in the d. system, in the scope of the work of which, by the way, no lack of adequate measures to mitigate the risk of a personal data protection breach was found (in contrast to the work of the server software on which the d. program was installed), excludes - in the opinion of the President of the PDPA - the possibility of attributing to the Processing Entity responsibility for failure to implement organizational and technical security measures within the framework of the processing process entrusted to it. For the above reasons, it is also impossible to attempt to shape joint and several liability of the Processing Entity for the negligence shown to the Administrator with regard to the organizational and technical security measures implemented by the Administrator.
Nevertheless, the lack of grounds for assuming joint and several liability of Ms. CD, Mr. EF and Mr. GH for the negligence demonstrated to the Administrator with respect to the selection of ineffective security measures for the IT system used to process personal data and the failure to adequately test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of the processed personal data in the affected IT systems, in particular with respect to vulnerabilities, errors and their possible effects on these systems and the measures taken to minimize the risk of their occurrence, does not in any way obviate the need to seek liability of the associates of Y s.c. for failing to assist the Administrator in complying with its obligation to implement adequate technical and organizational measures to ensure the security of personal data processing, i.e. for violation of Art. 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679.
The legitimacy of the allegation so formulated with respect to the Processor should not raise any doubts, since the evidence established in the present case unequivocally shows (which, incidentally, was communicated unanimously by both the Processor and the Administrator in letters dated September 29, 2023 and October 3, 2023, respectively), “(...) that the >>d.<< system was seated on the >>(...)<< server [on which the personal data protection violation in question occurred - added on its own], using E. software,” and thus - as already demonstrated in this decision - an IT architecture with a number of well-known security flaws, of which the partners of Y s.c. must have been aware, having, after all, not only ‘(...) many years of experience in implementing systems based on the (...) platform and customizing them (...)’, or ‘(...) the most experienced implementation team in Poland (...)’, but also the status of ‘(...) (...)’. Unfortunately, despite the competence undoubtedly possessed by the above-mentioned persons and the knowledge that “(...) [o]n the server using E. software was installed (...) with the database used by the d. system. The installation of the d. client application was performed on users' computers”, they refrained from providing the Administrator with information about the vulnerabilities present in E. software.
In this context, it is all the more vain to look for a justification for the failure of the partners of Y s.c. over the years to take any initiative related to even an attempt to communicate to the Administrator the need to update the operating system to the latest possible version, or to implement newer solutions constituting a more adequate response to the inherent risks associated with the personal data processing processes carried out (e.g. in the form of the implementation of the B. system, which ultimately occurred in the Administrator's structure only after the occurrence of the personal data protection violation in question). At the same time, there is no doubt that the use of this software, which incidentally had its world premiere (...), to operate the “(...) server[a] (...) with the database used by the d. system”, would have significantly mitigated the risk of materialization of even such an attack on the Administrator's IT infrastructure as occurred on November 25, 2019. Thus, for the reasons demonstrated above, the occurrence of the personal data protection breach in question was materially contributed to by the grossly negligent actions on the part of the partners of Y s.c., who, as established, provided IT support services to the Administrator with respect to the d. system. Indeed, in the normal course of business and in accordance with a risk-based approach, they should have anticipated, especially as IT professionals, on the basis of the risk analysis carried out, the consequences for the security of the personal data entrusted to them of basing their processing processes on solutions that do not provide sufficient security guarantees.
The above argumentation is not diminished by the fact that the partners of Y s.c. could not, on their own and as part of the IT services provided to the Administrator, remove the software vulnerabilities of the server on which the d. system was installed. However, being aware of their existence, they did not notify the Administrator of this fact, which excludes the possibility of assuming that the Processor complied with the obligation to provide the Administrator with “assistance” taking into account the “information available to it”; this constitutes a violation by the partners of Y s.c. of the obligations set forth in Article 28(3)(f) of Regulation 2016/679, which are addressed exclusively to the Processor. In turn, the Processor's failure to comply with its obligations in the aforementioned respect establishes, on the basis of the aforementioned provision of Regulation 2016/679, its separate liability of a public law nature, i.e. one that remains separate from its contractual obligations and constitutes a self-contained basis for the application of sanctions by the supervisory authority, pursuant to Article 83(4)(a) of the said Regulation.
III. Administrator-Processor relationship.
The findings to date, however, do not preclude the need for a more detailed examination of the allegation made by the Administrator against the aforementioned Processor regarding the inadequate fulfillment by the Processor of its obligations related to ensuring “(...) security of IT systems at the Administrator (...)”, performing security audits and preparing relevant reports on this basis.
Indeed, as it follows from Article 28(1) of Regulation 2016/679, if the processing is to be carried out on behalf of the Controller, the Controller shall use only such processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. The implementation of this principle, in turn, is ensured by the obligation introduced in Article 28(3) of Regulation 2016/679 to conclude a contract between the controller and the processor specifying the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller, which contract shall contain, in particular, the elements indicated in points (a) through (h) of this provision.
In the factual state under consideration, the contract “(...)” of May 24, 2018 connecting the Administrator and the Processor did contain all the elements indicated in the aforementioned provision; nevertheless, based on the explanations provided by the aforementioned entities, it remains impossible to determine whether the actions taken by the partners of Y s.c. “(...) in order to implement the agreement with respect to the operation, operation and maintenance of the d. system at the Administrator's company (...)”, presented by the Processor in its letter of July 8, 2022, were carried out according to predetermined rules to ensure the security of personal data. Apart from the general formulations contained in § (...) of the referenced document, on the grounds of which the Processor undertook, among other things, to secure the personal data processing processes entrusted to it “(...) through the application of appropriate technical and organizational measures ensuring an adequate degree of security corresponding to the risks involved in the processing of personal data, as referred to in Article 32 of the Regulation [Regulation 2016/679 - added on its own]”, the technical and organizational measures to ensure this security were not specified either in the general regulations implemented by the Controller or in the relevant agreement concluded with the Processor.
Thus, based on the facts thus outlined, a picture emerges in which the means and methods of the implemented solutions “(...) for the running, operation and maintenance of the d. system at the Administrator's enterprise (...)” were in fact decided by the partners of Y s.c. However, the Processor's arbitrariness in the choice of applied solutions should not come as a surprise, since the Administrator, who should have positioned himself in the role of the host of personal data processing processes carried out on his behalf and for his benefit, did not outline a precise framework for cooperation with the Processor, while the lack of implemented procedures for controlling the correctness of activities undertaken by the Processor only deepened this state of affairs, characterized by the lack of adequate knowledge of the above-mentioned entity's activities on the part of the Administrator.
In view of the fact that the Processor was left, as it were, with discretionary authority to decide how to carry out activities “(...) with regard to the operation, operation and maintenance of the d. system at the Administrator's enterprise (...)”, it should be further analyzed whether such action by the Administrator could have resulted from reasonable certainty about the Processor's competence. In the case at hand, the Administrator indicated that the cooperation with the Processor began long before the provisions of Regulation 2016/679 came into force, i.e. it lasted “(...) since at least 2010 (...)”. From the explanations provided by the Administrator, in which it stated that based on the information available on the Processor's website, it determined that the Processor has been operating “(...) on the market since 2004, has numerous staff and a significant portfolio of clients (...)”, it does not appear that the verification of the competence of the partners of Y s.c. bears the hallmarks of a formalized process. Nonetheless, in the Administrator's opinion, it exercised “(...) due diligence in selecting the entity providing IT support to the company,” as “(...) [t]he conclusion of the contract with this entity was therefore preceded by an analysis of its professional experience in the area of providing IT solutions.”
Referring to the above-mentioned explanation of the Administrator, it should be pointed out that in the previous legal state, defined under the PDPA, different requirements were defined with respect to the processor, while others apply from May 25, 2018, i.e. from the start of the application of Regulation 2016/679. Therefore, the previous, positively assessed cooperation can only be a starting point when verifying whether the processor provides sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and, above all, protects the rights of data subjects. Indeed, the requirement set forth in Article 28(1) of Regulation 2016/679 absolutely applies to any data controller that, in the course of its business, uses the resources or services of a processor when processing personal data. At the same time, it should be emphasized that the fact of long-standing cooperation and use of the services of a given Processor prior to May 25, 2018, i.e. prior to the commencement of the application of the provisions of Regulation 2016/679, does not exempt the Administrator from the obligation to carry out such an assessment. The Administrator has not carried out such verification, contenting itself with a positive assessment of the Processor as a result of previous cooperation established long before the commencement of the provisions of Regulation 2016/679. The Administrator's failure to carry out such assessment is tantamount to a breach of the obligation set forth in Article 28(1) of Regulation 2016/679.
At the same time, it should be noted that the mere signing of a personal data processing entrustment agreement without an appropriate evaluation of the Processor cannot be viewed from the perspective of the proper implementation by the Administrator of its obligation to carry out proceedings verifying the Processor for compliance with the requirements of Regulation 2016/679. Long-term cooperation of the parties not supported by periodic, systematic audits or inspections does not guarantee that the Processor will properly perform the tasks required by law and arising from the concluded entrustment agreement. As in the case at hand, where the allegation made by the Administrator against the partners of Y s.c., concerning the non-performance or improper performance by this entity of its obligations, appeared only in the letter of April 10, 2020, putting - contrary to the Administrator's intentions - into question the issue of the Administrator's prior inspection of the compliance of the personal data processing processes carried out on its behalf and for its benefit, and consequently undermining the strength of the theses so formulated by the Administrator. Moreover, they become even more incomprehensible when juxtaposed with the “(...)” of May 24, 2018 concluded by the parties, which stipulates in § (...) the right of the Administrator to perform inspections to determine “(...) whether the measures applied by the Processor in processing and securing the entrusted personal data comply with the provisions of the agreement”, whereas the Administrator is not able - in light of the evidence gathered in the course of these proceedings - to effectively demonstrate the circumstances of the exercise of the said right with respect to the entire duration of the agreement connecting it with the Processor.
Meanwhile, the control mechanisms implemented by the controllers responsible for assessing the adequacy of the guarantees provided by the Processor are the primary tool for verifying the Processor, particularly in terms of the technical and organizational measures implemented by the Processor to ensure an adequate level of protection for personal data processing.
The issue of criteria for evaluating a processor was also considered by the EDPB. As indicated in the “Guidelines 07/2020 on the concepts of controller and processor in the GDPR,” hereinafter referred to as Guidelines 07/2020, referring to the content of Article 28(1) and recital 81 of Regulation 2016/679, (quote): “The controller is (...) responsible for assessing the adequacy of the guarantees provided by the processor and should be able to prove that it has seriously taken into account all the elements provided for in the GDPR. The guarantees “provided” by the processor are those that the processor is able to demonstrate to the satisfaction of the controller, as these are the only guarantees that the controller can effectively take into account when assessing the fulfillment of its obligations. This will often require the exchange of relevant documentation (e.g., privacy policies, terms of service, register of processing activities, records management policies, information security policies, external data protection audit reports, internationally recognized certifications such as ISO 27000 standards). The controller's assessment of the sufficiency of the safeguards is a form of risk assessment that largely depends on the type of processing entrusted to the processor and must be made on a case-by-case basis, taking into account the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of individuals. (...) The controller should consider the following elements (...) to assess whether the safeguards are sufficient: expertise (e.g., technical knowledge of security measures and data breaches); reliability of the processor; resources of the processor. The reputation of the processor in the market may also be an important factor for controllers to consider. In addition, adherence to an approved code of conduct or certification mechanism can be used as an element to demonstrate sufficient guarantees. (...)
The obligation to use only processors “providing sufficient guarantees” in Article 28(1) of the GDPR is an ongoing obligation. It does not end when the controller and the processor enter into a contract or other legal act. Rather, the controller should verify the processor's guarantees at appropriate intervals, including through audits and inspections where appropriate (...).”
Relating the EDPB's opinion presented above to the circumstances of the disclosed facts, it can be noted that the Administrator, when entrusting the partners of Y s.c. with the processing of personal data of its employees, temporary employees, contractors, contractors, family members of employees, trainees, interns and interns, and contractors, was guided by faith in the expertise of the Processor “(...) in providing and optimizing IT business solutions that enhance the efficiency of the organization's operations (...)”. He trusted that it has “(...) years of experience in implementing systems based on the (...) platform and customizing them to meet individual customer needs (...)” and that it is distinguished not only by “(...) the most experienced implementation team in Poland (...)”, but also by its status as “(...) (...)”. In light of the EDPB's recommendations cited above, the above beliefs held by the Administrator towards the Processor should, in the normal course of activities, only have become a reason for the Administrator to conduct - at least on the basis of the exchange of relevant documentation - a study of the adequacy, as an element of a broader risk analysis, of the guarantees provided by the Processor to ensure the level of protection of the aforementioned categories of persons entrusted to it, which, in the disclosed circumstances of the present case, did not take place. Therefore, in this context, it should not come as a surprise that the activities carried out by the partners of Y s.c. related to the operation and maintenance of the d. system, with the use of a system that is not updated and therefore does not constitute an adequate response to the objectively occurring risk to the security of personal data processing processes located in the (...) database of the “(...) (...) (...)” server software, directly contributed to the occurrence on November 25, 2019 of the personal data protection breach in question.
Irregularities occurring in the Administrator's structure related to the organization and management of the process of implementing new solutions in the IT infrastructure or making changes to it can be perceived even after taking into account the efforts made by the Processor after the said date (vide: pages 14 and 15 of the justification of this decision).
IV. Co-responsibility of the Administrator and the Processor for omissions to conduct a risk analysis for the “(...) operation, operation and maintenance of the system d. (...)”, the identification and application of adequate technical and organizational measures to ensure the security of the processing carried out using this software, and verification of the effectiveness of the Administrator's IT infrastructure safeguards in place.
Undoubtedly, the responsibility for the application of appropriate, i.e. adequate to the existing risk, technical and organizational measures to ensure the security of the processed personal data extends to all entities involved in the processing of personal data, so in this particular case to the Administrator and the persons who were, as of November 25, 2019, partners of Y s.c. As a consequence of this assumption, it should be concluded that both the Administrator and the Processor should have verified that the personal data was adequately protected against a possible ransomware attack. The lack of such verification and the failure to implement, on its basis, technical and organizational measures to effectively secure the personal data processed in the d. system (which, after all, cannot be considered to include the use, in the processing of personal data, of outdated software on the server on which the database containing personal data was hosted) was instrumental in the occurrence of the personal data protection violation in question. And the measures, the shape of which was recorded in the explanations submitted on April 10, 2020 and August 16, 2021, were taken only after the incident of November 25, 2019, and were aimed only at minimizing the risk of recurrence of the breach.
Therefore, in light of the above findings, it must be concluded that the omissions on the part of both the Administrator and the Processor to conduct a risk analysis for the “(...) operation, operation and maintenance of the system d. (...)”, identification and application of adequate technical and organizational measures to ensure the security of the processing carried out with the use of this software, and verification of the effectiveness of the Administrator's IT infrastructure safeguards in place, resulted in a violation by the aforementioned entities of Article 32(1) and (2) of Regulation 2016/679.
It should be pointed out that the findings in the present case do not provide a basis for concluding that the organizational measures applied by the Administrator to ensure the security of personal data were adequate to the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, which consequently did not ensure effective implementation of the principles of personal data protection. As a result - in the opinion of the President of the DPA - the Administrator failed to implement adequate organizational measures to ensure the security of the processing of personal data located in the IT system d. on an uninterrupted basis, which in turn constitutes a violation of Article 32(1) and (2) of Regulation 2016/679. At the same time, the Administrator's stopping at the conclusion of the “(...)” with the Processor on May 24, 2018 cannot be considered the implementation of such a measure, for in Guidelines 07/2020 the EDPB clearly indicated that (quote): “While the elements set forth in Article 28 of the Regulation constitute its core content, the contract should be a way for the controller and processor to further clarify how to implement these essential elements through detailed instructions.” It goes without saying that the formulation of these detailed instructions should be attributed to the controllers, who determine, on the basis of Article 4(7) of Regulation 2016/679, the purposes and means of processing personal data, including with regard to processes carried out on their behalf and for their benefit by external entities.
Thus, referring the above to the context of the case at hand, it should be pointed out that the Administrator, in the absence of the application of procedures ensuring the security of the processed data in the process of changes made to the d. computer system in which the data is processed, and the lack of supervision of the Processor “(...) with regard to the running, operation and maintenance of the d. system at the Administrator's enterprise (...)” improperly fulfilled its role in implementing appropriate technical and organizational measures so that the processing is carried out in accordance with Regulation 2016/679 and to give the processing the necessary safeguards to meet the requirements of this act, thereby failing to comply with the obligations provided for in Articles 24(1) and 25(1) of Regulation 2016/679.
As a consequence of the above omissions, it must be concluded that the principle of integrity and confidentiality expressed in Article 5(1)(f) of Regulation 2016/679 was violated by the Administrator. By failing, in turn, to demonstrate that the personal data processing processes taking place in its organization correspond to an adequate level of security, the Administrator violated the principle of accountability referred to in Article 5(2) of Regulation 2016/679.
Notwithstanding the above, as demonstrated in the earlier part of the justification of this decision, the causes of the personal data protection breach in question should also be sought in the processes directly related to the inadequate fulfillment by the partners of Y s.c. of their contractual obligations “(...) with regard to the running, operation and maintenance of the d. system at the Administrator's company (...)”. In this context, the attribution of joint responsibility to the above-mentioned persons for the materialization, on November 25, 2019, of the risk of a ransomware attack on the Administrator's IT infrastructure follows from the fact that, under the agreement “(...)” concluded on May 24, 2018, and as confirmed by their unanimous statements submitted to the President of the DPA on July 8, 2022, “(...) [the partnership] Y was responsible for the provision of the database server, licenses, implementation and maintenance work related to the d. system”. The logical consequence of the Processor having this set of duties, which moreover follows from the concurring statements of the partners of Y s.c. disclosed in the course of these proceedings, quote “(...) [o]n the server [“(...)”] using the E. software, (...) was installed together with the database used by the d. system”, was their full awareness that the software of this server, i.e. B., had not been updated for a long time. Despite this, they knowingly allowed “(...) the server (...) with the database used by the d. system (...)” to be hosted on a server running the E. software, which had numerous security vulnerabilities, one of which was successfully exploited by unidentified perpetrators to carry out the attack of November 25, 2019 and fully encrypt the said database containing personal data.
Meanwhile, both the Administrator and the partners of Y s.c. acting on its behalf and in its name should have been able to demonstrate the implementation of technical measures ensuring the security of the personal data processed in the d. system, which, as shown, did not occur. Thus, the findings made in the course of these proceedings support the reasonable conclusion that, by refraining from implementing appropriate technical and organizational measures to ensure that the processing is carried out in accordance with Regulation 2016/679 and is provided with the necessary safeguards, the Administrator did not adequately mitigate the risks inherent in its personal data processing operations. The partners of Y s.c., for their part, despite their knowledge that the “(...)” server software used in the data processing was outdated and hence vulnerable (a vulnerability that eventually materialized), did nothing to remedy that state of affairs. This constitutes a failure on their part to comply with the requirements of Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679, understood as an obligation to assist the controller in implementing technical and organizational security measures for the personal data processing operations that are adequate to the existing risks. At the same time, the proven omissions on the part of the Processor do not diminish the need to attribute to the Controller a violation of Article 28(1) of Regulation 2016/679, since, as shown earlier, it did not verify whether the partners of Y s.c. provided sufficient guarantees for the implementation of adequate technical and organizational measures such that the processing would meet the requirements of Regulation 2016/679 and protect the rights of data subjects.
V. Violation of Article 34(2) of Regulation 2016/679.
Notwithstanding the findings so far, it should be pointed out that in the course of the present administrative proceedings the President of the DPA also found deficiencies on the part of the Controller in notifying its former and current employees that the protection of their personal data had been breached. According to the wording of Article 34(1) of Regulation 2016/679, when a personal data breach is likely to result in a high risk to the rights or freedoms of natural persons, the controller shall notify the data subject of the breach without undue delay. Paragraph 2, in turn, contains a closed catalog of elements that the controller must include in the notification to data subjects if it wishes, in accordance with the principle of accountability (Article 5(2) of Regulation 2016/679), to demonstrate that it has properly fulfilled its obligation to inform data subjects. Thus, the notification referred to in paragraph 1 of that article shall describe, in clear and plain language, the nature of the personal data breach and shall contain at least the information and measures referred to in Article 33(3)(b), (c) and (d) of Regulation 2016/679, that is: the name and contact details of the data protection officer or another contact point from which more information can be obtained; a description of the likely consequences of the personal data breach; and a description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
In this regard, given that the Administrator processes a broad range of personal data relating to its former and current employees, which, according to the explanations provided by the Administrator in its letter of April 10, 2020, include categories such as: “(...) first name(s), last name, parents' first names, date of birth, bank account number, address of residence or domicile, PESEL, email, series and number of identity card, telephone number”, the Administrator's failure to notify data subjects with all the elements required by Article 34(2) of Regulation 2016/679 cannot be passed over. In keeping with the argument made so far, it should be pointed out that the “risk-based approach” adopted in that legal act also shapes the obligations incumbent on controllers in connection with personal data breaches.
It therefore follows from an analysis of the legislation that, depending on the level of risk to the rights or freedoms of natural persons that the controller is dealing with, its obligations towards the supervisory authority and towards the data subjects are shaped differently. If, as a result of its analysis, the controller has determined that the breach is unlikely to result in a risk to the rights or freedoms of individuals, it is not obliged to report the breach to the President of the DPA; it only has to record the breach in its internal breach register. If a risk to the rights or freedoms of individuals is identified, the controller is obliged to report the personal data breach to the President of the DPA, as well as to record it in the internal breach register. The occurrence of a high risk to the rights or freedoms of individuals requires the controller, in addition to the entry in the breach register, to take appropriate action both towards the supervisory authority (notification of the personal data breach) and towards the data subjects. Indeed, for personal data breaches likely to result in a high risk to the rights or freedoms of the data subject, Regulation 2016/679 introduces an additional obligation on the controller to notify the data subject without undue delay, unless one of the conditions of Article 34(3) of Regulation 2016/679 is met, i.e. the controller had implemented appropriate protective measures (such as encryption rendering the data unintelligible) before the breach, has taken subsequent measures ensuring that the high risk is no longer likely to materialize, or individual notification would involve disproportionate effort and a public communication is made instead.
Adopting this very perspective, the President of the DPA, having analyzed both the content of the notice originally provided by the Administrator to data subjects on January 10, 2020 and the nature of the breach that occurred, its duration, the categories of data and of persons affected by the breach, and the remedial measures taken, asked the Administrator on March 13, 2020 to promptly notify data subjects of the breach of their personal data again and correctly, and to take measures to eliminate similar irregularities in the future. Pursuant to Article 52(1) and (3) of the PDPA and Article 34(4) of Regulation 2016/679, it also obliged the Administrator to provide, within 30 days of receipt of that request, information on the actions taken, in particular those related to providing data subjects with a description of the likely consequences of the personal data breach and a description of the measures taken or proposed by the Controller to address the breach, including, where applicable, measures to mitigate its possible adverse effects. The President of the DPA pointed out at that time that there were insufficient grounds for the Administrator's assumption that “the purpose of encrypting the data was not to steal it.” Considering the information provided by the Administrator in its letter of March 5, 2020 that the Administrator “(...) does not have data that unequivocally excludes the possibility of data retrieval by unauthorized third parties during a break-in,” the President of the DPA, guided by far-reaching caution, therefore considered it justified to conclude that, with a very high degree of probability, the confidentiality of the personal data processed by the Administrator could also have been breached in the case in question.
Undoubtedly, the Administrator's failure, in the explanations it has submitted so far, to provide details of the investigation conducted and its results, and in particular the lack of sufficient evidence on which to actually determine the modus operandi of the malware, confirmed the supervisory authority in this conviction. At the same time, a comprehensive analysis of the documentation submitted by the Administrator in the present case shows that, to date, it has not submitted convincing evidence in support of the claims it makes. Consequently, the position of the President of the DPA expressed on March 13, 2020, regarding the reasonable suspicion that the confidentiality of the data sets processed by the Administrator may have been breached as a result of the ransomware attack of November 25, 2019, remains valid.
Therefore, in light of the above argument, it cannot be concluded that the Administrator, when providing the “Data Breach Notification” on March 21, 2020 to former and current employees (i.e. a total of “(...) approximately 200 (...)” persons), did so taking into account all the elements required by Article 34(2) of Regulation 2016/679, as it was obliged to do under Article 34(1) of Regulation 2016/679 upon identifying the high risk resulting from the personal data breach of November 25, 2019 (the authority infers that the Administrator identified such a risk from the very fact that it issued a renewed breach notification to the data subjects on March 21, 2020). Being unable to exclude beyond any doubt that the confidentiality of the wide range of data of the aforementioned categories of persons had been breached in the case in question, the Administrator should therefore, taking the perspective of protecting the interests of data subjects and exercising far-reaching caution, have provided them with all the information required by law. Meanwhile, an analysis of the content of the notice sent to data subjects on March 21, 2020 shows that, although the Administrator indicated to former and current employees certain possible consequences of the breach and the remedies they could take to minimize its negative consequences, which are listed on page 7 of the justification of this decision, in the opinion of the supervisory authority those measures remain inadequate in relation to the risk arising from the breach in question. This is because, by failing to address all the categories of data disclosed, in particular those whose unauthorized disclosure entails a high risk to the rights or freedoms of individuals, i.e. the data set consisting of the PESEL number together with the first and last name, they do not sufficiently minimize its negative consequences.
Besides, regardless of the Administrator's own assessment of the risk to the rights or freedoms of individuals, the above argument is strengthened when one takes into account that the breach in question may have resulted in a loss of confidentiality of the PESEL number, an 11-digit number which not only unambiguously identifies an individual but also encodes that individual's date of birth and gender, i.e. information closely related to the sphere of their privacy. In addition, it should be taken into account that, as a result of the personal data breach, the confidentiality of this registration number, together with the names of the Administrator's former and current employees, could - with a high degree of probability - have been compromised to the benefit of the unidentified perpetrators of the attack on its IT infrastructure, and that this combination of personal data alone is sometimes enough to “impersonate” the person to whom the data relates and to incur, on that person's behalf and to their detriment, for example, monetary obligations (vide: https://www.bik.pl/poradnik-bik/wyludzenie-kredytu-tak-dzialaja-oszusci - where a case is described in which: “Just a first name, last name and PESEL number were enough for the scammers to extort more than a dozen loans totaling tens of thousands of zlotys. Nothing else matched: neither the ID number nor the address of residence”, accessed 2.9.2024). It should not be overlooked that the breach in question involved an even broader catalog of personal data of the Administrator's former and current employees, covering - according to its declaration - also such categories of data as: “(...) parents' names, date of birth, bank account number, address of residence or domicile, (...), email, series and number of identity card, telephone number,” which, combined with the criminal actions of those who potentially came into possession of that information on the Administrator's staff, only increases the seriousness of the risk to the rights or freedoms of data subjects.
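The decision's point that a PESEL number "contains the date of birth and the gender designation" is easy to verify from the number's public structure: the first six digits are YYMMDD with the century folded into the month field, the tenth digit encodes sex by parity, and the eleventh is a weighted check digit. The following decoder, added here as an illustration and not part of the decision or of any party's systems, shows exactly what an attacker learns from a leaked PESEL on its own, and why a valid check digit lets a fraudster distinguish a genuine number from a typo. The two PESEL values used are synthetic, constructed for this example, and belong to no real person.

```python
"""Decode and validate a Polish PESEL number.

Added worked example (not part of the decision): it shows what a leaked
PESEL reveals by itself, which is why the decision treats its disclosure
as high risk. The PESEL values used in the demo are synthetic, constructed
for this example, and do not belong to any real person.
"""
from dataclasses import dataclass
from datetime import date

# Weights applied to digits 1-10 when computing the check digit (digit 11).
_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# The month field carries the century as an offset added to the month:
# 1900-1999 -> +0, 2000-2099 -> +20, 2100-2199 -> +40, 2200-2299 -> +60,
# 1800-1899 -> +80.
_CENTURY_BY_OFFSET = {0: 1900, 20: 2000, 40: 2100, 60: 2200, 80: 1800}


@dataclass(frozen=True)
class PeselInfo:
    birth_date: date
    sex: str          # "male" or "female"
    checksum_ok: bool


def pesel_checksum_ok(pesel: str) -> bool:
    """Return True if the 11th digit is the correct check digit."""
    if len(pesel) != 11 or not pesel.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(pesel[:10], _WEIGHTS))
    return (10 - total % 10) % 10 == int(pesel[10])


def decode_pesel(pesel: str) -> PeselInfo:
    """Extract the birth date and sex encoded in a PESEL.

    Raises ValueError if the string is not 11 digits or the encoded date is
    impossible. A wrong check digit is reported via checksum_ok rather than
    raised, so a mistyped or fabricated number can still be inspected.
    """
    if len(pesel) != 11 or not pesel.isdigit():
        raise ValueError("PESEL must be exactly 11 digits")
    yy, mm_enc, dd = int(pesel[0:2]), int(pesel[2:4]), int(pesel[4:6])
    offset = (mm_enc // 20) * 20            # 0, 20, 40, 60 or 80
    month = mm_enc - offset
    birth = date(_CENTURY_BY_OFFSET[offset] + yy, month, dd)  # ValueError if impossible
    # Digit 10 (index 9) is the sex digit: odd = male, even = female.
    sex = "male" if int(pesel[9]) % 2 else "female"
    return PeselInfo(birth, sex, pesel_checksum_ok(pesel))


if __name__ == "__main__":
    # Constructed, synthetic PESELs: 1985-03-14 female, 2003-11-05 male,
    # and the first one with its check digit corrupted.
    for sample in ("85031412347", "03310578913", "85031412348"):
        info = decode_pesel(sample)
        print(f"{sample}: born {info.birth_date.isoformat()}, {info.sex}, "
              f"check digit {'valid' if info.checksum_ok else 'INVALID'}")
```

Run as a script it prints the birth date and sex for each constructed sample and flags the corrupted one; the point for incident response is that a name plus a PESEL with a valid check digit is already a usable identity, which is why a notification that omits this category of data understates the consequences described in Article 34(2).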
The issue of breaches of the confidentiality of national identification numbers and the resulting obligations of controllers towards both the supervisory authority and data subjects was also addressed by the EDPB in “Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, Version 2.0”, adopted on December 14, 2021 (hereinafter EDPB Guidelines 01/2021). Discussing in that document a case of “highly confidential personal data sent by mail by mistake,” in which a social security number (the equivalent of the PESEL number used in Poland) was disclosed, the EDPB found beyond any doubt that the disclosure of first and last name, e-mail address, postal address and social security number indicates a high risk to the rights or freedoms of individuals (“the involvement of their [the victims'] social security number, as well as other, more basic personal data, further increases the risk, which can be described as high”), thus implying the need to notify the supervisory authority and the data subjects of the breach. A similar position has been expressed several times by the Provincial Administrative Court (WSA) in Warsaw (vide: judgment of July 1, 2022, ref. no. II SA/Wa 4143/21; judgment of September 22, 2021, ref. no. II SA/Wa 791/21; judgment of November 15, 2022, ref. no. II SA/Wa 546/22; judgment of June 21, 2023, ref. no. II SA/Wa 150/23; and judgment of November 6, 2023, ref. no. II SA/Wa 996/23), as well as by the Supreme Administrative Court in its judgment of December 6, 2023, ref. no. III OSK 2931/21.
Thus, applying the above reasoning to the facts presented, it should be emphasized that in case of any doubt about the fulfillment of obligations by controllers - including where a personal data breach has occurred - one should first of all, following a purposive interpretation of Regulation 2016/679, take into account the rule expressed in Article 1(2) of that act, according to which the primary purpose of its norms always remains the protection of the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. In order to comply with that postulate, the Administrator should, following the occurrence of the breach in question, have analyzed the risks that its occurrence poses to the legally protected interests of those individuals. It was therefore obliged to take into account, following the Article 29 Working Party Guidelines “on Personal data breach notification under Regulation 2016/679,” hereinafter the “WP250 Guidelines” (now superseded by EDPB Guidelines 9/2022 “on personal data breach notification under GDPR,” hereinafter the “Guidelines 9/2022”), the following criteria: the type of breach; the nature, sensitivity and volume of the personal data; the ease of identification of the natural persons; the severity of the consequences for the data subjects; the number of data subjects affected; and the specific circumstances of the breach, including, in accordance with recitals 75 and 76 of Regulation 2016/679, the severity of the potential consequences and the likelihood of their occurrence. A high level of any of these factors affects the overall assessment on which compliance with the obligations set forth in Articles 33(1) and 34(1) of Regulation 2016/679 depends.
Bearing in mind that, due to the scope of the personal data potentially disclosed in the case under review, there was, as shown above, the possibility of serious negative consequences materializing for the Administrator's former and current employees, the severity of the potential impact on the rights or freedoms of the individuals concerned must be considered high. At the same time, the likelihood of that high risk materializing is not low and has not been eliminated. It must therefore be concluded that the breach in question resulted in a high risk to the rights or freedoms of data subjects, which in turn gives rise, among other things, to the obligation to notify the Controller's former and current employees of the breach of their personal data pursuant to Article 34(1) of Regulation 2016/679, taking into account all the elements indicated in Article 34(2) of Regulation 2016/679 (the high-risk premise is not met in the case of “(...) customers who have made a purchase at least once (...)” at the Administrator's enterprise, given the scope of information concerning those persons, i.e. name, surname, bank account number, residential address, business address, TIN, e-mail, telephone number and data on orders placed).
Thus, as an example of the opposite of what the EU legislator intended, one may point to the content of the breach notice provided by the Administrator to data subjects on March 21, 2020, in which the Administrator did not list all the foreseeable consequences of the personal data breach and did not formulate corresponding recommendations on the actions data subjects could take to fully secure their privacy, thereby depriving them of the opportunity to effectively counteract the potential harm. This constitutes a violation by the Controller of Article 34(2) of Regulation 2016/679, a provision intended not only to ensure the most effective protection of the fundamental rights or freedoms of data subjects but also to implement the principle of transparency following from Article 5(1)(a) of Regulation 2016/679 (cf. Chomiczewski Witold (in:) RODO. Ogólne rozporządzenie o ochronie danych. Komentarz, ed. E. Bielak-Jomaa, D. Lubasz, Warsaw 2018).
Proper fulfillment of the obligation set forth in Article 34 of Regulation 2016/679 means ensuring that data subjects are promptly and transparently informed of the breach of their personal data, together with a description of its likely consequences and of the measures they can take to minimize its possible negative effects, which - taking into account both the categories of personal data covered by the breach in question and the context of the processing in which it occurred - may prove serious, e.g. financial liabilities being incurred to the detriment of the Administrator's former and current employees. A telling example of the materialization of that risk is contained in the infoDOK report (vide: https://www.zbp.pl/raporty-i-publikacje/raporty-cykliczne/raport-infodok), prepared as part of the public information campaign of the Restricted Documents (DOKUMENTY ZASTRZEŻONE) system, organized by the Polish Bank Association and some banks under the auspices of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation. It shows that in the fourth quarter of 2019, i.e. at the time of the breach in question, 1,607 attempts to obtain loans and credits by fraud were recorded, for a total of PLN 58.4 million, which means that every day there were 18 attempts to obtain a total of PLN 642 thousand using someone else's personal data; in view of the demonstrated negligence of the Administrator in providing data subjects with an incomplete message about the potential consequences of the breach and the recommendations for minimizing the likelihood of their materialization, this is undoubtedly of considerable importance.
In comparison, in the fourth quarter of 2020 there were already 1,943 attempted loan frauds for a total of PLN 67.3 million, and in the fourth quarter of 2021, 2,075 attempts for a total of PLN 91.3 million, which clearly illustrates the alarming upward trend in the risk of other people's personal data being used for criminal purposes. Moreover, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time, as confirmed by: the judgment of the District Court in Łęczyca of July 27, 2016 (ref. I C 566/15), the judgment of the District Court for Łódź-Widzew in Łódź of August 13, 2020 (ref. II C 1145/19), the judgment of the District Court in Pisz of August 21, 2020 (ref. I C 260/20), and the judgment of the District Court in Puławy of April 7, 2022 (ref. I C 475/19).
It should therefore be emphasized that, acting in accordance with the law and showing concern for the interests of data subjects, the Controller should have ensured, without further delay, that data subjects were able to protect their personal data as well as possible. To achieve this, it was necessary at least to provide the information listed in Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, an obligation the Controller failed to comply with, despite the request addressed to it in this regard by the President of the DPA on March 13, 2020.
Thus, on the basis of the evidence gathered in the case and in light of the above reasoning, the finding that the Administrator violated its obligation under Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, by failing to properly notify its former and current employees of the breach of their personal data, should raise no doubts. The analysis of the facts also revealed that, to date, the Controller has made no further attempt to provide its former and current employees with a complete communication, i.e. one including all the elements listed in Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, even though, after reading the letter addressed to it by the President of the DPA on March 13, 2020, it should already have been aware of the legal requirements for notifying data subjects of a breach of their personal data.
VI. Administrative monetary penalty.
In view of the above findings, the President of the Office for Personal Data Protection, exercising the power set forth in Article 58(2)(i) of Regulation 2016/679 and taking into account the circumstances established in the proceedings, concluded that in the case under consideration there were grounds justifying the imposition of administrative fines on the Controller and on the Processor.
Pursuant to Article 83(4)(a) of Regulation 2016/679, infringements of the provisions on the obligations of the controller and the processor under Articles 8, 11, 25 to 39, 42 and 43 are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
Pursuant to Article 83(5)(a) of Regulation 2016/679, infringements of the basic principles for processing, including the conditions for consent, under Articles 5, 6, 7 and 9 are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
Article 83(3) of Regulation 2016/679, in turn, stipulates that if a controller or processor intentionally or negligently infringes several provisions of the Regulation in the same or linked processing operations, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
In the present case, the administrative fine on Mr. AB, doing business under the name X, (...) Street, was imposed for violation of Articles 25(1), 28(1), 32(1) and (2), and 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679 on the basis of Article 83(4)(a) of Regulation 2016/679 cited above, and for violation of Article 5(1)(f) and Article 5(2) of Regulation 2016/679 on the basis of Article 83(5)(a) of that Regulation.
The administrative fine imposed on Mr. EF and Mr. GH, partners of Y s.c., Al. (...), and Ms. CD, former partner of Y s.c., all jointly and severally liable, for violation of Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679, finds its basis in Article 83(4)(a) of the Regulation.
In addition, it should be pointed out that, in accordance with Article 58(2)(d) of Regulation 2016/679, each supervisory authority has the corrective power to order the controller or processor to bring processing operations into compliance with the provisions of the Regulation, where appropriate in a specified manner and within a specified period.
I. Rationale affecting the imposition of an administrative fine against the Administrator (Article 83(2) in fine of Regulation 2016/679).
In deciding to impose an administrative fine on Mr. AB, doing business under the name X, ul. (...), the President of the DPA - pursuant to Article 83(2)(a) to (k) of Regulation 2016/679 - took into account the following circumstances of the case, which constitute aggravating factors and influence the amount of the administrative fine imposed:
1. the nature, gravity and duration of the violation, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679).
When imposing the administrative fine, account was taken of the fact that the violation of the provisions of Regulation 2016/679 which oblige the Administrator to apply appropriate technical and organizational measures to ensure the security of the personal data processed in connection with its nationwide business activity, the form of which is described on p. 3 of the statement of reasons for this decision, affected at least the availability of the “(...) database[s] of customers who have made a purchase at least once (...)”, as well as the data of the Administrator's former and current employees, “(...) in the number of approximately 200 (...)” persons. The logical consequence of the Administrator's deficiencies identified in the course of these proceedings with respect to its compliance with Articles 24(1), 25(1), 32(1) and 32(2) of Regulation 2016/679 was the personal data breach of November 25, 2019, consisting of unauthorized access by unidentified perpetrators to the Administrator's IT infrastructure and the encryption of the following categories of personal data of its former and current employees: “(...) first name(s), last name, parents' first names, date of birth, bank account number, residence or domicile address, PESEL, email, ID card series and number, telephone number.” The Administrator's violations of those provisions of Regulation 2016/679 must therefore be regarded as of considerable gravity and seriousness, since the resulting event may lead to material or non-material damage to the persons whose data were affected in that scope, and the likelihood of such damage occurring still remains high.
Indeed, the evidence gathered in the present case contains no indication that the Administrator made appropriate arrangements to actually identify the mode of operation of the malware. Consequently, given the Administrator's failure to provide details of the investigation conducted and its results, and in particular the lack of sufficient evidence of the steps it took to identify the mode of operation of the malware, it is impossible to accept as established the Administrator's assumption that “(...) the purpose of encrypting the data was not to steal it (...)”. On the contrary: in light of the facts cited, the scenario in which the confidentiality of the above categories of personal data was nevertheless breached cannot be ruled out, creating a high risk of negative consequences for the rights or freedoms of the former and current employees of X, ul. (...), a risk which, significantly, the Administrator itself identified when informing those individuals on March 21, 2020 of the potential consequences of the breach, quote: “(...) The data affected by the breach may be used for such purposes as an attempt to defraud others of your data, or an attempt to enter into a contract with you (for example, an online sale) using the data, to execute a hacking attack by sending a notification to your email or phone number. There is also a chance that you will receive commercial, marketing information to which you have not given your consent.”
Leaving aside even the consideration of real pecuniary damage, which may be - taking into account the set of categories of personal data and the context of processing - the consequence of a breach of the confidentiality of personal data (and their further access by unauthorized entities, which, after all, cannot be excluded in the case at hand either), it should be pointed out that the very breach of the availability of personal data constitutes non-pecuniary damage (harm). This is because the data subject may, at the very least, feel the fear associated with the loss of control over his or her personal data, an inconvenience that is a direct result of the nature of the violation of the availability of such data, as well as the psychological suffering associated with uncertainty about the further possible consequences of this violation, such as identity theft, identity fraud or, finally, financial loss. Moreover, as rightly noted by the District Court in Warsaw in its judgment of August 6, 2020, ref. no. XXV C 2596/19, fear, and therefore the loss of a sense of security, constitutes real non-pecuniary damage giving rise to an obligation to compensate for it. In turn, the Court of Justice of the EU, in its judgment of December 14, 2023 in Natsionalna agentsia za prihodite (C-340/21), stressed that “Article 82(1) of the GDPR must be interpreted as meaning that the fear of possible misuse of personal data by third parties experienced by the data subject following a breach of that regulation may itself constitute ‘non-pecuniary damage’ within the meaning of that provision.”
Particular emphasis should be placed on the long duration of the violation of the regulations examined by the President of the DPA in the course of the authority's investigation. Indeed, it should be pointed out that the state of violation of Article 5(1)(f), Article 5(2), Article 25(1), and Article 32(1) and (2) of Regulation 2016/679, manifested by: the failure to select effective technical measures to ensure a degree of security corresponding to the risk of personal data processing, in particular by using an outdated server with B. software; the failure to regularly test, measure and evaluate the effectiveness of the technical and organizational measures to ensure the security of personal data processed in the controller's IT system, and thus inadequate consideration of the risks associated with the processing of personal data in the system; the inadequate selection and failure to monitor organizational measures, which left employees able to modify the operation of the A. antivirus software; and, finally, the failure to implement appropriate organizational measures in the form of ensuring sufficient accountability for the training provided to employees, which together constitute the basic premise for the occurrence of the personal data protection violation in question, began on May 25, 2018, i.e. on the date of application of Regulation 2016/679, and is - in the absence of evidence that the Administrator conducted a risk analysis to identify and assess the appropriate level of risk associated with the processing of personal data - continuing to this day. A similar view should be taken of the persistent violation of Article 28(1) of the Regulation from May 24, 2018, i.e. from the moment the Administrator signed an agreement for the entrustment of personal data processing with the Processor, until today, since, as the Administrator admitted in a letter dated July 7, 2023, it “(...) has not terminated the contract with Y for it continues to cooperate with this entity to a certain extent.”
2. Unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679).
Unauthorized access to the Administrator's IT infrastructure, including the personal data processed in the d. system, became possible as a result of negligent omissions on the part of the Administrator, evidencing its gross negligence, manifested both by its failure to perform any risk analysis for the personal data processing processes it designed, even before starting them, and by its failure to conduct periodic evaluations in this regard after commencing personal data processing operations, based on regular testing, measuring and evaluating of the technical and organizational security measures implemented in its organization for personal data processing processes, and this despite its knowledge of the updates offered by the software manufacturer. As a logical consequence of the gross negligence on the part of the Administrator, it was established that he implemented technical and organizational measures to ensure the security of personal data processing processes in his organization which, already at the design stage, could not constitute an adequate response to the inherent risks associated with the personal data processing processes implemented in his structure. Moreover, by refraining from basing the security architecture designed in his organization on a previously performed risk analysis, the Administrator was a priori deprived, as has been shown, of an effective tool for assessing whether the technical and organizational security measures he implemented were sufficient, while the lack of periodic checks of the tools in his possession and their assessment in terms of risk further compounded this state of ignorance. A contrario, the Administrator, knowing the nature of the personal data processing processes taking place in his organization, should have shown awareness of the specifics of the operation of IT systems and of the impact that the “human factor” has on their functioning.
Despite the use of such systems to process personal data, the Administrator not only failed to conduct a risk analysis in the area of the personal data protection breach, but, in designing and implementing changes aimed at mitigating the risk of recurrence of the personal data protection breach, once again neglected to conduct an appropriate risk evaluation. Thus, his actions must again be characterized by a lack of awareness of the potential threats to the personal data processing processes implemented in his structure, and the technical and organizational processing security measures implemented by the Administrator cannot be regarded as adequate in relation to the objectively existing risks. From this point of view, no accusation can be formulated against the Administrator other than one of “gross negligence”, understood as the failure to observe, in a specific state of facts, at least the elementary principles of behavior in a given situation, in other words, acting or omitting to act in a manner that does not meet the basic standard of Article 5(1)(f) of Regulation 2016/679, the principle of integrity and confidentiality, which consequently supports, in the opinion of the authority, the intentional nature of the violation of Articles 25(1), 28(1), 32(1) and (2), which the Administrator has not remedied to date.
3. Actions taken to minimize harm to data subjects (Article 83(2)(c) of Regulation 2016/679).
In the present case, the Administrator's action of restoring the availability of the encrypted data after 4 days cannot be considered as one that would actually promote the minimization of pecuniary or non-pecuniary damage to the data subjects. Indeed, it should be pointed out that the primary purpose of this action was to restore the possibility of operating the Administrator's business, and not consideration for the rights or interests of the persons affected by the violation in question. This assessment by the authority, moreover, follows from the assumption made by the Administrator, but not supported by any facts, according to which “(...) the purpose of encrypting the data was not to steal it.” Meanwhile, the actual purpose of the perpetrators remains unknown, while the modus operandi they displayed allows a conclusion contrary to the reasoning of the Administrator, who downplayed ill will as a motive for the criminal action. Consequently, the actions taken by the Administrator do not in any way meet the postulate of minimizing pecuniary and non-pecuniary damage to the data subjects. Fulfillment of this obligation would instead require an initiative - feasible for the Administrator - consisting, in particular, in an apology or monetary compensation to the data subjects. Clearly, therefore, focusing its activities only on attempts to regain access to the database, which, importantly, does not ensure proper protection of the data from further consequences of the violation, such as being obtained by further unauthorized entities, does not fit into this context.
In light of the above circumstances, it becomes all the more difficult to look for a rational justification for the pragmatics adopted by the Controller to refrain from providing data subjects with a correct description of the possible consequences of a personal data protection breach and a description of the measures applied or proposed by it to remedy the personal data protection breach, including, where appropriate, measures to minimize its possible negative effects, which constitutes a failure by it to comply with the obligation set forth in Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679.
4. The degree of cooperation with the supervisory authority to remedy the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).
The deficiencies demonstrated in the course of these proceedings and on the part of the Administrator are part of the context of its flagrant - due to its persistence - lack of cooperation with the supervisory authority, resulting in the failure to remedy to date the state of violation of Articles 24(1), 25(1), 32(1) and (2), and 34(2) in connection with Article 33(3)(c) and (d) of Regulation 2016/679, despite the formal initiation of administrative proceedings by the President of the DPA in this case.
5. Categories of personal data affected (Article 83(2)(g) of Regulation 2016/679).
The personal data processed in the d. system did not belong to the special categories of personal data referred to in Article 9(1) of Regulation 2016/679; however, their broad scope, including such categories of data of individuals as PESEL number, ID card series and number, first and last names, parents' first names, date of birth, bank account number, address of residence or stay, email address, and telephone number, entails a high risk of violation of the rights or freedoms of the individuals affected by the breach in question. It should be emphasized that the unauthorized disclosure of such a category of data of a special nature as the PESEL number, which is an eleven-digit numeric identifier uniquely identifying an individual and encoding the date of birth, a sequence number, a gender designation and a check digit, which remains closely linked to the individual's sphere of privacy and is also subject, as a national identification number, to special protection under Article 87 of Regulation 2016/679, particularly when combined - as it was in the case at hand - with a broader set of personal data, can realistically and negatively affect the protection of individuals' rights or freedoms. Moreover, the Provincial Administrative Court in Warsaw took no different view of the special nature of identifying information such as the PESEL number and of the related demand for its special protection, stating in its judgment of July 1, 2022 that “in the case of violation of such data as first name, last name and PESEL number, it is indeed possible to steal or falsify identity resulting in negative consequences for data subjects.” Significantly, a similar view was expressed by the Supreme Administrative Court, which, in a ruling issued on December 6, 2023 (judgment of the Supreme Administrative Court of December 6, 2023, file no. III OSK 2931/21), held that the disclosure of “(...) data on, among other things, first and last names, as well as PESEL numbers of individuals, i.e. relatively permanent, unchangeable data (...) may always give rise to a risk of negative consequences for the above-mentioned persons.”
As pointed out in the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR (p. 22; version 2.1; adopted May 24, 2023), hereinafter Guidelines 04/2022, “As for the requirement to take into account the categories of personal data affected by the violation (Article 83(2)(g) of the GDPR), the GDPR clearly identifies the types of data that are subject to special protection and thus a more stringent response when imposing fines. At a minimum, this applies to the types of data covered by Articles 9 and 10 of the GDPR, as well as data not covered by those articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g., location data, private communication data, national identification numbers, or financial data such as transaction statements or credit card numbers). Generally speaking, the greater the number of such categories of data affected by the breach or the more sensitive the data, the more weight the supervisory authority can assign to this factor.”
In determining the amount of the administrative fine for the Administrator, the President of the DPA found no basis for taking into account mitigating circumstances affecting the final penalty. In the opinion of the supervisory authority, all prerequisites listed in Article 83 (2) (a) - (j) of Regulation 2016/679 are either aggravating or merely neutral. Also, applying the premise listed in Article 83(2)(k) of Regulation 2016/679 (ordering consideration of any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found, only neutral ones (as noted below in paragraph 7).
The other following circumstances referred to in Article 83(2) of Regulation 2016/679, after assessing their impact on the violation found in the present case, were found by the President of the DPA to be neutral in his assessment, that is, to have neither an aggravating nor mitigating effect on the size of the administrative fine imposed.
1. The degree of responsibility of the administrator, taking into account the technical and organizational measures it has implemented under Articles 25 and 32 (Article 83(2)(d) of Regulation 2016/679).
As the EDPB pointed out in Guidelines 04/2022, when considering the aforementioned premise, “the supervisory authority must answer the question of the extent to which the controller has ‘done everything that could be expected’ given the nature, purposes or scope of the processing and in light of the obligations imposed on it by the regulation.”
In the present case, the supervisory authority found that the Administrator had violated the provisions of Article 25(1) and Article 32(1) and (2) of Regulation 2016/679. In the opinion of the President of the DPA, the Administrator bears a high degree of responsibility for failing to implement appropriate technical and organizational measures that could have prevented a personal data protection breach. It is clear that in the considered context of the nature, purpose and scope of the processing of personal data, the Controller has not done everything that could be expected, thus failing to comply with the obligations imposed on him under Articles 25 and 32 of Regulation 2016/679.
In this case, however, this circumstance constitutes the essence of the violation itself and is not merely a factor affecting - either aggravating or mitigating - its assessment. For this reason, the lack of appropriate technical and organizational measures, as referred to in Articles 25 and 32 of Regulation 2016/679, cannot be considered in the present case as a circumstance that may further affect the assessment of the violation and the size of the administrative fine imposed on the Administrator.
2. Any relevant prior violations by the Administrator (Article 83(2)(e) of Regulation 2016/679).
The President of the DPA has not found any previous violations of data protection regulations on the part of the Administrator, and therefore there is no basis for treating this circumstance as aggravating. It is the duty of every Administrator to comply with the law, and therefore the lack of previous violations cannot be a mitigating circumstance when imposing sanctions either.
3. How the supervisory authority learned of the violation, in particular whether and to what extent the administrator reported the violation (Article 83(2)(h) of Regulation 2016/679).
The President of the DPA found that the Controller had violated data protection regulations as a result of the Controller's notification of a data breach. By making the notification, the Administrator was fulfilling its legal obligation, so there are no grounds to consider this fact a mitigating circumstance. The EDPB points out in Guidelines 04/2022 that “the manner in which the supervisory authority became aware of the breach may constitute either a significant aggravating or mitigating circumstance. In assessing this aspect, particular weight may be given to whether the controller or processor notified the supervisory authority of the breach on its own initiative and, if so, to what extent, before the supervisory authority was informed of the breach through - for example - a complaint or proceeding. This circumstance is not relevant when the controller is subject to specific breach notification obligations (such as the data breach notification obligation set forth in Article 33 of the GDPR). In such cases, the fact of reporting should be considered a neutral circumstance.”
4. If the measures referred to in Article 58(2) have previously been applied to the controller concerned in the same case, compliance with those measures (Article 83(2)(i) of Regulation 2016/679).
Prior to the issuance of this decision, the President of the DPA did not apply any of the measures listed in Article 58(2) of Regulation 2016/679 to the Administrator in the case at hand, and therefore the Administrator was not required to take any actions related to their application, which, subject to the assessment of the supervisory authority, could have an aggravating or mitigating effect on the assessment of the identified violation.
5. Use of approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83(2)(j) of Regulation 2016/679).
The Administrator does not apply the approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application are not, as the provisions of Regulation 2016/679 state, mandatory for administrators, and therefore the circumstance of their non-application cannot be read against the Administrator in the present case. On the other hand, the circumstance of the adoption and application of such instruments, as measures that guarantee a higher than standard level of protection for the processing of personal data, could be taken into account in its favor.
6. Financial benefit achieved directly or indirectly from the breach, or loss avoided (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA has not established that the Administrator has achieved any financial benefit or avoided such loss in connection with the violation. Therefore, there is no basis for treating this circumstance as incriminating the Administrator. The finding of the existence of tangible financial benefits resulting from the violation of Regulation 2016/679 would have to be viewed in a strongly negative light. In turn, the Administrator's failure to achieve such benefits, as a natural state of affairs, independent of the violation and its consequences, is a circumstance that, by its very nature, cannot be mitigating for the Administrator. This interpretation is confirmed by the very wording of the provision of Article 83(2)(k) of Regulation 2016/679, which directs the supervisory authority to pay due attention to benefits “achieved” - occurring on the part of the violator.
7. Other aggravating or mitigating factors applicable to the circumstances of the case (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA, while comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the administrative monetary penalty imposed.
Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection found that the imposition of an administrative monetary penalty on the Administrator is necessary and justified by the gravity and nature and scope of the violations of Regulation 2016/679 alleged against these entities. It should be noted that the application to these entities of any other remedy provided for in Art. 58(2) of Regulation 2016/679, in particular, to stop at a warning (Article 58(2)(b) of Regulation 2016/679), would not be proportionate to the irregularities found in the processing of personal data, and would not guarantee that the aforementioned entities will not commit similar negligence as in the present case in the future.
II. The method of calculating the penalty against the Administrator based on Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
It is necessary to point out that in determining the amount of the administrative monetary penalty against the Administrator in the present case, the President of the DPA applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022. In accordance with the guidelines set forth therein:
1. The President of the DPA categorized the violations of Regulation 2016/679 found in the present case (vide Chapter 4.1 of Guidelines 04/2022). The violations found in the present case of Article 5(1)(f) and Article 5(2) of Regulation 2016/679 fall - in accordance with Article 83(5) of Regulation 2016/679 - into the category of violations punishable by the higher of the two penalty dimensions provided for in Regulation 2016/679 (with a maximum of up to EUR 20,000,000 or up to 4% of the company's total annual turnover from the previous fiscal year). Thus, they were in abstracto (in isolation from the individual circumstances of a particular case) considered by the EU legislator to be more serious than the violations indicated in Article 83(4) of Regulation 2016/679.
2. The President of the DPA assessed the violations found in the present case as violations of medium seriousness (vide Chapter 4.2 of Guidelines 04/2022). This assessment took into account those prerequisites among those listed in Article 83(2) of Regulation 2016/679 that pertain to the objective side of the violations (make up the “seriousness” of the violation), namely: the nature, gravity and duration of the violations (Article 83(2)(a) of Regulation 2016/679), the unintentional nature of the violations (Article 83(2)(b) of Regulation 2016/679), and the categories of personal data affected by the violations (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. At this point, it should be pointed out that consideration of their combined impact on the assessment of the violations found in the present case, taken as a whole, leads to the conclusion that the level of their severity also in concreto is average (on the scale of severity of violations presented in paragraph 60 of Guidelines 04/2022). The consequence of this, in turn, is the adoption - as the starting amount for the calculation of the penalty - of a value within the range from 10 to 20% of the maximum amount of the penalty that may be imposed on the Administrator. Given that the provision of Article 83(5) of Regulation 2016/679 obliges the President of the DPA to adopt as the maximum amount of the penalty for violations indicated in this provision the amount of EUR 20,000,000 or - if this value is higher than EUR 20,000,000 - the amount representing 4% of the company's turnover from the previous fiscal year, the President of the DPA considered that the so-called static maximum amount of the penalty, i.e. EUR 20,000,000, applies in the present case, since it is higher than the amount resulting from applying the 4% ratio to the Administrator's turnover for 2023, which amounted to EUR (...).
With a range of EUR 2,000,000 to EUR 4,000,000 available, the President of the DPA adopted, as adequate and justified by the circumstances of the case, the starting amount for calculating the penalty amount of EUR (...) (representing (...)% of the static maximum penalty amount).
3. Pursuant to the European Data Protection Board's guidance set forth in paragraph 65 of Guidelines 04/2022 (for companies with an annual turnover between EUR 10 and 50 million), the President of the DPA considered it reasonable to take advantage of the possibility to reduce the starting amount adopted based on the assessment of the seriousness of the violation, which the Guidelines (in Chapter 4.3) provide for companies of smaller size and economic strength. In paragraph 65 of Guidelines 04/2022, the EDPB indicates that “(...) For companies with an annual turnover of between €10 million and €50 million, supervisory authorities may consider making calculations based on values in the range of 1.5 to 10% of the identified starting amount.” Consequently, the President of the DPA, taking into account the size of the Administrator's organization as measured by its turnover, considered it justified to make an adjustment to (...)% of the starting amount of the administrative fine, i.e. to the amount of EUR (...) (equivalent to PLN (...),-).
4. The President of the DPA assessed the impact on the identified violation of the other circumstances (in addition to those taken into account above in the assessment of the seriousness of the violation) indicated in Article 83(2) of Regulation 2016/679 (vide Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the violation, relate - as assumed by Guidelines 04/2022 - to the subjective side of the violation, that is, to the violator himself and to his behavior before, during, and after the violation. A detailed assessment and justification of the impact of each of these premises on the assessment of the violation are presented above. The President of the DPA considered (as justified in the above-presented part of the justification for the decision) that the aggravating circumstances in the present case, and therefore those further increasing the size of the penalty imposed by this decision, are the actions taken by the Administrator to minimize the damage suffered by the data subjects (Article 83(2)(c) of Regulation 2016/679), as well as the degree of cooperation between the Administrator and the President of the DPA to remedy the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). The other prerequisites (from Article 83(2)(d), (e), (h), (i), (j), (k) of Regulation 2016/679) - as indicated above - had no impact, either mitigating or aggravating, on the assessment of the violation and, consequently, on the penalty.
Thus, due to the existence of additional aggravating circumstances in the case, related to the subjective side of the violations (assessment of the Administrator's conduct before and after the violations), the President of the DPA considered it reasonable to increase the amount of the penalty determined on the basis of the assessment of the seriousness of the violations (item 2 above) and the size and economic strength of the Administrator (item 3 above). Adequate to the impact of these premises on the assessment of the violations is, in the opinion of the President of the DPA, its increase to the amount of PLN (...), equivalent to EUR (...).
5. The President of the DPA stated that the amount of the administrative monetary penalty, determined in the manner presented above, does not exceed - pursuant to Article 83(3) of Regulation 2016/679 - the legally defined maximum amount of the penalty provided for the most serious violation (vide Chapter 6 of Guidelines 04/2022). In the case of the most serious violation, that is, a violation of Article 5(1)(f) and Article 5(2) of Regulation 2016/679, the legally specified maximum (static) penalty amount is, as indicated above in point 1, EUR 4,000,000. Thus, the penalty amount listed above, equivalent to EUR (...), clearly does not exceed the maximum penalty provided for the most serious of the violations found.
6. Despite the fact that the amount of the penalty determined in accordance with the above rules does not exceed the legally defined maximum penalty, the President of the DPA considered that it requires additional adjustment due to the principle of proportionality listed in Article 83(1) of Regulation 2016/679 as one of the three penalty assessment directives (vide Chapter 7 of Guidelines 04/2022). Undoubtedly, a monetary penalty in the amount of EUR (...) would be an effective penalty (by its severity it would achieve its repressive purpose, which is to punish unlawful behavior) and a deterrent (allowing both this particular Administrator and other Administrators to be effectively discouraged from committing future violations of Regulation 2016/679). However, such a penalty would be - in the opinion of the President of the DPA - disproportionate both in relation to the gravity of the violations found (which, although greater in abstracto, remains average in concreto - vide points 1 and 2 above) and due to its excessive - in relation to this gravity - severity. Indeed, the principle of proportionality requires, among other things, that the measures adopted by the administrative authority do not go beyond what is appropriate and necessary to achieve legitimate objectives (vide paragraphs 137 and 139 of Guidelines 04/2022). In other words, “A sanction is proportionate if it does not exceed the threshold of annoyance determined by taking into account the circumstances of the particular case” (P. Litwinski (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 [...]; Commentary to Article 83 [in:] P. Litwinski (ed.), General Data Protection Regulation. Law on personal data protection. Selected sector regulations. Commentary).
Thus, taking into account considerations of the proportionality of the penalty, the President of the DPA further reduced the amount of the penalty - to EUR 81,000 (equivalent to PLN 353,589.00). In his opinion, such determination of the final amount of the penalty imposed will not reduce its effectiveness and deterrent character. This is because this amount is the threshold above which further increases in the amount of the penalty would not be associated with an increase in its effectiveness and deterrent character. On the other hand, reducing the amount of the penalty to a greater extent could be at the expense of its effectiveness and deterrent character, as well as of the consistent - in relation to other supervisory authorities and the EDPB - understanding, application and enforcement of Regulation 2016/679, and of the principle of equal treatment of entities in the EU and EEA internal market.
III. Directives of effectiveness, proportionality and dissuasiveness of the sanction applied to the Administrator (Article 83(1) of Regulation 2016/679).
In the opinion of the President of the Office for Personal Data Protection, the administrative fine applied to Mr. AB, doing business under the name X, (...) Street, fulfills, in the established circumstances of the case, the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.
The penalty will be effective if its imposition leads to the Administrator's future compliance with its data protection obligations, in particular in the aspect of: the implementation of appropriate technical and organizational measures to ensure the security of data processing in information systems and the protection of the rights of data subjects, based on a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing and the risk of violation of the rights or freedoms of individuals; implementation of appropriate technical and organizational measures to ensure regular testing, measurement and evaluation of the effectiveness of technical and organizational measures to ensure the security of personal data processed in IT systems, in particular with regard to vulnerabilities, errors and their possible effects on these systems and the measures taken to minimize the risk of their occurrence; implementation of appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident.
In the opinion of the President of the DPA, the administrative fine will fulfill a repressive function, as it will be a response to the Administrator's violation of Regulation 2016/679. It will also fulfill a preventive function, as, in the opinion of the President of the Office for Personal Data Protection, it will indicate to this particular Administrator, as well as to other controllers, the reprehensibility of disregarding their obligations related to: implementing appropriate technical and organizational measures to ensure the security of data processing in IT systems and the protection of the rights of data subjects, on the basis of a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons; implementation of appropriate technical and organizational measures to ensure regular testing, measurement and evaluation of the effectiveness of technical and organizational measures to ensure the security of personal data processed in information systems, in particular with regard to vulnerabilities, errors and their possible effects on these systems and the measures taken to minimize the risk of their occurrence; implementation of appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident; verification of the processor that it provides sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects; and those arising upon the occurrence of a personal data protection breach, aimed, after all, at preventing its negative and often severe consequences for the persons affected by the breach, as well as at removing those consequences or at least reducing them.
Pursuant to the content of Article 103 of the PDPA, the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in zlotys according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of January 28 of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on January 28 - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest to that date.
With the above in mind, the President of the Office for Personal Data Protection, pursuant to Article 83(5) in connection with Article 103 of the PDPA, for the violation described in the operative part of this decision, imposed on the Administrator - using the average exchange rate of the euro on January 29, 2024 (EUR 1 = PLN 4.3653) - an administrative fine of PLN 353,589 (equivalent to EUR 81,000).
In the opinion of the President of the Office for Personal Data Protection, the administrative pecuniary penalty applied to the Administrator in the amount of PLN 353,589 (in words: three hundred and fifty-three thousand five hundred and eighty-nine zlotys), meets, in the established circumstances of the case, the prerequisites referred to in Article 83(1) of Regulation 2016/679 due to the seriousness of the identified violation in the context of the fundamental objective of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. Referring to the amount of the administrative monetary penalty imposed on Mr. AB, doing business at X, (...) Street, the President of the DPA found that it is proportionate to the financial situation of the Administrator and will not constitute an undue burden on him.
The statement submitted by the Administrator on March 8, 2024 shows that “(...) revenue for 2023 amounted to (...) PLN”, so the amount of the administrative monetary penalty imposed in the present case is approximately (...)% of the aforementioned value. At the same time, it should be emphasized that the amount of the penalty imposed is only (...)% of the maximum amount of the penalty that the President of the Office for Personal Data Protection could - applying the maximum penalty of up to EUR 20,000,000 pursuant to Article 83(5) of Regulation 2016/679 - impose on the Administrator for the violations found in the present case.
This is because the amount of the penalty was set at such a level so that, on the one hand, it would constitute an adequate reaction of the supervisory authority to the degree of violation of the Administrator's obligations, but, on the other hand, it would not cause a situation in which the necessity to pay the financial penalty would entail negative consequences, in the form of a significant reduction in employment or a significant decrease in its turnover. In the opinion of the President of the Office for Personal Data Protection, the Administrator should and is able to bear the consequences of its negligence in the sphere of data protection, as evidenced, for example, by the aforementioned statement dated March 8, 2024.
At the same time, the President of the Office for Personal Data Protection, pursuant to Article 83(3) of Regulation 2016/679, decided to impose a single penalty for the entirety of the violations attributed to the Administrator in the proceedings under DKN.5131.1.2021. This is because the events exemplifying them are so contextually, spatially and temporally interconnected that, in accordance with Guideline No. 4/2022, they should be treated as a single behavior of the Administrator, leading to the imposition of a single fine (paragraph 28 of the Guidelines). Indeed, in light of the evidence gathered in the course of these proceedings, it should be pointed out that the materialization of the risk, which resulted in the loss of availability of the Administrator's resources on November 25, 2019, at the very least, was the result of the Administrator's inadequately designed security system for the processing of personal data and the lack of regular testing of possible vulnerabilities in the IT infrastructure. In turn, the issuance of a defective notice to data subjects should be considered in the context of the Administrator's response to the fact of the personal data protection breach in question.
IV. Factors affecting the imposition of an administrative fine against the Processor (Article 83(2) in fine of Regulation 2016/679).
In deciding to impose an administrative monetary penalty on Ms. CD, Mr. EF and Mr. GH, i.e. persons who were partners of Y s.c. at the time of the violations found in the present case, the President of the DPA - pursuant to the content of Article 83(2)(a)-(k) of Regulation 2016/679 - took into account the following circumstances of the case, affecting aggravatingly and having an impact on the size of the administrative penalty imposed.
1. The nature, gravity and duration of the violation taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679).
The circumstance determining the imposition of an administrative fine against the persons who were partners of Y s.c. at the time of the violations found in the present case was the failure of Ms. CD, Mr. EF and Mr. GH to comply with the provisions of Regulation 2016/679 imposing obligations on the processor to assist the Controller in maintaining adequate safeguards for the processing of personal data, i.e. Article 28(3)(f) in conjunction with Article 32(1) and (2) of the Regulation. This assistance should consist of informing him of the lack of adequate security measures for the server used by him in the processing of personal data, regardless of whether or not this lack resulted in its use by the perpetrators of the ransomware attack and, as in the case at hand, the occurrence of a personal data protection breach. As stipulated in Article 28(3)(f) of Regulation 2016/679, this assistance should be provided to the Controller based on the “information available to it” (possessed by the Processor in this case in connection with the services provided to the Controller) and due to the “nature of the processing” (this is the same personal data - processed in the d. system, stored on the Controller's server and used by the Controller in its business activities, the nature of which is approximated on page 4 of the grounds of this decision). Contrary to the literal wording of the provision of Article 28(3)(f) of Regulation 2016/679, the assistance referred to therein extends beyond the obligatory relations arising from the agreement concluded on May 24, 2018 between the Administrator and the Processor “(...)”, which statutes the processor's responsibility for the activities “(...) with regard to the running, operation and maintenance of the d.system in the Administrator's enterprise.” The broader understanding of the concept of “assistance” applies here, i.e. (following the PWN Dictionary of the Polish Language): “an action taken for the benefit of another person.” “Helping,” on the other hand, is (again following the PWN Polish Language Dictionary) “making some effort for the good of some person, in order to make something easier for him or to help him in a difficult situation; also: giving someone something.”
Meanwhile, the indolence manifested by the Processor in its cooperation with the Administrator not only did not facilitate its discernment (which, as a non-professional entity, it did not have to have) of the technical and organizational security measures it maintained for the personal data processing processes taking place in its structure, but contributed directly to the occurrence of the November 25, 2019 event. The passivity found in the present case on the part of the Processor, manifested in its failure over the years to inform the Administrator about the vulnerabilities present in the server software (while one of them was successfully exploited by the perpetrators of the criminal action) and the need to upgrade the operating system to the latest possible version, or to use other, newer logical solutions, is directly related to the materialization of the risk in the form of unauthorized access by undetermined perpetrators to the Administrator's IT infrastructure. In turn, the consequence of the occurrence of the said violation of the protection of personal data processed on the Administrator's servers was, at the very least, the encryption of “(...) database[s] of customers who have purchased (...) at least once,” as well as data on both former and current employees of the Administrator “(...) in the number of approximately 200 (...)” persons. The demonstrated Processor's violation of the aforementioned provisions of Regulation 2016/679 should be attributed at the same time - due to the categories of data of former and current employees of the Administrator covered, i.e. “(...) first name(s), surname, parents' names, date of birth, bank account number, residence or stay address, PESEL, email, ID card series and number, telephone number” - significant importance and serious nature. This is because the personal data protection violation that occurred on November 25, 2019, to which the persons, who were partners of Y s.c. at the time of its occurrence, contributed with their - excluding the possibility of exercising real support towards the Administrator - attitude, may lead to property or non-property damage to the data subjects, and the probability of their occurrence still remains high. Indeed, it should be emphasized that the evidence gathered in the present case does not show indications of the likelihood of the Administrator making appropriate arrangements to actually identify the modus operandi of the malware. Consequently, in relation to the above-mentioned categories of persons whose data has been breached, there is still a high risk of unlawful use of their personal data, since the purpose of the unauthorized persons' actions remains unknown. The above argumentation is reinforced given the modus operandi of criminal perpetrators, for whom, due to their modus operandi, ill will must be assumed as a motive for action. Thus, data subjects may still suffer pecuniary damage, and the mere violation of the availability of their data also constitutes non-pecuniary damage (harm). This is because the data subject may, at the very least, suffer the anxiety associated with the loss of control over their personal data, an inconvenience that stems directly from the nature of the violation of the attribute of availability of that data, with psychological distress associated with the uncertainty of further possible consequences of the violation, such as in the form of identity theft, identity fraud, or, finally, financial loss, not to mention, and as the Regional Court in Warsaw rightly noted in its judgment of August 6, 2020, ref. no. XXV C 2596/19, the fear, and therefore the loss of a sense of security, constitutes a real non-pecuniary damage involving the obligation to compensate for it. In turn, the Court of Justice of the EU, in its ruling of December 14, 2023 in the case of Natsionalna agentsia za prihodite (C-340/21), stressed that “Article 82(1) of the RODO must be interpreted to mean that the fear of possible misuse of personal data by third parties by the data subject following a breach of that regulation may itself constitute ‘non-pecuniary damage’ within the meaning of that provision.”
Notwithstanding the above, the fact of the long duration of the state of violation by the Processor of the provisions of Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679 also demands emphasis. On the basis of the findings made in the course of these proceedings, it should be assumed that the state of violation characterized above existed from at least May 24, 2018, i.e. from the moment the Administrator signed the agreement for entrustment of personal data processing with the Processor, until April 10, 2020 at the latest, when the Administrator informed the authority that it had performed actions aimed at “(...) strengthening the security of the processed personal data (...)”, among which the following should be mentioned, among others: “(...) complete decommissioning of the system on which the infection occurred (...); updating operating systems to the latest available versions, including changing the operating system (...) to a system (...) (...)”. At the same time, it should be emphasized that the materialization of the risk in the form of running third-party processes on the Administrator's server could have been avoided if the Processor, pursuant to Article 28(3)(f) of Regulation 2016/679, had duly fulfilled the obligation addressed solely to it to provide “assistance” to the Administrator taking into account the actual “information available to it”.
2. Unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679).
The Processor, having provided professional services in, among other things, the operation of IT systems and having adequate knowledge in this regard, failed to comply with one of its primary obligations, required of it under Article 28(3)(f) of Regulation 2016/679, to provide the Administrator with “assistance” taking into account “information available to it.” Despite their knowledge regarding the outdated (and hence vulnerable, which eventually materialized) “(...)” server software used by the Administrator in the processing of personal data, the partners of Y s.c. did nothing, in addition in the long term, to counteract the said state of affairs. Their omissions therefore preclude the possibility of providing assistance, understood as giving the Administrator real support in terms of the technical and organizational security measures he implemented, about which, as a non-professional in the IT field, he did not have to have a full understanding. Undoubtedly, from a professional entity, especially one with: “(...) many years of experience in the implementation of systems based on (...) and customization (...)” and distinguished not only by “(...) the most experienced implementation team in Poland (...)”, but also by its status as “(...) (...)”, can be required to support its partner's expertise based “on the information available to it” (which it must have had, if only due to the fact that it had custody of the d. system hosted on the said server).
Thus, the findings made by the President of the DPA allow the conclusion that the attitude of the partners of Y s.c. cannot be described in categories other than those relating to gross negligence, which, given the professional nature of the services provided by this entity, must constitute an aggravating circumstance.
3. Categories of personal data affected by the violation (Article 83(2)(g) of Regulation 2016/679).
The personal data processed in the d. system did not belong to the special categories of personal data referred to in Article 9(1) of Regulation 2016/679; however, their wide scope, which includes such categories of data of individuals as PESEL number, series and number of identity card, names and surnames, parents' names, date of birth, bank account number, address of residence or stay, email address and telephone number, entails a high risk of violation of the rights or freedoms of individuals affected by the breach in question. It should be emphasized that the unauthorized disclosure of such a category of data of a special nature as the PESEL number (which, in the absence of evidence to the contrary, cannot be ruled out in the facts presented), i.e. an eleven-digit numeric symbol, uniquely identifying an individual, including date of birth, sequence number, gender designation and check number, remaining closely linked to the sphere of privacy of an individual and also subject, as a national identification number, to exceptional protection under Art. 87 of Regulation 2016/679, particularly when combined - as it was in the case at hand - with a broader set of personal data, can realistically and negatively affect the protection of individuals' rights or freedoms. Moreover, the issue of the special nature of identifying information, such as the PESEL identification number, and the related demand for its special protection, was viewed no differently by the Provincial Administrative Court in Warsaw, which, in its judgment of July 1, 2022, noted that “in the case of violation of such data as first name, last name and PESEL number, it is possible to steal or falsify identity resulting in negative consequences for the data subjects.” Significantly, a similar view was expressed by the Supreme Administrative Court, which, in a ruling issued on December 6, 2023 (judgment of the Supreme Administrative Court of December 6, 2023, ref. III OSK 2931/21), ruled that the disclosure of “(...) data on, inter alia, first and last names, as well as PESEL numbers of natural persons, i.e. relatively permanent, unchangeable data (...) may always give rise to a risk of negative consequences for the aforementioned persons.”
As indicated in the EROD Guidelines 04/2022, “As for the requirement to take into account the categories of personal data affected by the violation (Article 83(2)(g) of the RODO), the RODO clearly identifies the types of data that are subject to special protection and thus a more stringent response when imposing fines. At a minimum, this applies to the types of data covered by Articles 9 and 10 of the RODO, as well as data not covered by those articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g., location data, private communication data, national identification numbers, or financial data such as transaction statements or credit card numbers). Generally speaking, the greater the number of such categories of data affected by the breach or the more sensitive the data, the more weight the supervisory authority can assign to this factor.”
In determining the amount of the administrative fine, the President of the DPA found no grounds to take into account mitigating circumstances affecting the final penalty. In the opinion of the supervisory authority, all the prerequisites listed in Article 83(2)(a)-(j) of Regulation 2016/679 are either aggravating or merely neutral. Also, applying the premise listed in Article 83(2)(k) of Regulation 2016/679 (ordering consideration of any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found, only neutral ones (as noted below in paragraph 9).
The other below-mentioned circumstances referred to in Article 83(2) of Regulation 2016/679, after assessing their impact on the violation found in the present case, were found by the President of the DPA to be neutral in his assessment, that is, to have neither an aggravating nor mitigating effect on the size of the administrative fine imposed.
1. Actions taken to minimize harm to data subjects (Article 83(2)(c) of Regulation 2016/679).
In the present case, the characterization cited in the letter of July 8, 2022 by the former and current partners of Y s.c., Al (...), of the actions they took after the personal data protection violation in question cannot be considered as one that would actually promote the minimization of damage of a pecuniary or non-pecuniary nature to data subjects. The action of “(...) disconnect[ing] the server from the network (...)” could not, after all, contribute in any way to the minimization of such damages, since the unauthorized access to the Administrator's IT infrastructure, as a result of which the availability and - as demonstrated and which cannot be excluded - the confidentiality of the personal data processed with its use was lost, took place prior to the action taken by the Processor. Consequently, the technical measure applied by the Processor, without in any way contributing to the decryption of personal data, much less being able to constitute the restoration of the attribute of their confidentiality, cannot, in the established circumstances of this case, be viewed in terms of a measure that would eliminate the likelihood of a high risk of violation of the rights or freedoms of individuals. The information provided by the Processor about “(...) decrypt[ing] the database [containing personal data - added on]” should be treated in the same way.
Indeed, the Authority refused to recognize the evidentiary force of the circumstance cited by the former and current partners of Y s.c., guided by the premises of both the type of malware used by the perpetrators and bearing in mind that before the date of November 25, 2019, the Administrator's IT infrastructure did not use solutions based on network segmentation, which, as a consequence of the ransomware attack in question, must have led to its effects covering the entire structure, including backups, making it impossible to reconstruct processed personal data other than with the use of decryption codes. On the other hand, the other remedial actions described by the Processor in the content of the aforementioned letter - in the opinion of the President of the DPA - should be considered rather in the aspect of technical and organizational measures to mitigate the risk of recurrence of a personal data protection breach, rather than those taken to minimize the damage suffered by data subjects in the context of this particular breach.
2. Degree of responsibility taking into account the technical and organizational measures implemented (Article 83(2)(d) of Regulation 2016/679).
As the EROD pointed out in Guideline 04/2022, when considering the aforementioned premise, “the supervisory authority must answer the question of the extent to which the controller has ‘done all that could be expected’ given the nature, purposes or scope of the processing and in light of the obligations imposed on it by the regulation.” The above rationale also allows the assignment of possible liability and its degree to the processor. Consequently, the assessment of the processor under the aforementioned Guidelines in the context of the application of an appropriate remedy may refer to Article 32 of Regulation 2016/679 and include the issue of ensuring an adequate level of security. In the present case, the supervisory authority found a violation by the Processor of the provisions of Article 32(1) and (2) of Regulation 2016/679. In the opinion of the President of the DPA, the Processor bears a high degree of responsibility for failing to implement appropriate technical and organizational measures that could have prevented a personal data protection breach. It is clear that in the considered context of the nature, purpose and scope of the processing of personal data, the Processor has not done everything that could be expected, thus failing to comply with the obligations imposed on it by Article 32 of Regulation 2016/679. However, in the present case, this circumstance constitutes the essence of the breach itself - and is not merely a factor affecting - either aggravatingly or mitigatingly - its assessment. For this reason, the lack of appropriate technical and organizational measures referred to in Article 32 of Regulation 2016/679 cannot be considered in the present case as a circumstance that may additionally affect the assessment of the violation and the size of the administrative fine imposed on the Processor.
3. Any relevant prior violation by the Controller (Article 83(2)(e) of Regulation 2016/679).
The President of the DPA has not found any previous violations of data protection regulations on the part of Ms. CD, Mr. EF and Mr. GH, i.e. former and current partners of Y s.c., Al (...), and therefore there are no grounds to treat this circumstance as aggravating. It is the duty of every processor to comply with the law, and therefore the lack of previous violations cannot be a mitigating circumstance in the imposition of sanctions either.
4. The degree of cooperation with the supervisory authority to remedy the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).
During the course of the proceedings, the former and current partners of Y s.c. did not take any additional actions in connection with the supervisory authority's statements. On the other hand, prior to the initiation of the present proceedings, independent actions were taken by the above-mentioned persons aimed at eliminating the source of the personal data protection violation. However, these actions - cited on pages 14 and 15 of the justification for this decision - were of an autonomous nature, and therefore the President of the DPA cannot treat them as having been taken in cooperation with the authority, and therefore cannot assess the “degree” of such cooperation. Regardless, these actions were taken into account above and qualified by the supervisory authority as a neutral circumstance as defined in Article 83(2)(c) of Regulation 2016/679.
5. How the supervisory authority became aware of the violation, in particular, whether and to what extent the controller reported the violation (Article 83(2)(h) of Regulation 2016/679).
The President of the DPA found that the Processor had violated data protection regulations as a result of the Controller's notification of a personal data breach. The Controller, by making the notification, was fulfilling its legal obligation, so there are no grounds to consider this fact as a mitigating circumstance. The EROD in Guideline 04/2022 indicates that “the manner in which the supervisory authority became aware of the breach may constitute either a significant aggravating or mitigating circumstance. In assessing this aspect, particular weight may be given to whether the controller or processor notified the supervisory authority of the breach on its own initiative and, if so, to what extent, before the supervisory authority was informed of the breach through - for example - a complaint or proceeding. This circumstance is not relevant when the controller is subject to specific breach notification obligations (such as the data breach notification obligation set forth in Article 33 of the RODO). In such cases, the fact of reporting should be considered a neutral circumstance.”
6. Compliance with measures previously applied in the same case, as referred to in Article 58(2) of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679).
Prior to the issuance of this decision, the President of the DPA did not apply any measures listed in Article 58(2) of Regulation 2016/679 to the Processor in the case under review, and therefore the Processor was not obliged to take any actions related to their application, which, when assessed by the supervisory authority, could have an aggravating or mitigating effect on the assessment of the identified violation.
7. Use of approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83(2)(j) of Regulation 2016/679).
The Processor does not apply the approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not, as the provisions of Regulation 2016/679 state, mandatory for processors, and therefore the circumstance of their non-application cannot be read in the present case to the disadvantage of Ms. CD, Mr. EF and Mr. GH, i.e. former and current partners of Y s.c. In favor of the aforementioned persons, on the other hand, the circumstance of the adoption and application of such instruments, as measures that guarantee a higher than standard level of protection for the processing of personal data, could be taken into account.
8. Financial benefit achieved directly or indirectly due to the violation or avoidance of loss (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA has not established that Ms. CD, Mr. EF and Mr. GH have achieved any financial benefit or avoided any such loss in connection with the breach in question. Thus, there is no basis for treating this circumstance as an aggravating one with respect to the former and current partners of Y s.c., Al (...). The finding of the existence of tangible financial benefits resulting from the violation of the provisions of Regulation 2016/679 would have to be viewed in a strongly negative light. In turn, the failure of the aforementioned persons to obtain such benefits, as a natural state of affairs, independent of the violation and its consequences, is a circumstance that, by its very nature, cannot be mitigating for the Processor. This interpretation is confirmed by the very wording of the provision of Article 83(2)(k) of Regulation 2016/679, which directs the supervisory authority to pay due attention to benefits “achieved” - occurring on the part of the infringer.
9. Other aggravating or mitigating factors applicable to the circumstances of the case (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA, while comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the administrative monetary penalty imposed.
Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection found that the imposition of an administrative monetary penalty on the Processor is necessary and justified by the gravity, nature and scope of the violations of Regulation 2016/679 alleged against these entities. It should be stated that the application of any other remedy provided for in Art. 58(2) of Regulation 2016/679, and in particular, to stop at a warning (Article 58(2)(b) of Regulation 2016/679), would not be proportionate to the irregularities found in the processing of personal data, and would not guarantee that the above-mentioned entities will not commit similar negligence as in the present case in the future.
V. How the penalty against the Processor was calculated under Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
It is necessary to point out that in determining the amount of the administrative monetary penalty against the Processor in the present case, the President of the DPA applied the methodology adopted by the European Data Protection Board in Guideline 04/2022. In accordance with the guidance provided therein:
1. The President of the DPA categorized the violations of Regulation 2016/679 found in the present case (vide Chapter 4.1 of Guidelines 04/2022). The violation found in the present case of Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679 falls, in accordance with Article 83(4)(a) of Regulation 2016/679, into the category of violations punishable under the lower of the two penalty ceilings provided for in Regulation 2016/679 (with a maximum of up to EUR 10,000,000 or up to 2% of the company's total annual turnover from the previous fiscal year). Thus, it was considered in abstracto (in isolation from the individual circumstances of a specific case) by the EU legislator to be less serious than the violations indicated in Article 83(5) of Regulation 2016/679.
2. The President of the DPA assessed the violation found in the present case as a violation with a low level of seriousness (vide Chapter 4.2 of Guidelines 04/2022). This assessment took into account those prerequisites among those listed in Article 83(2) of Regulation 2016/679 that pertain to the objective side of the violation (and make up its “seriousness”), namely: the nature, gravity and duration of the violation (Article 83(2)(a) of Regulation 2016/679), the intentional or unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679), and the categories of personal data affected by the violation (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. At this point, it should be pointed out that consideration of their combined impact on the assessment of the violation found in the present case leads to the conclusion that the level of its seriousness in concreto is low (on the scale of seriousness of violations presented in paragraph 60 of Guidelines 04/2022). The consequence of this, in turn, is the adoption, as the starting amount for the calculation of the penalty, of a value within the range from 0 to 10% of the maximum amount of the penalty that can be imposed on the Processor. Given that Article 83(4) of Regulation 2016/679 obliges the President of the DPA to adopt, as the maximum amount of the penalty for the violation indicated in this provision, the amount of EUR 10,000,000 or, if this value is higher than EUR 10,000,000, the amount constituting 2% of the Processor's turnover from the previous fiscal year, the President of the DPA considered that the so-called “static maximum amount of the penalty” applies in the present case, i.e. EUR 10,000,000, which is an amount higher than that resulting from applying the 2% ratio to the Processor's turnover for 2023, which amounted to EUR (...). With a range of EUR 1,000,000 to EUR 2,000,000 available, the President of the DPA adopted, as adequate and justified by the circumstances of the case, a starting amount for calculating the penalty of EUR (...) (representing (...)% of the static maximum penalty amount).
3. The President of the DPA adjusted the starting amount corresponding to the low seriousness of the identified violation to the turnover of the Processor as a measure of its size and economic strength (vide Chapter 4.3 of Guidelines 04/2022). According to Guidelines 04/2022, for companies with an annual turnover of less than or equal to EUR 2 million, the supervisory authority may consider further calculating the amount of the penalty based on a value between 0.2% and 0.4% of the starting amount. Given that the Processor's turnover in 2023 amounted to PLN (...), i.e. EUR (...) (according to the average EUR exchange rate as of January 29, 2024), the President of the DPA deemed it appropriate to adjust the amount of the penalty to be calculated to a value corresponding to (...)% of the starting amount, i.e. to the amount of EUR (...) (equivalent to PLN (...)).
4. The President of the DPA assessed the impact on the identified violation of the other circumstances (in addition to those taken into account above in assessing the seriousness of the violation) indicated in Article 83(2) of Regulation 2016/679 (vide Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the violation, relate, as assumed by Guidelines 04/2022, to the subjective side of the violation, that is, to the violator himself and to his behavior before, during and after the violation. A detailed assessment and justification of the impact of each of these premises on the assessment of the violation are presented above. The President of the DPA found (as justified in the above part of the reasoning of this decision) that the other prerequisites of Article 83(2)(c), (d), (e), (f), (h), (i), (j) and (k) of Regulation 2016/679 had, as indicated above, no impact, either mitigating or aggravating, on the assessment of the violation and, consequently, on the penalty. Due to the absence of additional mitigating or aggravating circumstances in the case related to the subjective side of the violations (assessment of the Processor's conduct before and after the violations), the President of the DPA considered it reasonable to leave the amount of the penalty determined on the basis of the assessment of the seriousness of the violation (point 2 above) unchanged at the level of EUR 2,250.
5. The President of the DPA considered that the amount of the aforementioned penalty does not require any additional adjustment on account of the principle of proportionality set out in Article 83(1) of Regulation 2016/679, which is one of the three directives for penalty assessment (vide Chapter 7 of Guidelines 04/2022). A fine of the equivalent of EUR 2,250 will be an effective penalty (by its severity it will achieve its repressive purpose, which is to punish unlawful behavior) and a deterrent one (effectively discouraging both the Processor and other processors from committing future violations of Regulation 2016/679). The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (vide paragraphs 137 and 139 of Guidelines 04/2022). In other words, “A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of the specific case” (P. Litwinski (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 [...]; Commentary to Article 83 [in:] P. Litwinski (ed.), General Data Protection Regulation. Law on personal data protection. Selected sector regulations. Commentary). The amount of PLN 9,822, which is the equivalent of EUR 2,250, is the threshold above which further increases in the amount of the penalty would not, in the opinion of the President of the DPA, be associated with an increase in its effectiveness and deterrent character. On the other hand, reducing the amount of the penalty further could come at the expense of its effectiveness and deterrent character, as well as the consistent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities in the EU and EEA internal market.
VI. Directives of effectiveness, proportionality and deterrence of the sanction applied to the Processor (Article 83(1) of Regulation 2016/679).
In the opinion of the President of the DPA, the administrative fine imposed on Mr. EF and Mr. GH, partners of Y s.c., Al (...), and Ms. CD, former partner of Y s.c., all jointly and severally liable, fulfills in the established circumstances of the present case the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.
The penalty will be effective if its imposition leads the Processor to comply with its personal data protection obligations in the future, in particular with regard to the issue of implementing appropriate technical and organizational measures, duly mitigating the risk of a personal data protection breach.
In the opinion of the President of the DPA, the administrative fine will fulfill a repressive function, as it will constitute a response to the Processor's violation of the provisions of Regulation 2016/679. It will also fulfill a preventive function, as, in the opinion of the President of the DPA, it will indicate both to this particular Processor and to other processors the reprehensibility of disregarding their duties related to assisting controllers in fulfilling their obligations set forth in Articles 32-36 of Regulation 2016/679.
Pursuant to the content of Article 103 of the PDPA, the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in zlotys according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of January 28 of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on January 28 - according to the average exchange rate of the euro announced in the National Bank of Poland's table of exchange rates nearest to that date.
With the above in mind, the President of the DPA, pursuant to Article 83(4)(a) of Regulation 2016/679 in connection with Article 103 of the PDPA, for the violation described in the operative part of this decision, imposed on the Processor, using the average exchange rate of the euro on January 29, 2024 (EUR 1 = PLN 4.3653), an administrative fine in the amount of PLN 9,822 (equivalent to EUR 2,250).
In the opinion of the President of the DPA, the applied fine in the amount of PLN 9,822 (in words: nine thousand eight hundred and twenty-two zlotys) meets, in the established circumstances of this case, the prerequisites referred to in Article 83(1) of Regulation 2016/679, due to the seriousness of the violation found in the context of the fundamental purpose of Regulation 2016/679, namely the protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. Referring to the amount of the administrative fine imposed on the Processor, the President of the DPA found that it is proportionate to the Processor's financial situation and will not constitute an excessive burden for the Processor.
The “(...)” submitted by the Processor shows that its revenue for 2023 amounted to PLN (...); therefore, the amount of the administrative fine imposed in the present case is approximately (...)% of that value. At the same time, it is worth emphasizing that the amount of the imposed penalty of PLN 9,822.00 is only (...)% of the maximum amount of the penalty that the President of the DPA could have imposed on the Processor for the violation found in the present case, applying the maximum penalty of up to EUR 10,000,000 pursuant to Article 83(4) of Regulation 2016/679.
This is because the amount of the penalty has been set at such a level so that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of violation of the Processor's obligations, but on the other hand, it does not cause a situation in which the necessity to pay the financial penalty will entail negative consequences, in the form of a significant reduction in employment or a significant decrease in its turnover. In the opinion of the President of the DPA, the Processor should and is able to bear the consequences of its negligence in the sphere of data protection, as evidenced, for example, by “(...)”, the content of which was disclosed to the President of the DPA on March 15, 2024.
Summing up the above, in the opinion of the President of the DPA, both administrative fines imposed in the present case meet, in light of the totality of the individual circumstances of the case, the prerequisites (functions of the fines) referred to in Article 83(1) of Regulation 2016/679, due to the gravity of the violations found in the context of the basic requirements and principles of Regulation 2016/679.
Taking into account the above, the President of the Office for Personal Data Protection resolved as in the operative part of this decision.
</pre>
</pre>

Revision as of 10:36, 22 November 2024

UODO - DKN.5131.1.2021
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 28(1) GDPR
Article 28(3) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 33(3)(c) GDPR
Article 33(3)(d) GDPR
Article 34(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.10.2024
Published: 12.11.2024
Fine: 353,589 PLN
Parties: n/a
National Case Number/Name: DKN.5131.1.2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: w.p.

The DPA fined a controller PLN 353,589 and a processor PLN 9,822 for violations of data security duties that led to a data breach affecting approximately 200 people.

English Summary

Facts

An individual who is a sole entrepreneur (the controller) was attacked with ransomware. The attackers encrypted the personal data of the controller’s customers and employees, approximately 200 people. The encrypted data included, in particular, the national identification number (PESEL), name and surname, address, bank account number, e-mail address and phone number. Shortly after the attack, the controller restored access to the data. The identity of the attackers remained unknown.

The controller indicated that the breach stemmed from human error: supposedly, one of the controller’s employees had turned off the antivirus software. Moreover, the attackers also exploited a vulnerability in the server. The controller explained that a third party responsible for server maintenance and IT services (the processor) had failed to update the server’s software for a certain period, so the vulnerability was still present when the data breach took place.

The controller notified the Polish DPA (UODO) of the data breach. Because access to the data was restored immediately, the controller found that the breach did not result in a high risk to data subjects’ rights and freedoms. Allegedly, the attackers’ only purpose was to obtain a ransom from the controller in exchange for access to the data, not to access or share the data. Initially, the controller did not notify the data subjects under Article 34 GDPR, citing the technical and organisational measures implemented in response to the breach. Eventually, a month after the DPA notification, the controller notified the data subjects by publishing an announcement within its premises.

The DPA found no evidence that the confidentiality of the data had not been affected by the breach. Thus, the DPA ordered the controller to renotify the data subjects. The DPA held that the original notification was incomplete, as it lacked, inter alia, the contact details of the DPO and a description of the measures applied by the controller after the breach.

The DPA decided to initiate ex officio proceedings against the controller.

During the proceedings the controller stated that all employees had undergone training on data protection duties prior to the breach. Moreover, the controller regularly made backups of the processed data.

Holding

The DPA found the controller violated GDPR.

The categories of data processed by the controller required increased data security. Specifically, the controller did not introduce measures preventing its IT assets from being infected by ransomware. In the DPA's view, keeping software up to date was such a preventive measure.

The controller did not update the server software for approximately two years. Moreover, the controller failed to regularly test and reassess the risk posed by its processing activities. In particular, the DPA emphasised that the controller failed to demonstrate a risk assessment covering a potential ransomware attack.

The DPA expressed doubts about the security measures implemented by the controller after the breach. As stated by the DPA, there was no evidence that any security audit of the controller’s IT assets had been performed following the breach. Furthermore, the DPA was uncertain whether the controller supervised the implementation of the new security measures. At the same time, the DPA noted the lack of a backup management procedure. Consequently, the controller was unable to restore access to the data without undue delay.

Thus, according to the DPA, the controller did not perform the risk assessment required under Article 32 GDPR either before or after the breach. The insufficient security measures in place led to the data breach and the subsequent violation of the data confidentiality and integrity principles.

Additionally, the controller neither verified nor audited how the processor fulfilled its data security and other duties stemming from the GDPR. For the DPA, such an omission amounted to a violation of Article 28(1) GDPR. Also, the controller did not demonstrate how the processor assisted the controller in maintaining data security under Articles 32-36 GDPR. Hence, the processor violated Article 28(3)(f) GDPR and Article 32(2) GDPR.

In addition, the controller violated Article 34(2) GDPR. The controller didn’t provide affected data subjects with enough information, in particular, about the consequences of the breach and available remedies.

In consequence, the DPA found violation of Article 5(1)(f) GDPR, 5(2) GDPR, 24(1) GDPR, 25(1) GDPR, 28(1) GDPR, 28(3) GDPR, 32(1) GDPR, 32(2) GDPR, 33(3) GDPR and 34(2) GDPR.

The controller was fined PLN 353,589 (approximately €81,000). Separately, the processor was fined PLN 9,822.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Warsaw, 09 October 2024.
Decision
DKN.5131.1.2021

Pursuant to Article 104 § 1 of the Act of June 14, 1960 Code of Administrative Procedure (Journal of Laws of 2024, item 572), Article 7 (1) and (2), Article 60, Article 101 and Article 103 of the Law on Personal Data Protection (Journal of Laws of 2019, item 1781), and Article 57 (1) (a) and (h) and Article 58 (2) (d) and (i), Article 83 (para. 1 - 3, Article 83 (4) (a) in connection with Article 24 (1), Article 25 (1), Article 28 (1) and (3), Article 32 (1) and (2), and Article 34 (2) in connection with Article 33 (3) (c) and (d), and Article 83 (5) (a) in connection with Article 5 (1) (f) and Article 5 (2) of Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016. on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2, and Official Journal of the EU L 74 of 4.03.2021, p. 35), hereinafter referred to as “Regulation 2016/679”, having conducted ex officio administrative proceedings on violations of data protection regulations by Mr. AB, doing business under the name X, ul. (...) (as data controller), and Ms. CD, Mr. EF and Mr. GH, partners of the civil partnership Y, Al. (...) (as processors), the President of the Office for Personal Data Protection,

I. finding a violation by Mr. AB, doing business under the name X, Al (...), of the provisions of:
(a) Articles 24(1), 25(1) and 32(1) and (2) of Regulation 2016/679, consisting in:
- failure to implement appropriate technical and organizational measures to ensure the security of the processing of personal data in information systems and the protection of the rights of data subjects, on the basis of a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons,
- Failure to implement appropriate technical and organizational measures to ensure regular testing, measurement and evaluation of the effectiveness of technical and organizational measures to ensure the security of personal data processing in information systems, in particular with regard to vulnerabilities, errors and their possible effects on such systems and the measures taken to minimize the risk of their occurrence,
- failure to implement appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data processed in information systems in the event of a physical or technical incident,

resulting in violation of the principle of confidentiality (Article 5(1)(f) of Regulation 2016/679) and the principle of accountability (Article 5(2) of Regulation 2016/679),
(b) Article 28(1) of Regulation 2016/679, by failing to verify that the processor provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects,
(c) Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, by failing to provide data subjects with a description of the possible consequences of a personal data breach and a description of the measures taken or proposed by the controller to remedy the personal data breach,

1. imposes on Mr. AB, doing business under the name of X, (...) Street, for violating Articles 5(1)(f), 5(2), 25(1), 28(1), 32(1) and (2), and 34(2) in connection with Article 33(3)(c) and (d) of Regulation 2016/679, an administrative fine in the amount of PLN 353,589.00 (three hundred and fifty-three thousand five hundred and eighty-nine zlotys);

2. orders Mr. AB, doing business under the name of X, (...) Street, to bring the processing operations into compliance with the provisions of Regulation 2016/679, by conducting a risk analysis of the processing of personal data, taking into account the state of the art, the cost of implementation, the scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons, and on its basis:
(a) implementing appropriate technical and organizational measures to minimize the risks associated with the processing of personal data in information systems, in particular those arising from accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed,
(b) implementing appropriate technical and organizational measures to ensure that the effectiveness of measures to ensure the security of personal data processing in information systems is regularly tested, measured and evaluated,
(c) implementing appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data processed in information systems in the event of a physical or technical incident,
within 60 days from the date of delivery of this decision.

II. finding that Ms. CD, Mr. EF and Mr. GH, partners of Y s.c., Al. (...), violated Article 28(3)(f), in conjunction with Article 32(1) and (2) of Regulation 2016/679, by failing to assist the controller in complying with its obligation to implement adequate technical and organizational measures to ensure the security of the processing of personal data, imposes on Mr. EF and Mr. GH, partners of Y s.c., Al. (...) and on Ms. CD, former partner of Y s.c., all jointly and severally liable, an administrative fine in the amount of PLN 9,822 (in words: nine thousand eight hundred and twenty-two zlotys).

Justification

On December 3, 2019, Mr. AB, doing business as X, (...) Street, associated - according to the information on his website - with the nationwide production “(...)”, hereinafter referred to as the Administrator, made a preliminary notification to the President of the Office for Personal Data Protection, hereinafter referred to as the President of the DPA or the supervisory authority, of a personal data protection breach consisting of a ransomware attack carried out by undetermined perpetrators, as a result of which the availability of the following categories of personal data was lost, both of “(...) customers who have purchased [Editor's note: from the Administrator] at least once (...)” and of former and current employees of the Administrator “(...) in the number of approximately 200 (...)”: PESEL number, ID card series and number, first and last names, parents' names, date of birth, bank account number, residence or stay address, e-mail address, telephone number. In the aforementioned notification of a personal data protection breach, the Administrator stated that, in his opinion, “(...) the cause of the breach was most likely human error - an employee (...)”; at the same time, the modus operandi of the perpetrators allowed the Administrator to assume that “(...) the purpose of encrypting the data was not to steal it (...), but only ‘(...) to obtain a material benefit (...)’”. The Administrator also indicated that, due to the short duration of the incident in question and in view of the fact that “(...) access to the encrypted data was obtained”, he did not find a high risk of violation of the rights or freedoms of natural persons, and that the technical and organizational security measures implemented prior to the occurrence of the personal data protection breach in question justified, in the Administrator's opinion, the lack of necessity to notify data subjects of the breach of the protection of their personal data. In a supplementary notification made to the President of the DPA on January 8, 2020, the Administrator upheld its previous argumentation, while informing that it had notified data subjects of the personal data protection breach in question in the form of a public announcement available at the Administrator's company headquarters, and presenting the anonymized content of the notification to data subjects in connection with the breach.

The notifications in question of a personal data breach provided the impetus for the supervisory authority to assess the Administrator's implementation of its obligations under the provisions of Regulation 2016/679 regarding proper data security and organization of the personal data protection system.

In view of the above, the President of the DPA, acting pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, in a letter dated February 24, 2020, asked the Administrator to provide additional explanations in the case, including:
1) providing the characteristics of the encrypted files, most importantly the file extension;
2) providing the full content of the RTF file message, “(...) which indicates instructions for action to unlock the encrypted data”;
3) providing information on whether, in connection with the occurrence of the data breach in question, the Administrator considered reporting the incident to NASK's CSIRT (incident.cert.pl) to obtain more information on the malware based on the transmission of one of the encrypted files;
4) indicating whether the Administrator conducted an investigation that determined that personal data had not been disclosed to unauthorized persons;
5) providing information on the Administrator's analysis of the personal data breach that occurred, on the basis of which it was determined that the unavailability of data did not cause a high risk of violation of the rights or freedoms of individuals;
6) informing whether the Administrator has implemented the measures declared in point 9B of the January 8, 2020 notification form, to minimize the risk of a recurrence of a personal data breach, including, among other things, establishing cooperation with a professional IT entity to conduct “(...) at least twice a year an additional independent audit [of the Administrator's IT infrastructure - added. on...] (...)”, introducing ‘(...) a system (...) (...)’, completing work to establish ‘(...) network segmentation (...)’, or restricting its users from ‘(...) interfering with the operation of anti-virus software (...)’.

In a letter dated March 5, 2020, responding to the aforementioned request from the President of the DPA, the Administrator explained that notifying the “(...) incident in question to the NASK CSIRT (...)” was admittedly in his area of interest but he ultimately decided not to do so. Nevertheless, the Administrator indicated that he “(...) conducted an investigation, but focused first on remediating the consequences of the breach (...)”, in which “(...) the nature of the attack carried out (...)” indicated, in the Administrator's opinion, in all likelihood only a desire “(...) to extort a ransom for the decryption of the data, and not its further dissemination (...)”. In doing so, the Administrator mentioned that “(...) it does not have data that unequivocally excludes the possibility of downloading data by unauthorized third parties during the intrusion (...),” while assuring that the measures declared in paragraph 9B of the January 8, 2020 data breach notification form, mitigating the risk of a recurrence of a data breach, had been successfully implemented “(...) for the most part (...)”, with the exception of “(...) the introduction of a system (...)”. Notwithstanding the above, the Administrator provided the content of the message contained in the RTF file, as well as the name and extension of the encrypted file, i.e. “(...)”.

Based on an analysis of the content of the notice provided to data subjects and of the nature of the breach that occurred, its duration, the categories of data and categories of persons affected by the breach and the corrective measures applied, and in light of the additional explanations submitted by the Administrator in connection with the personal data protection breach in question, the President of the DPA found that there were insufficient grounds for an assumption allowing the unequivocal conclusion that “(...) the purpose of encrypting the data was not to steal it (...)”. The above assessment was affected primarily by the Administrator's failure to provide details regarding the investigation conducted and its results, including, in particular, the lack of sufficient evidence of the steps taken by the Administrator to actually determine how the malware worked.

In this light, recognizing that in the case in question there may nevertheless have been a breach of the confidentiality of categories of personal data of the Administrator's employees and customers in the form of PESEL number, series and number of identity card, first and last names, parents' first names, dates of birth, bank account numbers, residence or stay addresses, e-mail addresses and telephone numbers, thus causing a high risk of violation of the rights or freedoms of natural persons, the President of the Personal Data Protection Office, acting pursuant to Article 52(1) of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the PDPA, and Article 34(4) of Regulation 2016/679, requested the Controller to reissue a notice to data subjects in connection with violations of the protection of their personal data. In doing so, the Authority concluded that the notice sent to data subjects did not meet the conditions set forth in Regulation 2016/679 insofar as it did not contain information regarding the name and contact details of the Data Protection Officer or the designation of another point of contact from whom more information could be obtained, a description of the possible consequences of the personal data protection breach, and a description of the measures taken or proposed by the Controller to remedy the breach - including, where applicable, measures to minimize its possible negative effects. Pursuant to the provisions of Article 52(1) of the PDPA and Article 34(4) of Regulation 2016/679, the President of the DPA required the Administrator to inform the authority of the implementation of the measures in the scope presented above within 30 days from the date of receipt of the said request. Notwithstanding the above, acting pursuant to Article 58 (1) (a) and (e) of Regulation 2016/679, the authority also called on the Administrator to supplement the explanations submitted to date, by:
1) presenting the results of the investigation referred to in paragraph (...) of the letter of March 5, 2020, and, in particular, indicating the vulnerability that was used to carry out the attack in question, including the manner in which this breach occurred - whether it was caused by a human factor, resulting, for example, from opening an attachment in an email correspondence, and if so, whether the Administrator performed an analysis to determine how the malware worked, or rather, whether the breach of personal data protection was the result of a vulnerability that existed in the IT system, and if so, to indicate the period of existence of this vulnerability and what actions, if any, were taken in connection with this fact;
2) to provide information on whether, and if so, when and how the Administrator regularly tested, measured and evaluated the effectiveness of technical and organizational measures to ensure the security of personal data processing.

In response to the above-mentioned request from the President of the DPA, the Administrator, in a letter dated April 10, 2020, indicated that he had directly informed employees of the breach in the protection of their personal data, while, due to “(...) the extraordinary and objective situation related to the COVID-19 epidemic (...)”, “(...) the Administrator's customers were informed through a public announcement (...)”. He also communicated the contents of the notices formulated again in connection with the occurrence of the data protection violation in question, addressed to data subjects. The Administrator, in describing the possible consequences of this breach, pointed to the following negative consequences associated with it: “(...) [d]ata affected by the breach may be used for such purposes as an attempt to defraud others using your data, or an attempt to enter into a contract with you (for example, an online sale) using the data, or to execute a hacking attack by sending a notification to your email or phone number. There is also a chance that you will receive commercial, marketing information to which you have not given your consent.” In turn, in an attempt to provide data subjects with a description of measures to minimize the possible negative consequences of the November 25, 2019 incident, the Administrator advised those persons to take the following action: “(...) [d]o not respond to emails and text messages whose origin you are not sure of, and do not open the links posted in them. Doing so may cause your equipment to become infected.”

In addition, the Administrator, also referring to a previous exchange of correspondence conducted with the supervisory authority, reported that he had “(...) performed the following actions aimed at strengthening the security of the processed personal data (...)”, among which are: “(...) complete decommissioning of the system on which the infection occurred (...)”; updating operating systems to the latest available versions, including changing the operating system (...) to (...); basing control over access to data processing, including personal data, on “(...)”, also by assigning users of the IT structure “(...) roles corresponding to their positions (...)”, while restricting access to other network resources; (...) “(...) between access to the applications on which users work and the database on which personal data and business data are stored (...)”; creating network users “(...) (...)”.

Notwithstanding the above, the Administrator indicated that he had made a change in the work model, by implementing the (...) solution, with the simultaneous closure of “(...) the [IT] infrastructure - added by the owner] from outside (...)”; introducing (...); scheduling (...) “(...) (...)”. The contents of the said letter also highlighted the circumstance of the progressive, successive replacement of “(...) (...) (...)” as well as the fact of taking away “(...) users' ability to control the antivirus software (...)”, which after the changes “(...) can only be disabled by the IT team (...)”. According to further assurances from the Administrator, there has been “(...) (...) (...)”, and “(...) software (...) (...) has been implemented”, intended by the Administrator to “(...) (...)”.

The Administrator also mentioned plans to appoint a data protection officer in his organization, “(...) who will be responsible for dealing with the DPA, but will also be able to propose a training plan for employees (...)” and about the need to “(...) anonymize the database modules (relating to personal data of individual customers and employees), so that in the electronic system the data would be encrypted, and would be readable only by a small group of employees with codes for the decryption program.”

In an attempt to establish the etiology of the personal data protection breach in question, in the aforementioned letter, the Administrator additionally indicated that - in his opinion - it was the result of “(...) the disabling of the licensed antivirus program A. by one of the (...) employees, as a result of which “(...) the (...) equipment was infected (...) (...)”, “(...) obtaining user credentials (...)”, followed by remote login of the perpetrators to the IT system and consequently encryption of personal data. The Administrator also reported that for the above criminal action, “(...) the vulnerability of the B. server, which had not been updated for a long time,” was exploited, as a result of the non-performance or improper performance of an obligation by entities that have provided IT services to the Administrator to date. Finally, the Administrator also provided information regarding the filing of the case in question with the NASK CSIRT.

The information presented by the Administrator in the aforementioned regard and contained in the correspondence exchanged with the supervisory authority to date constituted, in the opinion of the President of the Personal Data Protection Office, sufficient grounds to initiate ex officio administrative proceedings for violation by the Administrator of the provisions on personal data protection within the meaning of Regulation 2016/679, i.e. Articles 5(1)(f), 5(2), 24(1), 25(1), 28(1) and 28(3), 32(1) and 32(2), and 34(2) in conjunction with 33(3)(c) and 33(3)(d) of Regulation 2016/679, of which the party was notified by letter dated January 29, 2021. At the same time, in the notice, the President of the DPA called on the Administrator to provide additional explanations, including, among others:
1) to indicate the service contract and the contract for entrustment of personal data processing concluded with the entities in the IT area referred to in the letter of April 10, 2020, including the period of provision of these services, together with the justification of how the Administrator verified the aforementioned entities to ensure sufficient guarantees of professional provision of these services;
2) describe the organizational complexity of the Administrator, including, among other things, the number of workstations, the organization of work, the number of employees operating the aforementioned workstations;
3) provide information regarding the period of operation of the organization as presented in the letter of April 10, 2020, in particular indicating since when the Administrator had been using B. software;
4) indicate whether the Administrator had - as specified in the letter of April 10, 2020 - a server in its own infrastructure, and whether these services were and are currently being provided by an external entity in the form of outsourcing, and in the case of a positive answer, to provide copies of contracts for the provision of services, including the contract for entrustment of personal data processing, concluded with this entity;
5) to inform on what basis access to the Administrator's IT environment took place prior to the occurrence of the personal data protection violation in question, and whether a risk analysis was carried out by the Administrator with regard to the security of personal data processing, while presenting its results;
6) indicate the rationale for granting administrative privileges to employees on workstations and allowing them to thereby disable anti-virus software;
7) indicate the names and dates of training courses conducted by the Administrator for employees on data protection regulations.

In response to the notice of initiation, in a letter dated February 16, 2021, the Administrator, referring to the issue of indicating the service contract and the entrustment agreement for personal data processing concluded with entities in the IT area, informed that “(...) it has entered into entrustment agreements for data processing with these entities (dates of the agreements on May 24, 2018) and service contracts.” In doing so, he noted that “(...) the service agreement was not in writing, but nevertheless the parties to this agreement never doubted that Y s.c. CD, EF, GH (hereinafter: Y) was responsible for full IT support since at least 2010, ensuring the security of digitally processed data and providing hardware solutions that met the highest security standard.” Referring, in turn, to the issue of verification of the processor in terms of its compliance with the requirements of Regulation 2016/679, the Administrator indicated that the choice of the said partner was dictated by its long-standing experience obtained in the field of implementation in organizations (...), which was reflected in the status it held “(...) (...)”.

Describing his organizational structure, the Administrator explained that he has been conducting business operations, since 1992, in the form of a one-person business, in which each of the organization's 30 employees - involved in personal data processing processes - operates according to the authorizations granted, carrying out their tasks on 33 workstations. In addition, the Administrator outlined a picture in which each of the computers is equipped with up-to-date antivirus software recommended by the IT service provider, where access to resources “(...) is protected by passwords (...)” at the exclusive disposal of the company's staff members, and “(...) specialized IT service providers ensure the integrity and security of the computer system and the information contained therein.” In doing so, the Administrator stated that although “(...) it is difficult from the perspective of 2021 to determine (...)” when specifically “(...) there was a change in the environment, firewalls, or antivirus software (...)”, to his knowledge “(...) the operating system of B. [B. - add. on] was used in the Administrator's enterprise from October 2010, while this program enjoyed the support of (...) until January 14, 2020.”

With regard to the issue of the location of the server infected in the attack in question, the Administrator informed that it was located in the company's own structure, and that the correct operation of the server was supervised by Y s.c. At the moment - according to the Administrator's statement - “(...) the server is being handled by [another entity from the IT support sector - own added] Z Sp. z o.o.”.

In the characteristics of access rules to the company's IT environment prior to the occurrence of the personal data protection violation in question, there were none related to solutions based on (...), and the risk analysis of the system so designed (privacy by design) “(...) was based on ongoing IT consulting provided by Y.”. At the same time, the Administrator assured that at the time of the data protection breach in question, “(...) employees had the status of standard users, without administrative rights to the server (...)”, and their level of knowledge of data protection regulations, gained through participation in two training courses conducted by the Administrator, i.e., respectively “(...) on June 30, 2018 on the subject of: RODO - general principles of application of the new regulations, and on May 20, 2020 on the subject of: RODO and the Personal Data Protection Act in the operation of an enterprise (...)” allowed - in the Administrator's opinion - to consider that the persons employed by it are aware that “(...) it is not permissible to configure hardware or software settings on their own”.

In order to supplement the explanations submitted so far in this case, the President of the DPA, in a letter dated July 1, 2021, asked the Administrator to respond to the following issues:
1) describe the Administrator's procedures for creating, storing and testing backups both before and after the breach in question;
2) indicate whether the Administrator has effectively implemented firewalls (...), as declared in the letters of March 5 and April 10, 2020, along with the date of their implementation;
3) provide a copy of the correspondence carried out - in accordance with the Administrator's declarations - with respect to the matter in question with NASK's CSIRT;
4) indicate what permissions the Administrator's employees had on the workstations;
5) provide information on whether the new entity providing IT services to the Administrator, i.e. Z Sp. z o.o., based in M., performed a security audit of the Administrator's IT environment, which it was obliged to perform by the contents of paragraph (...) of Appendix C “(...)” to “(...)”, to “(...)”, including the presentation of its results, and to inform whether they were taken into account by the Administrator in its risk analysis for personal data processing processes;
6) to report whether the Administrator conducted training sessions for staff on data protection regulations in the second half of 2020 and in 2021, including the dates and names of these training sessions.

In a clarification dated August 16, 2021, the Administrator submitted that backups are performed automatically, at 24-hour intervals, using (...) software (...), using C. (...), where a “(...) summary report is generated to administrators responsible for overseeing backups.” The Administrator also stated that he “(...) stores at least 90 recent backups locally (...)”, while “(...) after the completion of each backup cycle, a replica of the backup is performed to a repository held by Z. Ltd. (...)”. In turn, “(...) at least the last 7 restore points are stored in the remote repository.”
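As an added illustration that is not part of the decision or of either party's own tooling, the backup scheme the Administrator described (24-hour cadence, at least 90 local copies, a remote replica after each cycle, at least the last 7 restore points offsite) can be written down as a policy that a defender checks against the backup catalog; the catalog, job names and the two-hour tolerance below are constructed assumptions.

```python
"""Retention check for the backup scheme described in the decision: automatic
backups at 24-hour intervals, at least 90 recent backups kept locally, a
replica of each completed cycle pushed to a remote repository, and at least the
last 7 restore points kept remotely. Catalog data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    job_id: str
    finished: datetime
    location: str   # "local" or "remote"
    ok: bool        # the job reported success


# Policy figures come from the Administrator's statement; the 2 h slack for
# job-runtime jitter is an assumption made for this example.
POLICY = {
    "interval": timedelta(hours=24),
    "slack": timedelta(hours=2),
    "local_min": 90,
    "remote_min": 7,
}


def check_retention(backups, now, policy=POLICY):
    """Return a list of findings; an empty list means the catalog meets policy."""
    findings = []
    local = sorted((b for b in backups if b.location == "local" and b.ok),
                   key=lambda b: b.finished)
    remote_ok = {b.job_id for b in backups if b.location == "remote" and b.ok}
    limit = policy["interval"] + policy["slack"]

    # 1. Cadence: successive successful local backups must be ~24 h apart.
    for prev, cur in zip(local, local[1:]):
        gap = cur.finished - prev.finished
        if gap > limit:
            findings.append(f"cadence: gap of {gap} before {cur.job_id}")
    if not local or now - local[-1].finished > limit:
        findings.append("cadence: no successful local backup within the last cycle")

    # 2. Local retention depth.
    if len(local) < policy["local_min"]:
        findings.append(f"local retention: {len(local)} backups, "
                        f"policy requires {policy['local_min']}")

    # 3. Replica after each cycle: the newest local backup must already be remote.
    if local and local[-1].job_id not in remote_ok:
        findings.append(f"replication: latest cycle {local[-1].job_id} has no remote replica")

    # 4. Remote restore points: the N most recent local points must exist remotely.
    recent = [b.job_id for b in local[-policy["remote_min"]:]]
    missing = [j for j in recent if j not in remote_ok]
    if missing:
        findings.append(f"remote retention: {len(missing)} of the last "
                        f"{policy['remote_min']} restore points missing remotely: {missing}")
    return findings


def make_catalog(now, days=92, remote_days=7, skip_days=(), replica_fail=()):
    """Constructed sample catalog: one nightly local job per day for `days` days,
    with remote replicas for the most recent `remote_days` jobs. Days listed in
    `skip_days` had a failed local job; days in `replica_fail` had a failed replica."""
    items = []
    for d in range(days):
        finished = now - timedelta(days=d)
        job = f"job-{finished:%Y%m%d}"
        items.append(Backup(job, finished, "local", d not in skip_days))
        if d < remote_days:
            replica_ok = d not in skip_days and d not in replica_fail
            items.append(Backup(job, finished + timedelta(minutes=30), "remote", replica_ok))
    return items


if __name__ == "__main__":
    now = datetime(2021, 8, 16, 2, 0)
    for label, catalog in [
        ("compliant", make_catalog(now)),
        ("one failed night", make_catalog(now, skip_days=(3,))),
        ("latest replica failed", make_catalog(now, replica_fail=(0,))),
    ]:
        print(label, check_retention(catalog, now) or "OK")
```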

The Administrator also pointed to the circumstance of stopping work on the implementation of “(...) device (...) and changing the way the environment is protected (...)”, by implementing “(...) on all end computers [and servers with end-user access - added by the Administrator] software (...) in a version that allows the analysis of all workstations”. Moreover - according to the Administrator's declaration - users are currently deprived of the possibility of any influence on the effectiveness of the aforementioned software, which has been “(...) set up in a maximally aggressive manner, prioritizing security over end-user convenience (...)”, so as to “(...) actively block incoming connections from the analyzed endpoint (...)”.

Referring to the issue of the permissions held by the Administrator's employees on the workstations at the time of the data protection violation in question, the Administrator characterized them as “(...) standard user permissions.” On the other hand, with regard to the issue of the security audit of the Administrator's IT environment carried out by Z. Sp. z o. o., based in M., the Administrator informed the authority that the aforementioned action had been carried out, which resulted in the creation of “(...)”, which the Administrator intends to use as a benchmark for setting further IT security goals.

Notwithstanding the above, the Administrator acknowledged that in the second half of 2020 and in 2021 “(...) no additional training [in the area of data protection regulations - added by the Administrator] (...)”, however, the educational activities implemented to date in the aforementioned area have, in his opinion, translated into a due “(...) increase in the awareness of the Administrator's employees in the area of personal data protection.”

The Administrator also provided the contents of the correspondence exchanged with the NASK CSIRT on the subject matter.

Notwithstanding the above, the Administrator, in a letter dated November 9, 2021, again referred to the underlying causes of the personal data protection breach in question, identifying it as being the result of human error, “(...) which could not be avoided, despite the undertaking of measures to protect personal data (...)”, and which materialized for fortuitous reasons on November 25, 2019, “(...) in the course of carrying out modernization work (...)” and during the period when the transfer of “(...) responsibilities between two companies providing [IT - add...] services to Company X (...)” took place. At the same time, the Administrator highlighted the problem, which, in his opinion, every organization faces in its daily operations, concerning the human factor, as that risk factor which cannot be completely eliminated by “(...) even extraordinary actions by the employer (...)”, citing a number of cases drawn from the history of the operation of his organization, which are examples of actions on the part of personnel that openly deviate from the procedures in force in the Administrator's organization regarding the protection of personal data.

The findings made in the course of these proceedings made it possible to conclude that each of the partners of Y s.c. (Al. (...)), hereinafter also referred to as the Processor, was also responsible for the processing of personal data subject to the personal data protection violation in question. Consequently, in view of the fulfillment of the prerequisites set forth on the basis of Article 28 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2024, item 572), the President of the DPA weighed that in the present case there is a legitimate need for the authority to assess the implementation by Ms. CD, Mr. EF and Mr. GH of the obligations of the Processor, to whom the Administrator entrusted, pursuant to § 2(1) of the agreement “(...)” concluded on May 24, 2018, the processing on its behalf and for its benefit of the personal data of its “(...) employees, temporary employees, contractors, employee's family members, trainees and interns, contractors (...)”, of which the parties were duly notified on June 10, 2022. In this regard, it should be noted that according to the wording of the May 19, 1998 agreement “(...)”, submitted by the Processor by letter dated May 24, 2022, with subsequent annexes, Ms. CD - pursuant to the “(...)” dated December 28, 2021 - withdrew “(...) [as of] December 31, 2021 from Y S.C. (...)”.

Notwithstanding the above, acting pursuant to Article 58 (1) (a) and (e) of Regulation 2016/679, the President of the DPA summoned on June 10, 2022 each person who was a partner of Y S.C. (Al. (...)) on the date of the data protection violation in question, i.e. Ms. CD, Mr. EF and Mr. GH, to:
1) submit the security policy in effect at Y s.c. for the period from May 24, 2018 to December 3, 2019, affecting the processes of processing personal data entrusted by the Administrator;
2) characterize the actions taken by Y s.c. in the period from May 24, 2018 to December 3, 2019 to assist the Administrator in complying with its obligations set forth in Articles 32 - 36 of Regulation 2016/679, including whether Y s.c. performed a security audit of the Administrator's IT infrastructure, and in the event of a positive answer to provide the date and results of the evaluation, and in the event of a negative answer to provide the reasons for not performing such an audit;
3) provide a description of the reasons for the security incident of November 25, 2019, which resulted in a breach of the protection of personal data processed by the Administrator;
4) provide information on the privileges held by users of the Administrator's IT infrastructure to the infected server both before and after the occurrence of the personal data protection breach in question;
5) indicate the date of termination of cooperation between the Administrator and Y s.c.

In concurring statements submitted to the supervisory authority on June 27, 2022 and July 8, 2022, respectively, the aforementioned partners of Y s.c. indicated the following:
1) “(...) Company Y s.c. does not have and did not have a signed contract for the administration of the IT infrastructure at Company X.”, being responsible “(...) for the provision of the database server, licenses, implementation and maintenance work related to the d. system, hence ‘(...) has within the Administrator's IT infrastructure the authority to manage the d. system’;
2) “(...) in the period from May 24, 2018 to December 3, 2019 (...)” a number of measures were taken to assist the Administrator in complying with its obligations under Articles 32-36 of Regulation 2016/679, in accordance with the May 25, 2018 Personal Data Processing Entrustment Agreement between the two entities, viz: “(...) - on June 25 and 27, 2019, a backup check was performed, unneeded USB drives were disconnected and a backup was configured to the location indicated by the Administrator on the N. server, which was not provided, configured and managed by Y s.c.; - on September 16, 2019, [Y s.c. - added on its own] delivered the Server (...), along with B. licenses for the d. system; - on November 13, 2019, it submitted a bid for a Router and UPS, after accepting the bid, on November 20, 2019, it physically delivered the equipment, but the installation at the premises of X (...) was not performed.”
3) “(...) after the occurrence of the ransomware attack on the Administrator's IT infrastructure from November 25 to December 3, 2019, the following actions were taken [Y, Al. (...) - add. on]: disconnect the server from the network; provide A. antivirus software licenses; decrypt the base; scan computers from branches and headquarters; install new (...) + basic configuration + (...); install the system on the new server; configure the system and install d. - Base restoration; start case analysis; scan with newly purchased A. server software.”
4) “(...) Company Y s.c. did not perform a security audit of the Administrator's IT infrastructure, and the reason for this was the lack of such an order on the part of the Administrator, and it was not part of the personal data entrustment agreement concluded on May 24, 2018.”
5) according to the Processor's assessment, made on the basis of “(...) actions taken to recover the Administrator's lost data availability (...) the main reasons [for the occurrence of the personal data protection breach in question - added by the Processor] were the negligence of employees with regard to compliance with the rules for the use of IT equipment inside Company X.”

At the same time, the Processor submitted the contents of the Security Policy in effect at its organization “(...) at the time of the incident” [of the personal data protection breach in question - added by the Processor - on its own], and submitted a copy of the “(...)” “(...) for the purpose of executing [this - add. on...] agreement with regard to the operation, operation and maintenance of the d. system at the Administrator's enterprise, and the due fulfillment of the obligation to statutory state authorities.”, while indicating that “(...) the above Personal Data Entrustment Agreement has not been terminated by any party and is still in force.”

In order to supplement the explanations submitted so far in the course of these administrative proceedings, on May 25, 2023, the President of the DPA requested the Administrator, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, to:
1) identify the server on which the personal data breach in question occurred;
2) inform whether the “d.” system was seated on a server using software (...).

In addition, given that the Administrator, in paragraph 3 of the letter of April 10, 2020, stated, among other things, that “(...) The previous company (whose services the Administrator was not satisfied with due to the lack of timely provision of maintenance services and security system audits) was replaced in September/October 2019 by the company Y s.c.”, the authority requested disclosure of the entity that provided IT system security services to the Administrator prior to the partners of the civil partnership Y, and called for an indication of whether the cooperation with the partners of Y s.c., Al. (...), was terminated, and in the event of a positive answer, asked the Administrator to provide the date of termination of this cooperation, including the relationship of entrustment of personal data processing.

Notwithstanding the above, the President of the DPA, by letters dated May 25, 2023, summoned both former and current partners of partnership Y, i.e. Ms. CD, Mr. EF and Mr. GH, to:
1) inform whether the server (...) delivered on September 16, 2019 was the server on which the data breach in question occurred, and if the answer is negative, to identify the server affected by the breach;
2) to indicate what licenses were provided by Y s.c. (Al. (...)) for the d. system;
3) to inform whether the d. system was seated on a server, using E software.

In response to the aforementioned issues, the aforementioned partners of Y s.c., in concurring statements submitted to the supervisory authority on June 5, 2023, indicated the following:
1) “(...) The data breach in question occurred on another server. The server on which the breach occurred is Server (...).”
2) “(...) For the purposes of the system, d. Y s.c. provided the following licenses to X: d. (...) - 1 unit, d.(...) - 2 units, d. (...) - 1 unit, d. (...) - 23 units. d. (...) - server license, d. (...) - server license, system add-on d. (...), system add-on d. (...), system add-on d. (...), M. (...) - 1 unit, (...) - 15 units, (...) - 10 units, M. (...) - 35 units, (...) - 1 unit, E. - 20 units.”
3) “(...) On the server using the E. software there was an F. server installed with the database used by the d. system. The installation of the d. client application was done on the users' computers.”

The Administrator, on the other hand, addressed the issues placed before him by the President of the DPA on May 25, 2023 only in a letter dated July 7, 2023, and this despite his written commitment before the authority on June 5, 2023 “(...) to submit the aforementioned response by June 15, 2023.” Nevertheless, he explained that:
1) “(...) The personal data protection incident in question occurred on the server: (...).”
2) “(...) There was an F. server installed on the server using the E. software with the database used by the system d. The installation of the e. client application was done on the users' computers.”
3) “(...) In a letter dated February 16, 2021, the Administrator indicated that Y s.c. CD, EF, GH (hereinafter Y) was responsible for providing full IT support since at least 2010, ensuring the security of digitally processed data and providing hardware solutions that meet the highest security standard. V s.c. IJ, KL (hereinafter V), on the other hand, dealt with issues related to the alarm, Wi-fi network or telephone connections.”
4) “(...) The Administrator did not terminate the contract with Y, as it continues to cooperate with this entity to some extent.”

In an attempt to comprehensively consider the evidence gathered in the framework of the present administrative proceedings and the inconsistencies that have emerged in connection with this fact with regard to the findings regarding the server on which the personal data protection violation in question occurred, the President of the DPA asked all parties to this proceeding, by letters dated September 20, 2023, to unequivocally provide information on whether the “d.” system was seated on a “(...)” server using E. software, and in the event of a negative answer, to indicate the name of the software used to operate the server on which the personal data protection violation in question occurred.

In response to the question so posed by the authority, both the former and current partners of the partnership Y, as well as the Administrator, provided the same and precise explanations on September 29, 2023 and October 3, 2023, respectively, with the following wording: “(...) The system >>d.<< was seated on a server “(...)”, using E. software”.

Having considered all the evidence gathered in the case, the President of the Office for Personal Data Protection has considered the following:
I. Violation of Articles 5(1)(f), 5(2), 24(1), 25(1), and 32(1) and (2) of Regulation 2016/679.

I.1 Risk management for personal data processing operations.
The supervisory authority, in its notice of January 29, 2021 on the initiation of administrative proceedings, indicated that the Controller failed, among other things, to comply with the obligation under Article 32 (1) of Regulation 2016/679 to select appropriate technical and organizational measures to ensure the security of the processed data, including the ability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services, and thereby simultaneously failed to comply with its obligations to ensure and demonstrate compliance of the processing with the requirements of Regulation 2016/679, as referred to in Article 24(1) of Regulation 2016/679, and the obligation to effectively implement the data protection principles set forth in Article 25(1) of Regulation 2016/679, and consequently violated the principle of integrity and confidentiality set forth in Article 5(1)(f) of Regulation 2016/679, which imposes on the Controller a duty of due care in ensuring an adequate (in relation to the risk) level of security for the processing of personal data.

Taking into account the wide range of categories of personal data subjected by the Administrator to the processing processes, which also included data that enabled unambiguous identification of natural persons, i.e. PESEL number and categories of persons concerned, in order to properly comply with the obligations imposed by the aforementioned provisions of the Regulation, the Administrator was all the more obliged to take measures to ensure an adequate level of personal data protection by implementing appropriate technical and organizational measures.

There is no doubt that, according to the risk-based approach laid down in the provisions of Regulation 2016/679, it is the controller's burden to undertake the processes of identifying and assessing risk factors and, on this foundation, to formulate its own risk mitigation strategy. Conversely, an erroneous estimation of the level of risk, or worse, the absence of any such estimation, prevents the application of appropriate security measures for a given resource, which inherently increases the likelihood that negative consequences will materialize for the persons whose data are processed as part of a specific process. Thus, in light of the above reasoning, it should be pointed out that Regulation 2016/679 introduced an approach in which risk management is the foundation of personal data protection activities and has the character of an uninterrupted process. In turn, the key condition for demonstrating compliance with the requirements imposed on controllers, in accordance with the principle of accountability referred to in Article 5(2) of Regulation 2016/679, remains not only the one-time implementation of technical and organizational measures guaranteeing an adequate level of protection for personal data processing, but also - as part of a dynamic approach - continuous monitoring of the level of risk in relation to the adequacy of the safeguards put in place. Thus, the controller is obliged to analyse in detail the personal data processing processes it carries out, to comprehensively assess the potential threats to the privacy of the data subjects, and then to apply measures that are adequate to the assessed risks.
Consequently, the risk analysis should be considered the ground for appropriate management of possible vulnerabilities, understood as a weakness or security gap which, when exploited by a given threat, may disrupt the functioning of the organization or even lead to security incidents or breaches of personal data protection.

There is no doubt that, on the facts of the present case, the main risk associated with the personal data processing processes carried out by the Administrator should have been identified as the threat of its IT infrastructure being compromised by means of malware, foreign processes being run in it and an encryption process being started in order to obtain a financial benefit in exchange for the subsequent decryption of the data, i.e. ransomware. The key method of preventing this type of attack is to use up-to-date software for all elements of the IT infrastructure.

Applying the above statement to the circumstances of the case at hand, it should therefore be pointed out that the facts presented constitute a clear exemplification of the state of affairs opposite to that postulated by the provisions of Regulation 2016/679. This is because the findings made in the course of the present proceedings conclusively prove that the Administrator, over an unusually wide time frame, at least from the date of application of the provisions of Regulation 2016/679, i.e. from May 25, 2018 (adopting this perspective seems the most appropriate for assessing the Administrator's compliance with the principle of accountability), used outdated versions of the B. server to carry out personal data processing, and this despite the fact that, as he himself noted in a letter dated February 16, 2021, “(...) this program benefited from E. support until January 14, 2020.” On the contrary: the evidence gathered in the present case does not show that the Administrator, during the period of support offered by the software manufacturer, made use of the possibility of carrying out ongoing updates to the B. server software. In this light, the sequence of events that took place on November 25, 2019 in the form of “(...) infecting the hardware (...) (...)” and obtaining on this basis “(...) user credentials, which made it possible to remotely log in and start the encryption process” should not be doubted, as it constituted the materialization of a long-standing state of high risk of a data protection breach, brought about by the fact that the Administrator based its personal data processing processes on an IT architecture which, given the failure to exercise due diligence in performing cyclic updates, had a number of well-known security flaws.

Significantly, in letters dated April 10, 2020 and February 16, 2021, respectively, the Administrator admitted that, based on the investigation conducted to determine the causes of the data breach in question, it “(...) assumes that a vulnerability of the B. server, which had not been updated for a long time, was exploited,” despite the fact that “(...) this program benefited from E. support until January 14, 2020.” It is therefore clear from the above statements that the event of November 25, 2019 was a logical consequence of negligent omissions on the part of the Administrator, evidencing his gross negligence, manifested both by his proceeding with personal data processing operations without identifying the risks associated with the personal data processing processes taking place in his organization, and by his failure to regularly test, measure and evaluate the technical and organizational security measures implemented for these processes (an obligation the Administrator had to comply with at least from the date of application of Regulation 2016/679), and this despite his knowledge of the updates offered by the software manufacturer. Consequently, it should be considered that the Administrator, when implementing technical and organizational measures to ensure the security of personal data processing processes in his organization, was a priori deprived of an effective tool for assessing whether they were sufficient, and the lack of periodic checks of the implemented tools and of their assessment in terms of risk only compounded this state of ignorance.

There is no doubt that one of the key elements of risk analysis, in addition to determining the resources to be protected in the processing area, is, among other things, the identification of the possible types of risks associated with the aforementioned processing areas and the assignment of appropriate levels to them. Meanwhile, in the evidence gathered in the course of these proceedings, one searches in vain for any mention of actions taken by the Administrator to carry out an appropriate evaluation of the risk that is, after all, inherent in the personal data processing operations carried out in its organization, not to mention its consideration of the likelihood that the threat of an attack by cyber criminals on the IT infrastructure, aimed at encrypting the personal data processed therein and obtaining material benefits for their subsequent decryption, would materialize.

Undoubtedly, the obligation to ensure the security of processed data, arising from, among other things, Article 32(1) of Regulation 2016/679, is the cornerstone of an effective personal data protection system. Regulation 2016/679, while introducing a risk-based approach, at the same time indicates in Article 32(1) the criteria based on which the controller should select appropriate technical and organizational measures to ensure a degree of security corresponding to the risk. Thus, in addition to identifying the risk of infringement of the rights or freedoms of individuals, consideration should still be given to the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. Consequently, it should be considered that the selection of security measures should be conditioned by the circumstances and conditions of data processing, as well as the likelihood and severity of events that may lead to a violation of the rights or freedoms of data subjects.

At the same time, it should be emphasized that security measures selected in accordance with the criteria arising from Article 32(1) of Regulation 2016/679 must, in order to be effective, understood as providing adequate protection of the personal data processing processes, be based on a comprehensively conducted risk analysis, i.e. one taking into account all the risks that are realistically present in the given context of personal data processing; such an analysis was clearly missing in the present case. Indeed, as has already been indicated, the Administrator did not provide any evidence that would make it plausible that it carried out, both before and after the start of the personal data processing processes, a comprehensive risk analysis, i.e. one also taking into account the likelihood of a ransomware attack, which it was obliged to do pursuant to the principle of accountability under Article 5(2) of Regulation 2016/679. Clearly, the risk analysis devised by the System Administrator, which “(...) was based on ongoing IT consulting provided by Company Y,” cannot be considered holistic. In this context, it should therefore come as no surprise that, in view of the Administrator's inability to select security measures adequate to the existing risks, the safeguards applied to its infrastructure, as presented, for example, in paragraph 9A of the supplementary data breach notification form dated January 8, 2020, i.e. “(...) Conclusion of data processing entrustment agreements with processors, limited scope authorizations for employees, computers with individual user accounts and passwords, screen savers changing passwords, use of anti-virus software, firewall, location of the server in an inaccessible place for unauthorized persons, alarm system, use of the services of a security company outside working hours”, proved ineffective in the case of an attack using the “M.” malware.
At the same time, there is no doubt that this unfavorable state of affairs could have been avoided by the Administrator if the personal data protection system in place in his organization had been based on realistic premises, that is, in particular, on a risk analysis conducted exhaustively and renewed periodically (cf. judgment of the WSA in Warsaw of May 13, 2021, ref. II SA/Wa 2129/20; judgment of the WSA in Warsaw of October 5, 2023, ref. II SA/Wa 502/23).

As demonstrated earlier, the Administrator did not identify the threat of the security of the IT system used to process the personal data of both its former and current employees and contractors being broken, followed by encryption of that data. In this context, therefore, all the more concern and surprise must be aroused - in view of the Administrator's failure to provide any evidence documenting the actions it took, in accordance with the principle of accountability under Article 5(2) of Regulation 2016/679 - by its omission to perform a general risk analysis against the background of the personal data protection breach in question, i.e. one taking into account the risk of its IT infrastructure being compromised with malware via the workstation of one of its employees. According to the Administrator's declaration in its letter of November 9, 2021, the decisive “(...) cause of the November 2019 incident that triggered the President of the Office for Personal Data Protection to conduct [administrative proceedings in the case in question - added by the Administrator] was (probability bordering on certainty) human error (...).” (Incidentally, in the unanimous opinion of the partners of Y s.c., i.e. the Processor responsible to the Administrator “(...) for full IT support since at least 2010, ensuring the security of digitally processed data and providing hardware solutions that meet the highest security standard”, the main cause of the occurrence of the personal data protection violation in question was precisely “(...) negligence of employees with regard to compliance with the rules of use of IT equipment inside company X.”)
Of course, the technical and organizational security measures extensively described by the Administrator, inter alia, in its letter of April 10, 2020, and which are cited on pages 7 and 8 of the justification of this decision, may be considered as a certain remedy for the possibility of a repetition of a situation similar to the one that occurred on November 25, 2019. Nevertheless, the evidence gathered in the present case does not provide grounds for assuming that these measures to mitigate the risk of a recurrence of a personal data protection breach were implemented taking into account the laws of logic and life experience.

On the basis of the evidence established in the course of these proceedings, it is also impossible to determine unequivocally whether the remedial measures implemented by the Administrator after the occurrence of the personal data protection violation in question were based on any security tests of the resources held by the Administrator. The only reference in this regard is the mention, appearing in the Administrator's explanations of August 16, 2021, of a security audit of the Administrator's IT environment conducted by Z Sp. z o.o., based in M., which resulted in the creation of “(...)”, intended by the Administrator to be only a certain point of reference for setting further goals in the company's IT security; this is all the more so since the Administrator did not disclose the contents of the aforementioned document, despite the request addressed to it in this regard on July 1, 2021.

In the opinion of the supervisory authority, the comprehensive identification of potential threats to personal data processing processes and their appropriate classification, and then the implementation on this basis of appropriate technical and organizational measures to guarantee a proper level of protection for personal data processing processes constitutes, in addition to their proper verification, both before and after the activation of the said processes, the foundation on which the personal data protection system in any organization should be based. In this context, it should be noted that the Controller has not presented any evidence unequivocally probative of the fact that after the occurrence of the personal data protection violation in question, the Controller implemented technical and organizational security measures, taking into account the risks associated with the possibility of breaking the security of the IT system used by the Controller in the personal data processing processes, and then encrypting them. Thus, the above constitutes a circumstance in which the Administrator is unable to demonstrate beyond any doubt, in accordance with the principle of accountability referred to in Article 5(2) of Regulation 2016/679, that the selection of these measures did not occur, as it were, in an arbitrary manner, i.e. without due consideration of the risks arising from the context of the processing processes carried out. Consequently, the measures so implemented to mitigate the likelihood of a personal data protection breach expose the Controller to a real danger that the measures envisaged by it will, in effect, constitute an inadequate attempt to respond to the inherent risks to the personal data processing processes. 
In turn, its continued refraining from carrying out their regular evaluation (as there is no evidence that such activities were undertaken by the Administrator at all) and the updates required by the circumstances, creates a real danger that a personal data protection violation will occur in the future.

Taking into account the above-mentioned reasoning, in the opinion of the President of the Office for Personal Data Protection, the Administrator's inability to produce documentation relating to the analyses it carried out does not provide grounds for concluding that risk mitigation, either before or after the occurrence of the personal data protection breach in question, took place at all. From an analysis of the evidence gathered in the course of these proceedings, it is clear that although the Administrator did attempt to assess the security status of the IT systems used to process personal data (vide: “(...)”), it nevertheless disclosed neither the content of the said document nor the date on which it was drawn up. Only from the date of the letter in which the declaration of its creation was included, i.e. August 16, 2021, can it be presumed that it concerns the state of the IT infrastructure operating in the Administrator's organization long after the attack using the malware in question, M. Thus, in the absence of the Administrator presenting the results of the analyses made, it is impossible to assess their completeness. In turn, a reliable description of all vulnerabilities and of the resistance to security breach attempts by unauthorized third parties and malware would have provided a basis for a proper qualification in this regard. For this reason, the mere mention of the evaluation of the state of the IT environment at company X by Z Sp. z o.o., based in M., at the Administrator's request, does not have any evidentiary force and certainly cannot constitute a risk analysis performed by the Administrator, especially since the Administrator itself sees the aforementioned document as a kind of benchmark, on the basis of which “(...) goals have been set for implementation in the coming years.”, and therefore - purely hypothetically - it can only be treated as an element of a future risk analysis.

In an attempt to recapitulate the considerations so far, it should be pointed out that the analysis of the facts presented clearly excludes the proper fulfillment of the principle of accountability (Article 5(2) of Regulation 2016/679) by the Administrator both before and after the occurrence of the personal data protection breach in question. This is because at no stage of its personal data processing processes did it accurately identify all identifiable vulnerabilities, so that the security measures it implemented prior to the occurrence of the personal data protection breach in question proved ineffective, leading to the compromise of its IT infrastructure on November 25, 2019. In turn, the technical and organizational measures to mitigate the risk of a recurrence of a personal data protection breach implemented after that date also lack the attribute of adequacy, as the Administrator is unable to objectively demonstrate that they constitute an adequate response to the existing risk.

Moreover, although the Administrator, against the backdrop of the events of November 25, 2019, identified the source of the cyber-attack on the basis of its investigation, it should be noted that this identification was made in order to determine the possibility of a data leak and to assess the risk of violating the rights or freedoms of individuals in connection with the ransomware attack that occurred, and was not documented as part of an overall risk assessment for the personal data processing processes. Nor did the Administrator bother to describe the vulnerability in the security of the IT system that existed at the time of the personal data breach in question, which, had it been identified, could have been important in the selection of instruments to mitigate the risk of a repeat of the data breach.

However, the above does not undermine the argument that the Controller's failure, both prior to November 25, 2019 and thereafter, to carry out a risk analysis, including an assessment of all the risks associated with its processing of personal data, as explicitly required of it by Article 32(2) of Regulation 2016/679, determines its violation of this provision. On the other hand, its implementation of technical and organizational measures to ensure the security of the processing of personal data taking place in its structure, as presented in the letters of April 10, 2020 and August 16, 2021, in isolation from this analysis, and then - in the absence of evidence to the contrary - its refraining from subjecting them to cyclical reviews, puts a question mark over the Administrator's ability to demonstrate continuous assurance of the confidentiality, integrity, availability and resilience of the processing systems and services (cf. judgments of the WSA in Warsaw of August 26, 2020, ref. II SA/Wa 2826/19, and October 5, 2023, ref. II SA/Wa 502/23).

I.2 Technical and organizational measures used to ensure the protection of processed personal data.
As shown so far, the circumstances revealed in the case in question highlight the necessity for controllers to base the processing of personal data on a risk-based approach, i.e. on knowledge of the magnitude of the risk and of the likelihood of negative consequences for the rights or freedoms of data subjects. Thus, a controller's refraining from performing, with respect to the personal data processing processes carried out, an analysis covering all the elements listed in recitals 76 and 83 of the preamble to Regulation 2016/679 clearly determines the controller's inability to manage the objectively existing risks associated with those processes.

The inability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services on the basis of the technical and organizational security measures implemented by the controller therefore constitutes a failure by the controller to comply with the obligations set forth in Articles 24(1), 25(1) and 32(1) of Regulation 2016/679. At the same time, failure to comply with the aforementioned excludes the possibility of the controller to demonstrate compliance with the rules expressed in Article 5(1)(f) of Regulation 2016/679, in accordance with the principle of data security and, consequently, also with the principle of accountability set forth in Article 5(2) of Regulation 2016/679 (cf. judgment of the WSA of August 26, 2020, II SA/Wa 2826/19, and February 10, 2021, II SA/Wa 2378/20).

In this context, it is indisputable that the use of operating systems and information systems used for personal data processing activities without exercising due diligence to ensure that they are updated to the latest stable version significantly reduces the security level of the processing processes carried out in this way. In particular, the lack of built-in and updated security features increases the risk of infection by malware and attacks through the creation of new security vulnerabilities.

In order for controllers to ensure an adequate level of security for personal data processing processes, it remains necessary at the same time for them to design technical measures in accordance with the principle of least privilege, taking into account the classification of persons employed in their organization. This means putting not only appropriate restrictions on the rights of end users, but - equally important - exercising supervision over their activities. However, it is only when the controller links the aforementioned measures to a regular investment in the competence of the people employed in its organization, both in terms of personal data protection regulations and knowledge regarding the risks associated with their operation on the Internet, that the completeness of the measures and means implemented by the controller to ensure an adequate level of protection for personal data processing processes is established.

The requirements set forth in the provisions of Articles 24(1) and 25(1) of Regulation 2016/679 and addressed exclusively to controllers, manifested in the obligation of controllers to implement technical and organizational measures, make it necessary to consider this activity not as a one-time activity, but as a certain process in which the controller reviews and, if necessary, updates the safeguards previously adopted. Not only technical measures, but also organizational measures in the form of procedures implemented by the controller, concerning the processing of personal data, including procedures for making changes to the IT systems used to process personal data, should be subject to such evaluation. Regular evaluation of the aforementioned procedure, as required by Article 32(1)(d) of Regulation 2016/679, allows the controller to verify whether such procedures are deficient, and if not, whether such procedure is effective, i.e. whether it ensures that appropriate measures are taken to ensure the protection of personal data during the process of making changes to the IT system, and whether it is followed at all by those responsible for carrying out such changes. Thus, it should be noted that the provision by the controller of oversight and monitoring of IT systems over which custody has been outsourced is one of the basic organizational measures that the controller should effectively implement to ensure the security of personal data in accordance with the requirements under Regulation 2016/679 (cf. ruling of the WSA in Warsaw of June 6, 2023, ref. II SA/Wa 1939/22, ruling of the WSA in Warsaw of June 21, 2023, ref. II SA/Wa 150/23).

As a consequence of the Administrator's failure to comply with the aforementioned principles, it cannot effectively demonstrate that the risks immanent to the personal data processing processes carried out on its behalf and for its benefit were continuously minimized by it. A contrario, the application of appropriate security standards for the operation of the IT systems used by the Administrator in the personal data processing processes, including their verification from the security point of view and, in particular, the fulfillment of the requirements under Article 24(1), Article 25(1) and Article 32(1) and (2) of Regulation 2016/679, as well as the effective verification of the processor's activities in this regard, can significantly minimize this risk.

The Administrator's failure to implement procedures for making changes to the IT systems used to process personal data deprived the Administrator of tools for effectively verifying the means and methods by which the Processor performed its obligations “(...) to operate, maintain and operate the system d. at the Administrator's enterprise (...)”. It should be pointed out that at no stage of the changes made, both before and after November 25, 2019, did the Administrator conduct any supervision of whether the changes were actually carried out properly and whether the processed personal data was secured against unauthorized access, and yet such supervision constitutes the implementation of an organizational measure to ensure the security of the personal data processing processes. Thus, the above omissions on the part of the Administrator adversely affected its ability to minimize the objective risk of unauthorized persons gaining access to the data processed in this system. Consequently, the demonstrated negligence, which exemplifies the Administrator's failure to comply with the obligations addressed solely to it under Art. 24 and Art. 25 of Regulation 2016/679, must meet with a proportionate response from the supervisory authority regardless of the fact that it did not constitute the direct cause of the personal data protection breach in question, which was the infection of one of the employee computers “(...) (...) (...)”, “(...) due to the (probably accidental) disabling of the licensed A. antivirus program by one of the Administrator's employees.”

The evidence gathered in the case also does not show that the Administrator conducted audits, including inspections, at the Processor to verify whether the associates of Y s.c. are properly implementing their obligations under Regulation 2016/679, including whether they ensure the application of the measures required under Article 32 of this legal act. The possibility of conducting such audits, including inspections, derives from Article 28(3)(h) of Regulation 2016/679, according to which, the contract for entrustment of processing of personal data is to provide that the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations set forth in this Article, and shall allow and contribute to the controller or an auditor authorized by the controller to conduct audits, including inspections.

Thus, this provision equips controllers with an instrument that allows them to demonstrate that the processing of entrusted data complies with the provisions of Regulation 2016/679, and thereby to avoid liability for violating them. At the same time, it should be emphasized that the performance of audits, including inspections, by the controller at the processor should be regarded as one of the most important security measures that the controller should apply in order to properly comply with its obligations under Article 32(1) of Regulation 2016/679, and this was lacking in the present case. This fact, moreover, shines through clearly from the explanations submitted by the Administrator on April 10, 2020, in which he notes that it was only after the investigation into the data protection violation in question “(...) that it turned out that this entity [Y s.c. - added on its own] had also failed to perform its obligations (...).” Meanwhile, the Administrator should have known, at the time it was using the Processor's services, whether and how the entity to which it entrusted the processing of personal data complied with the requirements of Regulation 2016/679. There is no doubt that the most effective way to acquire such knowledge would have been for the Administrator to take advantage of the possibility offered in § (...) of the agreement between it and the Processor, “(...)”, of performing relevant audits, including inspections, at the Processor's organization. However, such security measures were not applied by the Administrator, which consequently also constitutes a violation by the Administrator of Article 32(1)(d) of Regulation 2016/679.

Moreover, as demonstrated above, the application of the aforementioned measures is linked to the controller's obligation under Article 28(1) of Regulation 2016/679, which in turn means that its implementation is also to confirm whether the processor continues to provide guarantees that appropriate technical and organizational measures have been implemented so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. Failure to implement audits, including inspections, at the Processor consequently means that the Controller violates not only the provision of Article 28(1) of Regulation 2016/679, but also the provision of Article 25(1) of Regulation 2016/679, which obliges it to implement appropriate technical and organizational measures, both in determining the means of processing and during the processing itself.

Thus, the continuity inherent in this obligation may in practice manifest itself, among other things, in the need to ensure regular monitoring of the safeguards applied and to conduct continuous supervision of the processor, through, for example, the audits and inspections referred to in Article 28(3)(h) of Regulation 2016/679, which was lacking in the circumstances of the present case. Despite the fact that - as is evident from the established evidence - the personal data processing entrustment relationship between the Administrator and the partners of Y s.c. has not been formally terminated to this day, the Administrator has not presented any evidence to substantiate the conduct of audits, including inspections, at the Processor.

Considering the above-mentioned reasoning, the Administrator's failure to implement appropriate procedures to ensure the security of the personal data processed in the IT system d. and the lack of supervision of the Processing Entity “(...) with regard to the conduct, operation and maintenance of the system d. in the Administrator's enterprise (...).” prejudges the violation of the requirements of Article 32 of Regulation 2016/679.

I.3 Regular training of persons employed in the Administrator's structure.
It should be pointed out that the analysis of the case of the personal data protection violation in question once again emphatically shows - as the Administrator himself also seems to recognize - “(...) that in similar situations the human factor remains the weakest link (...)”. However, the thesis raised by him in his letter of November 9, 2021 about human error, “(...) which could not be avoided [on November 25, 2019 - added by him], despite the undertaking of measures to protect personal data (...)”, is no longer reflected in the facts. After all, it should be noted that according to the information provided on February 16, 2021, the Administrator “(...) conducted two training sessions in general [on data protection regulations - added by him]: on June 30, 2018 on the subject of: RODO - general principles of application of the new regulations, and on May 20, 2020 on the subject of: RODO and the Law on Personal Data Protection in the Operation of an Enterprise.” Thus, it is clear from the above that prior to the occurrence of the data protection breach in question, the Administrator provided only one training on data protection regulations for the people employed in his organization, in addition taking place 17 months before the date on which the successful attack on his IT infrastructure occurred. In turn, attributing a certain rationality to the Administrator's actions, which were probably in part the result of his observations, based on which he weighed that “(...) [o]f a relatively small production facility, X has grown to the size of an enterprise employing a larger number of people, needing a larger equipment base, premises, professionalizing certain departments in the company's structure (...)”, it is impossible to assume that the educational initiatives undertaken by the Administrator bore the hallmarks of activities other than those aimed, in effect, at increasing the security level of personal data processing operations and properly fulfilling the obligations incumbent upon it under the regulations on the protection of personal data.

Thus, it can be considered that he perceived - although no risk analysis in this direction was made by the Administrator - a connection between the technical and organizational measures implemented in his organization in the form of training for personnel to ensure that personal data processing operations have an adequate level of security. Nevertheless, for unknown reasons, after June 30, 2018 the Administrator discontinued any initiatives in his organization covering the issue of personal data protection, only to briefly return to the desired practice on May 20, 2020, and then depart from it definitively, recognizing that “(...) the previously conducted [trainings on the aforementioned dates - added by the Administrator] resulted in increased awareness of the Administrator's employees in the area of personal data protection.” Given that prior to the occurrence of the data protection breach in question, the Administrator had conducted only one training course on data protection regulations for the people employed in his organization, the agenda of which, moreover, did not cover the issue of how its personnel can safely navigate the Internet, it is therefore difficult to consider as credible the declaration contained in the aforementioned letter of February 16, 2021, that “(...) [e]mployees had the knowledge that it is not permissible to configure hardware or software settings on their own.” Assuming hypothetically that the implementation of such a measure of an organizational nature actually occurred in the Administrator's organization - which, however, is not supported by the evidence it cites - this is, after all, still not tantamount to employees having knowledge of how to actually guard against cyber threats.

Moreover, since the Administrator identified a vulnerability in the data protection system operating within its structure in the form of a “human factor,” so it should strive all the more to eliminate this “security gap,” especially since, at the time of the data protection breach in question, it could not yet demonstrate that it had mechanisms in place to exercise effective oversight over the ways and purposes for which members of staff use business equipment (the Administrator indicated that it “(...) implemented (...), which assigned users to roles corresponding to their positions, and then restricted their access to other resources. (...)” as one of the security measures to mitigate the risk of a recurrence of a data breach only in a letter dated April 10, 2020). With the above in mind, it should be emphasized that the Administrator's conduct of just one training course for the people employed in his organization prior to the occurrence of the data protection breach in question cannot be considered as the implementation of a measure that effectively mitigates the risk of a ransomware attack. This is the case not only due to the fact that the Administrator referred therein only to the general principles of the application of the provisions of Regulation 2016/679. It is also clear from the Administrator's explanations as quoted that this training took place on June 30, 2018, and thus took place 17 months before the occurrence of the “M.” malware attack on November 25, 2019.

Thus, in this light, it cannot be concluded that the organizational measure applied by the Administrator sufficiently shaped the awareness of those obliged to protect personal data and to apply the procedures defining security measures for such data. Indeed, in seeking to mitigate the risks associated with a ransomware attack, the Administrator should have ensured that the training conducted on June 30, 2019, allowed its participants not only to acquire at least the necessary basic knowledge regarding the types of cyber threats and the relevant prevention techniques, but also to initiate further educational sessions to solidify the acquired skills. In this context, such an organization of training sessions for all those involved in these processes, which, in addition to the relevant subject matter, would be characterized by a certain cyclicity, should be considered an adequate security measure, and thus an expedient response to the ransomware risk associated with personal data processing processes. On the other hand, the omission of any of the elements highlighted above will result in the training not fulfilling its role, the consequence of which may be - as in the present case - a violation of personal data protection. In conclusion, conducting only one training prior to the occurrence of the personal data protection breach in question, in addition in the manner described above, resulted in the fact that the organizational security measure applied by the Administrator did not contribute to reducing the risk of occurrence of the personal data protection breach in question, which determines the Administrator's inability to demonstrate compliance with the requirements set forth under Regulation 2016/679 to ensure a level of protection adequate to the risk for personal data processing processes and, consequently, a violation of the principle of accountability (Article 5(2) of Regulation 2016/679).

I.4 Software used to process personal data.
The analysis of the evidence gathered in the present case clearly shows that measures were not taken to ensure the most up-to-date versions of the software in use. Although the Administrator undertook appropriate actions in this regard in the form of, among other things, “(...) updating[i] operating systems to the latest available versions, change[i] (...) on (...); (...)”, it did so only after the occurrence of the personal data protection violation in question, thus allowing the data to be processed using outdated IT systems, i.e. systems that do not warrant an adequate level of security, prior to its occurrence. At the same time, there is no doubt that lowering the objectively persistent “(...) since October 2010 (...)” elevated level of risk could not be positively affected by the fact, cited by the Administrator in the document dated February 16, 2021, that as late as “(...) in June 2018 a new server was acquired together with licensed software.” Indeed, as he indicated in an earlier letter dated April 10, 2020, the “(...) activities to strengthen the security of processed personal data (...)”, as a consequence of which, among other things: “(...) assigned users to roles corresponding to their positions, and then restricted their access to other resources (...)”; including ‘(...) taking away administrative rights from users of workstations (...)’, ‘(...) taking away the ability of users to control antivirus software (...)’, and the elimination of rights allowing ‘(...) to control antivirus (...)’, so that ‘(...) antivirus protection (...)’ could be “(...) disable[d] only [by] the IT team (...)”, were effectively implemented by the Administrator only in the context of the data protection violation in question. In turn, the use of the “(...) licensed A. (...) antivirus program” by workstation users could not, in the present case, constitute a fulfillment of the Administrator's obligations under Articles 5(1)(f), 24(1), 25(1) and 32(1) of Regulation 2016/679, since these persons had an unfettered opportunity to interfere with the operation of this software during the period in which the personal data protection violation in question occurred. As the outcome of the proceedings initiated to determine the causes of the personal data protection breach in question has emphatically shown, it was directly caused by “(...) the disabling of the licensed A. antivirus program by one of the (...) employees,” following which third-party processes “(...) were started on the server and the encryption process began.” Thus, in this light, it should be pointed out that the Administrator could have avoided the event of November 25, 2019 if he had not only ensured in good time that the operating systems he used were updated to the latest available and stable versions, but also timely revoked the privileges of workstation users that allowed them to interfere with the operation of the A. system, which combines - depending on the version used - the functions of a firewall and an antivirus program, i.e. software that is crucial from the point of view of protecting the systems used in the processing of personal data, and, above all, exercised regular supervision over the use of company resources.

Thus, the reasoning presented by the Administrator in its letter of February 16, 2021, according to which “(...) [a]ccess to computers is protected by passwords. Only the staff member directly using the specific equipment has access to the computer password. Specialized IT service providers ensure the integrity and security of the computer system and the information contained therein. If you leave your workstation and the computer system is temporarily idle, a screen saver is automatically activated, which can only be deactivated by entering the appropriate password. (...)”, does not stand up to scrutiny when juxtaposed with the disclosed circumstances of this particular case, on the basis of which it is indisputable that the technical measures implemented by the Administrator did not continuously ensure an adequate degree of security of the data processed through the computer systems used by it, if the personal data protection violation in question nevertheless occurred.

In conclusion, it should be pointed out that having even the most technically advanced solutions, which, in light of the explanations submitted by the Administrator on April 10, 2020, was not the case anyway (the Administrator indicated that, as part of the corrective measures after the occurrence of the personal data protection violation in question, it made “(...) changes[y] to versions of antivirus software to provide more complete protection ((...)) (...)”, thus admitting that the previously used solution did not constitute a sufficient security measure for the personal data processing processes), will not continuously ensure an adequate degree of security of the data processed through these IT systems, if the controller not only fails to ensure that cyclic updates are carried out and their configuration is optimized, but also fails to limit the rights of end users and, equally importantly, fails to supervise their activities.

The findings made so far do not provide a basis for concluding that the technical and organizational measures applied by the Administrator to ensure the security of personal data processing were adequate to the state of the art, the cost of implementation and the nature, scope, context and purposes of processing. In addition, these measures - in the opinion of the President of the DPA - were not adequately reviewed and updated, which consequently did not ensure effective implementation of the data protection principles.

I.5 The lack of the Administrator's ability to quickly restore the availability of personal data in the context of the failure to regularly test, measure and evaluate the effectiveness of technical and organizational measures.
From the analysis of the evidence gathered in the present case, the sluggishness of the Administrator in its efforts to fulfill the obligations set forth in Article 32(1)(c) and (d) of Regulation 2016/679, and related to the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, as well as the regular testing of the security copies created, also shines through. Indeed, it should be noted that the Administrator's recovery of access to the data occurred after as many as 4 days after the data had been encrypted. This circumstance therefore gives rise to the thesis that - in view of the Administrator's failure to implement adequate procedures for recovering data from backups in the event of a personal data breach - it was deprived of any real ability to quickly restore temporarily lost data.

Additional justification for the assumption made by the supervisory authority in the above form should be provided by the circumstance of the Administrator's failure to provide explanations - as requested by the President of the DPA in a letter dated July 1, 2021 - regarding the description of its procedures for creating, storing and testing backups prior to the occurrence of the personal data protection breach in question. Although he addressed the aforementioned issue in a letter dated August 16, 2021, nevertheless the explanations provided by the Administrator only cover the period after November 25, 2019, which only strengthens the argument related to the Administrator's failure to implement adequate procedures for the recovery of data from backups before the aforementioned date, and clearly negates its ability to quickly restore the availability of personal data. As a consequence of this negligence, the restoration of personal data turned out to be possible only 4 days after it was encrypted, which the Administrator could not have foreseen beforehand, for in the disclosed facts of this case there is also no evidence that attempts were made by the Administrator to measure and assess its ability to quickly restore the availability of personal data. In this light, the Administrator's violation of the obligation set forth in Article 32(1)(c) of Regulation 2016/679 should therefore not be in doubt.

The Administrator's failure to comply with the requirement to have the capacity to quickly restore the availability of and access to personal data in the event of a physical or technical incident, moreover, is part of the broader context of the Administrator's improper implementation of the obligation provided for in Article 32(1)(d) of Regulation 2016/679. For by refraining from regularly testing, measuring and evaluating the effectiveness of the technical and organizational measures in place to ensure the security of the personal data processing processes taking place within its structure, the Controller could not, prior to the date of the personal data protection breach in question, demonstrate its knowledge of network segmentation solutions. Meanwhile, implementing them as cited by the Administrator in its letter of April 10, 2020, i.e. “(...) introducing network segments, and separating them from each other through firewall rules, separating the network for guests (...)”, and thus only after the occurrence of the ransomware attack in question, could have, if not prevented, at least significantly reduced the magnitude of the negative effects on individuals in connection with the 4-day unavailability of their personal data. In this context, it also remains reasonable to charge the Administrator with the inability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services (Article 32(1)(b) of Regulation 2016/679).
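The duty the decision derives from Article 32(1)(c) and (d), that is, regularly testing whether personal data can actually be restored from backup, intact and within an acceptable time, is something a controller can verify with a routine restore drill. The script below is an added illustration written for this page; it is not part of the decision and does not reproduce either party's systems. The directory layout, the sample records, the 300-second recovery time objective and the use of a checksum manifest are all assumptions.

```shell
#!/bin/sh
# Added example, not from the decision: a minimal backup restore drill that
# exercises the Article 32(1)(c)/(d) duties the decision describes, namely
# verifying that a backup can actually be restored, that the restored data
# is intact, and that restoration completes within a recovery time objective.
# The dataset, paths and the RTO value are constructed assumptions.

set -eu

WORK="$(mktemp -d)"                 # scratch area, removed on exit
DATA="$WORK/data"                   # constructed stand-in for production data
BACKUP="$WORK/backup.tar"           # archive written by take_backup
MANIFEST="$WORK/backup.sha256"      # per-file checksums recorded at backup time
RTO_SECONDS="${RTO_SECONDS:-300}"   # assumed recovery time objective
trap 'rm -rf "$WORK"' EXIT

# sha256sum is GNU/busybox; fall back to shasum (macOS) when it is absent.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# Create a small constructed dataset (sample data, not real records).
make_sample_data() {
    mkdir -p "$DATA/customers"
    printf 'id,name\n1,constructed record\n' > "$DATA/customers/export.csv"
    printf 'constructed binary attachment\n' > "$DATA/customers/attachment.bin"
}

# Take a backup and record the checksum of every file, so that a later
# restore can be checked for integrity rather than merely for "tar did not fail".
take_backup() {
    ( cd "$DATA" && find . -type f | sort | while read -r f; do sha256 "$f"; done ) > "$MANIFEST"
    tar -cf "$BACKUP" -C "$DATA" .
}

# Restore the backup into a scratch directory, verify every file against the
# manifest and measure elapsed time against the RTO. Prints PASS or FAIL and
# returns 0 only when both checks succeed, so it can drive a scheduled job.
restore_test() {
    restore_dir="$WORK/restore"
    rm -rf "$restore_dir"
    mkdir -p "$restore_dir"
    start=$(date +%s)
    tar -xf "$BACKUP" -C "$restore_dir"
    if ! ( cd "$restore_dir" && sha256 -c "$MANIFEST" >/dev/null 2>&1 ); then
        echo "FAIL integrity: restored files do not match the backup manifest"
        return 1
    fi
    elapsed=$(( $(date +%s) - start ))
    if [ "$elapsed" -gt "$RTO_SECONDS" ]; then
        echo "FAIL rto: restore took ${elapsed}s, objective is ${RTO_SECONDS}s"
        return 1
    fi
    echo "PASS: restored and verified in ${elapsed}s"
}

# Simulate the failure mode at issue: a backup that captured already damaged
# data (as a backup taken after encryption would) while the manifest still
# describes the healthy files. A drill run against it must report FAIL.
tamper_backup() {
    printf 'ENCRYPTED\n' > "$DATA/customers/export.csv"
    tar -cf "$BACKUP" -C "$DATA" .
}

# Stand-alone run: build the sample data, back it up and run one drill.
make_sample_data
take_backup
restore_test
```

Run from cron or a scheduler and keep the PASS/FAIL lines as a log: a gap in the log, or a FAIL that nobody acted on, is exactly the evidence of "regular testing, measuring and assessing" that the decision found missing, and the measured elapsed time is what an RTO claim in a risk analysis should rest on.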

I.6 Order to bring processing operations into compliance with Regulation 2016/679.
It should be noted that it was only the occurrence of the personal data protection breach in question on November 25, 2019 that prompted the Administrator to implement technical security measures, the description of which is cited on pages 7 and 8 of the justification and in paragraph 1 of the letter of August 16, 2021, consisting of changing the logical topology of its IT structure and establishing a backup policy. Nonetheless, it should be noted that the Administrator has not presented any evidence unequivocally probable of the fact that the above-described technical security measures have been implemented, taking into account the risks associated with the possibility of breaking the security of the IT system used by the Administrator in the processing of personal data, and subsequently encrypting it.

Thus, he is unable to demonstrate beyond any doubt that these measures constitute not an arbitrary, but a truly adequate response to the existing risk associated with the possibility of a renewed loss of availability of the personal data processed by him. Moreover, the detachment of the implemented technical measures as described above from the risk analysis, while there is no evidence that the Administrator subjects them to periodic evaluations, again calls into question its ability to demonstrate continuous assurance of the confidentiality, integrity, availability and resilience of its processing systems and services. Consequently, the reasoning outlined above and the related allegation of the Administrator's failure to comply with the accountability principle set forth in Article 5(2) of Regulation 2016/679 remain valid.

With the above in mind, the President of the DPA could not act otherwise than to issue a notice to the Administrator - pursuant to the content of Article 58(2) lit. (d) of Regulation 2016/679 - an order to bring the processing operations into compliance with the provisions of Regulation 2016/679, by performing a risk analysis taking into account the risks associated with the installation of malware interfering with the availability of personal data, then implementing, on the basis of the risk analysis performed, adequate solutions to fully secure the servers used by the Administrator in the processing of personal data, and implementing appropriate technical and organizational measures to ensure regular testing, measuring and assessing the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident.

II. Responsibility of the Processor.
It goes without saying that a comprehensive consideration of the entire body of evidence gathered in the present case would not be possible without the supervisory authority taking into account the circumstance relied upon by the Administrator in its letter of April 10, 2020, in which the occurrence of the personal data protection breach in question was allegedly “(...) caused doubly by a human factor - [faulty behavior - add. on...] of the Administrator's employees and the company hitherto providing IT services to the Administrator.” Indeed, in the course of the explanations provided, the Administrator indicated that “(...) [t]he former company (whose services the Administrator was not satisfied with due to its failure to provide maintenance services and security system audits in a timely manner) was replaced in late September/early October 2019 by Y s.c.” This new entity, in the Administrator's opinion (meanwhile, the evidence gathered in the present case clearly shows that Y s.c. and the Administrator were connected by a contract “(...)” concluded as recently as May 24, 2018, and that the informal cooperation lasted ‘(...) since at least 2010 (...)’), ‘(...) was to take over the security of the Administrator's IT systems, perform a security audit and prepare a report in this regard (...)’. As the Administrator further communicated, “(...) it turned out that this entity also failed to perform its duties and misled the Administrator, because (unbeknownst to the Administrator at the time), at the same time this new entity was performing another very large order for a third party, which translated into the occurrence of the incident in November 2019.”

Undoubtedly, the credibility of the facts cited in the above form, indicating - according to the Administrator - the co-responsibility of the partners of Y s.c., i.e. Ms. CD, Mr. EF and Mr. GH, for the occurrence of the personal data protection violation in question, must be considered - in the absence of a written contract for the provision of services that were to have been performed by the partners of Y s.c. for the Administrator “(...) since at least 2010 (...)” - with regard to the disclosed content of the contract “(...)” concluded on May 24, 2018. Thus, it should be pointed out that it follows from § (...) pt. (...) of the aforementioned document that the Administrator's entrustment of the processing of personal data in its name and on its behalf to the partners of Y s.c. took place for the purpose of executing the contract with regard to the operation, operation and maintenance of the d. system in the Administrator's enterprise and the proper fulfillment of the obligation to statutory state authorities, which, after all, is not equivalent to exercising custody over the entire IT infrastructure within the Administrator's structure, a circumstance that was, moreover, referred to by the Processor in the letter of July 8, 2022.

Of course, it remains to consider the eventuality in which, as it were, in addition to the main relationship of entrustment of personal data processing, there would be the provision by Y s.c. of IT services on behalf of the Administrator. However, this hypothesis is not supported by the collected evidence, in which no trace of even informal initiatives on the part of the Administrator to obtain assistance from the Processor in fulfilling the Administrator's obligations set forth in Articles 32-36 of Regulation 2016/679 has been recorded. It is also difficult to reasonably assume that the Processor would act outside the mandate set forth in Article 28(3)(a) of Regulation 2016/679, arising solely from the documented instruction of the Administrator. For the aforementioned reasons, it is also impossible to recognize the veracity of the Administrator's statement regarding the existence of the Processor's obligation to perform a security audit and prepare a report in this regard, since the aforementioned “(...)” in no way required it to do so. Finally, it is impossible not to notice that the direct cause of the security incident on November 25, 2019, which led to a breach in the protection of personal data processed in the Administrator's IT systems, was the infection of one of the employee computers “(...) (...) (...)”, “(...) due to the (probably accidental) disabling of the licensed A. antivirus program by one of the Administrator's employees”, for which the Administrator is responsible. This is because he allowed a situation in which the granting of privileges to end-users inconsistent with their official classification enabled them to interfere with the operation of the antivirus software, which the Administrator could not have been aware of, for, as demonstrated in the earlier pages of the justification for this decision, at the time of the personal data protection violation in question, he did not yet have the technical instrumentation to exercise effective supervision over the use of official resources by his employees.

The issue of the lack of cyber security awareness training for the people employed in the Administrator's organization, which, had it been conducted by the Administrator, would have constituted the implementation of organizational security measures adequate to the risks associated with the personal data processing processes, is also not without significance, and for this the Administrator is also solely responsible. In turn, the use by the perpetrators of the vulnerability “(...) of the B. server, which had not been updated for a long time” is another manifestation of negligence on the part of the Administrator, who, as the host of personal data processing processes, failed to take adequate care of the ongoing updating of the software, the implementation of which is not the responsibility of the partners of Y s.c., since in light of the provisions of the “(...)” dated May 24, 2018 connecting them with the Administrator, confirmed by the content of their concurring statements dated July 8, 2022, they were responsible not for the operation and maintenance - remaining within the Administrator's own structure - of the B. server, but for the activities of “(...) for the operation, operation and maintenance of the d. system in the Administrator's enterprise,” which, significantly, after all, did not include the authority to interfere with the technical security measures implemented by the Administrator.

It should also be noted that, in the opinion of the supervisory authority, the facts of the case do not provide grounds for concluding that the maintenance and security of the IT infrastructure of the server “(...) >>(...)<< [on which the personal data protection violation in question occurred - added on its own] (...)” on which the d. system was hosted, did not - contrary to its own assertions - belong to the Administrator. This is implicitly confirmed by the fact that it was the Administrator himself who undertook after November 25, 2019 - in terms of technical safeguards - a number of measures to remove the effects of the personal data protection breach in question and prevent the occurrence of similar ones in the future (in particular, he changed the outdated system (...) to (...)).

In light of the above-mentioned reasoning, the fact that the Processing Entity was entrusted with processing personal data in the d. system, in the scope of the work of which, by the way, no lack of adequate measures to mitigate the risk of a personal data protection breach was found (in contrast to the work of the server software on which the d. program was installed), excludes - in the opinion of the President of the PDPA - the possibility of attributing to the Processing Entity responsibility for failure to implement organizational and technical security measures within the framework of the processing process entrusted to it. For the above reasons, it is also impossible to attempt to shape joint and several liability of the Processing Entity for the negligence shown to the Administrator with regard to the organizational and technical security measures implemented by the Administrator.

Nevertheless, the lack of grounds for assuming joint and several liability of Ms. CD, Mr. EF and Mr. GH for the negligence demonstrated to the Administrator with respect to the selection of ineffective security measures for the IT system used to process personal data and the failure to adequately test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of the processed personal data in the affected IT systems, in particular with respect to vulnerabilities, errors and their possible effects on these systems and the measures taken to minimize the risk of their occurrence, does not in any way obviate the need to seek liability of the associates of Y s.c. for failing to assist the Administrator in complying with its obligation to implement adequate technical and organizational measures to ensure the security of personal data processing, i.e. for violation of Art. 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679.

The legitimacy of the allegation so formulated with respect to the Processor should not raise any doubts, since the evidence established in the present case unequivocally shows (which, by the way, was communicated in unison by both the Processor and the Administrator in letters dated September 29, 2023 and October 3, 2023, respectively), “(...) that the >>d.<< system was seated on the >>(...)<< server [on which the personal data protection violation in question occurred - added on its own], using E. software,” and thus - as already demonstrated in this decision - an IT architecture with a number of well-known security flaws, of which the partners of Y s.c. must have been aware, having, after all, not only ‘(...) many years of experience in implementing systems based on the (...) platform and customizing them (...)’, or ‘(...) the most experienced implementation team in Poland (...)’, but also the status of ‘(...) (...)’. Unfortunately, despite the competence undoubtedly possessed by the above-mentioned persons and the knowledge that “(...) [o]n a server using E. software was installed (...) with the database used by the d. system. The installation of the d. client application was performed on users' computers”, they refrained from providing the Administrator with information about the vulnerabilities present in E. software.

In this context, it is all the more vain to look for a justification for the failure of the partners of Y s.c. over the years to take any initiatives related to even an attempt to communicate to the Administrator the need to update the operating system to the latest possible version, or even to implement newer solutions, and therefore ones constituting a more adequate response to the inherent risks associated with the personal data processing processes carried out (e.g. in the form of the implementation of the B. system, which ultimately occurred in the Administrator's structure only after the occurrence of the personal data protection violation in question). At the same time, there is no doubt that the use of this software, which incidentally had its world premiere (...), to operate the “(...) server[a] (...) with the database used by the d. system”, would have significantly mitigated the risk of materialization of even such an attack on the Administrator's IT infrastructure as had just occurred on November 25, 2019. Thus, for the reasons demonstrated above, the occurrence of the personal data protection breach in question was materially contributed to by the grossly negligent actions on the part of the partners of Y s.c., who, as established, provided IT support services to the Administrator with respect to the d. system. Indeed, in the normal course of business and in accordance with a risk-based approach, they should have anticipated, especially as IT professionals, on the basis of the risk analysis carried out, the consequences for the security of the personal data entrusted to them that might follow from basing their processing processes on solutions that do not provide sufficient security guarantees.

The above argumentation is not diminished by the fact that the partners of Y s.c. could not, on their own and as part of the IT services provided to the Administrator, remove the software vulnerabilities of the server on which the d. system was installed. However, being aware of their existence, they did not notify the Administrator of this fact, which excludes the possibility of assuming that the Processor complied with the obligation to provide the Administrator with “assistance” taking into account the “information available to it”, and which constitutes a violation by the partners of Y s.c. of the obligations set forth in Article 28(3)(f) of Regulation 2016/679, obligations addressed exclusively to the Processor. In turn, the failure of the Processor to comply with its obligations in the aforementioned respect constitutes, on the basis of the aforementioned provision of Regulation 2016/679, its separate liability of a public law nature, i.e. liability remaining separate from its contractual obligations and constituting a self-contained basis for the application of sanctions by the supervisory authority, pursuant to Article 83(4)(a) of the said Regulation.

III. Administrator-Processor relationship.
The findings to date, however, do not preclude the need for a more detailed examination of the allegation made by the Administrator against the aforementioned Processor regarding the inadequate fulfillment by the Processor of its obligations related to ensuring “(...) security of IT systems at the Administrator (...)”, performing security audits and preparing relevant reports on this basis.

Indeed, as it follows from Article 28(1) of Regulation 2016/679, if the processing is to be carried out on behalf of the Controller, the Controller shall use only such processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. The implementation of this principle, in turn, is ensured by the obligation introduced in Article 28(3) of Regulation 2016/679 to conclude a contract between the controller and the processor specifying the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller, which contract shall contain, in particular, the elements indicated in points (a) through (h) of this provision.

In the factual state under consideration, the contract connecting, as of May 24, 2018, the Administrator and the Processor “(...)” did contain all the elements indicated in the aforementioned provision; nevertheless, based on the explanations provided by the aforementioned entities, it remains impossible to determine whether the actions taken by the partners of Y s.c. “(...) in order to implement the agreement with respect to the operation, operation and maintenance of the d. system at the Administrator's company (...)”, presented by the Processor in its letter of July 8, 2022, were carried out according to predetermined rules to ensure the security of personal data. Apart from the general formulations contained in § (...) of the referenced document, on the grounds of which the Processor undertook, among other things, to secure the personal data processing processes entrusted to it “(...) through the application of appropriate technical and organizational measures ensuring an adequate degree of security corresponding to the risks involved in the processing of personal data, as referred to in Article 32 of the Regulation [Regulation 2016/679 - added on its own]”, the technical and organizational measures to ensure this security were not specified either in the general regulations implemented by the Controller or in the relevant agreement concluded with the Processor.

Thus, based on the facts thus outlined, a picture emerges in which the means and methods of the implemented solutions “(...) for the running, operation and maintenance of the d.system at the Administrator's enterprise (...)” were in fact decided by the partners of Y s.c. However, the Processor's arbitrariness in the choice of applied solutions should not come as a surprise, since the Administrator, who should have positioned himself in the role of the host of the personal data processing processes carried out on his behalf and for his benefit, did not outline a precise framework for cooperation with the Processor, while the lack of implemented procedures for controlling the correctness of activities undertaken by the Processor only deepened this state of affairs, characterized by a lack of adequate knowledge of the above-mentioned entity's activities on the part of the Administrator.

In view of the fact that the Processor was left, as it were, with discretionary authority to decide how to carry out activities “(...) with regard to the operation, operation and maintenance of the d. system at the Administrator's enterprise (...)”, it should be further analyzed whether such action by the Administrator could have resulted from reasonable certainty about the Processor's competence. In the case at hand, the Administrator indicated that the cooperation with the Processor began long before the provisions of Regulation 2016/679 came into force, i.e. it lasted “(...) since at least 2010 (...)”. From the explanations provided by the Administrator, in which it stated that based on the information available on the Processor's website, it determined that the Processor has been operating “(...) on the market since 2004, has numerous staff and a significant portfolio of clients (...)”, it does not appear that the verification of the competence of the partners of Y s.c. bears the hallmarks of a formalized process. Nonetheless, in the Administrator's opinion, it exercised “(...) due diligence in selecting the entity providing IT support to the company,” as “(...) [t]he conclusion of the contract with this entity was therefore preceded by an analysis of its professional experience in the area of providing IT solutions.”

Referring to the above-mentioned explanation of the Administrator, it should be pointed out that in the previous legal state, defined under the PDPA, different requirements were defined with respect to the processor, while others apply from May 25, 2018, i.e. from the start of the application of Regulation 2016/679. Therefore, the previous, positively assessed cooperation can only be a starting point when verifying whether the processor provides sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and, above all, protects the rights of data subjects. Indeed, the requirement set forth in Article 28(1) of Regulation 2016/679 absolutely applies to any data controller that, in the course of its business, uses the resources or services of a processor when processing personal data. At the same time, it should be emphasized that the fact of long-standing cooperation and use of the services of a given Processor prior to May 25, 2018, i.e. prior to the commencement of the application of the provisions of Regulation 2016/679, does not exempt the Administrator from the obligation to carry out such an assessment. The Administrator has not carried out such verification, contenting itself with a positive assessment of the Processor as a result of previous cooperation established long before the commencement of the provisions of Regulation 2016/679. The Administrator's failure to carry out such assessment is tantamount to a breach of the obligation set forth in Article 28(1) of Regulation 2016/679.

At the same time, it should be noted that the mere signing of a personal data processing entrustment agreement without an appropriate evaluation of the Processor cannot be viewed from the perspective of the proper implementation by the Administrator of its obligation to carry out proceedings verifying the Processor for compliance with the requirements of Regulation 2016/679. Long-term cooperation of the parties not supported by periodic, systematic audits or inspections does not guarantee that the Processor will properly perform the tasks required by law and arising from the concluded entrustment agreement. As in the case at hand, where the allegation made by the Administrator against the partners of Y s.c., concerning the non-performance or improper performance by this entity of its obligations, appeared only in the letter of April 10, 2020, putting - contrary to the Administrator's intentions - into question the issue of the Administrator's prior inspection of the compliance of the personal data processing processes carried out on its behalf and for its benefit, and consequently undermining the strength of the theses so formulated by the Administrator. Moreover, they become even more incomprehensible when juxtaposed with the “(...)” of May 24, 2018 stipulated by the parties, providing in § (...) for the right of the Administrator to perform inspections to determine “(...) whether the measures applied by the Processor in processing and securing the entrusted personal data comply with the provisions of the agreement”, where the circumstances of the exercise of the said right - in light of the evidence gathered in the course of these proceedings - the Administrator is not able to effectively demonstrate with respect to the entire duration of the agreement connecting it with the Processor.
Meanwhile, the control mechanisms implemented by the controllers responsible for assessing the adequacy of the guarantees provided by the Processor are the primary tool for verifying the Processor, particularly in terms of the technical and organizational measures implemented by the Processor to ensure an adequate level of protection for personal data processing.

The issue of criteria for evaluating a processor was also considered by the EROD. As indicated in the “Guidance 07/2020 on the concepts of controller and processor contained in the RODO,” hereinafter referred to as Guidance 07/2020, referring to the content of Article 28(1) and recital 81 of Regulation 2016/679, (quoted): “The controller is (...) responsible for assessing the adequacy of the guarantees provided by the processor and should be able to prove that it has seriously taken into account all the elements provided for in the RODO. The warranties “provided” by the processor are those that the processor is able to demonstrate to the satisfaction of the administrator, as these are the only warranties that the administrator can effectively take into account when assessing the fulfillment of its obligations. This will often require the exchange of relevant documentation (e.g., privacy policies, terms of service, register of processing activities, records management policies, information security policies, external data protection audit reports, internationally recognized certifications such as ISO 27000 standards). The administrator's assessment of the sufficiency of the safeguards is a form of risk assessment that largely depends on the type of processing entrusted to the processor and must be made on a case-by-case basis, taking into account the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of individuals. (...) The controller should consider the following elements (...) to assess whether the safeguards are sufficient: expertise (e.g., technical knowledge of security measures and data breaches); reliability of the processor; resources of the processor. The reputation of the processor in the market may also be an important factor for controllers to consider. In addition, adherence to an approved code of conduct or certification mechanism can be used as an element to demonstrate sufficient guarantees. (...) 
The obligation to use only processors “providing sufficient guarantees” in Article 28(1) of the RODO is an ongoing obligation. It does not end when the administrator and the processor enter into a contract or other legal act. Rather, the controller should verify the processor's guarantees at appropriate intervals, including through audits and inspections where appropriate (...).”

Relating the EROD's opinion presented above to the circumstances of the disclosed facts, it can be noted that the Administrator, when entrusting the partners of Y s.c. with the processing of personal data of its employees, temporary employees, contractors, contractors, family members of employees, trainees, interns and interns, and contractors, was guided by faith in the expertise of the Processor “(...) in providing and optimizing IT business solutions that enhance the efficiency of the organization's operations (...)”. He trusted that it has “(...) years of experience in implementing systems based on the (...) platform and customizing them to meet individual customer needs (...)” and that it is distinguished not only by “(...) the most experienced implementation team in Poland (...)”, but also by its status as “(...) (...)”. In light of the EROD's recommendations cited above, the above beliefs held by the Administrator towards the Processor should, in the normal course of activities, only become a reason for the Administrator to conduct - at least on the basis of the exchange of relevant documentation - a study of the adequacy, as an element of a broader risk analysis, of the guarantees provided by the Processor to ensure the level of protection of the aforementioned categories of persons entrusted to it, which, in the disclosed circumstances of the present case, did not take place. Therefore, in this context, the emergence of a circumstance in which the activities carried out by the partners of Y s.c. related to the operation and maintenance of the d. system, with the use of a system that is not updated and therefore does not constitute an adequate response to the objectively occurring risk to the security of personal data processing processes located in the (...) database of the “(...) (...) (...)” server software, should not come as a surprise, directly contributed to the occurrence on November 25, 2019 of the personal data protection breach in question. 
Perception of irregularities occurring in the Administrator's structure related to the organization and management of the process of implementing new solutions in the IT infrastructure or making changes to it, may take place even after taking into account the efforts made by the Processor after the said date (vide: pages 14 and 15 of the justification of this decision). 

IV. Co-responsibility of the Administrator and the Processor for omissions to conduct a risk analysis for the “(...) operation, operation and maintenance of the system d. (...)”, the identification and application of adequate technical and organizational measures to ensure the security of the processing carried out using this software, and verification of the effectiveness of the Administrator's IT infrastructure safeguards in place.
Undoubtedly, the responsibility for the application of appropriate, i.e. adequate to the existing risk, technical and organizational measures to ensure the security of the processed personal data extends to all entities involved in the processing of personal data, so in this particular case to the Administrator and the persons who were, as of November 25, 2019, partners of Y s.c. As a consequence of this assumption, it should be concluded that both the Administrator and the Processor should have verified that the personal data was adequately protected against a possible ransomware attack. The lack of such verification and the failure to implement, on its basis, technical and organizational measures to effectively secure the personal data processed in the d. system (the use, in the processing of personal data, of outdated software on the server on which the database containing personal data was hosted cannot, after all, be considered such a measure) was instrumental in the occurrence of the personal data protection violation in question. And the measures, the shape of which was recorded in the explanations submitted on April 10, 2020 and August 16, 2021, were taken only after the incident of November 25, 2019, and were aimed only at minimizing the risk of recurrence of the breach.

Therefore, in light of the above findings, it must be concluded that the omissions on the part of both the Administrator and the Processor to conduct a risk analysis for the “(...) operation, operation and maintenance of the system d. (...)”, identification and application of adequate technical and organizational measures to ensure the security of the processing carried out with the use of this software, and verification of the effectiveness of the Administrator's IT infrastructure safeguards in place, resulted in a violation by the aforementioned entities of Article 32(1) and (2) of Regulation 2016/679.

It should be pointed out that the findings in the present case do not provide a basis for concluding that the organizational measures applied by the Administrator to ensure the security of personal data were adequate to the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, which consequently did not ensure effective implementation of the principles of personal data protection. As a result - in the opinion of the President of the DPA - the Administrator failed to implement adequate organizational measures to ensure the security of the processing of personal data located in the IT system d. on an uninterrupted basis, which in turn constitutes a violation of Article 32(1) and (2) of Regulation 2016/679. At the same time, the Administrator's stopping at the conclusion with the Processor on May 24, 2018 of the “(...)” cannot be considered the implementation of such a measure, for in Guideline 07/2020 the EROD clearly indicated that (quote): “While the elements set forth in Article 28 of the Regulation constitute its core content, the contract should be a way for the controller and processor to further clarify how to implement these essential elements through detailed instructions.” It goes without saying that the formulation of these detailed instructions should be attributed to the controllers, who determine, on the basis of Article 4(7) of Regulation 2016/679, the purposes and means of processing personal data, including with regard to processes carried out on their behalf and for their benefit by external entities.

Thus, referring the above to the context of the case at hand, it should be pointed out that the Administrator, in the absence of the application of procedures ensuring the security of the processed data in the process of changes made to the d. computer system in which the data is processed, and the lack of supervision of the Processor “(...) with regard to the running, operation and maintenance of the d. system at the Administrator's enterprise (...)” improperly fulfilled its role in implementing appropriate technical and organizational measures so that the processing is carried out in accordance with Regulation 2016/679 and to give the processing the necessary safeguards to meet the requirements of this act, thereby failing to comply with the obligations provided for in Articles 24(1) and 25(1) of Regulation 2016/679.

As a consequence of the above omissions, it must be concluded that the principle of integrity and confidentiality expressed in Article 5(1)(f) of Regulation 2016/679 was violated by the Administrator. By failing, in turn, to demonstrate that the personal data processing processes taking place in its organization correspond to an adequate level of security, the Administrator violated the principle of accountability referred to in Article 5(2) of Regulation 2016/679.
Notwithstanding the above, as demonstrated in the earlier part of the justification of this decision, the reasons for the occurrence of the personal data protection violation in question should also be sought in the processes directly related to the inadequate fulfillment by the partners of Y s.c. of their contractual obligations “(...) with regard to the running, operation and maintenance of the d. system at the Administrator's company (...)”. In this context, the attribution of joint responsibility to the above-mentioned persons for the materialization on November 25, 2019 of the risk of a ransomware attack on the Administrator's IT infrastructure is determined by the circumstance that, on the basis of the contract concluded on May 24, 2018 “(...)”, confirmed by their unanimous statements submitted to the President of the DPA on July 8, 2022, “(...) [p]artnership Y was responsible for the provision of the database server, licenses, implementation and maintenance work related to the d. system”. The logical consequence of the existence of a set of duties of the Processor in the aforementioned scope, which, moreover, follows from the concurring statements of the partners of Y s.c. disclosed in the course of these proceedings, quote “(...) [o]n the server [“(...)”] using the E. software was installed (...) with the database used by the d. system”, was therefore their full awareness of the fact that the software of this server, i.e. B., had not been updated for a long time. Despite this, they allowed with full knowledge that “(...) the server (...) with the database used by the d. system (...)” was located on a server operated by E. software, which has numerous security vulnerabilities, where one of these vulnerabilities was successfully exploited by undetermined perpetrators to carry out a successful attack on November 25, 2019 and fully encrypt the said database containing personal data.

Meanwhile, both the Administrator and the associates of Y s.c. acting on his behalf and in his name should have demonstrated the implementation of technical measures to ensure the security of the personal data processed in the d. system, which, as shown, did not occur. Thus, the findings made in the course of these proceedings give rise to a reasonable thesis that, by refraining from implementing appropriate technical and organizational measures to ensure that the processing is carried out in accordance with Regulation 2016/679 and to give the processing the necessary safeguards, the Administrator did not adequately mitigate the inherent risks of the personal data processing processes. The partners of Y s.c., on the other hand, despite their knowledge regarding the outdated and hence vulnerable (which eventually materialized) “(...)” server software used in the data processing processes, did nothing to counteract the said state of affairs. This constitutes their failure to comply with the requirements under Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679, understood as an obligation to support the controller in its efforts to implement technical and organizational security measures for the personal data processing processes that are adequate to the existing risks. At the same time, the above reasoning does not diminish, in view of the proven omissions on the part of the Processor, the necessity to impute to the Controller a violation of the provision of Article 28(1) of Regulation 2016/679, since, as shown earlier, it did not monitor the associates of Y s.c., in terms of whether these persons provide sufficient guarantees for the implementation of adequate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. 

V. Violation of Article 34(2) of Regulation 2016/679.
Notwithstanding the findings so far, it should be pointed out that in the course of the present administrative proceedings, the President of the DPA also found deficiencies on the part of the Controller in notifying its former as well as current employees of the fact that the protection of their personal data had been violated. Indeed, according to the wording of Article 34(1) of Regulation 2016/679, if a personal data breach is likely to result in a high risk of infringement of the rights or freedoms of natural persons, the controller shall notify the data subject of such breach without undue delay. Paragraph 2, in turn, contains a closed catalog of elements that the controller should include in the notification to data subjects if it wants, in accordance with the principle of accountability (Article 5(2) of Regulation 2016/679), to demonstrate the correctness of its obligation to inform data subjects. Thus, the notification referred to in paragraph 1 of the aforementioned article shall, in clear and simple language, describe the nature of the personal data protection breach and contain, at a minimum, the information and measures referred to in Article 33 (3) lit. (b), (c) and (d) of Regulation 2016/679, that is, those relating to the name and contact details of the data protection officer or the designation of another point of contact from whom more information can be obtained; a description of the possible consequences of the personal data protection breach; and a description of the measures applied or proposed by the controller to remedy the data protection breach, including, where appropriate, measures to minimize its possible adverse effects.

In this regard, referring to the issue of the Administrator's broadly subjecting to processing personal data relating to its former and current employees, among which, based on the explanations provided by the Administrator in its letter of April 10, 2020, are such categories as: “(...) first name(s), last name, parents' first names, date of birth, bank account number, address of residence or domicile, PESEL, email, series and number of identity card, telephone number”, consequently, it is impossible to pass by the failure on the part of the Administrator to carry out the notification of data subjects, taking into account all the elements indicated in Article 34(2) of Regulation 2016/679. As if in reference to the argumentation raised so far, it should be pointed out that the “risk-based approach” adopted on the grounds of the aforementioned legal act also creates obligations on the part of controllers related to personal data protection violations.

Therefore, it follows from the analysis of the aforementioned legislation that, depending on what level of risk of violation of the rights or freedoms of natural persons the controller is dealing with, its obligations towards the supervisory authority, as well as towards the data subjects, are shaped differently. If, as a result of the analysis, the controller has determined that the likelihood of a risk of violation of the rights or freedoms of individuals is low, it is not obliged to report the violation to the President of the DPA. He only has to enter the indicated violation in the internal record of violations. If a risk of violation of the rights or freedoms of individuals is identified, it is the controller's obligation to report the data protection violation to the President of the DPA, as well as make an entry in the internal record of violations. The occurrence of a high risk of violation of the rights or freedoms of individuals, in addition to an entry in the record of violations, requires the controller to take appropriate actions, both towards the supervisory authority (notification of a data protection breach), but also towards the data subjects. Indeed, in the case of data protection breaches that are likely to result in a high risk of infringement of the rights or freedoms of the data subject, Regulation 2016/679 introduces an additional obligation for the controller to notify the data subject immediately, unless the controller has taken either preventive measures before the breach occurred or remedial measures after the breach occurred (Article 34(3) of Regulation 2016/679).

Adopting this very perspective, the President of the DPA, having analyzed both the content of the notice originally provided by the Administrator on January 10, 2020 to data subjects, and the nature of the breach that occurred, its duration, the category of data and the categories of persons affected by the breach, and the remedial measures taken, asked the Administrator on March 13, 2020 to promptly, again and correctly notify data subjects of the breach of their personal data, and to take measures to eliminate similar irregularities in the future. Pursuant to the provisions of Article 52(1) and (3) of the PDPA and Article 34(4) of Regulation 2016/679, he also obliged him to provide, within 30 days from the date of receipt of that request, information on the actions taken, and in particular those related to providing data subjects with a description of the possible consequences of the personal data breach and a description of the measures applied or proposed by the Controller to remedy the breach - including, where applicable, measures to minimize its possible negative effects. The President of the DPA then weighed in that there were insufficient grounds for the assumption formulated by the Administrator, according to which “the purpose of encrypting the data was not to steal it.” Considering the information provided by the Administrator in its letter of March 5, 2020, that the Administrator “(...) does not have data that unequivocally excludes the possibility of data retrieval by unauthorized third parties during a break-in,” the President of the DPA, guided by far-reaching caution, therefore considered it legitimate to conclude that, with a very high degree of probability, the confidentiality of the personal data processed by the Administrator could also have been breached in the case in question.
Undoubtedly, the Administrator's failure in the explanations it has submitted so far to provide details of the investigation conducted and its results, including in particular the lack of sufficient evidence to make adequate findings to actually determine the modus operandi of the malware, confirmed the supervisory authority in this conviction. At the same time, it should be pointed out that a comprehensive analysis of the content of the documentation submitted by the Administrator in the present case shows that, to date, he has not submitted convincing evidence in support of the claims he makes. Consequently, the position of the President of the DPA, expressed on March 13, 2020, regarding the reasonable suspicion that the confidentiality of the datasets processed by the Administrator may have been violated as a result of the November 25, 2019 ransomware attack, remains valid.

Therefore, in light of the cited argument, it is impossible to conclude that the Administrator, by providing on March 21, 2020 to former and current employees (i.e., a total of “(...) approximately 200 (...)” persons) the “Data Breach Notification” did so taking into account all the elements required by the regulation contained in Article 34 (2) of Regulation 2016/679, as it was obliged to do when identifying the high risk of the personal data protection breach that occurred on November 25, 2019 (the authority is led to make such a conclusion by the Administrator's issuance on March 21, 2020 to the data subjects of a renewed notification of a breach of the protection of their personal data), in accordance with Art. 34(1) of Regulation 2016/679. Without being able to exclude beyond any doubt that the confidentiality of a wide range of data in the aforementioned shape of the aforementioned categories of persons was not breached in the case in question, the Administrator should have therefore, taking the perspective of protecting the interests of data subjects and exercising far-reaching caution, provided them with all the information required by law. Meanwhile, an analysis of the content of the notice sent on March 21, 2020 to data subjects shows that, although the Administrator indicated to former as well as current employees certain possible consequences of the breach and the remedies they can take to minimize the negative consequences of the data protection breach in question, which are listed on page 7 of the justification of this decision, in the opinion of the supervisory authority these measures remain inadequate in relation to the risk that occurred in connection with the breach in question. This is because, by failing to address all disclosed categories of data, in particular those whose unauthorized disclosure entails a high risk of infringement of the rights or freedoms of individuals, i.e. the data set comprising the PESEL no. and first and last name, they do not sufficiently minimize its negative consequences.

Besides, regardless of the Administrator's assessment of the risk of infringement of the rights or freedoms of individuals, the above argumentation is strengthened after taking into account that the data breach in question may have resulted in a breach of the confidentiality of the PESEL number, which is an 11-digit numerical symbol that allows not only for the unambiguous identification of individuals, but also contains the date of birth and the gender designation of these individuals, i.e. information closely related to the sphere of their privacy. In addition, it should also be taken into account that as a result of the occurrence of a breach of personal data protection - with a high degree of probability - the confidentiality of this registration number, along with the names of former and current employees of the Administrator, could have been lost to the benefit of undetermined perpetrators of an attack on its IT infrastructure, and after all, this combination of personal data alone is sometimes enough to “impersonate” the person to whom the data relates and incur on his behalf and to his detriment, for example, monetary obligations (vide: https://www.bik.pl/poradnik-bik/wyludzenie-kredytu-tak-dzialaja-oszusci - where a case is described in which: “Just a first name, last name and PESEL number were enough for the scammers to extort more than a dozen loans totaling tens of thousands of zlotys. Nothing else matched: neither the ID number nor the address of residence”, accessed 2.9.2024.). It should not be overlooked that the data protection violation in question involved an even broader catalog of personal data of former and current employees of the Administrator, covering - according to its declaration - also such categories of data as: “(...) parents' names, date of birth, bank account number, address of residence or domicile, (...), email, series and number of identity card, telephone number,” which, combined with the criminal actions of those who potentially came into possession of the aforementioned information on the Administrator's staff members, only raises the potential seriousness of the risk of violation of the rights or freedoms of data subjects.

The issue of violations of the confidentiality of national identification numbers and the resulting obligations of controllers both to the supervisory authority and to data subjects was also addressed by the EROD in the “Guidelines 01/2021 on Examples of Data Protection Breach Notification, Version 2.0”, adopted on December 14, 2021 (hereinafter EROD Guidelines 01/2021). Discussing in the cited document a case of “sending highly confidential personal data by mistake by mail,” in which a social security number, incidentally the equivalent of the PESEL number used in Poland, was disclosed, the EROD found beyond any doubt that the disclosure of data regarding: first and last name, e-mail address, postal address and social security number, indicates a high risk of infringement of the rights or freedoms of individuals (“the involvement of their [the victims'] social security number, as well as other, more basic personal data, further increases the risk, which can be described as high”), thus implying the need to notify the supervisory authority and notify the data subjects of the breach. A similar position was also expressed several times by the WSA in Warsaw (vide: judgment of July 1, 2022, ref. no. II SA/Wa 4143/21, judgment of September 22, 2021, ref. no. II SA/Wa 791/21, judgment of November 15, 2022, ref. no. II SA/Wa 546/22, judgment of June 21, 2023, ref. no. II SA/Wa 150/23, and judgment of November 6, 2023, ref. no. II SA/Wa 996/23), as well as by the Supreme Administrative Court in its judgment of December 6, 2023, ref. no. III OSK 2931/21.

Thus, referring the above-quoted reasoning to the presented facts, it should be emphasized that in case of any doubts about the fulfillment of obligations by controllers - including in a situation where there has been a violation of personal data protection - one should first of all, referring to the purposive interpretation of Regulation 2016/679, take into account the rule expressed in Article 1(2) of this legal act, according to which the primary purpose of the norms contained therein always remains the protection of fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. Thus, in an attempt to comply with the above postulate, the Administrator should have analyzed, following the occurrence of the personal data protection violation in question, the risks that the fact of its occurrence poses to the legally protected values concerning these individuals. He was therefore obliged to take into account, following the Article 29 Working Party Guidelines “on the notification of personal data protection breaches in accordance with Regulation 2016/679,” hereinafter referred to as the “WP250 Guidelines” (the EROD Guidelines 9/2022 “on the notification of personal data protection breaches in accordance with the RODO,” hereinafter referred to as the “9/2022 Guidelines”, are currently in use), the following criteria: the type of personal data protection breach; the nature, sensitivity and amount of personal data; the ease of identification of natural persons; the severity of the consequences for data subjects due to the breach; the number of data subjects affected by the breach in question; and the specific circumstances of the personal data protection breach, including, in accordance with recitals 75 and 76 of the preamble to Regulation 2016/679, the severity of the potential consequences and the likelihood of their occurrence. This is because a high level of any of these factors affects the overall assessment on which compliance with the obligations set forth in Articles 33(1) and 34(1) of Regulation 2016/679 depends.

Bearing in mind that due to the scope of the potentially disclosed personal data in the case under review, there was, as shown above, the possibility of momentous negative consequences materializing with respect to former and current employees of the Administrator, the severity of the potential impact on the rights or freedoms of an individual must be considered high. At the same time, the probability of a high risk following the violation in question is not low and has not been eliminated. Thus, it must be concluded that a high risk of infringement of the rights or freedoms of data subjects has occurred as a result of the breach in question, which consequently determines, among other things, the obligation to notify former and current employees of the Controller of the breach of the protection of their personal data, pursuant to Article 34(1) of Regulation 2016/679, taking into account all the elements indicated in Article 34(2) of Regulation 2016/679 (the premise of high risk does not exist in the case of “(...) customers who have made a purchase at least once (...)” at the Administrator's enterprise due to the scope of information concerning these persons, i.e. name, surname, bank account number, residential address, business address, TIN, e-mail, telephone number, data on orders placed).

Thus, as an exemplification of the state of affairs opposite to that advocated by the EU legislator, it is necessary to point to the content of the notice of a breach of protection of their personal data provided by the Administrator to data subjects on March 21, 2020, in which the Administrator did not list all the foreseeable consequences of the personal data breach that occurred, and did not formulate corresponding recommendations based on them regarding the actions that data subjects can take to fully secure their privacy sphere, thus depriving them of the opportunity to effectively counteract the potential damage. The above constitutes a violation by the Controller of the provision of Article 34(2) of Regulation 2016/679, which, after all, is intended not only to ensure the most effective protection of the fundamental rights or freedoms of data subjects, but also to implement the principle of transparency, which follows from Article 5(1)(a) of Regulation 2016/679 (cf. Chomiczewski Witold (in:) RODO. General Data Protection Regulation. Commentary. ed. by E. Bielak - Jomaa, D. Lubasz, Warsaw 2018).

The proper fulfillment of the obligation set forth in Article 34 of Regulation 2016/679 is to ensure that data subjects are promptly and transparently informed of a breach of the protection of their personal data, together with a description of the possible consequences of the personal data breach and the measures they can take to minimize its possible negative effects, which - taking into account both the scope of the categories of personal data covered by the personal data breach in question and the context of the processing in which it occurred - may prove to be fraught with consequences, e.g. financial liabilities incurred to the detriment of former and current employees of the Administrator. A telling example of the materialization of the aforementioned risk is contained in the infoDOK report (vide: https://www.zbp.pl/raporty-i-publikacje/raporty-cykliczne/raport-infodok), prepared as part of the public information campaign of the RESTRICTED DOCUMENTS system, organized by the Polish Bank Association and some banks, under the auspices of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation. It shows that in the fourth quarter of 2019, i.e., at the time of the personal data protection breach in question, 1,607 attempts to defraud loans and credits for a total of PLN 58.4 million were recorded, which means that each day there were 18 attempts to steal using someone else's personal data for a total of PLN 642 thousand. In view of the demonstrated negligence on the part of the Administrator in providing the data subjects with an incomplete message regarding all the potential consequences of the personal data breach in question and recommendations to minimize the likelihood of their materialization, this is undoubtedly of considerable importance. In comparison, in the fourth quarter of 2020, 1,943 attempts to defraud loans were recorded, with a total amount of PLN 67.3 million, while in the fourth quarter of 2021, 2,075 attempts to defraud loans were recorded, with a total amount of PLN 91.3 million, which clearly illustrates the alarming upward trend in the risk of using other people's personal data for criminal acts. Moreover, according to case law, judgments in cases of loan fraud are not uncommon and have been issued by Polish courts in similar cases for a long time - for confirmation: the judgment of the District Court in Łęczyca of July 27, 2016 (ref. I C 566/15), the judgment of the District Court for Łódź-Widzew in Łódź of August 13, 2020 (ref. II C 1145/19), the judgment of the District Court in Pisz of August 21, 2020 (ref. I C 260/20), or the judgment of the District Court in Puławy of April 7, 2022 (ref. I C 475/19).

It should therefore be emphasized that, acting in accordance with the law and demonstrating concern for the interests of data subjects, the Controller should have ensured, without further delay, that data subjects were able to protect their personal data in the best possible way. In turn, in order to achieve this goal, it was necessary to at least indicate the information listed in Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, an obligation that the Controller failed to comply with, and this despite the request addressed to him in this regard on March 13, 2020 by the President of the DPA.

Thus, on the basis of the evidence gathered in the case, and in light of the above-mentioned reasoning, the allegation that the Administrator violated its obligation under Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, due to its failure to properly notify former and current employees of a breach in the protection of their personal data, should not raise any doubts. The analysis of the facts presented also revealed that the Controller has made no further attempts to date to provide its former as well as current employees with a complete communication, i.e. one including all the elements listed in Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679, despite the fact that, after reading the letter addressed to him on March 13, 2020 by the President of the DPA, he should have already been aware of the rules governing the notification of data subjects of a breach of the protection of their personal data.

VI. Administrative monetary penalty.
In view of the above findings, the President of the Office for Personal Data Protection, exercising his authority set forth in Article 58(2)(i) of Regulation 2016/679, taking into account the circumstances established in the proceedings in question, concluded that in the case under consideration there were prerequisites justifying the imposition of administrative fines on the Controller and the Processor.

Pursuant to Article 83(4)(a) of Regulation 2016/679, violations of the provisions relating to the obligations of the Controller and the Processor referred to in Articles 8, 11, 25 - 39, and 42 and 43 shall be subject, in accordance with paragraph 2, to an administrative fine of up to EUR 10,000,000, or, in the case of an enterprise, up to 2% of its total annual worldwide turnover from the previous fiscal year, with the higher amount applying.

Pursuant to Article 83(5)(a) of Regulation 2016/679, violations of the provisions on the basic principles of processing, including the conditions of consent referred to in Articles 5, 6, 7 and 9, are subject to an administrative fine of up to EUR 20,000,000, and in the case of a company, up to 4% of its total annual worldwide turnover from the previous fiscal year, with the higher amount applying, according to paragraph 2.

Article 83(3) of Regulation 2016/679, on the other hand, stipulates that if a controller or processor intentionally or unintentionally violates several provisions of this Regulation in the same or related processing operations, the total amount of the administrative monetary penalty shall not exceed the amount of the penalty for the most serious violation.

In the present case, the administrative monetary penalty against Mr. AB, doing business under the name X, ul. (...), was imposed for violation of Articles 25(1), 28(1), 32(1) and (2), and 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679 on the basis of Article 83(4)(a) of Regulation 2016/679 cited above, and for violation of Article 5(1)(f) and Article 5(2) of Regulation 2016/679 - on the basis of Article 83(5)(a) of that Regulation.

The administrative fine imposed on Mr. EF and Mr. GH, partners of Y s.c., Al. (...), and Ms. CD, former partner of Y s.c., all jointly and severally liable, for violation of Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679, finds its basis in Article 83(4)(a) of the Regulation.

In addition, it should be pointed out that in accordance with the wording of Article 58 (2) (d) of Regulation 2016/679, each supervisory authority shall have the remedial power of ordering the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, and, where applicable, to indicate the manner and time limit.

I. Rationale affecting the imposition of an administrative fine against the Administrator (Article 83(2) in fine of Regulation 2016/679).
In deciding to impose an administrative monetary penalty on Mr. AB, doing business under the name X, ul. (...), the President of the DPA - pursuant to the wording of Article 83(2)(a-k) of Regulation 2016/679 - took into account the following circumstances of the case, affecting aggravating factors and influencing the size of the imposed administrative monetary penalty:

1. The nature, gravity and duration of the violation, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679).
When imposing the administrative fine, account was taken of the fact that the violation of the provisions of Regulation 2016/679 which impose obligations on the Administrator to apply appropriate technical and organizational measures to ensure the security of personal data processed in connection with its nationwide business activities, the form of which is cited on p. 3 of the statement of reasons for this decision, affected at least the availability of the “(...) database[s] of customers who have made a purchase at least once (...)”, as well as data on both former and current employees of the Administrator “(...) in the number of approximately 200 (...)” persons. In turn, the logical consequence of the deficiencies of the Administrator identified in the course of this investigation in the aspect of its compliance with the provisions of Articles 24(1), 25(1), 32(1) and 32(2) of Regulation 2016/679 was the personal data protection breach that arose on November 25, 2019, consisting of unauthorized access by undetermined perpetrators to the Administrator's IT infrastructure and encryption of the following categories of personal data of its former as well as current employees: “(...) first name(s), last name, parents' first names, date of birth, bank account number, residence or domicile address, PESEL, email, ID card series and number, telephone number.” Thus, the violations of the aforementioned provisions of Regulation 2016/679, as demonstrated to the Administrator, should be attributed considerable gravity and seriousness, since the resulting event may lead to property or non-property damage to the categories of persons whose data were violated in the aforementioned scope, and the probability of their occurrence still remains high. Indeed, it should be emphasized that the evidence gathered in the present case does not show indications that would make it likely that the Administrator made appropriate arrangements to actually identify the mode of operation of the malware. Consequently, in view of the Administrator's failure to provide details of the investigation conducted and its results, including, in particular, the lack of sufficient evidence of the steps taken by the Administrator to actually identify the mode of operation of the malware, it is impossible to unequivocally recognize the veracity of the assumption made by the Administrator, according to which “(...) the purpose of encrypting the data was not to steal it (...)”. On the contrary: in light of the cited facts, it is impossible to reject the scenario in which the confidentiality of the above-mentioned category of personal data may nevertheless have been breached in the case in question, creating a high risk of materialization of negative consequences for the rights or freedoms of former as well as current employees of X, ul. (...), which risk, significantly, was identified by the Administrator himself when informing these individuals on March 21, 2020 of the potential consequences of the data protection breach in question, quoting: “(...) The data affected by the breach may be used for such purposes as an attempt to defraud others of your data, or an attempt to enter into a contract with you (for example, an online sale) using the data, to execute a hacking attack by sending a notification to your email or phone number. There is also a chance that you will receive commercial, marketing information to which you have not given your consent.”

Leaving aside even the consideration of real pecuniary damage, which may be - taking into account the set of categories of personal data and the context of processing - the consequence of a breach of confidentiality of personal data (and their further access to unauthorized entities, which, after all, cannot be excluded in the case at hand either), it should be pointed out that the very breach of availability of personal data constitutes a non-pecuniary damage (harm). This is because the data subject may, at the very least, feel the fear associated with the loss of control over his or her personal data, which inconvenience is a direct result of the nature of the violation of the attribute of availability of such data, the psychological suffering associated with the uncertainty of further possible consequences of this violation, such as identity theft, identity fraud, or, finally, financial loss, not to mention, and as rightly noted by the District Court in Warsaw in its judgment of August 6, 2020, ref. no. XXV C 2596/19, fear, and therefore loss of a sense of security, constitutes a real non-pecuniary damage involving an obligation to compensate for it. In turn, the Court of Justice of the EU, in its ruling of December 14, 2023 w/s Natsionalna agentsia za prihodite (C-340/21), stressed that “Article 82(1) of the RODO must be interpreted to mean that the fear of possible misuse of personal data by third parties by the data subject following a breach of that regulation may itself constitute ‘non-pecuniary damage’ within the meaning of that provision.”

Particular emphasis should be placed on the long duration of the violation of the regulations of interest to the President of the DPA within the framework of the authority's investigation. Indeed, it should be pointed out that the state of violation of the provisions of Article 5(1)(f), Article 5(2), Article 25(1), Article 32(1) and (2) of Regulation 2016/679, manifested by: the failure to select effective technical measures to ensure the degree of security corresponding to the risk of personal data processing, in particular by using an outdated server with B. software; the failure to regularly test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of personal data processed in the controller's IT system, and thus inadequate consideration of the risks associated with the processing of personal data in the system; the inadequate selection and failure to monitor organizational measures, allowing employees to modify the operation of the A. antivirus software; or, finally, the failure to implement appropriate organizational measures in the form of ensuring sufficient accountability in terms of the training provided to employees, which together constitute the basic premise for the occurrence of the personal data protection violation in question, began on May 25, 2018, i.e. on the date of application of Regulation 2016/679, and is - in the absence of evidence that the Administrator conducted a risk analysis to identify and assess the appropriate level of risk associated with the processing of personal data - continuing to this day. A similar view should be adopted with respect to the persistent violation of the provision of Article 28(1) of the Regulation from May 24, 2018, i.e. from the moment the Administrator signed an agreement for the entrustment of personal data processing with the Processor, until today, since, as the Administrator admitted in a letter dated July 7, 2023, it “(...) has not terminated the contract with Y for it continues to cooperate with this entity to a certain extent.”

2. Unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679).
Unauthorized access to the Administrator's IT infrastructure, including personal data processed in the d. system, became possible as a result of the negligent omissions on the part of the Administrator, evidencing its gross negligence, manifested both by its failure to perform any risk analysis for the personal data processing processes it designed even before starting them, and by its failure to conduct periodic evaluations in this regard after commencing personal data processing operations based on regular testing, measuring and evaluating the technical and organizational security measures implemented in its organization for personal data processing processes, and this despite its knowledge of the updates offered by the software manufacturer. As a logical consequence of the gross negligence on the part of the Administrator, it was established that he implemented such technical and organizational measures to ensure the security of personal data processing processes in his organization which, already at the design stage, could not constitute an adequate response to the inherent risks associated with the personal data processing processes implemented in his structure. Moreover, by refraining from basing the security architecture designed in his organization on a previously performed risk analysis, the Administrator was a priori deprived, as has been shown, of an effective tool for assessing whether the technical and organizational security measures implemented by him were sufficient, while the lack of periodic checks of the tools in his possession and their assessment in terms of risk further compounded this state of ignorance. A contrario, the Administrator, knowing the nature of the personal data processing processes taking place in his organization, should show awareness of the specifics of the operation of IT systems and the impact that the “human factor” has on their functioning. Despite the use of such systems to process personal data, the Administrator not only failed to conduct a risk analysis in the area of the personal data protection breach, but in designing and implementing changes aimed at mitigating the risk of recurrence of the personal data protection breach, he once again neglected to conduct an appropriate risk evaluation. Thus, his actions should again be attributed to a lack of awareness of potential threats to the personal data processing processes implemented in his structure, and the technical and organizational processing security measures implemented by the Administrator cannot be considered adequate in relation to the objectively existing risks. From this point of view, no accusation can be formulated against the Administrator other than that of “gross negligence”, understood as failure to observe, in a specific state of facts, at least the elementary principles of behavior in a given situation, in other words, acting or omitting to act in a manner that does not meet the basic standards of Article 5(1)(f) of Regulation 2016/679, the principle of integrity and confidentiality, which consequently supports, in the opinion of the authority, the intentional nature of the violation of Articles 25(1), 28(1), 32(1) and (2), which the Administrator has not remedied to date.

3. Actions taken to minimize harm to data subjects (Article 83(2)(c) of Regulation 2016/679).
In the present case, the Administrator's action of recovering the availability of the encrypted data after 4 days cannot be considered as one that would actually promote the minimization of damage of a pecuniary or non-pecuniary nature to the data subjects. Indeed, it should be pointed out that the primary purpose of this action was to restore the possibility of operation of the Administrator's business, and not consideration of the rights or interests of the persons affected by the violation in question. Such an assessment by the authority, moreover, stems from the assumption made by the Administrator, but not supported by any facts, according to which “(...) the purpose of encrypting the data was not to steal it.” Meanwhile, the actual purpose of the perpetrators remains unknown, while the modus operandi presented by them allows a conclusion contrary to the reasoning of the Administrator, who downplayed ill will as a motive for criminal action. Consequently, the actions taken by the Administrator do not in any way meet the postulate of minimizing damage of a material and immaterial nature to the data subjects. Instead, the fulfillment of this obligation would be an initiative - feasible for the Administrator - related, in particular, to an apology or monetary compensation to the data subjects. Clearly, therefore, the focus of its activities only on attempts to regain access to the database, which, importantly, does not prejudge the proper protection of the data from further consequences of the violation, such as being downloaded by further unauthorized entities, does not fit into this context. In light of the above circumstances, it becomes all the more difficult to look for a rational justification for the approach adopted by the Controller to refrain from providing data subjects with a correct description of the possible consequences of a personal data protection breach and a description of the measures applied or proposed by it to remedy the personal data protection breach, including, where appropriate, measures to minimize its possible negative effects, which constitutes a failure by it to comply with the obligation set forth in Article 34(2) in conjunction with Article 33(3)(c) and (d) of Regulation 2016/679.

4. The degree of cooperation with the supervisory authority to remedy the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).
The deficiencies demonstrated in the course of these proceedings and on the part of the Administrator are part of the context of its flagrant - due to its persistence - lack of cooperation with the supervisory authority, resulting in the failure to remedy to date the state of violation of Articles 24(1), 25(1), 32(1) and (2), and 34(2) in connection with Article 33(3)(c) and (d) of Regulation 2016/679, despite the formal initiation of administrative proceedings by the President of the DPA in this case.

5. Categories of personal data affected (Article 83(2)(g) of Regulation 2016/679).
The personal data processed in the d. system did not belong to the special categories of personal data referred to in Article 9(1) of Regulation 2016/679; however, its broad scope, including such categories of data of individuals as PESEL number, ID card series and number, first and last names, parents' first names, date of birth, bank account number, address of residence or stay, email address, and telephone number, entails a high risk of violation of the rights or freedoms of individuals affected by the breach in question. It should be emphasized that the unauthorized disclosure of such a category of data of a special nature as the PESEL number, which is an eleven-digit numeric symbol uniquely identifying an individual, including date of birth, sequence number, gender designation and check digit, remaining closely linked to the sphere of privacy of the individual and also subject, as a national identification number, to exceptional protection under Article 87 of Regulation 2016/679, particularly when combined - as it was in the case at hand - with a broader set of personal data, can realistically and negatively affect the protection of individuals' rights or freedoms. Moreover, the special nature of identifying information such as the PESEL number, and the related demand for its special protection, was viewed no differently by the Provincial Administrative Court in Warsaw, which stated in its judgment of July 1, 2022, that “in the case of violation of such data as first name, last name and PESEL number, it is indeed possible to steal or falsify identity resulting in negative consequences for data subjects.” Significantly, a similar view was expressed by the Supreme Administrative Court, which, in its judgment of December 6, 2023 (ref. no. III OSK 2931/21), ruled that the disclosure of “(...) data on, among other things, first and last names, as well as PESEL numbers of individuals, i.e. relatively permanent, unchangeable data (...) may always give rise to a risk of negative consequences for the above-mentioned persons.”

As pointed out in the EROD Guidelines 04/2022 on the calculation of administrative fines under the RODO (p. 22; version 2.1; adopted May 24, 2023), hereinafter Guidelines 04/2022, “As for the requirement to take into account the categories of personal data affected by the violation (Article 83(2)(g) of the RODO), the RODO clearly identifies the types of data that are subject to special protection and thus a more stringent response when imposing fines. At a minimum, this applies to the types of data covered by Articles 9 and 10 of the RODO, as well as data not covered by those articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g., location data, private communication data, national identification numbers, or financial data such as transaction statements or credit card numbers). Generally speaking, the greater the number of such categories of data affected by the breach or the more sensitive the data, the more weight the supervisory authority can assign to this factor.”

In determining the amount of the administrative fine for the Administrator, the President of the DPA found no basis for taking into account mitigating circumstances affecting the final penalty. In the opinion of the supervisory authority, all prerequisites listed in Article 83 (2) (a) - (j) of Regulation 2016/679 are either aggravating or merely neutral. Also, applying the premise listed in Article 83(2)(k) of Regulation 2016/679 (ordering consideration of any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found, only neutral ones (as noted below in paragraph 7).

The following further circumstances referred to in Article 83(2) of Regulation 2016/679, after an assessment of their impact on the violation found in the present case, were considered by the President of the DPA to be neutral, that is, to have neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed.

1. The degree of responsibility of the controller, taking into account the technical and organizational measures it has implemented under Articles 25 and 32 (Article 83(2)(d) of Regulation 2016/679).
As the EDPB pointed out in Guidelines 04/2022, when considering this criterion, “the supervisory authority must answer the question of the extent to which the controller has ‘done everything that could be expected’ given the nature, purposes or scope of the processing and in light of the obligations imposed on it by the regulation.”

In the present case, the supervisory authority found that the Administrator had violated the provisions of Article 25(1) and Article 32(1) and (2) of Regulation 2016/679. In the opinion of the President of the DPA, the Administrator bears a high degree of responsibility for failing to implement appropriate technical and organizational measures that could have prevented a personal data protection breach. It is clear that in the considered context of the nature, purpose and scope of the processing of personal data, the Controller has not done everything that could be expected, thus failing to comply with the obligations imposed on him under Articles 25 and 32 of Regulation 2016/679.

In this case, however, this circumstance constitutes the essence of the violation itself and is not merely a factor affecting - either aggravating or mitigating - its assessment. For this reason, the lack of appropriate technical and organizational measures, as referred to in Articles 25 and 32 of Regulation 2016/679, cannot be considered in the present case as a circumstance that may further affect the assessment of the violation and the size of the administrative fine imposed on the Administrator.

2. Any relevant prior violations by the Administrator (Article 83(2)(e) of Regulation 2016/679).
The President of the DPA has not found any previous violations of data protection regulations on the part of the Administrator, and therefore there is no basis for treating this circumstance as aggravating. It is the duty of every Administrator to comply with the law, and therefore the lack of previous violations cannot be a mitigating circumstance when imposing sanctions either.

3. How the supervisory authority learned of the violation, in particular whether and to what extent the controller reported the violation (Article 83(2)(h) of Regulation 2016/679).
The President of the DPA learned of the Controller's violation of data protection regulations as a result of the Controller's own notification of a personal data breach. By making the notification, the Administrator was fulfilling its legal obligation, so there are no grounds to treat this fact as a mitigating circumstance. The EDPB points out in Guidelines 04/2022 that “the manner in which the supervisory authority became aware of the breach may constitute either a significant aggravating or mitigating circumstance. In assessing this aspect, particular weight may be given to whether the controller or processor notified the supervisory authority of the breach on its own initiative and, if so, to what extent, before the supervisory authority was informed of the breach through - for example - a complaint or proceeding. This circumstance is not relevant when the controller is subject to specific breach notification obligations (such as the data breach notification obligation set forth in Article 33 of the GDPR). In such cases, the fact of reporting should be considered a neutral circumstance.”

4. Where measures referred to in Article 58(2) have previously been ordered against the controller concerned with regard to the same subject matter, compliance with those measures (Article 83(2)(i) of Regulation 2016/679).
Prior to the issuance of this decision, the President of the DPA did not apply any of the measures listed in Article 58(2) of Regulation 2016/679 to the Administrator in the case at hand, and therefore the Administrator was not required to take any actions related to their application, which, subject to the assessment of the supervisory authority, could have an aggravating or mitigating effect on the assessment of the identified violation.

5. Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42 (Article 83(2)(j) of Regulation 2016/679).
The Administrator does not apply approved codes of conduct or approved certification mechanisms as referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application are, as Regulation 2016/679 makes clear, not mandatory for controllers, and therefore their non-application cannot be held against the Administrator in the present case. On the other hand, the adoption and application of such instruments, as measures that guarantee a higher than standard level of protection for the processing of personal data, could be taken into account in its favor.

6. Financial benefits gained, or losses avoided, directly or indirectly from the violation (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA has not established that the Administrator gained any financial benefit or avoided any loss in connection with the violation. Therefore, there is no basis for treating this circumstance as aggravating for the Administrator. A finding that tangible financial benefits had resulted from the violation of Regulation 2016/679 would have to be viewed in a strongly negative light. Conversely, the Administrator's failure to obtain such benefits, as the natural state of affairs independent of the violation and its consequences, is a circumstance that by its very nature cannot be mitigating for the Administrator. This interpretation is confirmed by the very wording of Article 83(2)(k) of Regulation 2016/679, which directs the supervisory authority to pay due attention to benefits “gained”, i.e. those actually accruing to the violator.

7. Any other aggravating or mitigating factors applicable to the circumstances of the case (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA, while comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the administrative monetary penalty imposed.

Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection found that the imposition of an administrative fine on the Administrator is necessary and justified by the gravity, nature and scope of the violations of Regulation 2016/679 attributed to it. It should be noted that applying to the Administrator any other remedy provided for in Article 58(2) of Regulation 2016/679, in particular limiting the response to a reprimand (Article 58(2)(b) of Regulation 2016/679), would not be proportionate to the irregularities found in the processing of personal data and would not guarantee that the Administrator will not commit similar negligence in the future.

II. The method of calculating the fine imposed on the Administrator on the basis of Guidelines 04/2022 on the calculation of administrative fines under the GDPR.

It is necessary to point out that in determining the amount of the administrative monetary penalty against the Administrator in the present case, the President of the DPA applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022. In accordance with the guidelines set forth therein:

1. The President of the DPA categorized the violations of Regulation 2016/679 found in the present case (vide Chapter 4.1 of Guidelines 04/2022). The violations of Article 5(1)(f) and Article 5(2) of Regulation 2016/679 found in the present case fall, in accordance with Article 83(5) of Regulation 2016/679, into the category of violations subject to the higher of the two fine tiers provided for in Regulation 2016/679 (up to EUR 20,000,000 or up to 4% of the undertaking's total annual turnover of the preceding financial year, whichever is higher). Thus, they were in abstracto (in isolation from the individual circumstances of a particular case) considered by the EU legislator to be more serious than the violations listed in Article 83(4) of Regulation 2016/679.

2. The President of the DPA assessed the violations found in the present case as violations of medium seriousness (vide Chapter 4.2 of Guidelines 04/2022). This assessment took into account those criteria among those listed in Article 83(2) of Regulation 2016/679 that relate to the objective side of the violations (and thus make up the “seriousness” of the violation), namely: the nature, gravity and duration of the violations (Article 83(2)(a) of Regulation 2016/679), the unintentional nature of the violations (Article 83(2)(b) of Regulation 2016/679), and the categories of personal data affected by the violations (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. At this point it should be noted that consideration of their combined impact on the assessment of the violations found in the present case, taken as a whole, leads to the conclusion that their level of seriousness in concreto is also medium (on the scale of seriousness of violations presented in paragraph 60 of Guidelines 04/2022). The consequence of this, in turn, is the adoption, as the starting amount for the calculation of the fine, of a value within the range of 10 to 20% of the maximum fine that may be imposed on the Administrator. Given that Article 83(5) of Regulation 2016/679 obliges the President of the DPA to adopt as the maximum fine for the violations indicated in that provision the amount of EUR 20,000,000 or, if higher, the amount representing 4% of the undertaking's turnover for the preceding financial year, the President of the DPA found that the so-called static maximum fine of EUR 20,000,000 applies in the present case, as it is higher than the amount resulting from applying the 4% ratio to the Administrator's turnover for 2023, which amounted to EUR (...). With a range of EUR 2,000,000 to EUR 4,000,000 available, the President of the DPA adopted, as adequate and justified by the circumstances of the case, a starting amount for calculating the fine of EUR (...) (representing (...)% of the static maximum fine).

3. Pursuant to the guidance of the European Data Protection Board in paragraph 65 of Guidelines 04/2022 (for undertakings with an annual turnover between EUR 10 and 50 million), the President of the DPA considered it reasonable to make use of the possibility of reducing the starting amount adopted on the basis of the seriousness assessment, which the Guidelines (in Chapter 4.3) provide for undertakings of smaller size and economic strength. In paragraph 65 of Guidelines 04/2022, the EDPB indicates that “(...) For companies with an annual turnover of between €10 million and €50 million, supervisory authorities may consider making calculations based on values in the range of 1.5 to 10% of the identified starting amount.” Consequently, the President of the DPA, taking into account the size of the Administrator's organization as measured by its turnover, considered it justified to adjust the starting amount of the administrative fine to (...)% of that amount, i.e. to EUR (...) (equivalent to PLN (...),-).

4. The President of the DPA assessed the impact on the identified violation of the other circumstances indicated in Article 83(2) of Regulation 2016/679 (in addition to those taken into account above in the assessment of the seriousness of the violation) (vide Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the violation, relate, as Guidelines 04/2022 assume, to the subjective side of the violation, that is, to the violator itself and its conduct before, during and after the violation. A detailed assessment and justification of the impact of each of these criteria on the assessment of the violation are presented above. The President of the DPA considered (as justified in the above part of the reasoning of this decision) that the aggravating circumstances in the present case, which therefore further increase the amount of the fine imposed by this decision, are the actions taken by the Administrator to mitigate the damage suffered by the data subjects (Article 83(2)(c) of Regulation 2016/679) and the degree of cooperation between the Administrator and the President of the DPA to remedy the violation and mitigate its possible adverse effects (Article 83(2)(f) of Regulation 2016/679). The other criteria (Article 83(2)(d), (e), (h), (i), (j) and (k) of Regulation 2016/679) had, as indicated above, no impact, either mitigating or aggravating, on the assessment of the violation and consequently on the fine. Thus, due to the existence of additional aggravating circumstances in the case relating to the subjective side of the violations (the assessment of the Administrator's conduct before and after the violations), the President of the DPA considered it reasonable to increase the amount of the fine determined on the basis of the assessment of the seriousness of the violations (point 2 above) and the size and economic strength of the Administrator (point 3 above). In the opinion of the President of the DPA, an increase to PLN (...), equivalent to EUR (...), is adequate to the impact of these criteria on the assessment of the violations.

5. The President of the DPA found that the amount of the administrative fine determined in the manner presented above does not exceed, pursuant to Article 83(3) of Regulation 2016/679, the legally defined maximum fine provided for the most serious violation (vide Chapter 6 of Guidelines 04/2022). For the most serious violation, that is, the violation of Article 5(1)(f) and Article 5(2) of Regulation 2016/679, the legally specified maximum (static) fine is, as indicated in point 1 above, EUR 20,000,000. Thus, the fine indicated above, equivalent to EUR (...), clearly does not exceed the maximum fine provided for the most serious of the violations found.

6. Although the amount of the fine determined in accordance with the above rules does not exceed the legally defined maximum fine, the President of the DPA considered that it requires further adjustment on account of the principle of proportionality, listed in Article 83(1) of Regulation 2016/679 as one of the three directives for assessing a fine (vide Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of EUR (...) would be effective (by its severity it would achieve its repressive purpose, which is to punish unlawful behavior) and dissuasive (effectively discouraging both this particular Administrator and other controllers from committing future violations of Regulation 2016/679). However, in the opinion of the President of the DPA, such a fine would be disproportionate both in relation to the gravity of the violations found (which, although greater in abstracto, remains medium in concreto; vide points 1 and 2 above) and because of its excessive severity in relation to that gravity. The principle of proportionality requires, among other things, that the measures adopted by an administrative authority do not go beyond what is appropriate and necessary to achieve legitimate objectives (vide paragraphs 137 and 139 of Guidelines 04/2022). In other words, “A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of the particular case” (P. Litwinski (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 [...]; Commentary to Article 83 [in:] P. Litwinski (ed.), General Data Protection Regulation. Act on Personal Data Protection. Selected Sectoral Regulations. Commentary). Thus, taking the proportionality of the fine into account, the President of the DPA further reduced the amount of the fine, to EUR 81,000 (equivalent to PLN 353,589.00). In his opinion, setting the final amount of the fine at this level will not reduce its effectiveness and dissuasive character, because this amount is the threshold above which further increases in the fine would not bring an increase in its effectiveness and dissuasive character. On the other hand, reducing the fine further could come at the expense of its effectiveness and dissuasive character, as well as of the consistent understanding, application and enforcement of Regulation 2016/679 in line with other supervisory authorities and the EDPB, and of the principle of equal treatment of entities in the EU and EEA internal market.

III. Directives of effectiveness, proportionality and dissuasiveness of the sanction applied to the Administrator (Article 83(1) of Regulation 2016/679).

In the opinion of the President of the DPA, the administrative fine imposed on Mr. AB, doing business under the name X, (...) Street, fulfills, in the established circumstances of the case, the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.

The fine will be effective if its imposition leads to the Administrator's future compliance with its data protection obligations, in particular as regards: the implementation of appropriate technical and organizational measures to ensure the security of data processing in IT systems and the protection of the rights of data subjects, on the basis of a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons; the implementation of appropriate technical and organizational measures to ensure regular testing, measurement and evaluation of the effectiveness of the technical and organizational measures securing personal data processed in IT systems, in particular with regard to vulnerabilities, errors and their possible effects on those systems, and the measures taken to minimize the risk of their occurrence; and the implementation of appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident.

In the opinion of the President of the DPA, the administrative fine will fulfill a repressive function, as it will be a response to the Administrator's violation of Regulation 2016/679. It will also fulfill a preventive function, as, in the opinion of the President of the DPA, it will make clear to this particular Administrator, as well as to other controllers, the reprehensibility of disregarding their obligations related to: implementing appropriate technical and organizational measures to ensure the security of data processing in IT systems and the protection of the rights of data subjects, on the basis of a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk of violation of the rights or freedoms of natural persons; implementing appropriate technical and organizational measures to ensure regular testing, measurement and evaluation of the effectiveness of the technical and organizational measures securing personal data processed in IT systems, in particular with regard to vulnerabilities, errors and their possible effects on those systems, and the measures taken to minimize the risk of their occurrence; implementing appropriate technical and organizational measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident; verifying that the processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects; and the obligations arising upon the occurrence of a personal data protection breach, which are aimed at preventing its negative and often severe consequences for the persons affected by the breach, or at removing or at least reducing those consequences.

Pursuant to the content of Article 103 of the PDPA, the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in zlotys according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of January 28 of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on January 28 - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest to that date.

With the above in mind, the President of the DPA, pursuant to Article 83(5) in connection with Article 103 of the PDPA, for the violation described in the operative part of this decision, imposed on the Administrator, using the average exchange rate of the euro on January 29, 2024 (EUR 1 = PLN 4.3653), an administrative fine of PLN 353,589 (equivalent to EUR 81,000).

In the opinion of the President of the DPA, the administrative fine imposed on the Administrator in the amount of PLN 353,589 (in words: three hundred and fifty-three thousand five hundred and eighty-nine zlotys) meets, in the established circumstances of the case, the requirements referred to in Article 83(1) of Regulation 2016/679 in view of the seriousness of the identified violation in the context of the fundamental objective of Regulation 2016/679, the protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. As regards the amount of the administrative fine imposed on Mr. AB, doing business under the name X, (...) Street, the President of the DPA found that it is proportionate to the Administrator's financial situation and will not constitute an undue burden on him.

The statement submitted by the Administrator on March 8, 2024 shows that “(...) revenue for 2023 amounted to (...) PLN”, so the administrative fine imposed in the present case is approximately (...)% of that value. At the same time, it should be emphasized that the fine imposed is only (...)% of the maximum fine that the President of the DPA could, applying the maximum of up to EUR 20,000,000 pursuant to Article 83(5) of Regulation 2016/679, have imposed on the Administrator for the violations found in the present case.

This is because the amount of the fine was set at a level which, on the one hand, constitutes an adequate reaction of the supervisory authority to the degree of the Administrator's violation of its obligations, but, on the other hand, does not create a situation in which paying the fine would entail negative consequences in the form of a significant reduction in employment or a significant decrease in turnover. In the opinion of the President of the DPA, the Administrator should bear, and is able to bear, the consequences of its negligence in the sphere of data protection, as evidenced, for example, by the aforementioned statement of March 8, 2024.

At the same time, the President of the DPA, pursuant to Article 83(3) of Regulation 2016/679, decided to impose a single fine for all of the violations attributed to the Administrator in the proceedings under DKN.5131.1.2021, because the events constituting them are so interconnected in context, place and time that, in accordance with Guidelines 04/2022, they should be treated as a single conduct of the Administrator leading to the imposition of a single fine (paragraph 28 of the Guidelines). In light of the evidence gathered in the course of these proceedings, the materialization of the risk, which resulted in the loss of availability of the Administrator's resources on November 25, 2019, was at the very least the result of the Administrator's inadequately designed security system for the processing of personal data and the lack of regular testing for possible vulnerabilities in its IT infrastructure. In turn, the issuance of a defective notice to the data subjects should be considered in the context of the Administrator's response to the personal data protection breach in question.

IV. Factors affecting the imposition of an administrative fine against the Processor (Article 83(2) in fine of Regulation 2016/679).
In deciding to impose an administrative fine on Ms. CD, Mr. EF and Mr. GH, i.e. the persons who were partners of Y s.c. at the time of the violations found in the present case, the President of the DPA, pursuant to Article 83(2)(a)-(k) of Regulation 2016/679, took into account the following circumstances of the case, which have an aggravating effect and bear on the amount of the administrative fine imposed.

1. The nature, gravity and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by them (Article 83(2)(a) of Regulation 2016/679).
The circumstance determining the imposition of an administrative fine on the persons who were partners of Y s.c. at the time of the violations found in the present case was the failure of Ms. CD, Mr. EF and Mr. GH to comply with the provisions of Regulation 2016/679 that oblige the processor to assist the Controller in maintaining adequate safeguards for the processing of personal data, i.e. Article 28(3)(f) in conjunction with Article 32(1) and (2) of the Regulation. This assistance should have consisted in informing the Controller of the lack of adequate security measures for the server it used in the processing of personal data, regardless of whether that lack was in fact exploited by the perpetrators of the ransomware attack and, as in the case at hand, led to a personal data protection breach. As stipulated in Article 28(3)(f) of Regulation 2016/679, this assistance is to be provided to the Controller on the basis of the “information available to” the processor (in this case, information possessed by the Processor in connection with the services provided to the Controller) and with regard to the “nature of the processing” (here, the same personal data processed in the d. system, stored on the Controller's server and used by the Controller in its business activities, the nature of which is outlined on page 4 of the reasoning of this decision). Contrary to the literal wording of the provision of Article 28(3)(f) of Regulation 2016/679, the assistance referred to therein extends beyond the contractual obligations arising from the agreement concluded on May 24, 2018 between the Administrator and the Processor, “(...)”, which establishes the processor's responsibility for activities “(...) with regard to the running, operation and maintenance of the d. system in the Administrator's enterprise.” The broader understanding of the concept of “assistance” applies here, i.e. (following the PWN Dictionary of the Polish Language) “an action taken for the benefit of another person.” “Helping,” in turn, is (again following the PWN Dictionary of the Polish Language) “making some effort for the good of some person, in order to make something easier for him or to help him in a difficult situation; also: giving someone something.” Meanwhile, the indolence shown by the Processor in its cooperation with the Administrator not only failed to facilitate the Administrator's understanding (which, as a non-professional entity, it was not required to have) of the technical and organizational security measures maintained for the personal data processing operations taking place within its structure, but contributed directly to the occurrence of the event of November 25, 2019. The passivity of the Processor found in the present case, manifested in its failure over the years to inform the Administrator about the vulnerabilities present in the server software (one of which was successfully exploited by the perpetrators of the criminal act) and about the need to upgrade the operating system to the latest available version or to use other, newer technical solutions, is directly related to the materialization of the risk in the form of unauthorized access by unidentified perpetrators to the Administrator's IT infrastructure. The consequence of this breach of the protection of the personal data processed on the Administrator's servers was, at the very least, the encryption of the “(...) database[s] of customers who have purchased (...) at least once,” as well as of the data of both former and current employees of the Administrator, “(...) in the number of approximately 200 (...)” persons. The Processor's demonstrated violation of the aforementioned provisions of Regulation 2016/679 must at the same time be attributed significant importance and a serious nature on account of the categories of data of the Administrator's former and current employees affected, i.e. “(...) first name(s), surname, parents' names, date of birth, bank account number, residence or stay address, PESEL, email, ID card series and number, telephone number”. This is because the personal data protection breach that occurred on November 25, 2019, to which the persons who were partners of Y s.c. at the time contributed with an attitude that excluded the possibility of providing real support to the Administrator, may lead to pecuniary or non-pecuniary damage to the data subjects, and the probability of such damage remains high. Indeed, it should be emphasized that the evidence gathered in the present case gives no indication that the Administrator is likely to take appropriate steps to actually identify the modus operandi of the malware. Consequently, in relation to the above-mentioned categories of persons whose data were breached, there is still a high risk of unlawful use of their personal data, since the purpose of the unauthorized persons' actions remains unknown. This argument is reinforced by the modus operandi of the criminal perpetrators, for whom ill will must be assumed as the motive for their actions. Thus, the data subjects may still suffer pecuniary damage, and the mere breach of the availability of their data also constitutes non-pecuniary damage (harm). This is because a data subject may, at the very least, suffer the anxiety associated with the loss of control over their personal data, an inconvenience that stems directly from the nature of the breach of the availability of that data, together with psychological distress associated with the uncertainty of further possible consequences of the breach, such as identity theft, identity fraud or, finally, financial loss; moreover, as the Regional Court in Warsaw rightly noted in its judgment of August 6, 2020, ref. no. XXV C 2596/19, fear, and therefore the loss of a sense of security, constitutes a real non-pecuniary damage entailing the obligation to compensate for it. In turn, the Court of Justice of the EU, in its judgment of December 14, 2023 in the case Natsionalna agentsia za prihodite (C-340/21), stressed that “Article 82(1) of the GDPR must be interpreted to mean that the fear of possible misuse of personal data by third parties experienced by the data subject following a breach of that regulation may itself constitute ‘non-pecuniary damage’ within the meaning of that provision.”

Notwithstanding the above, the long duration of the Processor's violation of Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679 also demands emphasis. On the basis of the findings made in the course of these proceedings, it should be assumed that the state of violation characterized above existed from at least May 24, 2018, i.e. from the moment the Administrator signed the agreement for the entrustment of personal data processing with the Processor, until April 10, 2020 at the latest, when the Administrator informed the authority that it had performed actions aimed at “(...) strengthening the security of the processed personal data (...)”, among which the following should be mentioned: “(...) complete decommissioning of the system on which the infection occurred (...); updating operating systems to the latest available versions, including changing the operating system (...) to a system (...) (...)”. At the same time, it should be emphasized that the materialization of the risk in the form of third-party processes running on the Administrator's server could have been avoided if the Processor, pursuant to Article 28(3)(f) of Regulation 2016/679, had duly fulfilled the obligation addressed solely to it to provide “assistance” to the Administrator, taking into account the “information available to it”.

2. Unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679).
The Processor, having provided professional services in, among other things, the operation of IT systems and having adequate knowledge in this regard, failed to comply with one of its primary obligations under Article 28(3)(f) of Regulation 2016/679: to provide the Administrator with “assistance” taking into account the “information available to it.” Despite their knowledge of the outdated (and hence vulnerable, which eventually materialized) “(...)” server software used by the Administrator in the processing of personal data, the partners of Y s.c. did nothing, and over a long period, to counteract that state of affairs. Their omissions therefore preclude the possibility of providing assistance, understood as giving the Administrator real support in terms of the technical and organizational security measures it implemented, of which, as a non-professional in the IT field, it did not have to have a full understanding. Undoubtedly, a professional entity, especially one with “(...) many years of experience in the implementation of systems based on (...) and customization (...)” and distinguished not only by “(...) the most experienced implementation team in Poland (...)” but also by its status as “(...) (...)”, can be expected to support its partner with its expertise “on the basis of the information available to it” (which it must have had, if only because it had custody of the d. system hosted on the said server).

Thus, the findings made by the President of the DPA lead to the conclusion that the attitude of the partners of Y s.c. cannot be described otherwise than as gross negligence, which, given the professional nature of the services provided by this entity, must constitute an aggravating circumstance.

3. Categories of personal data affected by the violation (Article 83(2)(g) of Regulation 2016/679).
The personal data processed in the d. system did not belong to the special categories of personal data referred to in Article 9(1) of Regulation 2016/679; however, their wide scope, which includes such categories of data of individuals as PESEL number, series and number of identity card, names and surnames, parents' names, date of birth, bank account number, address of residence or stay, email address and telephone number, entails a high risk of violation of the rights or freedoms of the individuals affected by the breach in question. It should be emphasized that the unauthorized disclosure of a category of data of such a special nature as the PESEL number (which, in the absence of evidence to the contrary, cannot be ruled out on the facts presented), i.e. an eleven-digit numeric identifier uniquely identifying an individual and encoding the date of birth, a sequence number, a gender designation and a check digit, closely linked to the sphere of an individual's privacy and also subject, as a national identification number, to exceptional protection under Article 87 of Regulation 2016/679, particularly when combined, as in the case at hand, with a broader set of personal data, can realistically and negatively affect the protection of individuals' rights or freedoms. Moreover, the special nature of identifying information such as the PESEL number, and the related demand for its special protection, was also expressed by the Provincial Administrative Court in Warsaw, which, in its judgment of July 1, 2022, noted that “in the case of violation of such data as first name, last name and PESEL number, it is possible to steal or falsify identity resulting in negative consequences for the data subjects.” Significantly, a similar view was expressed by the Supreme Administrative Court, which, in its judgment of December 6, 2023 (ref. III OSK 2931/21), ruled that the disclosure of “(...) data on, inter alia, first and last names, as well as PESEL numbers of natural persons, i.e. relatively permanent, unchangeable data (...) may always give rise to a risk of negative consequences for the aforementioned persons.”

As indicated in EDPB Guidelines 04/2022, “As for the requirement to take into account the categories of personal data affected by the violation (Article 83(2)(g) of the GDPR), the GDPR clearly identifies the types of data that are subject to special protection and thus a more stringent response when imposing fines. At a minimum, this applies to the types of data covered by Articles 9 and 10 of the GDPR, as well as data not covered by those articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g., location data, private communication data, national identification numbers, or financial data such as transaction statements or credit card numbers). Generally speaking, the greater the number of such categories of data affected by the breach or the more sensitive the data, the more weight the supervisory authority can assign to this factor.”

In determining the amount of the administrative fine, the President of the DPA found no grounds to take into account mitigating circumstances affecting the final penalty. In the opinion of the supervisory authority, all the premises listed in Article 83(2)(a) to (j) of Regulation 2016/679 are either aggravating or merely neutral. Likewise, in applying the premise listed in Article 83(2)(k) of Regulation 2016/679 (ordering consideration of any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found, only neutral ones (as noted below in point 9).

The other below-mentioned circumstances referred to in Article 83(2) of Regulation 2016/679, after assessing their impact on the violation found in the present case, were found by the President of the DPA to be neutral in his assessment, that is, to have neither an aggravating nor mitigating effect on the size of the administrative fine imposed.

1. Actions taken to minimize harm to data subjects (Article 83(2)(c) of Regulation 2016/679).
In the present case, the characterization, cited in the letter of July 8, 2022 by the former and current partners of Y s.c., Al (...), of the actions they took after the personal data breach in question cannot be considered one that would actually promote the minimization of pecuniary or non-pecuniary damage to data subjects. The action of “(...) disconnect[ing] the server from the network (...)” could not, after all, contribute in any way to the minimization of such damage, since the unauthorized access to the Administrator's IT infrastructure, as a result of which the availability and, as demonstrated and as cannot be excluded, the confidentiality of the personal data processed with its use was lost, took place prior to the action taken by the Processor. Consequently, the technical measure applied by the Processor, which contributed in no way to the decryption of the personal data, much less restored their confidentiality, cannot, in the established circumstances of this case, be viewed as a measure that would eliminate the likelihood of a high risk of violation of the rights or freedoms of individuals. The information provided by the Processor about “(...) decrypt[ing] the database [containing personal data - added]” should be treated in the same way.
Indeed, the Authority refused to recognize the evidentiary force of the circumstance cited by the former and current partners of Y s.c., guided both by the type of malware used by the perpetrators and by the fact that, before November 25, 2019, the Administrator's IT infrastructure did not use solutions based on network segmentation, which, as a consequence of the ransomware attack in question, must have led to its effects covering the entire structure, including backups, making it impossible to reconstruct the processed personal data other than with the use of decryption keys. On the other hand, the other remedial actions described by the Processor in the aforementioned letter should, in the opinion of the President of the DPA, be considered rather as technical and organizational measures to mitigate the risk of recurrence of a personal data breach, rather than as measures taken to minimize the damage suffered by data subjects in the context of this particular breach.

2. Degree of responsibility taking into account the technical and organizational measures implemented (Article 83(2)(d) of Regulation 2016/679).
As the EDPB pointed out in Guidelines 04/2022, when considering the aforementioned premise, “the supervisory authority must answer the question of the extent to which the controller has ‘done all that could be expected’ given the nature, purposes or scope of the processing and in light of the obligations imposed on it by the regulation.” The above rationale also allows the assignment of possible liability, and its degree, to the processor. Consequently, the assessment of the processor under the aforementioned Guidelines in the context of the application of an appropriate remedy may refer to Article 32 of Regulation 2016/679 and include the issue of ensuring an adequate level of security. In the present case, the supervisory authority found a violation by the Processor of Article 32(1) and (2) of Regulation 2016/679. In the opinion of the President of the DPA, the Processor bears a high degree of responsibility for failing to implement appropriate technical and organizational measures that could have prevented a personal data breach. It is clear that, in the context of the nature, purpose and scope of the processing of personal data, the Processor has not done everything that could be expected, thus failing to comply with the obligations imposed on it by Article 32 of Regulation 2016/679. However, in the present case this circumstance constitutes the essence of the breach itself and is not merely a factor affecting its assessment, whether aggravatingly or mitigatingly. For this reason, the lack of appropriate technical and organizational measures referred to in Article 32 of Regulation 2016/679 cannot be considered in the present case as a circumstance that additionally affects the assessment of the violation and the size of the administrative fine imposed on the Processor.

3. Any relevant prior violation by the Controller (Article 83(2)(e) of Regulation 2016/679).
The President of the DPA has not found any previous violations of data protection regulations on the part of Ms. CD, Mr. EF and Mr. GH, i.e. former and current partners of Y s.c., Al (...), and therefore there are no grounds to treat this circumstance as aggravating. It is the duty of every processor to comply with the law, and therefore the lack of previous violations cannot be a mitigating circumstance in the imposition of sanctions either.

4. The degree of cooperation with the supervisory authority to remedy the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).
During the course of the proceedings, the former and current partners of Y s.c. did not take any additional actions in connection with the supervisory authority's statements. On the other hand, prior to the initiation of the present proceedings, independent actions were taken by the above-mentioned persons aimed at eliminating the source of the personal data protection violation. However, these actions - cited on pages 14 and 15 of the justification for this decision - were of an autonomous nature, and therefore the President of the DPA cannot treat them as having been taken in cooperation with the authority, and therefore cannot assess the “degree” of such cooperation. Regardless, these actions were taken into account above and qualified by the supervisory authority as a neutral circumstance as defined in Article 83(2)(c) of Regulation 2016/679.

5. How the supervisory authority became aware of the violation, in particular whether and to what extent the controller reported the violation (Article 83(2)(h) of Regulation 2016/679).
The President of the DPA found that the Processor had violated data protection regulations as a result of the Controller's notification of a personal data breach. The Controller, by making the notification, was fulfilling its legal obligation, so there are no grounds to consider this fact a mitigating circumstance. The EDPB in Guidelines 04/2022 indicates that “the manner in which the supervisory authority became aware of the breach may constitute either a significant aggravating or mitigating circumstance. In assessing this aspect, particular weight may be given to whether the controller or processor notified the supervisory authority of the breach on its own initiative and, if so, to what extent, before the supervisory authority was informed of the breach through - for example - a complaint or proceeding. This circumstance is not relevant when the controller is subject to specific breach notification obligations (such as the data breach notification obligation set forth in Article 33 of the GDPR). In such cases, the fact of reporting should be considered a neutral circumstance.”

6. Compliance with measures previously applied in the same case, as referred to in Article 58(2) of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679).
Prior to the issuance of this decision, the President of the DPA did not apply any measures listed in Article 58(2) of Regulation 2016/679 to the Processor in the case under review, and therefore the Processor was not obliged to take any actions related to their application, which, when assessed by the supervisory authority, could have an aggravating or mitigating effect on the assessment of the identified violation.

7. Use of approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83(2)(j) of Regulation 2016/679).
The Processor does not apply the approved codes of conduct or approved certification mechanisms referred to in Regulation 2016/679. However, their adoption, implementation and application are not, under Regulation 2016/679, mandatory for processors, and therefore the circumstance of their non-application cannot be read in the present case to the disadvantage of Ms. CD, Mr. EF and Mr. GH, i.e. the former and current partners of Y s.c. In favor of the aforementioned persons, on the other hand, the adoption and application of such instruments, as measures that guarantee a higher than standard level of protection for the processing of personal data, could have been taken into account.

8. Financial benefit achieved directly or indirectly due to the violation, or loss avoided (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA has not established that Ms. CD, Mr. EF and Mr. GH have achieved any financial benefit or avoided any such loss in connection with the breach in question. Thus, there is no basis for treating this circumstance as an aggravating one with respect to the former and current partners of Y s.c., Al (...). The finding of the existence of tangible financial benefits resulting from the violation of the provisions of Regulation 2016/679 would have to be viewed in a strongly negative light. In turn, the failure of the aforementioned persons to obtain such benefits, as a natural state of affairs, independent of the violation and its consequences, is a circumstance that, by its very nature, cannot be mitigating for the Processor. This interpretation is confirmed by the very wording of the provision of Article 83(2)(k) of Regulation 2016/679, which directs the supervisory authority to pay due attention to benefits “achieved” - occurring on the part of the infringer.

9. Other aggravating or mitigating factors applicable to the circumstances of the case (Article 83(2)(k) of Regulation 2016/679).
The President of the DPA, while comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the administrative monetary penalty imposed.

Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection found that the imposition of an administrative fine on the Processor is necessary and justified by the gravity, nature and scope of the violations of Regulation 2016/679 alleged against these entities. It should be stated that the application of any other remedy provided for in Article 58(2) of Regulation 2016/679, and in particular confining the response to a reprimand (Article 58(2)(b) of Regulation 2016/679), would not be proportionate to the irregularities found in the processing of personal data and would not guarantee that the above-mentioned entities will not commit negligence similar to that in the present case in the future.

V. Calculation of the penalty against the Processor under Guidelines 04/2022 on the calculation of administrative fines under the GDPR.

It is necessary to point out that in determining the amount of the administrative monetary penalty against the Processor in the present case, the President of the DPA applied the methodology adopted by the European Data Protection Board in Guideline 04/2022. In accordance with the guidance provided therein:

1. The President of the DPA categorized the violations of Regulation 2016/679 found in the present case (vide Chapter 4.1 of Guidelines 04/2022). The violation found in the present case of Article 28(3)(f) in conjunction with Article 32(1) and (2) of Regulation 2016/679 falls, in accordance with Article 83(4)(a) of Regulation 2016/679, into the category of violations punishable by the lower of the two penalty tiers provided for in Regulation 2016/679 (with a maximum of up to EUR 10,000,000 or up to 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher). Thus, it was considered in abstracto (in isolation from the individual circumstances of a specific case) by the EU legislator to be less serious than the violations indicated in Article 83(5) of Regulation 2016/679.

2. The President of the DPA assessed the violation found in the present case as a violation of a low level of seriousness (vide Chapter 4.2 of Guidelines 04/2022). This assessment took into account those premises listed in Article 83(2) of Regulation 2016/679 that pertain to the objective side of the violation (and make up its “seriousness”), namely: the nature, gravity and duration of the violation (Article 83(2)(a) of Regulation 2016/679), the intentional or unintentional nature of the violation (Article 83(2)(b) of Regulation 2016/679), and the categories of personal data affected by the violation (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. At this point it should be pointed out that consideration of their combined impact on the assessment of the violation found in the present case leads to the conclusion that its level of seriousness in concreto is low (on the scale of seriousness of violations presented in paragraph 60 of Guidelines 04/2022). The consequence of this, in turn, is the adoption, as the starting amount for calculating the penalty, of a value within the range from 0 to 10% of the maximum penalty that may be imposed on the Processor. Given that Article 83(4) of Regulation 2016/679 obliges the President of the DPA to adopt, as the maximum penalty for the violation indicated in that provision, the amount of EUR 10,000,000 or, if higher, the amount constituting 2% of the Processor's turnover from the previous fiscal year, the President of the DPA considered that the so-called static maximum penalty amount of EUR 10,000,000 applies in the present case, this being higher than the amount resulting from applying the 2% ratio to the Processor's turnover for 2023, which amounted to EUR (...). With a range of EUR 1,000,000 to EUR 2,000,000 available, the President of the DPA adopted, as adequate and justified by the circumstances of the case, a starting amount for calculating the penalty of EUR (...) (representing (...)% of the static maximum penalty amount).

3. The President of the DPA adjusted the starting amount corresponding to the low seriousness of the identified violation to the turnover of the Processor as a measure of its size and economic strength (vide Chapter 4.3 of Guidelines 04/2022). According to Guidelines 04/2022, for undertakings with an annual turnover of less than or equal to EUR 2 million, the supervisory authority may consider further calculating the amount of the penalty on the basis of a value between 0.2% and 0.4% of the starting amount. Given that the Processor's turnover in 2023 amounted to PLN (...), i.e. EUR (...) (according to the average EUR exchange rate as of January 29, 2024), the President of the DPA deemed it appropriate to adjust the amount of the penalty to a value corresponding to (...)% of the starting amount, i.e. to EUR (...) (equivalent to PLN (...)).

4. The President of the DPA assessed the impact on the identified violation of the other circumstances indicated in Article 83(2) of Regulation 2016/679 (in addition to those taken into account above in assessing the seriousness of the violation) (vide Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the violation, relate, as assumed by Guidelines 04/2022, to the subjective side of the violation, that is, to the violator itself and to its behavior before, during and after the violation. A detailed assessment and justification of the impact of each of these premises on the assessment of the violation is presented above. The President of the DPA found (as justified in the above part of the justification for the decision) that the other premises of Article 83(2)(c), (d), (e), (f), (h), (i), (j) and (k) of Regulation 2016/679 had no impact, either mitigating or aggravating, on the assessment of the violation and, consequently, on the penalty. Due to the absence of additional mitigating or aggravating circumstances in the case related to the subjective side of the violation (the assessment of the Processor's conduct before and after the violation), the President of the DPA considered it reasonable to leave the amount of the penalty determined on the basis of the assessment of the seriousness of the violation (point 2 above) unchanged at the level of EUR 2,250.

5. The President of the DPA considered that the amount of the aforementioned penalty does not require any additional adjustment under the principle of proportionality set out in Article 83(1) of Regulation 2016/679, which is one of the three directives for assessing penalties (vide Chapter 7 of Guidelines 04/2022). A fine equivalent to EUR 2,250 will be an effective penalty (by its severity it will achieve its repressive purpose, which is to punish unlawful behavior) and a dissuasive one (effectively discouraging both the Processor and other processors from committing future violations of Regulation 2016/679). The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (vide paragraphs 137 and 139 of Guidelines 04/2022). In other words, “A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of the specific case” (P. Litwinski (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 [...]; Commentary to Article 83 [in:] P. Litwinski (ed.), General Data Protection Regulation. Law on Personal Data Protection. Selected Sector Regulations. Commentary). The amount of PLN 9,822, the equivalent of EUR 2,250, is the threshold above which further increases in the amount of the penalty would not, in the opinion of the President of the Office for Personal Data Protection, be associated with an increase in its effectiveness and dissuasive character. On the other hand, reducing the amount of the penalty any further could come at the expense of its effectiveness and dissuasive character, as well as of the consistent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities in the EU and EEA internal market.

VI. Directives of effectiveness, proportionality and deterrence of the sanction applied to the Processor (Article 83(1) of Regulation 2016/679).

In the opinion of the President of the DPA, the administrative fine imposed on Mr. EF and Mr. GH, partners of Y s.c., Al (...), and Ms. CD, former partner of Y s.c., all jointly and severally liable, fulfills, in the established circumstances of the present case, the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.

The penalty will be effective if its imposition leads the Processor to comply with its personal data protection obligations in the future, in particular with regard to the issue of implementing appropriate technical and organizational measures, duly mitigating the risk of a personal data protection breach.

In the opinion of the President of the DPA, the administrative fine will fulfill a repressive function, as it will constitute a response to the Processor's violation of Regulation 2016/679. It will also fulfill a preventive function, as it will indicate, both to this particular Processor and to other processors, the reprehensibility of disregarding their duties to assist controllers in fulfilling the obligations set forth in Articles 32 to 36 of Regulation 2016/679.

Pursuant to the content of Article 103 of the PDPA, the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in zlotys according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of January 28 of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on January 28 - according to the average exchange rate of the euro announced in the National Bank of Poland's table of exchange rates nearest to that date.

With the above in mind, the President of the DPA, pursuant to Article 83(4)(a) of Regulation 2016/679 in connection with Article 103 of the PDPA, for the violation described in the operative part of this decision, imposed on the Processor, using the average exchange rate of the euro on January 29, 2024 (EUR 1 = PLN 4.3653), an administrative fine in the amount of PLN 9,822 (equivalent to EUR 2,250).

In the opinion of the President of the DPA, the fine imposed in the amount of PLN 9,822 (in words: nine thousand eight hundred and twenty-two zlotys) meets, in the established circumstances of this case, the premises referred to in Article 83(1) of Regulation 2016/679, given the seriousness of the violation found in the context of the fundamental purpose of Regulation 2016/679, namely the protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. As to the amount of the administrative fine imposed on the Processor, the President of the DPA found that it is proportionate to the Processor's financial situation and will not constitute an excessive burden for it.

The “(...)” submitted by the Processor shows that its revenue for 2023 amounted to PLN (...); the administrative fine imposed in the present case therefore amounts to approximately (...)% of that value. At the same time, it is worth emphasizing that the imposed penalty of PLN 9,822.00 is only (...)% of the maximum penalty that the President of the DPA could, applying the maximum of up to EUR 10,000,000 under Article 83(4) of Regulation 2016/679, have imposed on the Processor for the violation found in the present case.

This is because the amount of the penalty has been set at such a level so that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of violation of the Processor's obligations, but on the other hand, it does not cause a situation in which the necessity to pay the financial penalty will entail negative consequences, in the form of a significant reduction in employment or a significant decrease in its turnover. In the opinion of the President of the DPA, the Processor should and is able to bear the consequences of its negligence in the sphere of data protection, as evidenced, for example, by “(...)”, the content of which was disclosed to the President of the DPA on March 15, 2024.

Summing up the above, in the opinion of the President of the DPA, both administrative fines imposed in the present case meet, in light of the totality of the individual circumstances of the case, the premises (functions of the fines) referred to in Article 83(1) of Regulation 2016/679, given the gravity of the violations found in the context of the basic requirements and principles of Regulation 2016/679.

Taking into account the above, the President of the Office for Personal Data Protection resolved as in the operative part of this decision.