UODO (Poland) - DKN.5130.3114.2020: Difference between revisions

From GDPRhub
No edit summary
(Added comment about annulment decision)
 
Line 62: Line 62:
}}
}}


The Polish DPA fined a satellite platform operator €250,000 for violating Articles 24(1) and 32(1) and (2) GDPR by not implementing appropriate technical and organisational measures to ensure the security of personal data when cooperating with a courier company.
The Polish DPA fined a satellite platform operator €250,000 for violating [[Article 24 GDPR#1|Article 24(1)]],[[Article 32 GDPR|Article 32(1)]], and [[Article 32 GDPR|Article 32(2) GDPR]] for not implementing appropriate technical and organisational measures to ensure the security of personal data when cooperating with a courier company. '''See comment.''' 


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The penalised company regularly notified the DPA of violations of the protection of personal data of the Company's customers, which consisted, inter alia, in couriers losing documents containing personal data of the customers or giving documents containing personal data such as: name and surname, address of residence or stay, PESEL (national identification) number, e-mail address, series and number of identity card or other identity document, telephone number and data concerning contracts between the parties.
The penalised company regularly notified the DPA of violations of the protection of personal data of the Company's customers, which consisted, ''inter alia'', in couriers losing documents containing personal data of the customers or giving documents containing personal data such as: name and surname, address of residence or stay, PESEL (national identification) number, e-mail address, series and number of identity card or other identity document, telephone number and data concerning contracts between the parties.


When analysing the notifications of breaches, the DPA pointed to a significant lapse of time from the date of occurrence of an event causing a personal data protection breach to the date of its discovery by the Company and, consequently, notification of the breach to data subjects and the President of the DPA. The notifications made by the Company in the analysed period of June 2020 included events causing personal data protection breaches from February and January 2020, and even events from 2019.  
When analysing the notifications of breaches, the DPA pointed to a significant lapse of time from the date of occurrence of an event causing a personal data protection breach to the date of its discovery by the Company and, consequently, notification of the breach to data subjects and the President of the DPA. The notifications made by the Company in the analysed period of June 2020 included events causing personal data protection breaches from February and January 2020, and even events from 2019.  
Line 78: Line 78:


== Comment ==
== Comment ==
''Share your comments here!''
'''This decision has been annulled by the Administrative Court of Warshaw (WSA Warshaw), see reference number: II SA/Wa 2465/21 on https://nsa.gov.pl. Full details of judgement pending.''' 


== Further Resources ==
== Further Resources ==

Latest revision as of 13:48, 15 November 2021

UODO (Poland) - DKN.5130.3114.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 24(1) GDPR
Article 31 GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 34(1) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(4)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 22.04.2021
Published:
Fine: 1136975.00 PLN
Parties: n/a
National Case Number/Name: DKN.5130.3114.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Decyzje Prezesa UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish DPA fined a satellite platform operator €250,000 for violating Article 24(1),Article 32(1), and Article 32(2) GDPR for not implementing appropriate technical and organisational measures to ensure the security of personal data when cooperating with a courier company. See comment.

English Summary

Facts

The penalised company regularly notified the DPA of violations of the protection of personal data of the Company's customers, which consisted, inter alia, in couriers losing documents containing personal data of the customers or giving documents containing personal data such as: name and surname, address of residence or stay, PESEL (national identification) number, e-mail address, series and number of identity card or other identity document, telephone number and data concerning contracts between the parties.

When analysing the notifications of breaches, the DPA pointed to a significant lapse of time from the date of occurrence of an event causing a personal data protection breach to the date of its discovery by the Company and, consequently, notification of the breach to data subjects and the President of the DPA. The notifications made by the Company in the analysed period of June 2020 included events causing personal data protection breaches from February and January 2020, and even events from 2019.

The Company indicated that it clarifies the cases of violations with the carrier on an ongoing basis in order to eliminate the problem of delays in providing information on data loss. The Company additionally explained that the period of the ongoing pandemic had a significant impact on the timeliness of notifications of personal data protection violations concerning the proceedings in question in terms of verification of the correctness of handling the return document process. According to the explanations of the Company, due to the limitations of courier companies related to the period of the pandemic, the process of verification and handling of return documents was prolonged, hence the information about the events was reported by the carrier with a delay. The Company emphasized that, in its opinion, the actions it undertakes bring effects in the long run, because the percentage of personal data protection violations in relation to the volume of all deliveries is small and it presented calculations for the month of June in that respect.

The supervisory authority found that the Company had not provided sufficient evidence of the measures it was taking to minimise the risk of the infringement recurring.

Holding

The DPA fined a satellite platform operator €250,000 for failing to implement appropriate technical and organisational measures when cooperating with a courier company. The controller reported breaches (consisting of a parcel being lost by the courier company or delivered to the wrong person) to the DPA, as well as notifying the affected persons of the incidents two or even three months after they occurred. In the opinion of the DPA, it is the controller who should take effective measures that will firstly minimise the scale of the breach and secondly enable faster identification of such incidents and thus notification of the affected persons and the supervisory authority. The lack of adequate organisational and technical measures in place to quickly identify breaches results in data subjects being unaware for a long time of the risk of their data being used by unauthorised persons, e.g. for so-called identity theft.

Comment

This decision has been annulled by the Administrative Court of Warshaw (WSA Warshaw), see reference number: II SA/Wa 2465/21 on https://nsa.gov.pl. Full details of judgement pending.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

DECISION
DKN.5130.3114.2020
Pursuant to Article 104 § 1 and 105 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended), Article 7 (1), Article 60, Article 101 and Article 103 of the Act on the Protection of Personal Data of 10 May 2018. (Journal of Laws of 2019, item 1781) and Articles 57(1)(a), 58(2)(i) in conjunction with Articles 24(1), 31, 32(1) and (2), 34(1), and 83(1) and (2) and 83(4)(a) of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Dz. Urz. UE L 119 of 4.05.2016, p. 1, Dz. Urz. UE L 127 of 23.05.2018, p. 2 and Dz. Urz. UE L 74 of 4.03.2021, p. 35), having conducted an ex officio administrative proceeding concerning the processing of personal data by Cyfrowy Polsat Spółka Akcyjna with its registered office in Warsaw at ul. Łubinowa 4a, the President of the Office for Personal Data Protection,

1. concluding that Cyfrowy Polsat Spółka Akcyjna, with its registered office in Warsaw at ul. Łubinowa 4a, infringed Article 24(1) and Article 32(1) and (2) of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2 and Official Journal of the EU L 74 of 4.03.2021, p. 35), hereinafter referred to as "Regulation 2016/679", consisting in the failure to implement appropriate technical and organisational measures to ensure the security of personal data processed in cooperation with the entity providing courier services by prompt identification of breaches of personal data protection, imposes on Cyfrowy Polsat Spółka Akcyjna, with its registered office in Warsaw at ul. Łubinowa 4a, for infringement of Article 32(1) and (2) of Regulation 2016/679, an administrative fine in the amount of PLN 1,136,975 (in words: one million one hundred and thirty-six thousand nine hundred and seventy-five PLN),

2) discontinues the proceedings in the remaining scope.  

JUSTIFICATION

Cyfrowy Polsat Spółka Akcyjna with its registered office in Warsaw at ul. Łubinowa 4a (hereinafter also referred to as "the Company") regularly notified the President of the Office for Personal Data Protection (hereinafter also referred to as "the President of the DPA") of violations of the protection of personal data of the Company's customers. The company notified the President of the Office for Personal Data Protection (hereinafter also referred to as the "President of the Office") of a breach of the protection of the personal data of the Company's customers, consisting, inter alia, of the loss by couriers of documents containing personal data of the customers or the delivery by couriers to a wrong person of documents containing personal data such as: name and surname, address of residence or stay, PESEL number, e-mail address, series and number of identity card or other identity document, telephone number and data concerning contracts between the parties. This investigation covers [...] notifications made by the Company between [...] June and [...] July 2020. (a list of these notifications is on file). A detailed analysis of the notifications made by the Company in the above-mentioned period as well as in the period from [...] August to [...] September 2020 forms the basis for the decision taken in this decision and justifies the finding that the Company committed the infringement described in the operative part of the decision.

Accepting the Company's explanations concerning violations of this type reported to the Office for Personal Data Protection in the period from December 2019 to 26 May 2020, the President of the Office for Personal Data Protection, in his letters of [...] April and [...] May 2020, indicated at the same time that the violations in question would be subject to further and continuous comparative analysis with possible violations committed in the future in order to determine the effectiveness of the measures taken to minimise the negative effects of the violation and the risk of its recurrence. Moreover, it was indicated that in order to control the controllers' compliance with the law, in particular to check whether they fulfil their obligations in the process of personal data processing, the President of the Office for Personal Data Protection has the right to carry out inspections also with regard to those entities with which he conducted correspondence concerning the data protection infringements. The abovementioned letters addressed to the Company (as well as the earlier letters regarding the infringements reported by the Company) contained the indication that a lot of information on the principles of personal data processing, the content of legal acts binding in this matter, as well as the guidelines on their application in practice, could be found on the website of the Office for Personal Data Protection (www.uodo.gov.pl), where, inter alia, the Obligations of Controllers with regard to Violations of Personal Data Protection and the Guidelines on Notification of Personal Data Protection Violations pursuant to Regulation 2016/679 of the Article 29 Working Party (hereinafter also referred to as the "Guidelines") are published. This means that the Company had the opportunity to familiarise itself with these documents.

When performing subsequent analyses of reports of personal data protection breaches related to the Company's cooperation with the courier service provider, in which the Company indicated that there was a high risk of infringement of rights or freedoms of natural persons, it was noted that there was an increase in the number of reports of breaches of this type in June 2020, compared to the period from [...] January to [...] May 2020. Moreover, attention was drawn to the significant lapse of time from the date of occurrence of an event causing a personal data protection breach to the date of its discovery by the Company and, consequently, notification of the breach to data subjects and the President of the Office for Personal Data Protection, as the notifications made by the Company in the analysed period of June 2020 concerned, inter alia, events causing personal data protection breaches from February and January 2020, and even events from 2019. When analysing [...] notifications of personal data protection breaches received by the President of the DPA in June 2020, there were no cases of the Company finding a breach within 7 days from the date of the event that caused the breach. It was found that [...] breaches were found more than 7 to 14 days after the date of the event causing the breach, [...] breaches were found more than 14 to 30 days, [...] breaches were found more than 30 to 60 days. [...] breaches were found by the Company more than 60 days after the date of the event causing the breach, which represents 60% of the total number of data protection breaches reported during the period under review.

In view of the above, on [...] July 2020 President of the DPA, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, requested the Company to provide information and indicate:

1. the actions to minimise the risk of recurrence of the infringement taken by the Company in Q2 2020 in cases of infringements related to the delivery of parcels by courier companies;   
2. whether, and if so which technical and organisational protection measures have been implemented by the Company to immediately identify a personal data breach and to notify the supervisory authority and the data subject without undue delay;
3. whether the Company analysed the impact of timely identification of personal data protection violations on the rights and freedoms of data subjects, if so, what were the results of the aforementioned analysis.

At the same time, in the letter of [...] July 2020, the general results of the analysis of the notifications of personal data protection violations made by the Company in June 2020 were presented to the Company.  The President of the Office for Personal Data Protection emphasised that evidence to support the explanations should be submitted together with the explanations. The Company was also instructed that failure to submit explanations and supporting evidence in the aforementioned scope may result in the imposition of an administrative fine pursuant to Article 83(5)(e) of Regulation 2016/679.

By letter dated [...] July 2020. The Company provided explanations, which show, inter alia, that it has been assured by the carrier of ongoing monitoring of the scale of the violations, as well as taking measures to eliminate or at least minimize such violations. The Company indicated that in the second quarter of this year it was important for the Company to ensure the safety and health of customers and couriers during the ongoing pandemic, which was reflected in the instructions developed between the parties on how to proceed during the delivery of shipments, while maintaining the highest possible standards of data security.

The Company also informed that it conducts ongoing talks with the carrier in this respect, presenting as evidence the correspondence constituting Appendix No. 3 to the aforementioned letter of the Company. As evidence, an e-mail message dated June [...], 2020 was attached concerning cases of lost shipments, without providing any other evidence of the explanations provided. Moreover, the analysis of the aforementioned document showed that the e-mail was not addressed to the Company but to another entity ([P. Sp. z o.o.]). The Company did not refer to this fact in its explanations. Moreover, in attachment no. 3 the Company submitted correspondence of May 2020. (two emails) regarding the failure of the courier service provider to report violations in a timely manner.

The Company also indicated that it is clarifying the breaches with the carrier on an ongoing basis in order to eliminate the problem of delays in reporting the loss of data. The Company additionally explained that the period of the ongoing pandemic had a significant impact on the timeliness of notifications of personal data protection violations related to the proceedings in question with regard to the verification of the correctness of handling the return document process. According to the explanations of the Company, due to the limitations of courier companies related to the period of the pandemic, the process of verification and handling of return documents was prolonged, hence the information about the events was reported by the carrier with a delay. The Company emphasized that, in its opinion, the actions it undertakes bring effects in the long run, because the percentage of personal data protection infringements in relation to the volume of all deliveries is small and it presented calculations for the month of June in this regard. 

Additionally, in its reply to the abovementioned letter of the President of the Office for Personal Data Prtotection of [...] July 2020. The Company provided explanations on the infringements concerning the service of documents to third parties, according to which, in the majority of cases, as indicated by the carrier, the persons served with the documents are relatives (household members) of the data subjects. The Company indicated that in its opinion the service of a document to a third person who is a close relative of the data subject causes a very low probability that the possible risk of infringement of rights and freedoms associated with this event will materialize, and therefore requiring the Company to inform its customers about the potential consequences in terms of infringement of their personal data associated with the transfer of their personal data to a third person - close relative, as a result of acting at the request or demand of the customer, is in the opinion of the Company at least pointless. The Company did not explain, however, which of the three questions from the letter of the President of the Office for Personal Data Protection it refers to and what it understands the transfer of personal data to a third party - relatives as a result of actions undertaken at the request or on the demand of the customer to mean.     

The analysis of the material collected in the case has shown that in the scope specified in point 1) of the letter of the President of the Office for Personal Data Protection of [...] July 2020. The Company did not provide sufficient evidence of the actions it undertook to minimise the risk of recurrence of the infringement.  With regard to the scope specified in point 2) of the letter of the President of the Office for Personal Data Protection, in which it was requested to indicate the technical and organizational measures of protection implemented by the Company in order to immediately identify a breach of personal data protection and to notify the supervisory authority and the data subject without undue delay, the Company, without indicating whether technical or procedural measures were implemented, informed that it "clarifies on an ongoing basis with the carrier the cases of violations in order to eliminate the problem of delays in the transmission of information on data loss." However, the Company's attached email correspondence under the subject line "Untimely notification of violations" showed that violations related to shipments sent in December 2019 and January and February 2020 were being clarified in May 2020, which cast doubt on the Company's above-cited information regarding ongoing clarification of violations with the carrier. The evidence gathered also could not support the Company's additional explanation that "the timeliness of data breach reports relating to this Office proceeding regarding verification of the correct handling of the return document process was significantly impacted by the ongoing pandemic", as 60% of the total number of data breaches reported in June 2020 were identified by the Company more than 60 days after the date of the event causing the breach, and more than 33% of the total number of reports were events identified by the Company more than 90 days after the date of the event, i.e. events prior to the declaration of the pandemic status. More than 17% of the total number of data protection breaches reported in June 2020 were for events in January 2020 and 2019, meaning that they were identified by the Company more than 120 days from the date of the event causing the data protection breach. Moreover, the Company did not refer to the request of the President of the Office for Personal Data Protection to indicate whether it conducted the analysis of the impact of timeliness of identification of personal data protection breaches on the rights and freedoms of data subjects, and if so, what were the results of the said analysis.

The evidence gathered indicated that the Company, as a data controller, may have breached the provisions of Regulation 2016/679 in respect of:

1. failing to implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with Regulation 2016/679 and to be able to demonstrate this, and failing to review and update these measures, in breach of Article 24(1) and Article 32(1) and (2) of Regulation 2016/679./.
2. failure to notify data subjects without undue delay of a breach that is likely to result in a high risk of prejudice to the rights or freedoms of natural persons, in breach of Article 34(1) of Regulation 2016/679.
3. failing to provide information as requested by the President of the DPAO, providing incomplete or unreliable information, failing to provide evidence supporting the explanations provided, in violation of Article 31 of Regulation 2016/679.

In connection with the above, by letter sent [...] July 2020. (mark: DKN.5130.3114.2020 [...])the President of the Office for Personal Data Protection initiated ex officio administrative proceedings in the scope covering the violations indicated above.

In the letter of [...] August 2020, constituting a reply to the notification on the initiation of the administrative proceedings, the Company indicated, among others, that it acts in accordance with the Policy for assessment and notification of infringements of personal data protection in Cyfrowy Polsat S.A. (hereinafter the "Policy"), attaching the contents of the document as Appendix 1 to the explanations. The Company indicated that in accordance with point 3.3. of the Policy, it endeavours to ensure that its employees and associates have the necessary knowledge in the area of personal data protection, in particular in the area of infringements, and that for this purpose regular trainings in the area of personal data protection are conducted. As evidence, the Company presented the content of the communication addressed to the Company's employees informing them about the mandatory training on personal data protection, which is attached as Annex 2 to its explanations. One of the training modules includes issues related to personal data protection violations. At the same time, pursuant to point 3.4 of the Policy, entities processing data on behalf of the Company are obliged to cooperate with the Company with regard to identified personal data protection violations.

The Company indicated that the issues concerning the entrustment of personal data processing, including the courier company's liability towards the Company, are regulated by the cooperation agreement on the provision of courier services as well as an annex to that agreement (hereinafter jointly: "Agreement"), which imposes on the courier company, in particular, the obligation to secure the parcel during its transport and from the moment of its release to its delivery to the recipient, the obligation to act in accordance with the instruction for the courier attached each time to the parcel, the content of which is attached as Appendix No. 4 to the indicated letter of the Company, the obligation to verify the identity of the person collecting the parcel with the data on the waybill and the documents contained in the parcel and to secure the return documents by depositing them safely in the return envelope attached to the parcel, the obligation to immediately report the loss of a shipment and/or data contained therein to the Company's Data Protection Inspector and provides for the possibility to lodge complaints regarding the quality of courier services, claim damages as provided for in the agreement, including in particular the possibility to impose penalties in the event of a breach of the principles of protection of personal data entrusted.

The Company has indicated that it has taken measures to "eliminate cases of breaches of events in the future by, inter alia, preparing an instruction for the courier company on how to recognise breaches of personal data protection and how to report them immediately." The content of the instruction was attached by the Company as Annex No. 13 to the letter of [...] August 2020. The Company indicated that each courier receives educational material describing basic issues on personal data protection, presenting the content of the "Guide for couriers" as Annex No. 20 to the aforementioned letter. The Company explained that, due to the measures taken, it found a lower number of logistical breaches in July 2020 than in the preceding months, i.e. May and June, providing a relevant breakdown in this respect. Furthermore, the Company provided explanations and documented that the correspondence (ref. [...] attached as a reply to the letter of the President of the Office for Personal Data Protection of [...] July 2020, confirming actions taken to eliminate or at least minimise personal data protection violations related to the delivery of parcels by courier companies, conducted between the carrier and [P. Sp. z o.o.], refers at the same time to actions taken by the Company in this scope, as [P. Sp. z.o.o.], on the basis of the agreement of [...] January 2017 linking it with the Company and Annex No. 1 of [...] May 2018, carries out the handling of logistics processes for the Company, and the activities concerning [P. Sp. z.o.o.] are the same in the context of servicing the Company's customers. The content of the annex referred to above was provided by the Company as Annex 16 to its explanations of [...] July 2020.

In addition, referring to the number of notifications indicated in the notice of initiation of proceedings, the Company pointed out that, due to its telecommunications activity, each time it assesses the legitimacy of notifying violations to the supervisory authority and notifying a person, not based on the premises of Art. 33 and Art. 34 of Regulation 2016/679, but on the basis of specific provisions, i.e. Commission Regulation (EU) No 611/2013 of 24 June 2013 on measures applicable to the notification of personal data breaches, pursuant to Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (hereinafter "Regulation 611/2013"). Indeed, pursuant to Article 2(1) of Regulation 611/2013, the provider shall notify the national competent authority of all personal data breaches. Such construction of the provision is much stricter than the disposition resulting from Article 33 of Regulation 2016/679, which consequently affects the number of notifications made.

The Company, in its explanations sent by letter dated [...] August 2020, underlined that Article 33 of Regulation 2016/679 provides that "(...) it shall be notified to the supervisory authority competent under Article 55, unless the breach is unlikely to result in a risk of prejudice to the rights or freedoms of natural persons". At the same time, pursuant to Article 3(2)(a-c) of Regulation 611/2013, the likelihood that a personal data breach is likely to have an adverse effect on the personal data or privacy of the subscriber or individual shall be assessed taking into account, in particular, the following circumstances: a) the nature and content of the personal data concerned, in particular if the data relate to financial information, special categories of data referred to in Art. (a) the nature and content of the personal data concerned, in particular where the data relate to financial information, special categories of data referred to in Article 8(1) of Directive 95/46/EC, electronic mail data, location data, internet log files, web search logs and lists of telecommunications services provided; (b) the likely consequences of the personal data breach for the subscriber or individual concerned, in particular where the breach could result in identity theft or fraud, physical harm, psychological suffering, humiliation or damage to reputation; and (c) the circumstances under which the personal data breach occurred, in particular where the data were stolen and when the provider became aware that the data were in the possession of an unauthorised third party. The Company has indicated that, taking the above into account, it has made an individual risk assessment of each of the events bearing the hallmarks of a personal data breach, taking into account the duality of the provisions referred to above. The Company has assessed the severity of personal data breaches according to the methodology for assessing the severity of data breaches developed by the European Union Agency for Network and Information Security (ENISA), which proposes three main criteria: 1 (KPD) Context of the data processing, 2 (Łl) Ease of identification of the data subject, 3 (ON) Circumstances of the breach having an additional impact on the gravity (severity) of the breach. As indicated by the Company, the final result of the assessment of the violation severity (DN), after taking into account the adopted point values for particular criteria, may be obtained using the following formula DN = KPD x Łl + ON.

In its explanations, the Company distinguished three types of infringements, i.e.: 1) incidents concerning delivery of a shipment to a third party, where, according to the Company's explanations, in most cases the third party is a member of the closest family residing at a common address with the customer; 2) loss of documents by the courier company; 3) theft of a shipment with equipment. With regard to shipments delivered to third parties, the Company indicated that, according to the information provided by the courier company, such events generally occur at the express request of the Company's customer and the courier acts contrary to the instructions provided by the Company, thus violating the principles of proper delivery of a shipment. In addition, couriers often act at the express request of customers who ask them to deliver shipments to persons indicated by them, usually their closest family members. As regards deliveries to third parties, the Company emphasized again that the analysis of such notifications shows that these persons are most often relatives (family members) of the persons to whom the deliveries are actually addressed. Therefore, issuing such documents to a person who knows the data and lives with the customer in the same household has more consequences in terms of civil law [lack of authority to sign a contract, and thus lack of possibility to commence the service by the Company] than it has a risk of possible negative consequences in terms of rights and freedoms of the data subject. At the same time, according to the Company's explanations, such a method of delivery of correspondence is a generally accepted principle in the procedure of delivery in civil and administrative proceedings. As the Company indicated, "the above allows us to conclude that there are no grounds to claim that there are no negative consequences for the customer as a result of the described event in the form of identity theft or use of the customer's data to e.g. extort loans or medical services.]

The Company indicated that it made a detailed assessment of the risk of breaches for each of the three above-mentioned categories of events. According to the Company's explanations, the result obtained according to the ENISA methodology allowed to determine the level of severity of the data breach for data subjects as low. The results of the "detailed risk analysis" of the breaches subject to these proceedings, as specified by the Company in its explanations, are presented in Annexes No. 12, 14 and 15 to the Company's letter of [...] August 2020, respectively.
The Company indicated that, despite the analysis of the breaches, the result of which allowed it to determine the level of severity of the data protection breach for data subjects as "low", it nevertheless notified these breaches due to the guidelines of the President of the Office for the Protection of Personal Data provided to the Company in its submission of [...] September 2018. (reference [...]), indicating the necessity of notifying events that included PESEL No., considering the risk as "high".

In addition, the Company indicated the compliance of its actions with Article 33 of Regulation 2016/679 and recital 85 of Regulation 2016/679 and informed that it had imposed contractual penalties on the courier service provider on [...] February 2020, due to the loss of personal data of the Company's customers, for a total amount of PLN [...], presenting a debit note as Annex No. 9 to its explanations. The Company also indicated that it decided to impose further penalties for breach of contractual provisions by presenting debit notes dated [...] June 2020 and [...] July 2020 for a total amount of PLN [...] (Annexes No 10 and 11).

In view of the fact that the notice of initiation of the administrative proceedings indicated, inter alia, that the Company may have breached Article 34(1) of Regulation 2016/679 and quoted the content of recital 87, and that the Company, in its letter of [...] August 2020, provided explanations regarding its compliance with the requirements set out in Article 33 and recital 85 of Regulation 2016/679, and because, in its letters of [...] July and [...] August 2020 The Company did not answer whether it had analysed the impact of the timeliness of the identification of personal data protection breaches on the rights or freedoms of data subjects, and if so, what were the results of the aforementioned analysis, the President of the Office for Personal Data Protection, by letter of [...] October 2020, again asked the Company to provide explanations in this regard. At the same time, the President of the Office for Personal Data Protection asked to indicate whether, in addition to the contract with the courier company, the Company has internal procedures ensuring compliance with the requirements set out in Article 34(1) of Regulation 2016/679, while asking to indicate specific provisions from internal regulations. In the aforementioned letter, the President of the Office for Personal Data Prtoection also mentioned that in the notice on the initiation of administrative proceedings, he referred to recital 87 of Regulation 2016/679 and not to recital 85 of Regulation 2016/679, as indicated by the Company in its explanations. Furthermore, the President of the Office for Personal data Protection asked to send the detailed risk assessment methodology used by the Company for the risk assessment referred to in point 2 of its explanations of [...] August 2020.

By letter dated [...] October 2020. The Company submitted additional clarifications in the case.  With regard to the request of the President of the Office for Personal Data Prtoection to answer whether an analysis of the impact of timely identification of personal data protection infringements on the rights or freedoms of persons was carried out, the Company indicated, inter alia, that it undertakes actions aimed at analysing the impact of personal data protection infringements on the rights and freedoms of natural persons. The Company informed that it assesses in each case individually the risk of effects on the data subject through the prism of possible negative consequences for the person whose data have been breached. The Company indicated that, as of the date of the preparation of the response in question, it did not record the receipt of correspondence from data subjects whose data had been breached regarding their suffering any consequences referred to, in particular, in Regulation 611/2013. The Company explained that "in carrying out the risk analysis, it assesses the potential negative consequences for the data subject, using a summary prepared for internal purposes of the risks, including the rights and freedoms of the natural person that may constitute a breach, taking into account the risks and the consequences and preventive measures, which is attached as Annex 1 to this letter." Referring to the request regarding the indication of internal regulations aimed at ensuring compliance with the requirements set out in Article 34.1 of Regulation 2016/679, the Company emphasised that as a telecommunications undertaking, it applies the provisions of Regulation 611/2013 to subscribers' personal data first, and the provisions of Regulation 2016/679 second. In addition, the Company pointed to point 5.5 of the Policy for Assessment and Notification of Personal Data Protection Violations at Cyfrowy Polsat S.A, according to which "if it is determined that a personal data breach is likely to result in adverse effects on the personal data or privacy of a subscriber or individual, the Administrator shall make the notification referred to in para. 5.5. of the Policy and, in addition, shall immediately notify the Data Subjects affected by the Breach (...). If an exhaustive identification of the Data Subjects affected by the Breach is not possible, the Controller shall post the information on its website or provide it in another way that maximizes the chances of the information reaching the relevant Data Subjects". In its response to the request to send the detailed risk assessment methodology used for the risk assessment, the Company stressed that it had already indicated in its previous letter to the Data Protection Authority on [...] August 2020 that in assessing the severity of the risk it was using the methodology for assessing the severity of the breach prepared by the European Union Agency for Network and Information Security (ENISA). In its clarifications, the Company also sent the templates used to assess the risk of breaches. The Company also confirmed that the individually conducted risk analyses of the violation of the rights and freedoms of the data subject for each breach covered by the present proceedings, in accordance with the ENISA methodology, were submitted to the DPA at its letter of [...] August 2020.

In addition, the Company informed that, at the beginning of September 2020, there was a change in the parameters of the services attributed to the parcels transmitted to the carrier, to further oblige the courier to deliver the parcel only to the hands of the subscriber whose data appear on the address label of the parcel. The change, in the Company's opinion, allowed to eliminate cases of delivery of a parcel to an unauthorised person, including household members residing at the same delivery address. The Company also informed about the implementation of additional measures to streamline the process of tracking shipments on the way, so as to determine their final status within a short period of time after dispatch. All shipments sent through the Company's remote channels are subject to cyclical verification. According to the Company's explanations, information obtained in the course of explanations and interventions with the carrier allows the Company to take further actions with regard to the shipment, including confirmation of, in particular, lost shipments, and thus faster identification and notification of potential loss of personal data. The Company indicated that, in its assessment, the changes introduced have yielded positive results, based on the scale of breaches, which decreased significantly in September 2020. The Company also provided calculations regarding, among other things, the number of breaches related to courier deliveries between April and September 2020.

By letter dated [...] February 2021. The Company again pointed to the period of the ongoing pandemic, which caused additional difficulties in the proper performance of services by the entity providing courier services, and indirectly contributed to the number of violations and delays in notifying the Company about these events.

The Company stressed that when making the notifications (both to the President of the Office for PErsonal Data Protection  and to the data subjects), the Company was not late - it made them immediately after the infringement had been identified (i.e. immediately after being informed about the event constituting the infringement of data protection by the courier service provider). Moreover, the Company indicated that the lapse of a longer period of time between the events leading to the personal data protection infringement and the notifications made by the Company to the President of the Office for Personal Data Protection and to the data subjects was not caused by the Company's delay as a data controller, but by the failure of the courier company to fulfil its contractual and statutory obligation to immediately notify the data controller of the personal data protection infringement.  

In this factual state, having considered all the evidence gathered in the case, the President of the Office for the Protection of Personal Data stated as follows:  

Pursuant to the wording of Article 24(1) of Regulation 2016/679, taking into account the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of different probability and gravity, the controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with this Regulation and to be able to demonstrate it. These measures shall be reviewed and updated as necessary. This means that the controller, when assessing the proportionality of the safeguards, should take into account the factors and circumstances relating to the processing (e.g. type, manner of processing) and the risks involved. At the same time, the implementation of appropriate safeguards is an obligation which is a manifestation of the general principle of data processing - the principle of integrity and confidentiality, as set out in Article 5(1)(f) of Regulation 2016/679. The implementation of technical and organisational measures should consist of the implementation by the controller of appropriate provisions, rules for the processing of personal data in a given organisation, but also in the regular review of these measures and, if necessary, updating of previously adopted safeguards.

It follows from the wording of Article 32(1) of Regulation 2016/679 that the controller is obliged to apply technical and organisational measures corresponding to the risk of infringement of the rights and freedoms of natural persons with different probability of occurrence and seriousness of the threat. The provision specifies that when deciding on the technical and organisational measures, account should be taken of the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons of varying probability and seriousness. It follows from the cited provision that the determination of appropriate technical and organisational measures is a two-step process. First, it is important to determine the level of risk involved in the processing of personal data taking into account the criteria indicated in Article 32 of Regulation 2016/679, and then it is necessary to determine what technical and organisational measures will be appropriate to ensure a level of security corresponding to that risk. These determinations, where applicable, in accordance with points (b) and (d) of that Article, should include measures such as the ability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services and to regularly test, measure and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing.

Article 32(2) of Regulation 2016/679 provides that in assessing the adequacy of the degree of security, account shall be taken in particular of the risks involved in the processing, in particular arising from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed.

Recital 87 of Regulation 2016/679 provides, inter alia, that it must be ensured that all appropriate technical protection measures and all appropriate organisational measures are in place to immediately identify the personal data breach and to promptly notify the supervisory authority and the data subject. Whether the notification was made without undue delay should be determined taking into account, in particular, the nature and gravity of the personal data breach, its consequences and adverse effects for the data subject.

In the opinion of the President of the Office for Personal Data Protection, the Company insufficiently assessed the effectiveness of technical and organizational measures to ensure the security of the processing of personal data contained on documents delivered to the Company's customers via a courier service provider, which constitutes a breach of Article 24(1) and Article 32(1) and (2) of Regulation 2016/679.

First, it is necessary to refer to the Company's explanations regarding the assessment of the risk of infringement of the rights or freedoms of natural persons affected by the personal data protection breaches covered by the present proceedings. In its response to the initiation of the administrative proceedings, the Company emphasised that, pursuant to Article 33 of Regulation 2016/679, it "(...) shall notify it to the supervisory authority competent under Article 55, unless the breach is unlikely to result in a risk of infringement of the rights or freedoms of natural persons", while citing Article 3(2) of Regulation 611/2013, according to which the likelihood that a personal data breach may have an adverse effect on the personal data or privacy of the subscriber or natural person shall be assessed taking into account, in particular, the circumstances set out in points a-c of the said provision. Subsequently, the Company indicated that it made an individual risk assessment of each of the events having the appearance of a personal data protection breach. The Company indicated that it assessed the severity of personal data breaches according to the methodology for assessing the degree of data breach developed by the European Union Agency for Network and Information Security (ENISA).

In addition, the Company identified three types of breaches, i.e. 1) incidents involving the delivery of a shipment to a third party, 2) loss of documents by a courier company 3) theft of a shipment of equipment. The Company indicated that it made a detailed assessment of the risk of infringements for each of the three above-mentioned types of infringements, presenting its results in Appendices No. 12, 14 and 15 to the Company's letter of [...] August 2020, respectively.

In its letters of [...] August and [...] October 2020. The Company indicated that in all 3 types of breaches, described above, on the basis of the individual risk assessment carried out according to the ENISA methodology, the result of the breach analysis made it possible to determine the level of severity of the data protection breach for data subjects as "low". According to the Company, this also applies to breaches involving theft of documentation, since, as the Company stated, the thief was interested in the equipment sent to the customer, and not in the customer's personal data. However, apart from the result of the analysis of such violations, the Company did not provide any other evidence to justify this assessment.

The Company explained that "despite the fact that the obtained result of the analysis of breaches allowed to determine the level of severity of the data protection breach for the data subjects as "low", the Company nevertheless notified the breaches, due to the guidelines of the President of the Office for Personal Data Protection provided to the Company in the speech of [...] September 2018. (reference [...]), indicating the necessity of notifying events that included PESEL No., taking into account the risk as 'high'." However, it is not clear from the above explanations whether the Company disputes the assessment made by the President of the Office for Personal Data Protection at that time, why it did not question it at that time and why it made notifications where in the notification forms it indicated a high risk of infringement of rights or freedoms of natural persons in connection with those infringements despite its different assessment of this risk.

At this point, it should be emphasised that the address (ref. [...]) was addressed to the Company in connection with the Company's notification of a personal data protection breach of [...] August 2018, in which the Company informed that it had notified the data subject of the fact of a personal data breach and provided the content of the notification. In the said address, the President of the Office for Personal data Protection indicated that the notification sent by the Company does not meet the conditions set out in Article 34(2) of Regulation 2016/679, i.e. it does not contain the information referred to in Article 34(2) in conjunction with Article 33(3)(c) of Regulation 2016/679, as it does not describe the possible consequences of a personal data breach. In response to the said request, the Company, by letter dated [...] October 2018, informed that it had notified the data subject in accordance with the guidelines presented in the said request of the President of the DPA. The Company did not question the said speech in any way, made notifications of personal data protection violations resulting from the cooperation with the courier service provider and notified the data subjects in cases concerning personal data protection violations in which there was a high risk of infringement of rights or freedoms of natural persons. It should be stressed that the Company raises the above only at the stage of these proceedings, thus questioning the legitimacy of the assessment of the high risk of infringement of rights or freedoms of natural persons made by it in the notifications of personal data protection violations, when it could have already questioned it in its response to the President of the Office for Personal Data Protection ref. [...] of [...] September 2018.

With regard to the assessment of the risk of violations of rights or freedoms of natural persons presented by the Company, presented for the types of violations singled out by the Company, the following circumstances should be indicated. As regards violations related to the provision of documentation to third parties, the Company argued that such documentation is most often provided to relatives and, therefore, the provision of such documents to a person who knows the data and lives in the same household with the customer, gives rise to more consequences in terms of civil law [lack of authority to sign a contract, and, therefore, lack of possibility to commence the provision of services by the Company], than it gives rise to the risk of possible negative consequences in terms of rights and freedoms of the data subject. In view of the above, it should be pointed out that in accordance with the Guidelines, depending on the particular situation, the controller may consider an accidental recipient, a third party, as "trusted", and the fact that the recipient is trusted may cause that the consequences of the breach will not be serious, but it does not mean that the breach has not taken place. However, this in turn may eliminate the likelihood of risk to individuals, with the result that there is no longer a need to notify the supervisory authority or the individuals affected by the breach. This means that the controller should make a case-by-case assessment of the breach. In its explanations, the Company based its assessment on general information provided by the courier service provider, without providing evidence of its individual analysis in this regard for specific cases of personal data protection breaches of this type. Although the Company informed that it conducted a detailed risk assessment of infringements involving delivery of a parcel to a third party, the content of which is attached as Annex No. 12 (1-20) to the Company's explanations of [...] August 2020, the indicated documentation presented by the Company does not take into account the situation of delivery by a courier company of documents containing personal data of the Company's customer to a person who could be considered a trusted recipient. It should be pointed out that recognition of the person who actually received the documentation containing personal data of the Company's customer as a trusted recipient would require, however, that in each case the Company examines the relationship between such recipient and the customer, e.g. whether they are not in conflict and whether they actually already had all personal data of the customer. It should also be emphasised that the civil law consequences raised by the Company also translate into an infringement of the rights or freedoms of natural persons as referred to in Regulation 2016/679. However, this issue, as evidenced by the documentation submitted by the Company, was also not taken into account by the Company when assessing the risk of a personal data breach.

In its letter of [...] July 2020, the Company stated that in its opinion "it appears that the service of a document on a third party being a close relative of the data subject results in a very low probability of materialization of a possible risk of violation of rights and freedoms associated with this event", however, as indicated above, it did not sufficiently document that it made an individual assessment of particular cases of violations of this type, basing its assessment mainly on explanations provided by the entity providing courier services to the Company. It should be stressed that in order to assess the high risk of infringement of the rights or freedoms of natural persons related to violation of personal data protection, it is not important whether the risk materializes, but the fact of its existence. Therefore, the Company's argumentation justifying the lack of high risk of infringement of rights or freedoms of natural persons in this respect cannot be accepted. It should be stressed again that the Company should explain each case individually, which, as is clear from the documentation presented, it failed to do. It should be stressed that due to the scope of disclosed personal data, violations of this type, in the absence of individual confirmation that the person who received documentation containing personal data of a customer could be considered a trusted recipient, should have been assessed as resulting in a high risk of violation of rights or freedoms of natural persons and notified the customers, which the Company did. Similarly, for the other two categories of breaches identified by the Company, i.e. loss or theft of documentation containing personal data of customers, in the absence of an individual assessment sufficiently justifying the lack of high risk, given the scope of disclosed personal data, the risk should have been assessed as high and the customer should have been notified about the breach.

The President of the Office for Protection of Personal Data Protection points out that the "detailed risk analysis" presented by the Company as attachments to its explanations are in fact printouts from the personal data protection breach severity calculator made available on the website of one of the entities providing support services in the scope of personal data protection. The President of the Office for Personal Data Protection does not assess the correctness of the functioning of the said calculator at this point, but points out that calculators can produce any result, depending on the data entered into the calculation. Moreover, the printouts in question contain a disclaimer "that each case of a breach or suspected breach of personal data protection should be analysed individually, in particular within the scope of the obligations set out in Article 33 and 34 of the RODO, therefore, this calculator may constitute at most an additional auxiliary source and cannot be an independent basis for decision-making by any entity or person who uses the calculator on their own responsibility". These documents do not bear the date of production, nor do they contain a description of the detailed criteria which guided the Company in making its assessment using the calculator indicated. As previously indicated, the risk assessment for breaches involving the release of documentation to a third party does not contain an individual assessment or justification that, in the case in question, there has been a disclosure of personal data to a trusted entity, which could justify for this case the assessment of the absence of a high risk of infringement of the rights or freedoms of individuals. Apart from the indicated printouts from the calculator, the Company did not present such an assessment with regard to other categories of infringements identified by it.

In its explanations, the Company only emphasises that it made its assessment in accordance with the ENISA methodology, without providing any additional justification for its risk assessment criteria.

It should be further noted that the ENISA method indicates that the final score for the processing context (CRPD) may be increased or decreased depending on the occurrence of various factors, inter alia the wide range of data for one person, the nature of the data or the possible adverse effects for the data subject and the scale of the data breached (for the same person).

According to the Guidelines, the key factor when assessing risk is of course the type and sensitivity of the personal data that has been exposed as a result of the breach. Typically, the risk of harm to individuals affected by a breach increases with the sensitivity of the data, but other personal data about those individuals that may already be available should also be taken into account (...). Breaches related to health data, identity documents or financial data such as credit card data can cause harm if they occur individually, but if they occur cumulatively, they can be used for identity theft. A collection of different personal data is usually more sensitive in nature than a single piece of personal data. Furthermore, Article 3(2) of Regulation 611/2013, which the Company referred to in its explanations, also provides guidance on the factors to be taken into account in connection with breach notification in the electronic communications services sector. According to this provision, the likelihood that a personal data breach may have an adverse effect on the personal data or privacy of a subscriber or individual shall be assessed by taking into account, in particular, the following circumstances: (...) the likely consequences of the personal data breach for the subscriber or individual concerned, particularly if the breach could result in identity theft or forgery, bodily harm, mental suffering, humiliation or damage to reputation.

When analysing the assessment of the risk of infringement of rights or freedoms of natural persons presented by the Company in the notifications of personal data protection infringements covered by the present proceedings, the President of the Office for Personal Data Protection took into account the information in this respect contained in the content of these notifications.  In assessing the breaches of personal data protection covered by the present proceedings, the President of the Office for Personal Data Protection found that the breach of data confidentiality, in particular the data concerning jointly the forename and surname, address of residence or stay, PESEL number, series and number of identity card or other identity document, telephone number, and other categories of data concerning the parties to the agreements (e.g. contract ID, contract number, document number, equipment number, number and amount of VAT invoice, account number for payments), results in a high risk of infringement of rights or freedoms of natural persons, and therefore it is necessary to notify the data subject of the breach of his/her personal data. It means that when notifying the breaches of personal data protection, the Company correctly indicated in the forms of such notifications that they cause high risk of infringement of rights or freedoms of natural persons.

The different assessment of the risk of violation of rights or freedoms of natural persons was not sufficiently substantiated by the Company, and the printouts presented by the Company, in accordance with the supplier's reservation contained therein, may only have auxiliary character and may not constitute the basis for assessment of the risk of violation of rights or freedoms of natural persons. The fact that the documentation presented by the Company may only be of an auxiliary nature is further evidenced by the fact that, according to the Company's "detailed" assessment, incidents involving the loss by couriers of documentation containing personal data in the following form: first and last name, address of residence or stay, PESEL number, e-mail address, series and number of identity card or other identity document, telephone number, and the above-mentioned categories of data concerning the agreements between the parties may also be considered as the basis for assessing the risk of infringement of the rights and freedoms of natural persons. In the opinion of the President of the Office for Personal Data Protection, the infringements identified by the Company as [...], [...], [...] and [...] were assessed not only as minor (i.e. persons will not be affected by the infringement or the infringement will cause minor inconvenience), but also as events not subject to the obligation to report the infringement. In the opinion of the President of the Office for Personal Data Protection, in its calculations presented in the course of the proceedings, the Company failed to take into account additional criteria related to the scope of disclosed personal data influencing the context of data processing, which resulted in unjustified lowering of the risk.

Summing up, the personal data protection infringements covered by the proceedings, resulting from the Company's cooperation with the courier service provider, caused high risk of infringement of rights or freedoms of natural persons, and the Company as the controller was obliged to notify the data subjects of these infringements without undue delay.

In summary, the personal data protection breaches covered by this investigation resulting from the Company's cooperation with the courier service provider caused a high risk of infringement of rights or freedoms of natural persons, and the Company as the controller was obliged to notify the data subjects of these breaches without undue delay.

In the course of the proceedings, the Company demonstrated that it had a Policy on the assessment and notification of breaches of personal data protection in Cyfrowy Polsat S.A. The Company indicated that in accordance with paragraph 3.3 of the Policy it makes efforts to ensure that its employees and associates have the necessary knowledge in the field of personal data protection, in particular in the case of infringements, and that for this purpose cyclic trainings in the field of personal data protection are carried out, presenting as evidence the content of a communication addressed to the Company's employees informing them of obligatory training in the field of personal data protection.

The Company indicated that the issues related to entrusting the processing of personal data of the Company's customers, including liability of the courier company towards the Company, were regulated in the agreement with the entity providing courier services and in relevant instructions for couriers.

It should be pointed out, however, that the Company, despite the implementation of the Policy and personal data protection procedures related to notification of infringements, as well as conclusion of the personal data processing outsourcing agreement with the processor, has not developed appropriate mechanisms aimed at controlling the processor's performance of its obligations. The Company indicated that it undertakes actions in order to ensure adequate performance of the agreement by the processor and consequently to reduce the number of breaches, presenting as evidence the correspondence enclosed to the explanations of [...] July 2020, however actual actions in this respect were taken only in connection with the letter of the President of the Office for Personal Data Protection (UODO) of [...] July 2020, which presented the results of the analyses of personal data protection breaches reported by the Company, conducted in the Office for Personal Data Prtoection (UODO), and then in connection with the initiation of the administrative proceedings in question. This is evidenced by the Company's correspondence constituting Annexes No 8 and 17 to the Company's letter of [...] August 2020.

In the course of the proceedings, the Company implemented a change in the parameters of services assigned to parcels transferred to the carrier to further oblige the courier to deliver the parcel only to the Subscriber's own hands, which, in the Company's opinion, eliminated the cases of delivery of the parcel to an unauthorised person, including household members residing at the same delivery address. As part of the dispatch of parcels containing only the customer's copy of the agreement itself, additional elements were added to the process to verify the completeness of the parcels sent. The Company announced that it has also implemented additional measures to improve the process of tracking parcels en route, so that its status can be determined shortly after shipment. As indicated by the Company, the information obtained in the course of explanations and interventions with the carrier allows the Company to take further actions with regard to the shipment, including confirmation, in particular, of lost parcels, and thus faster identification and reporting of potential loss of personal data.

In the course of the administrative proceedings, the Company provided explanations regarding its compliance with the requirements set out in Article 33 and recital 85 of Regulation 2016/679. In its explanations of [...] October 2020, the Company emphasised that it applies the provisions of Regulation 611/2013 to subscribers' personal data first, and the provisions of Regulation 2016/679 second.

In the context of the above-mentioned explanations of the Company, it should be noted that at no stage of the assessment of the compliance of the Company's conduct with Regulation 2016/679 in the case of breaches covered by the present proceedings did the President of the Office for Personal Data Protection indicate that the Company may have breached the provision of Article 33 of Regulation 2016/679. The provisions of Regulation 611/2013, as rightly pointed out by the Company in its letter of [...] August 2020, are of a stricter nature than the provision of Article 33 of Regulation 2016/679, imposing an obligation on entities engaged in telecommunications activities to notify the competent national authority of all personal data breaches, no later than 24 hours after the discovery of the personal data breach. The fact that the Company complies with the requirements set out in Article 33 of Regulation 2016/679 (and Article 2 of Regulation 611/2013) does not at the same time mean that it complies with the requirements set out in other provisions of Regulation 2016/679. Indeed, the notification of a personal data breach to the supervisory authority within the time limit set out in the aforementioned provision of Regulation 2016/679 or within the time limit set out in Article 2(2) of Regulation 611/2013 does not exempt the controller from taking measures to identify personal data breaches efficiently and promptly. "The time limit for notifying a personal data breach shall be calculated from the moment the breach is identified. By ascertaining a breach, it should be understood that the controller becomes aware of the factual circumstances that could be qualified as meeting the prerequisites of Article 4(12). However, the moment when the controller has made such a subsumption is not decisive. It should be borne in mind that, according to recital 87, the controller should implement such technical protection measures as to be able to immediately identify personal data breaches. If this is not the case, the failure to establish the breach will not result in a breach of Article 33(1) due to the failure to start the notification period, but the controller will be in breach of the requirements to implement appropriate technical measures to catch possible breaches. It is important to emphasise that any delay in notifying individuals of a breach of their personal data further increases the possibility that the risk of a breach of their rights or freedoms will materialise. The sooner the person whose data has been disclosed is properly notified of the breach, the sooner he or she will be able to take action to minimise the risk of negative consequences of the breach.

As indicated in the Guidelines on Notification of Personal Data Breaches under Regulation 2016/679 of the Article 29 Working Party, the provisions of Regulation 2016/679 require both controllers and processors to adopt appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the processing of personal data. Controllers and processors should take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing and the risk of violation of the rights and freedoms of natural persons with different probability and gravity. In addition, Regulation 2016/679 requires the adoption of all appropriate technical safeguards and all appropriate organisational measures to immediately identify a personal data breach, which in turn is critical in determining whether the breach notification obligation applies in a given case. This means that the ability to prevent breaches where possible, and the ability to respond promptly to breaches where they nevertheless occur, is a key element of any data security policy.

In its explanations, the Company demonstrated that immediately after receiving information about the breach from the processor, it notified of the breach and notified the data subjects. However, the processor's failure to react promptly does not remove the controller's responsibility for establishing a personal data breach, as the ability to, among other things, detect breaches should be seen as a key element of technical and organisational measures, including any data security policy. It follows from the wording of Article 32(1) of Regulation 2016/679 that the controller is obliged to apply technical and organisational measures appropriate to the risk of a breach of the rights and freedoms of natural persons of varying probability and gravity. Pursuant to Article 32(2) of Regulation 2016/679, when assessing whether the degree of security is adequate, the controller shall in particular take into account the risks involved in the processing, in particular arising from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed. The provisions of Regulation 2016/679 oblige both controllers and processors to adopt appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the processing of personal data. It further follows from the aforementioned provisions as well as recital 87 of Regulation 2016/679 that the Regulation has established the requirement to adopt the aforementioned measures in order to immediately identify a personal data breach. The evidence gathered confirms that the Company took measures to explain the reasons for delays in reporting breaches by the courier service provider, but these measures were taken after the breaches were reported by the provider. Therefore, the Company should not wait only for reporting of infringements by the processing entity, but should implement appropriate solutions enabling verification of these obligations e.g. by current monitoring of the stage of delivery of parcels.

The Company, referring to delays in reporting information on infringements by the carrier, confirms the lack of verification mechanisms on the part of the Company.

In the course of the proceedings, the Company pointed to clause 5.5 of the Policy, according to which "if it is determined that a personal data breach is likely to result in adverse effects for the personal data or privacy of a subscriber or individual, the Administrator shall make the notification referred to in clause 5.5. of the Policy. 5.5. of the Policy and, in addition, shall immediately inform about the Breach the Data Subjects affected by the Breach". The collected evidence indicates, however, that the above provision of the Policy in fact remained dead, as the Company did not implement sufficient mechanisms allowing for ongoing monitoring of courier shipments. The Company indicated that it clarifies the cases of infringements with the carrier on an ongoing basis in order to eliminate the problem of delays in the transmission of information on data loss, however, the correspondence presented by the Company, in which the reasons for delays in the reporting of personal data protection infringements by the processor are explained, does not confirm the explanations of the Company in this regard (e-mail correspondence constituting Annexes No. 5, 6 and 7 to the Company's explanations of [...] August 2020). 

In the course of the proceedings, the Company demonstrated that it concluded an agreement with the courier service provider on the entrustment of personal data processing.  In its explanations of [...] August 2020, the Company quoted the wording of § 8 of the agreement and then explained that it had issued debit notes on that account. The President of the Office for Personal Data Protection does not deny that the Company took actions aimed at proper performance of the agreement, however the attached debit notes do not refer to § 8 indicated by the Company, but to other contractual provisions. Even if the Company were to charge the processor for not reporting personal data protection violations in a timely manner, the collected evidence unambiguously indicates the lack of sufficient supervision in this regard, which, in addition to the actual dates of identification of events causing personal data protection violations, is evidenced by the above-mentioned correspondence of the Company, in which it explains the reasons for reporting events from, inter alia, July, October and December 2019, where enquiries from the Company were sent in January and May 2020.

According to the Guidelines, "the GDPR provides that individuals must be notified of a breach "without undue delay" - i.e. as soon as possible. Notifying individuals is primarily intended to provide them with details of the preventive action they should take. Depending on the nature of the breach and the risk posed, prompt notification will allow individuals to take action to protect themselves from any negative consequences of the breach." The importance of immediate response to breaches is underlined both in the Guidelines and in the document Obligations of controllers related to personal data protection breaches issued by the President of the Office for Personal Data Protection. In view of the above, in the course of the proceedings, the President of the Office for Personal Data Protection asked the Company whether it had analyzed the impact of timely identification of personal data protection infringements on the rights or freedoms of data subjects. In a letter of [...] October 2020. The Company explained that "in carrying out the risk analysis, it assesses the potential negative effects on the data subject, using a summary prepared for internal purposes of the risks, including the rights and freedoms of the natural person that may constitute a breach, taking into account the risks and the consequences and preventive measures", presenting the aforementioned summary as Annex No. 1 to the explanations. However, the submitted documentation does not include criteria for assessing violations in terms of their prompt identification and, consequently, prompt notification of violations to data subjects. The Company did not analyze the impact of timely identification of personal data breaches on rights or freedoms of data subjects.

In light of the above-mentioned explanations of the Company, it should be reiterated that Regulation 2016/679 establishes a requirement for the controller to implement all appropriate technical protection measures and all appropriate organisational measures to immediately identify a personal data breach and promptly notify the supervisory authority and data subjects. Regulation 2016/679 also states that whether notification is made without undue delay should be determined taking into account, in particular, the nature and gravity of the personal data breach, its consequences and adverse effects on the data subject. This imposes an obligation on the controller to maintain the ability to "establish" the occurrence of any breach in a timely manner to ensure that the data subject is also able to take appropriate action.

In the course of the proceedings, the Company indicated that it had implemented procedures to promptly notify data subjects as well as the supervisory authority of personal data breaches, but the material on record confirms that it did not maintain sufficient oversight in this area, resulting in data subjects being notified of breaches of their personal data in most cases more than 60 days after the date of the event that caused the breach. In June 2020. The Company made [...] notifications of personal data breaches. [...] breaches, representing 60% of the total number of data protection breaches reported in June 2020, were identified by the Company more than 60 days after the date of the event causing the breach, while more than 33% of the total number of reports were events identified by the Company more than 90 days after the date of the event. Over 17% of the total number of data protection breaches reported in June 2020 were for events in January 2020 and 2019, meaning that they were identified by the Company more than 120 days from the date of the event causing the data protection breach. In July 2020. The Company made a further [...] notifications. [...] of these, representing more than 44% of the total number of notifications are breaches identified more than 60 days from the date of the event causing the breach, while 15% of the total number of notifications were events identified by the Company more than 90 days from the date of the event causing the breach.

Prior to the receipt of the letter from the President of the Office for Personal Data Protection, in which the analyses of timeliness of identification of infringements were presented, the Company had admittedly asked the courier service provider to explain the reasons for the delay, but, as the evidence collected in the case indicates, these were follow-up actions, after the events were reported by the courier service provider, and concerned explaining the reasons for delays in reporting infringements of events even several months after the date of reporting (e-mail correspondence constituting Annexes No. 5, 6 and 7 to the Company's letter of [...] August 2020). The illustrative correspondence provided to explain the reasons for the courier company's late reporting of delivery irregularities included events from July, October and December 2019, where enquiries from the Company were sent in January and May 2020, indicating a lack of sufficient oversight in this area also in relation to data protection breaches identified by the Company before June 2020 and before the pandemic period.

The Company, in its explanations of [...] October 2020, indicated that immediately after the occurrence of late reporting of personal data loss or breach by a processor on behalf of the Company, it again reviewed the process of distribution of shipments and settlement of return documents, which allowed to identify areas that needed to be improved. Thanks to this verification, the Company introduced additional system changes, as well as changes on the carrier's side in reporting of return documents sent back to the Company and verification and timeliness of notifications of suspected loss of personal data of the Company's customers.

However, it results from the evidence gathered in the course of the proceedings that real actions aimed at quick identification of events resulting in personal data protection violations were taken only in connection with the letter of the President of the Office for Protection of Personal Data of [...] July 2020, and then in connection with the initiation of administrative proceedings in this regard (correspondence constituting Annexes 8 and 17 to the Company's letter of [...] August 2020). It is also impossible to agree with the claims of the Company that its actions in this respect were undertaken immediately after the occurrence of cases of late reporting of data breaches by the processor, because, as indicated by the e-mail correspondence presented by the Company, cases of late reporting of breaches by the processor were identified by the Company at least from January 2020. The absence in this regard of effective organisational measures allowing for the prompt identification of personal data protection breaches prejudges the Company's breach of its obligations under Article 24(1) and 32(1) and (2) of Regulation 2016/679.

In a letter dated [...] October 2020. The Company further indicated that at the beginning of September 2020 it had implemented new mechanisms to eliminate cases of delivery to an unauthorised person. The Company also informed that it has implemented additional measures to improve the process of tracking shipments, which consequently results in faster identification and reporting of possible loss of personal data. In relation to the Company's explanations in the aforementioned scope, the President of the Office for Competition and Consumer Protection analysed the notifications that were not included in the list of infringements constituting grounds for initiating the present proceedings. As a result of the analysis of notifications made in August and September 2020 indicated by the Company in the statement sent by letter of [...] October 2020, there was not a single case of infringement identified by the Company within more than 90 days from the date of the event causing the infringement, while notifications of personal data protection infringements in which the Company identified the infringement within more than 60 days from the date of the event constituted 16 % of the total number of notifications of personal data protection infringements made by the Company in that period. However, it should be stressed again that the Company took these actions only after the administrative proceedings had been initiated.

In the course of the proceedings, the Company emphasised that the period of the pandemic had a significant impact on the timeliness of notifications of personal data breaches concerning these proceedings. The President of the Office for Personal Data Protection, while not denying that during the pandemic there may occur various types of delays, also points out that the material collected in the case confirms the lack of supervision of the Company in this area, which resulted in notifying the data subjects of the violation of their data protection even two or three months after the date of the violation. In June 2020, breaches identified by the Company more than 60 days from the date of the incident accounted for 60% of the total number of data protection breaches reported to the DPA. While in July 2020, i.e. immediately after the analyses performed in the DPA in this regard were sent to the Company, the breaches identified by the Company more than 60 days after the event causing the breach still accounted for 44% of the total number of notifications, after the initiation of the proceedings in the analysed period of August and September 2020, the breaches identified more than 60 days after the event accounted for only 16% of the total number of notifications.

The above analysis confirms that it was possible for the Company to take effective measures to minimise the scale of breaches, as well as to identify breaches relating to courier delivery more quickly, even despite the pandemic period. However, these mechanisms were implemented after the administrative proceedings were initiated and after the President of the Office for Competition and Consumer Protection had presented his own analyses. At the same time, this confirms the Company's failure to apply, prior to the initiation of the administrative proceedings, appropriate organisational and technical measures to ensure the security of personal data processing and prompt identification of personal data protection violations, and consequently, a breach of the aforementioned provisions of Regulation 2016/679 in this regard.

One should agree with the explanations of the Company that violations of this type arise mainly due to human errors and it is not possible to eliminate them in 100% by implementing any additional organisational or technical measures, nevertheless, the evidence gathered in the course of the proceedings indicates, which should be emphasised once again, that the Company did not exercise adequate supervision in the area of processing personal data contained in documents sent via courier service providers, due to the lack of implementation of appropriate measures to quickly identify personal data protection violations, as well as to minimise their scale.

Referring to the Company's additional explanations, according to which "the number of breach notifications made by the Company is affected by the fact that it complies with the provisions of Regulation 611/2013, which are of a stricter nature than the provisions of Regulation 2016/679, since, in accordance with Article 2(1) of the Regulation, the provider shall notify the competent data protection authority. 1 of the Regulation, the provider shall notify the competent national authority of all cases of personal data breaches, which consequently affects the number of notifications made", the President of the Office for Personal Data Protection points out that the subject of the present proceedings were only the notifications of personal data protection breaches resulting from the Company's cooperation with entities providing courier services, in which the Company indicated a high risk of infringement of rights or freedoms of natural persons, and the analysis of these cases performed by the President of the Office for Personal Data Protection confirmed the assessment made by the Company. Other notifications of personal data protection infringements made by the Company, in case of which the assessment performed by the President of the Office for Personal Data Protection confirmed the lack of high risk of infringement of rights or freedoms of natural persons, or notifications of personal data protection infringements not resulting from the Company's cooperation with entities providing courier services, are included in separate internal statements of the Office for Personal Data Protection, and did not constitute the basis for statistical calculations in the analysis of the notifications presented in this decision and were not subject to the present proceedings.

Incidentally, cases of reported infringements of personal data protection related to irregularities on the part of postal operators are not exceptional in the practice of the Office for PErsonal Data Protection; however, the exceptions include situations where the controller fails to take immediate action in relation to the loss or incorrect delivery of postal items containing customers' personal data.

In view of the above, it should be concluded that the Company insufficiently assessed the effectiveness of the technical and organisational measures implemented to ensure the security of the processing of personal data contained in documents sent through the courier service provider and to ensure the prompt identification of breaches in the protection of personal data, thereby violating the provisions of Article 24(1), Article 32(1) and (2) of Regulation 2016/679.

In view of the above findings, the President of the Office for Personal Data Protection, exercising the power vested in him pursuant to Article 58(2)(i) of Regulation 2016/679, according to which each supervisory authority is entitled to apply, in addition to or instead of other remedies provided for in Article 58(2)(a-h) and (j) of that Regulation, an administrative pecuniary penalty pursuant to Article 83(4)(a) of Regulation 2016/679, having regard to the circumstances established in the proceedings in question, concluded that the premises justifying the imposition of an administrative pecuniary penalty on the Company occurred in the case under consideration.

When deciding to impose an administrative fine on the Company, the President of the Office for Personal data Protection - pursuant to the content of Article 83(2)(a-k) of Regulation 2016/679 - took into account the following circumstances of the case, which have an aggravating effect and influence the amount of the financial penalty imposed:

1. the nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).
When imposing the penalty, the fact that the breach of Regulation 2016/679 had an impact on the delays in notifying the Company's customers of the breach of the protection of their personal data was significant. The Company, due to the lack of implementation of technical and organisational measures enabling a quick identification of personal data protection breaches causing a high risk of infringement of rights or freedoms of natural persons, consequently notified its customers about the breach with a significant delay (more than 17% of the total number of personal data protection breaches reported in June 2020 concerned events from January 2020 and from 2019, which means that they were identified by the Company more than 120 days from the date of the event causing the personal data protection breach). The investigation covered notifications of data protection breaches made by the Company in June and July 2020. However, the collected evidence indicates the lack of supervision in this area already in the earlier period, as the notifications of violations from that period included events identified by the Company even after 120 days from their occurrence. Moreover, the sample correspondence presented in the course of the proceedings concerning the explanation of the reasons for the courier company's late reporting of irregularities in the delivery of parcels concerned, inter alia, events from July, October and December 2019, where enquiries from the Company were sent in January and May 2020, which indicates the lack of sufficient supervision in this area also in relation to breaches of personal data protection identified by the Company before June 2020. The aforementioned results of the analysis of notifications of personal data protection breaches made by the Company clearly indicate excessive - in relation to the deadlines deemed appropriate by the provisions of Regulation 2016/679 - delays in the identification of breaches and, consequently, delays in the notification of breaches to the affected persons. Such delays, resulting - as demonstrated above - from the Company's failure to implement appropriate technical and organisational measures to ensure the prompt identification of personal data breaches, should be considered serious and require a negative assessment in the context of the risk borne by the persons whose personal data has been breached. Indeed, as indicated in recital 85 of Regulation 2016/679: "In the absence of an adequate and timely response, a personal data breach may result in physical harm, economic or non-pecuniary damage to individuals, such as loss of control over their own personal data or limitation of their rights, discrimination, identity theft or falsification, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy, or any other significant economic or social damage."

2. the degree of responsibility of the Company (as an administrator) taking into account the technical and organisational measures implemented (Article 83(2)(d) of Regulation 2016/679).
The findings made by the President of the Office for Personal Data Protection allow the conclusion that the Company, despite the agreement concluded with the entity providing courier services and relevant provisions in the Policy, did not exercise adequate supervision in this area, thus failing to identify on an ongoing basis personal data protection infringements related to the dispatch of documentation containing personal data, which in consequence led to notifying the data subjects after a considerable lapse of time from the date of the event causing the infringement of the protection of their personal data. Therefore, it should be concluded that the Company is responsible for the failure to implement mechanisms guaranteeing the effectiveness of measures (contractual provisions and provisions of internal documents of the Company) intended to ensure - in accordance with the provisions of Regulation 2016/679 - the identification of personal data protection violations and, consequently, their notification to the President of the Office for Personal Data Protection and informing the persons affected by the violation about them.   

3 Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679).
The notifications of breaches of personal data protection covered by the present proceedings concerned irregularities in the delivery of parcels containing personal data within the scope of: first name, surname, address of residence or stay, PESEL identification number, often e-mail address, series and number of identity card or other identity document, telephone number, and other categories of data concerning the contracts connecting the parties (e.g. contract ID, contract number, document number, equipment number, VAT invoice number and amount, account number for payments). Such a wide scope of personal data disclosed to unauthorised persons and remaining in their possession for a longer period of time - as a consequence of the infringement established by the present decision - without the knowledge and without the possibility of any reaction from the subject of the data, must have an adverse impact on the assessment of the established infringement and the amount of the administrative fine imposed. It should be stressed that the infringement committed by the Company involves a high risk of violation of rights or freedoms of persons affected by the infringement. The Guidelines, already cited above, clearly indicate the high risk associated with disclosure of, in particular, data concerning identity documents, and they also emphasize that "a set of different personal data is usually more sensitive than a single piece of personal data".

When determining the amount of the administrative fine, the President of the Office for Personal Data Protection took into account as a mitigating circumstance the premise set out in Article 83(2)(f) of Regulation 2016/679, i.e. the degree of the Company's cooperation with the supervisory authority in order to remedy the breach and mitigate its possible negative effects. The President of the Office for Personal Data Protection noticed and positively assessed the fact that the Company (already after the analyses performed by the President of the Office for Personal Data Protection were presented to it and the present proceedings were initiated) undertook actions aimed at faster identification of personal data protection infringements. Despite the fact that in the course of the proceedings the Company questioned the high risk of infringement of rights or freedoms of natural persons related to the infringements covered by the proceedings, it implemented mechanisms which resulted in both reduction of the number of personal data protection infringements related to such events and identification of these events much faster. This is confirmed by the results of the analysis of the notifications of personal data protection breaches made by the Company in August and September 2020, presented above in the justification of this Decision (page 25).  

The fact that the President of the Office applied the sanction in the form of an administrative fine in the present case, as well as its amount, was not affected by other circumstances indicated in Article 83(2) of Regulation 2016/679, namely:

1. the unintentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679) - the President of the Office for Personal Data Protection did not establish in the present case any intentional actions of the Company leading to the state of infringement of the provisions of Regulation 2016/679, nevertheless, negligence in controlling the effectiveness of technical and organisational measures aimed at ensuring the security of personal data processing in the process of delivery of parcels to its customers does not provide grounds to exempt it from liability for the identified infringement.
2. measures taken by the Company to minimise the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679) - in the present case, no damage was found to have occurred to the persons affected by the breach and therefore there are no grounds to expect the Company to take measures to minimise it.
3. Relevant prior breaches of Regulation 2016/679 by the Company (Article 83(2)(e) of Regulation 2016/679) - no relevant prior breaches of Regulation 2016/679 have been identified by the Company.
4. the manner in which the supervisory authority became aware of the breach (Article 83(2)(h) of Regulation 2016/679) - the President of the DPA found the breach by analysing the notifications of personal data protection breaches made by the Company itself, however, due to the fact that the Company, in making these notifications, was only fulfilling its legal obligation, there are no grounds to consider that this circumstance constitutes a mitigating circumstance for the Company.
5. compliance with the measures referred to in Article 58(2) of Regulation 2016/679 previously applied in the same case (Article 83(2)(i) of Regulation 2016/679) - in the present case, the measures referred to in Article 58(2) of Regulation 2016/679 were not previously applied to the Company.
6. application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679) - the Company does not apply approved codes of conduct or approved certification mechanisms as referred to in the provisions of Regulation 2016/679.
7. financial benefits achieved or losses avoided directly or indirectly as a result of the breach (Article 83(2)(k) of Regulation 2016/679) - the President of the DPA has not established in the course of the present proceedings that, by committing the breach subject to a penalty, the Company has achieved any financial benefits or avoided any financial losses.

Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection found that the imposition of an administrative fine on the Company is necessary and justified by the gravity, nature and scope of the violations of Regulation 2016/679 alleged against the Company. It should be stated that the application to the Company of any other remedy provided for in Art. 58(2) of Regulation 2016/679, in particular, merely to issue a warning (Article 58(2)(b)), would not be proportionate to the irregularities found in the processing of personal data and would not guarantee that the Company would not commit negligence similar to that in the present case in the future.

Pursuant to the content of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates on 28 January each year, and in the event that in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the National Bank of Poland's table of exchange rates nearest to that date.

In the opinion of the President of the Office for Personal Data Protection, the imposed administrative fine in the amount of PLN 1,136,975 (in words: one million one hundred and thirty-six thousand nine hundred and seventy-five zlotys), which is equivalent to EUR 250,000 (average exchange rate of the euro as at 28 January 2021 - PLN 4.5479), fulfils, in the established circumstances of this case, the functions referred to in Article 83(1) of Regulation 2016/679, i.e. is effective, proportionate and dissuasive in this individual case. During the proceedings, the Company presented its financial statements for 2019, according to which its net sales revenues amounted to approximately PLN 2.38 billion, while its net profit amounted to PLN 586.8 million. It should additionally be noted that the Company is the parent company of the Cyfrowy Polsat S.A. Group, whose net sales revenues for 2019 amounted to approximately PLN 11.68 billion and its net profit for 2019 amounted to approximately PLN 1.1 billion (data presented by the Company in the "Consolidated Annual Report for the financial year ended 31 December 2019" posted on the website at https://grupapolsat.pl/sites/default/files/documents/cps_raport_roczny_2019.pdf). Taking into account the above presented financial results of both the Company itself and the capital group in which the Company is a parent company, it should be stated that the imposed administrative pecuniary penalty will not be excessively severe for the Company.

The administrative pecuniary penalty will, in these specific circumstances, fulfil a repressive function, as the Company breached the provisions of Regulation 2016/679, but also a preventive function, i.e. preventing future breaches of data protection regulations both by the Company and other data controllers. In addition, the monetary penalty applied meets, in the established circumstances of this case, the prerequisites referred to in Article 83(1) of Regulation 2016/679, due to the gravity of the violations found in the context of the basic requirements and principles of Regulation 2016/679.  
II. At the same time, on the basis of the evidence gathered in the course of the proceedings, it must be concluded that there has been no breach by the company of the other provisions of Regulation 2016/679 which are the subject of these proceedings.

By letter dated [...] July 2020. The President of the DPAO, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, requested the Company to provide information and supporting evidence. By letter dated [...] July 2020. The Company sent part of the explanations requested by the President of the Office for PErsonal Data Protection, providing as evidence only 3 emails, one of which was addressed by the carrier to another entity, which the Company did not explain in its reply. Therefore, when initiating the administrative proceedings, the President of the Office for PEsronal Data Protection also pointed to the possibility of a breach of Article 31 of Regulation 2016/679, i.e. the lack of the Company's cooperation with the President of the Office for Personal Data Protection requesting the submission of information necessary for the examination of the case. It was only after the administrative proceedings were initiated that the Company provided additional explanations and evidence to support the explanations it had submitted. The evidence thus obtained was sufficient to issue an administrative decision, and therefore the proceedings should have been discontinued with regard to a possible violation of Article 31 of Regulation 2016/679.

In the course of the proceedings, the Company demonstrated that it notifies data subjects of a breach of their personal data immediately after the breach is identified, while applying the provisions of Regulation 611/2013. With regard to the possibility that the Company breached Article 34(1) of Regulation 2016/679, the proceedings became devoid of purpose due to the fact that the Company implemented without undue delay (even if it currently questions the existence of a high risk of infringement of the rights or freedoms of natural persons associated with the breaches) the obligation to notify affected persons of the breach. The delays in the implementation of the obligation set out in Article 34(1) of Regulation 2016/679 were due to the lack of mechanisms enabling the rapid identification of breaches of personal data protection, and not to the delay that occurred between the identification of those breaches and the notifications to the persons affected by them. In view of the above, the proceedings should be discontinued with regard to the possibility that the Company infringed the abovementioned provision.

In view of the above, the President of the Office for Personal Data Protection resolved as set forth in the operative part of this decision.