UODO (Poland) - DKN.5131.1.2021

From GDPRhub
Revision as of 16:53, 21 November 2024 by W.p. (talk | contribs) (→‎Holding)
UODO - DKN.5131.1.2021
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 28(1) GDPR
Article 28(3) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 33(3)(c) GDPR
Article 33(3)(d) GDPR
Article 34(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.10.2024
Published: 12.11.2024
Fine: 353,589 PLN
Parties: n/a
National Case Number/Name: DKN.5131.1.2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: w.p.

The DPA fined a controller PLN 353,589 and a processor PLN 9,822 for violation of data security duties that led to a data breach, affecting approximately 200 people.

English Summary

Facts

An individual, being a sole entrepreneur (the controller) was attacked with a ransomware software. The attackers encrypted the personal data of the controller’s customers and employees, approximately 200 people. The encrypted data consisted of, in particular, national identification number (PESEL), name and surname, address, current account number, e-mail and phone number. Shortly after the attack, the controller restored access to the data. The identity of the attackers remained unknown.

The controller indicated that the breach sourced in a human error. Supposedly, one of the controller’s employees turned off the antivirus software. Moreover, the attackers also used the server’s vulnerability. The controller explained that a third party, responsible for the server maintenance and IT services (the processor), failed to update the server’s software for certain time. That made the vulnerability being present when the data breach took place.

The controller notified the Polish DPA (UODO) about the data breach. Due to immediate restoration of data access, the controller found the breach didn’t result in high risk to data subjects’ rights and freedoms. Allegedly, the attackers’ only purpose was to obtain ransom from the controller in exchange for access to the data, not to access and to share the data. Initially, the controller didn’t notify the data subjects under Article 34 GDPR, because of the technical and organisational measures implemented in response to the breach. Eventually, a month following the DPA notification, the controller notified the data subject by publishing an announcement within their premises.

The DPA found no evidence that the data confidentiality was not affected by the breach. Thus, the DPA ordered the controller to renotify the data subjects. The DPA claimed the original notification was incomplete, as it was lacking, inter alia, contact data of the DPO or the description of measures applied by the controller after the breach.

The DPA decided to initiate ex officio proceedings against the controller.

During the proceedings the controller stated that all the employees went under training of data protection duties prior to the breach. Moreover, the controller regularly made backups of processed data.

Holding

The DPA found the controller violated GDPR.

The categories of data processed by the controller required increased data security. Specifically, the controller didn’t introduce measures preventing their IT assets from being infected by the ransomware. For the DPA such a preventive measure amounted to the up-to-date software.

The controller didn’t update the server software for approximately two years. Moreover, the controller failed to regularly test and improve the risk posed by undertaken processing activities. In particular, the DPA emphasised that the controller failed to demonstrate the risk assessment covering potential ransomware attack.

The DPA expressed doubts over the security measures implemented by the controller after the breach. As stated by the DPA, there was no evidence that any security audit of the controller’s IT assets was performed following the breach. Furthermore, the DPA was uncertain whether the controller supervised the implementation of new security measures. At the same time, the DPA noted lacking backup management procedure. Consequently, the controller was unable to restore access to data without undue delay.

Thus, according to the DPA, the controller didn’t perform the risk assessment under Article 32 GDPR neither prior to, nor afterwards the breach. Insufficient security measures in place led to the data breach and subsequent violation of data confidentiality and integrity principles.

Additionally, the controller didn’t verify nor audit how the processor fulfilled their data security and other duties stemming from the GDPR. For the DPA, such a omission amounted to violation of Article 28(1) GDPR. Also, the controller didn’t demonstrate how the processor assisted the controller in maintaining data security under Article 32-36 GDPR. Hence, the processor violated Article 28(3)(f) GDPR and Article 32(2) GDPR.

In addition, the controller violated Article 34(2) GDPR. The controller didn’t provide affected data subjects with enough information, in particular, about the consequences of the breach and available remedies.

In consequence, the DPA found violation of Article 5(1)(f) GDPR, 5(2) GDPR, 24(1) GDPR, 25(1) GDPR, 28(1) GDPR, 28(3) GDPR, 32(1) GDPR, 32(2) GDPR, 33(3) GDPR and 34(2) GDPR.

The controller was fined PLN 353,589 (approximately €81,000). Separately, the processor was fined PLN 9,822.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.