
UODO (Poland) - DKN.5130.2415.2020

From GDPRhub
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 25(1) GDPR
Article 28(1) GDPR
Article 28(3)(c) GDPR
Article 28(3)(f) GDPR
Article 28(3)(h) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.11.2024
Published:
Fine: 1,527,855 PLN
Parties: n/a
National Case Number/Name: DKN.5130.2415.2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: w.p.

The DPA fined the operator of a website €350,000 (PLN 1,527,855) and its processor €4,590 (PLN 20,037) for data security violations after a configuration error on the website led to a data breach concerning 21,453 individuals.

English Summary

Facts

A controller launched a new website and outsourced the management of the website and other systems to another company, acting as a processor. An error in a configuration file led to the unauthorised disclosure of an old website folder. The folder contained personal data of 21,453 clients and employees of the controller. The disclosed data consisted of name, date of birth, contact information, national identification number and encrypted website-user passwords.

After the controller notified the DPA of the breach, the DPA initiated ex officio proceedings against the controller and the processor. In one of the documents subsequently provided by the controller, the processor stated that the breach was the result of an error by one of its employees. Furthermore, the controller claimed that the processor had not monitored the server activities as expected. On that basis, the controller considered the processor liable for the breach.

According to the processor, its contract with the controller did not cover the personal data concerned and the controller had not otherwise informed the processor about it. Consequently, the website was treated as a typical website for information purposes. Moreover, the processor emphasised that it had only been assigned to move the old website's content to the new one and had not been instructed to verify the new website's security or to monitor the server activities.

Holding

The DPA found that the controller, which relied wholly on the professional status of the processor without supervising it, violated the principle of integrity and confidentiality in Article 5(1)(f) GDPR by not implementing data protection by design and by default (Article 25(1) GDPR) and by not monitoring its processor as required by Article 28(1) GDPR. The DPA found no evidence that the controller performed regular audits and inspections of the processor under Article 28(3)(h) GDPR. The controller also did not check whether the processor adequately secured personal data during the change of servers. For the DPA, this omission by the controller contributed to the breach. Thus, the controller did not implement appropriate security measures under Article 32(1) GDPR.

Furthermore, the DPA found that the controller neither identified nor assessed the risk arising from moving the personal data from one server to another, as required by Article 32(2) GDPR. Moreover, the controller did not provide the processor with the information necessary to perform the risk assessment.

The DPA found separate violations by the processor, which failed to implement appropriate measures to ensure the security of processing (Article 32(1) and (2) GDPR). The processor did not communicate its doubts about the assignment, thus violating its obligations towards the controller under Article 28(3)(c) and Article 28(3)(f) GDPR to secure processing and to assist the controller in complying with the GDPR. In particular, the processor did not verify whether the website contained personal data. According to the DPA, by such conduct the processor did not fulfil its duty of care.

In consequence, the DPA fined the controller PLN 1,527,855 (ca. €350,000) and the processor PLN 20,037 (ca. €4,590).

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

On the basis of Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2024, item 572), Article 7 par. 1 and 2, Article 60, Article 101 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) and Article 57 par. 1 letters a) and h), Article 58 par. 2 letter i), Article 83 par. 1 - 3 and Article 83 par. 4 letter a) in conjunction with Article 24 par. 1, Article 25 par. 1, Article 28 par. 1 and 3 and Article 32 paragraphs 1 and 2, as well as Article 83 paragraph 5 letter a) in conjunction with Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.05.2016, p. 1, OJ EU L 127, 23.05.2018, p. 2 and OJ EU L 74, 4.03.2021, p. 35), after conducting administrative proceedings initiated ex officio regarding the infringement of the provisions on personal data protection by A. with its registered office in W. at ul. (...) and X. with its registered office in W. at ul. (…), the President of the Personal Data Protection Office

1) finding a violation by A. with its registered office in W. at ul. (…) of Article 24 sec. 1, Article 25 sec. 1, Article 28 sec. 1 and Article 32 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.05.2016, p. 1, OJ EU L 127, 23.05.2018, p. 2 and OJ EU L 74, 4.03.2021, p. 35), hereinafter referred to as "Regulation 2016/679", consisting in: a) failure to implement appropriate technical and organisational measures to ensure the security of data processing in IT systems and the protection of the rights of data subjects, based on the risk analysis carried out taking into account the state of the art, the cost of implementation, the nature, scope, context, purposes of processing and the risk of violating the rights or freedoms of natural persons,

b) failure to implement appropriate technical and organisational measures to ensure regular testing, measurement and assessment of the effectiveness of technical and organisational measures to ensure the security of personal data processed in IT systems, in particular in terms of vulnerabilities, errors, updates and their possible effects on these systems and the actions taken to minimise the risk of their occurrence, resulting in a breach of the principle of confidentiality (Article 5 paragraph 1 letter f) of Regulation 2016/679) and the principle of accountability (Article 5 paragraph 2 of Regulation 2016/679),

c) lack of verification of the processor, whether it provides sufficient guarantees for the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects,

imposes on A. with its registered office in W. at ul. (...), for the violation of Art. 5 paragraph 1 letter f), Art. 5 paragraph 2, Art. 25 paragraph 1, Art. 28 paragraph 1 and Art. 32 paragraphs 1 and 2 of Regulation 2016/679, an administrative fine in the amount of PLN 1,527,855.00 (in words: one million five hundred twenty-seven thousand eight hundred fifty-five zlotys);

2) finding that X., with its registered office in W. at ul. (...) 2, has violated Art. 32 sec. 1 and 2 and Art. 32 sec. 1 and 2 in conjunction with Art. 28 sec. 3 letters c) and f) of Regulation 2016/679, consisting in failure to implement appropriate technical and organizational measures to ensure the security of personal data, including ensuring their confidentiality, imposes on X., with its registered office in W. at ul. (...), for the violation of Art. 32 sec. 1 and 2 and Art. 32 sec. 1 and 2 in conjunction with Art. 28 sec. 3 letters c) and f) of Regulation 2016/679, an administrative fine in the amount of PLN 20,037.00 (in words: twenty thousand thirty-seven zlotys).

Justification

A. (ul. (…), (…)), hereinafter referred to as “A.”, “Company” or “Administrator”, on 24 April 2020, reported to the President of the Personal Data Protection Office, hereinafter also referred to as the “President of the Personal Data Protection Office” or “supervisory authority”, a breach of personal data protection that occurred on 17 April 2020 (a supplementary report was submitted to the supervisory authority on 7 May 2020).

The President of the Personal Data Protection Office conducted explanatory proceedings regarding the reported breach of personal data protection, and then on 27 April 2020, he officially initiated administrative proceedings regarding the possibility of A. violating Article 5 paragraph 1 letter f), Article 24 paragraph 1, Article 25 paragraph 1 and Article 32 paragraphs 1 and 2 of Regulation 2016/679.

By letters of 15 March 2021 and 15 June 2021, the President of the UODO informed X. (ul. (...), (...)), hereinafter referred to as "X." or the "Processor", of recognizing X. as a party to the administrative proceedings conducted under reference number DKN.5130.2415.2020, indicating that the subject of these proceedings is the possibility of A. and X. violating the obligations arising from the provisions of art. 5 par. 1 letter f), art. 24 par. 1, art. 25 par. 1 and art. 32 par. 1 and 2 of Regulation 2016/679.

In connection with the explanations provided, on 24 March 2022, the President of the UODO extended the proceedings to include reference number DKN.5130.2415.2020 regarding the possibility of infringement of the obligations arising from the provisions of art. 28 sec. 1 and art. 28 sec. 3 of Regulation 2016/679.

In a letter dated 17 April 2024, the President of the UODO informed A. and X. that the proceedings under reference number DKN.5130.2415.2020 had been extended to include the possibility of infringement of the obligations arising from art. 5 sec. 2 of Regulation 2016/679.

As a result of the explanatory proceedings and administrative proceedings, the President of the UODO established the following factual circumstances.

I.

In the personal data protection breach report, the Administrator described that the breach consisted of the fact that "(...) in the process of launching a new website on 17.04.2020, the files of the old website were copied to a new folder, which should have been hidden but was made available. This was done by an employee of an IT company without prior consultation and verification of the content of the old website files. The employee of the IT company made a mistake and did not hide the files. Company A. was not aware of this action (...)". In turn, in the supplementary report, A. indicated that "(...) the breach consisted of the possibility of gaining access to the database file of the historical (unused) website (...). The breach occurred due to the Z robot allowing the indexing of the database files of the old website (...). The possibility of indexing the files was caused by incorrect configuration by the IT company providing constant care for the IT infrastructure. (…) The scale of the breach involving PESEL numbers of people was also smaller than originally (in total, it affected over 7,000 fewer people than those included in the database in total. The breach in the part concerning the possibility of obtaining access to customer data including only the first name, last name, email address, residential address, encrypted password to the Customer panel of the website (...) and telephone number affected over 7,000 people [without PESEL numbers] (…) The independent audit of the incident commissioned by company A. shows that the main reason for indexing the files of the old website were errors in the configuration file (…). The files of the old website (...) contained backup copies of the database placed there by the IT company and not deleted as part of maintenance work (…)”.

The information contained in the "Report of a personal data protection breach" forms submitted to the supervisory authority shows that:
- there was a breach of data confidentiality,
- the cause of the breach of personal data protection was an internal unintentional action,
- the approximate number of persons affected by the breach is 21,453 (see the personal data breach report of May 7, 2020),
- the categories of personal data that were breached include: first name and last name, address of residence or stay, PESEL number, date of birth, e-mail address, telephone number and encrypted password for registration on the (...) website,
- the breach concerns the personal data of customers and employees of A.

The Administrator, together with the letter of June 3, 2020, provided the supervisory authority with the document: "Report (...)". It should be noted that the document in question was prepared at the request of the Administrator. The supervisory authority did not see any grounds to question the credibility of this evidence.

As it results from its content, the purpose of the report was to present how a security incident occurred in A.'s IT environment, resulting in the disclosure of legally protected information (including personal data of A.'s clients, their PESEL numbers, residential addresses, e-mail addresses, telephone numbers) and information constituting a business secret (including password hashes, certificates, security keys for selected IT systems). The purpose of the report was also to indicate the reasons for disclosing the above information. The report indicated the principles of implementation of work related to the analysis of the incident, a description of the incident, a description of the Administrator's IT environment in relation to the incident, a description of how the incident occurred, the scope of the incident, the causes of the incident.

In the section indicating the scope of the incident, it was indicated that "(...) information in databases was or could have been disclosed (...) access to database dumps [their reading was possible due to the lack of appropriate permissions prohibiting reading and due to the lack of encryption] took place on April 17-20, 2020 (...) number of rows in the customer table: 21453. This is the number of unique records. Each record should be treated as one customer and personal data assigned to it in accordance with the scheme above (...)". The report also included a list of IP addresses that downloaded the indexed content.

In the section indicating the causes of the incident, technical and organizational reasons were discussed. The technical reasons were indicated as: (...). The organizational reasons were indicated as: (...).
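The failure described in the Facts summary and in section I above (the old site's folder, with undeleted database dumps, left reachable under the new site's web root, readable for lack of restrictive permissions and then picked up by an indexing robot) is the kind of thing a routine pre-deployment check catches. The script below is an added example for readers, not part of the decision or of either party's tooling; the directory-name hints, the file-suffix list, the nginx and robots.txt snippets and the sample tree are all constructed assumptions. It walks a document root, flags legacy folders and dump files, checks whether the server configuration enables directory listings (which is what turns a folder without an index file into a browsable inventory), and reports when the only thing "hiding" a dump is a robots.txt Disallow, which steers well-behaved crawlers but is not an access control.

```python
"""Audit a web document root for legacy artifacts that should never be reachable over HTTP.

Added example, not part of the decision: the patterns, config snippets and sample
tree below are constructed assumptions, not the parties' real names or files.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristics; extend them for your own estate.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".tar.gz", ".zip")
LEGACY_DIR_HINTS = {"old", "backup", "bak", "archive", "previous"}


def directory_listing_enabled(conf_text: str) -> bool:
    """True if an nginx 'autoindex on;' or an Apache 'Options ... Indexes' survives
    comment stripping. An Apache '-Indexes' explicitly disables listings."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"autoindex\s+on\s*;", line):
            return True
        m = re.match(r"Options\s+(.+)", line)
        if m and re.search(r"(?<!-)\bIndexes\b", m.group(1)):
            return True
    return False


def robots_disallows(robots_text: str, url_path: str) -> bool:
    """True if a Disallow prefix covers url_path. robots.txt only steers well-behaved
    crawlers; it is not an access control, so a match is reported, never trusted."""
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            prefix = line.split(":", 1)[1].strip()
            if prefix and url_path.startswith(prefix):
                return True
    return False


def audit_docroot(docroot, server_conf: str, robots_text: str = "") -> list:
    """Walk the document root and return (url_path, issue) pairs for legacy folders
    copied under the root, browsable folders (listing on, no index file) and
    dump/archive files that the web server would serve to anyone who asks."""
    root = Path(docroot)
    listing = directory_listing_enabled(server_conf)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root).as_posix()
        url_dir = "/" if rel == "." else f"/{rel}/"
        if d != root:
            tokens = set(re.split(r"[^a-z0-9]+", d.name.lower()))
            if tokens & LEGACY_DIR_HINTS:
                findings.append((url_dir, "legacy directory copied into the web root"))
            if listing and not any(f.lower().startswith("index.") for f in filenames):
                findings.append((url_dir, "directory listing enabled and no index file: contents are browsable"))
        for f in filenames:
            if f.lower().endswith(DUMP_SUFFIXES):
                url = url_dir + f
                issue = "database dump or archive reachable over HTTP; move it out of the web root"
                if robots_disallows(robots_text, url):
                    issue += " (robots.txt Disallow does not protect it)"
                findings.append((url, issue))
    return findings


# Constructed nginx fragments: the weak setting beside the corrected one.
WEAK_CONF = """server {
    root /var/www/html;
    autoindex on;   # anyone can browse folders that lack an index file
}
"""

HARDENED_CONF = r"""server {
    root /var/www/html;
    autoindex off;
    # Defence in depth only: dumps must not sit under the web root in the first place.
    location ~* \.(sql|sql\.gz|dump|bak)$ { deny all; }
}
"""

ROBOTS = "User-agent: *\nDisallow: /old_site/\n"  # constructed


def build_sample_docroot() -> str:
    """Constructed tree modelled on the incident: the old site's folder, with an
    undeleted database dump, copied under the new site's document root."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / "index.php").write_text("<?php echo 'new site';")
    (root / "assets").mkdir()
    (root / "assets" / "logo.png").write_bytes(b"\x89PNG")
    old = root / "old_site"
    old.mkdir()
    (old / "page.html").write_text("<html>old</html>")
    (old / "customers_dump.sql.gz").write_bytes(b"\x1f\x8b")
    return str(root)


if __name__ == "__main__":
    docroot = build_sample_docroot()
    for conf_name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {conf_name} config ==")
        for url, issue in audit_docroot(docroot, conf, ROBOTS):
            print(f"{url}: {issue}")
```

Run against the constructed tree, the weak configuration yields four findings (a browsable assets folder, the legacy folder itself, its browsable contents and the dump), while the hardened one still reports the legacy folder and the dump: turning listings off narrows what a crawler stumbles on, but the dump remains one guessed URL away until it is removed from the web root, which is the point the decision makes about undeleted backups.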

II.

The supervisory authority received explanations from the Administrator and the Processor regarding their cooperation related to the processing of personal data. Together with the letter dated 3 June 2020, the Administrator provided the President of the UODO with a copy of the agreement (...), which was concluded between A. and X. The agreement contains a number of provisions regarding the relationship between the Administrator and the Processor. From the point of view of this case, the key provisions in this agreement are formulated as follows: - "(...) On 31 July 2019, the Parties concluded an agreement (...) ["Relevant Agreement] (...)", - "(...) The implementation of the Relevant Agreement requires the Administrator to entrust the Processor with the processing of personal data (...)", - "(...) Personal Data are processed only to the extent provided for in the Entrustment Agreement and the Relevant Agreement and for the purposes of implementing the Relevant Agreement. The purpose of processing Personal Data is described in Annex No. (...) to the Agreement (...)",- "(...) Personal Data may be subject to operations or sets of operations specified in Annex No. (...) to the Agreement (...)",- "(...) The Processor processes Personal Data only upon the documented instructions of the Controller, unless such an obligation is imposed on it by European Union law or Polish law to which the Processor is subject. 
In such a case, before starting the processing, the Processor shall inform the Controller of this legal obligation, unless that law prohibits the provision of such information due to important public interest (...)",- "(…) The Processor declares that it has at its disposal appropriate technical and organizational measures within the meaning of the Regulation enabling the processing of Personal Data in accordance with applicable law, in particular the Regulation (...)",- "(…) The Processor declares that, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of violating the rights and freedoms of natural persons of varying probability and severity, it has implemented appropriate technical and organizational measures consistent with the purpose of implementing the Relevant Agreement (...)",- "(…) The Processor is obliged to keep a register of all categories of processing activities performed on behalf of the Controller in accordance with Art. 30 sec. 2 of the Regulation (...)",- "(...) The Processor grants access to Personal Data only to persons who, due to the scope of the tasks performed, have received personalized authorization from the Processor to process them, have been trained in the provisions on personal data protection and solely for the purpose of performing the obligations arising from the Relevant Agreement and the Entrustment Agreement. The Controller authorizes the Processor to grant the authorizations referred to in the previous sentence (...)",- "(...) The Processor keeps a register of persons authorized to process Personal Data (...)",- "(...) The Processor is obliged to ensure that each person acting under the authorization of the Processor and having access to Personal Data processes them only on the instructions of the Controller (...)",- "(...) The Processor is obliged to: a) take all measures required under Art. 
32 of the Regulation; b) assist the Controller, through appropriate technical and organisational measures, in fulfilling the obligations specified in Art. 32-36 of the Regulation; (...) d) assist the Controller, through appropriate technical and organisational measures, in fulfilling the obligation to respond to requests of the data subject within the scope of his or her rights specified in Chapter III of the Regulation; (...) f) make available to the Controller without delay all information necessary to demonstrate compliance with the obligations specified in Art. 28 of the Regulation within the deadlines resulting from legal provisions or imposed by the relevant authorities (...) g) enable the Controller or an auditor authorised by the Controller to conduct audits or inspections regarding the compliance of the processing of Personal Data with the law; the Controller will inform the Processor at least 4 business days before the planned date of the audit/inspection of the intention to carry it out; if for important reasons, in the opinion of the Processor, the audit/inspection cannot be carried out within the period specified by the Controller, the Processor shall inform the Controller thereof, indicating the justification for this circumstance; in such a case, the Parties shall agree on another date for the audit/inspection; in the event of a security incident (breach of personal data protection), the Controller is entitled to carry out the audit/inspection without observing the period indicated above in this point; h) provide the Controller, at the request of the Controller, with documentation of the implemented technical and organisational measures in order to ensure an appropriate level of security and other information necessary to demonstrate that the Processor complies with its obligations resulting from the Entrustment Agreement and applicable legal provisions; i) immediately inform the Controller if, in its opinion, an order issued to the Processor 
constitutes a breach of the Regulation or other provisions on personal data protection; the information should include an indication of the provision of law which, in the opinion of the Processor, has been breached and the justification for the breach; (...) After the audit/inspection referred to in sec. 1 point g) above, the Administrator will prepare any recommendations for the removal of deficiencies or the implementation of actions improving the security of Personal Data processing. The Processor should comply with the Administrator's recommendations. After the audit/inspection referred to in point g) above, the Administrator will prepare any recommendations for the removal of deficiencies or the implementation of actions improving the security of Personal Data processing. The Processor should comply with the Administrator's recommendations (...)".

A., together with the letter of 3 February 2021, sent a copy of the Agreement (...), which it concluded with X. The Agreement contains provisions specifying, among others:
- subject of the agreement,
- obligations of the contractor (X.),
- additional provisions,
- liability and its exclusions,
- entrustment of personal data,
- final provisions.

It follows from the submitted agreement that its subject matter is the provision by X. to A. of IT services in the scope of maintaining the correct and uninterrupted functioning of the IT system (system) and A.'s software, including supervision of the network computer system, as well as in the scope of other services specified in this agreement.

The agreement in question defines what is to be understood by the term IT system and indicates that it is a set of interconnected elements (a set of computer systems, networks and software), the function of which is to process data using computer technology, taking into account changes in this system made during the term of this agreement.

The content of the agreement specifies the obligations of X., indicating that "(...) 1. The obligations of the Contractor [X.] include ongoing IT support and supervision of the IT System held by the Principal [A.], by providing services consisting of: 1) Providing ongoing support for system users, including, among others, providing IT supervision, removing technical, system and software faults and failures, maintaining computer hardware and software, handling the Client’s notifications; 2) On-going management (administration) of the IT System, monitoring the IT System, with particular emphasis on the security of the operation of the Client’s system; 3) Consultations on the ongoing use of the IT System; 4) Performing administrative and commissioned work related to keeping the system in operation and installing computer hardware, software, updating system components; 5) Maintaining IT system documentation, inventory of components; 6) Preparation and implementation of a uniform IT policy, data security, IT governance; 7) Delivery of hardware, software, IT solutions together with installation and configuration in agreement with and at the request of the Client; 8) Advice on computerization, selection of solutions, conducting IT projects; 2. The detailed scope of the Contractor's obligations is specified in Annex No. (...) to the Agreement [Offer] (...)".

In the part of the subject agreement specifying liability and its exclusions, it is indicated, among other things, that "(...) the Contractor shall make every effort to guarantee the highest quality of services provided and shall perform all activities entrusted to it in accordance with its best knowledge, taking into account the professional nature of its activity (...) The Contractor shall not be liable for the correct operation of systems implemented by third parties. The Contractor shall also not be liable in the event of a failure of system components that are products of third parties, e.g. computer hardware, desktop software, network operating system, task systems, unless the failure is related to the Contractor's interference in these elements of the IT System performed as part of the performance of this agreement. The Contractor does not provide any guarantees as to the correct operation of the system or its components implemented at the Client's before signing the agreement below, excluding those previously implemented by the Contractor (...) 
The Contractor shall not be liable for damages resulting from: 1) errors caused by improper use of the system by the Client's users resulting in loss of data, significant slowdown of system operation or system stoppage; 2) loss of data as a result of a system failure or accidental deletion of data by the system user; 3) operation of malicious software; 4) breach of security or exceeding of privileges by the Client's system users; 5) unauthorized persons gaining access to the system as a result of configuration errors or security imperfections; 6) unauthorized persons making passwords available to them intentionally or as a result of negligence; 7) loss of data or access to data as a result of hardware or software failure, unless the failure occurred for reasons attributable to the Contractor; 8) the effects of external factors beyond the control of the Contractor, including, among others, power supply, external environment, air conditioning, lack of access to the Internet, WAN, lack of connection to external systems, cloud services managed by third parties and security errors in the software of other suppliers used by the Principal; The Contractor's liability referred to above is excluded to the extent that the Contractor is not responsible for its occurrence (...)".

The subject agreement contains a provision regarding the entrustment of personal data. Its content indicates that the principles of entrusting the processing of personal data are regulated by a separate agreement between the parties (the entrustment agreement has already been discussed in detail above).

The Processor also provided explanations regarding the cooperation between A. and X. In a letter dated July 15, 2021, X indicated that it had provided IT services to A. in the period from July 31, 2019 to September 30, 2020 and had performed duties related to the provision of ongoing care for the maintenance of the traffic and operation of the IT system.

III.

The Administrator provided explanations regarding the verification of the Processor before entering into a relationship with it in relation to the obligation of the Processor to provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679.

In the letter dated 3 February 2021, the Controller explained that the verification of the Processor took into account the following circumstances: 1) The Processor had previously cooperated with the Company and during the period of previous cooperation, the Company did not identify any concerns regarding the quality of the work performed or any other problems regarding the processing of personal data or issues related to the security of information or managed IT systems, 2) The Processor declared that it had a current certificate of implementation of the ISO/IEC 27001 standard in the field of information security (certificate number (...)), which the Company verified and confirmed the truthfulness of such a declaration, 3) The Processor had the status of a certified partner of the largest global companies offering solutions in the area of cybersecurity (such as: (...)), and was also a certified partner of global giants offering IT solutions with the highest level of IT security ((…)), 4) The Processor had been operating on the market since (...), serving over (…) clients at the time of submitting the offer and cooperating with over (…) experts IT and ICT security,5) Before making the decision to continue cooperation, the Company verified the competences of the team dedicated by the Processor to cooperation with the Company, including, as part of negotiating the terms of cooperation, the Company required the Processor to submit the following declarations and undertake the following commitments:- The Processor undertook that "it will make every effort to guarantee the highest quality of the services provided and will perform all activities entrusted to it in accordance with its best knowledge, taking into account the professional nature of its activity",- "The Processor, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural 
persons with varying probability and severity of the threat, has implemented appropriate technical and organisational measures consistent with the purpose of implementing the Relevant Agreement"),- The subject of the contractor's work was, among others, "Ongoing management (administration) of the IT System, monitoring of the IT System, with particular emphasis on the security of the Principal's system operation" and "Advice on computerization, selection of solutions, management of IT projects"; - The Contractor undertook to "Exercise due diligence in order to ensure and maintain appropriate measures to secure the protection of Confidential Information against access and unlawful use by unauthorized persons" under penalty of payment of a contractual penalty in the amount of PLN 100,000; - The Processing Entity declared that the advantage of cooperation with it is, among others, "Transfer of responsibility for the entire IT infrastructure and user support to one entity".

IV.

In a letter dated 27 August 2020, the President of the UODO asked A. whether the Administrator had exercised the right of control referred to in Article 28 sec. 3 letter h) of Regulation 2016/679, in terms of X. ensuring the measures required under Article 32 of Regulation 2016/679 and, if so, to indicate when, how and with what results such an inspection was carried out. The supervisory authority also requested a copy of the relevant documentation. In response to this question, A. indicated in its letter of 7 September 2020 that "(...) the regular testing, measurement and assessment of the effectiveness of the organisational and technical measures applied to ensure the security of personal data processing in the IT area has been entrusted in the technical part to company X. as part of the general cooperation of the Controller. These activities included reviews of reports from tools used, analyses and decisions related to additional security, and testing the vulnerability of IT infrastructure in terms of OWASP Top 10 vulnerabilities (report provided in the attachment to the letter dated June 3, 2020)."

V.

The Administrator provided explanations regarding the principles - in force before the personal data breach - of regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of personal data processed in IT systems covered by the breach. In the letter of 3 June 2020, the Administrator informed that regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of data processed in the IT area was entrusted to X. as part of the Administrator's general service, additionally attaching to the explanations a copy of the data processing agreement of 31 July 2019 and a list of sample activities related to testing, measuring and assessing the effectiveness of technical and organizational measures and their results.

In turn, in the letter of 3 February 2021, the Administrator indicated that as part of regular testing, measuring and assessing the effectiveness of security measures related to the operation of the previous website (...), activities were carried out, such as entrusting X. with performing regular security tests in accordance with the list of activities included in the offer and in the personal data processing agreement and conducting a security analysis, the report of which was attached to the explanations. The Administrator informed that "(...) these activities also included reviews of reports from the tools used, analyses and decisions related to additional security, or examination of the vulnerability of the IT infrastructure (...)".

VI.

The key issue from the point of view of the personal data protection breach in question is the participation of the Processing Entity in the process of transferring the website available at (...) from the previous hosting service provider directly to the infrastructure A. At the outset, it should be noted that the Administrator considers X to be responsible for the situation, while the Processing Entity expresses the opposite position and indicates that it did not have the necessary information that it should have received from the Administrator. In order to precisely determine the factual situation, the President of the UODO asked both the Administrator and the Processing Entity to provide detailed explanations regarding the transfer of the previous website to the new environment.

In a letter dated February 3, 2021, A. explained that "(...) the transfer of the previous website to the new environment was carried out in connection with the performance of the main agreement by . The scope of duties was indicated in the main agreement in paragraph 2 and in the offer prepared for A. (...) Additionally, according to the explanations obtained after the event, the processor confirmed that the event occurred as a result of an error by their employee (...) [original spelling]".

In the aforementioned letter, the Controller also indicated that it had entrusted the Processor with verifying whether the locations where the database copies were located had been configured in a way that ensured their confidentiality, and obtained information from X. that the database copies had been made in accordance with the requirements of the personal data processing entrustment agreement and with ensuring an appropriate level of security. On this basis, the Controller assumed that "(...) all tasks in the area of security and confidentiality of data carried out by a specialist processor provide sufficient guarantees for the protection of customer data (...)". The Controller considered that there was no need to engage another entity to supervise the actions taken by X., while the Controller itself supervised the work undertaken and the results as part of quarterly reviews of the IT status.

X. provided explanations in this regard in a letter dated 15 July 2021. The Controller's explanations confirm that the transfer of the said website was carried out by X. under the applicable agreement. The Processor indicated that its task consisted in preparing the runtime environment. For this purpose, X. selected "(...) the latest, then available, version of the C. software and a commercial license of the current version of a renowned operating system for hosting (...)", and also equipped the server with the D. software, which was placed in a dedicated VLAN in private addressing. The transfer of the Administrator's website was carried out by making a copy of the databases to the website folder and copying the entire folder structure along with the content to a newly prepared (in accordance with the Administrator's instructions) server. X. carried out an initial inspection and reported to the Administrator that the website was made using an old content management system and that it had not been updated. In the above respect, a recommendation was issued to introduce the necessary update. The Processor indicated that it was not authorized to take such actions, did not have the necessary access and that carrying out the update was not the subject of the concluded service agreement. The above reports were made orally during regular meetings in the presence of the President of the Management Board, Marketing Director, Data Protection Inspector and a representative of the Administrator's IT Department. During these meetings, the Processor was informed several times that work on the new website was nearing completion and that the old one would soon be deactivated.

The Processor informed that it had not received information from the Administrator about the functionalities of the website (...) (including that it carried out the reservation process and that it was itself a collection of personal data). It also had no information that the website database was used to process personal data and that this data was not transferred to the local management system of the company. Additionally, X indicated that the agreement on entrusting the processing of personal data concluded between the parties to the proceedings did not indicate the website (...) in the scope of processing personal data. It also indicated that it had not received any guidelines from the Administrator regarding the control of the website's security, taking into account the personal data processed by it.

X. also explained that it had informed the Administrator that its website was based on outdated software, and that it should have a substantive guardian who would provide supervision over its operation. In addition, the Processor informed that it recommended the Controller to implement a Q. class solution for automatic log analysis and event correlation, which could enable monitoring of, among others, www server logs. The Processor also indicated that the Controller informed it that the transfer of the website to A.'s infrastructure was temporary due to a change of service provider, and that the old website would be replaced with a new one, and at the same time instructed the Processor to take ad hoc actions, e.g. "(...) related to the loss of files on the website after a probable hacking into it (...), related to an attack on an unsecured website form (...), or explanations of exceeding limits in the G. service and blocking addresses saturating the G. hosting service (...)". According to X.'s explanations, at the end of February 2020, A. informed the Processor that the new website was ready and instructed it to launch it on the server that had previously hosted the old website. X. informed the Controller that, in its opinion, security measures should be taken and OWASP TOP 10 security tests should be performed. The tests were carried out on 19-29 March 2020 and ended with the preparation of a report. As a result of the tests, the Processor made changes to increase the level of server security. Additionally, the Processor indicated that it actively cooperated with the author of the OWASP report, the authors of the new website and the author of the API on the implementation of the report's recommendations. The report in question - as X. indicates - is important due to the fact that the security tests of the new website were performed in March 2020 on the same server that was already used to host the old website and concerned checking the correctness of the server configuration and its web services. The Processor also indicated that "(...) Company [ X. ], when accepting the order to transfer the website (...) from G. to the server it manages, without having information about the scope of processing carried out using the website (...), took into account that it was dealing with an informational website, the database of which was used to support the CMS of the website, i.e. display its content, and that no personal data related to the provision of services by A. was processed through it. A. never indicated that the website had been processing its customers' data for many years, saving it in the CMS database and that the aforementioned database was located in the website environment. Therefore, the Company - without having information in this respect provided by the data controller (A.) - applied security measures and a web server support methodology appropriate to the nature and scope of the website's operation, in accordance with the knowledge it had and the instructions provided by A. (...)". In response to the question of the President of the UODO as to how the logs of the O. server, on which the (...) website was located, were verified, X. indicated that it used L.'s hosting system and did not manually check the O. configuration file, as this file was managed entirely by L. and, in accordance with the manufacturer's indication, the Processing Entity used only the functionalities available in the graphical interface. According to X.'s explanations, manual monitoring of logs was not performed due to the lack of an appropriate order from the Controller and the high workload involved, for which the Processing Entity did not have the resources.

In response to the question regarding the procedures for reviewing the network and application infrastructure in terms of the possibility of breaking the Controller's website security, X. informed that he carried out cyclical monitoring of the website using W.'s system, reviewed logs and had implemented policies that were configured to ensure automatic blocking of traffic to/from hosts that exceeded the rules configured in them. The Processor explained that it recorded anomalies in internal network traffic using antivirus software, which was installed on all servers and workstations. The monitoring was carried out once a week or immediately after the event was registered. In order to enable monitoring of the system infrastructure, X. lent the Administrator a commercial system designed for this purpose, which was used to monitor P.'s system updates, server replication, AD replication and other environmental conditions of the infrastructure.

The Processor also reported that the database was not encrypted and that it did not know its content until the incident occurred. X. considered that the website database was used to support the display of information on the website and decided not to encrypt it, considering it unnecessary.

X. reported that it did not separate the management network, i.e. the network used to manage telecommunications. The server had one network interface and one IP address, which supported both the production traffic of the server and its management. The Processor considered that separate management was not necessary for this server, but other methods of protecting access to server management were introduced as part of the standard security measures previously used by X. in preparing the server for hosting tasks. X. indicated that no manual aliases were set and no subdomain aliases were created. The configuration was performed automatically by L. scripts. The Processor indicated that it had carried out system reviews, as a result of which reports and recommendations were prepared and which were presented at monthly meetings with the Management Board of A.

In a letter dated 15 July 2021, X. responded to A.'s claims contained in the explanations and documents submitted to date, which the Administrator submitted to the supervisory authority.

X. indicated that "(...) it is not true that a configuration error was made, to which the Company admitted to A. on the day the incident was detected, but it is true that there was a hasty and erroneous interpretation of the information provided by V. and such an erroneous response was formulated to the IODO A. on 24.04.2020 (...)".

The Processing Entity referred to the conclusions of the Report (...). In response to the causes of the incident indicated in the aforementioned report: "(...) In the period from the beginning of April 2020, there was a lack of regular and routine verification of O. server logs by Y. and a lack of standard reactions to emerging attempts to break security. Routine review of logs would have detected attempted attacks and a non-standard attempt to index the server content by (…) (or an intruder) as early as April 9, 2020, and an appropriate deindexing entry in N. prevented the disclosure of already indexed content (…)" X. polemically pointed out that "(…) in order to quickly find a threat in the logs, they should have been reviewed daily. Company [X.] did not have such an option within the scope of its basic duties, because it did not have a tool that would allow for the automation of these activities [even though it recommended A. to implement such a tool in relation to all logs generated by elements of the IT infrastructure] and did not have the time to perform them manually. It should be emphasized that the undertaking of such activities was not ordered by A. at any stage of cooperation, nor did the obligation to take such actions result from the content of the concluded agreement. The offer to provide services presented to A. was calculated without taking into account the performance of such activities, about which Company [X.] also had no knowledge at the time of submitting the offer / concluding the agreement (at that time the website was located in G.). Attempts to break security were visible only in selected periods in O.'s logs and possibly R.'s logs, so their review should also be carried out by the webmaster, whom the Administrator did not appoint. If A. had provided the Company with information about the functional nature of the website, the content of the database and the method and scope of data processed in it, Company [X.] would have had the opportunity to establish additional protection rules with the Administrator or implement tools in the Administrator's infrastructure enabling their enforcement (...)".

In reference to the statement contained in the aforementioned report: "(...) Transfer of the website from the G. service to the server (...) by Y. without verifying the vulnerability of the transferred website. Even a basic verification of the website version would indicate the R. framework in the version below (...), i.e. susceptible to executing external scripts and breaking security. Additionally, the lack of verification of the transferred website results in the need to scale the infrastructure capable of maintaining queries, a large part of which are bots or traffic exploiting website vulnerabilities. This translates into an increase in the cost of maintaining the solution and the selection of suboptimal solutions [e.g. C. while disabling proxy traffic] (...)" The Processing Entity indicated that "(...) the Company was not obliged to perform a security analysis of the components used on the website, as it only received an order from the Administrator to transfer it. Despite this, the Company informed the Administrator in the period preceding its transfer that the website required updating, while its execution was not within the scope of the Company's obligations resulting from the Company's Agreement with A. (...)".

VII.

Due to the existing discrepancies between the explanations of the Administrator and the Processor, on August 30, 2021, the President of the UODO sent a request to A. and X. to provide explanations regarding the indication of the direct cause of the incorrect configuration that led to the breach of personal data protection.

In a letter dated September 6, 2021, which was a response to the aforementioned request from the President of the UODO, the Administrator indicated that the direct cause of the incident that led to the breach of personal data protection was a server configuration error that resulted in the possibility of indexing files located on the server by indexing robots.

In response to the aforementioned request, in a letter dated September 7, 2021, the Processor explained that in its assessment, "(...) the situation occurred was not a consequence of incorrect server configuration or a consequence of activities that (...) was obliged to perform (...)". The Processor indicated that, in its opinion, the irregularities could have resulted from the Controller's failure to provide it with information on the actual purpose of the system and databases, preparing only the default configuration of the hosting panel provided by its manufacturer, without configuring it to take into account the specifics of the processed data, and using an outdated content management system for the website. X. emphasized in the aforementioned letter that the cause of the incident was not an incorrect configuration of the server, as no element of O.'s or the server's configuration resulted in enabling the installation of exploits. The Processor again stated that, due to the lack of guidelines from the Controller, it independently adopted and applied security measures that, in its opinion, were commensurate with the nature of the website known to it.
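The point both parties argue over in sections VI and VII (X.'s claim that only a daily review of the O. server logs would have revealed the indexing attempt, and A.'s statement that the direct cause was a server configuration that let indexing robots reach the files) can be made concrete as a routine log review. The following is an added example, not code from the decision or from either party; the combined access log format, the retired folder names, the crawler patterns and the sample log lines are assumptions constructed for illustration.

```python
"""Routine review of web server access logs for a retired website folder.

Added example, not part of the UODO decision or of either party's tooling. It flags
crawler access to a folder that should no longer be served, directory listings returned
for that folder, and database or archive files actually delivered with status 200.
The retired path prefixes, crawler patterns and sample log lines are constructed
assumptions, not values from the case file.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Apache/nginx "combined" access log format (assumed; the decision does not name the server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed: folders that should no longer be reachable after the site migration.
RETIRED_PREFIXES = ("/old_site/", "/backup/")
# File types that usually hold database copies or archives and must never be served.
SENSITIVE_EXT = (".sql", ".sql.gz", ".zip", ".tar.gz", ".bak", ".db")
# Illustrative substrings of well-known crawler user agents (lower-case).
CRAWLER_UA = ("googlebot", "bingbot", "yandexbot", "duckduckbot", "baiduspider")


@dataclass(frozen=True)
class Finding:
    kind: str
    ip: str
    path: str
    status: int


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec):
    """Return the finding kinds that apply to one parsed record (possibly several)."""
    kinds = []
    path, status, ua = rec["path"], rec["status"], rec["ua"].lower()
    under_retired = path.startswith(RETIRED_PREFIXES)
    served = status == 200
    # A 200 for a bare folder path means the server answered for the folder itself;
    # with no index page present that is normally an automatic directory listing.
    if under_retired and served and path.endswith("/"):
        kinds.append("directory_listing_served")
    if served and path.lower().endswith(SENSITIVE_EXT):
        kinds.append("sensitive_file_served")
    if under_retired and any(c in ua for c in CRAWLER_UA):
        kinds.append("crawler_on_retired_folder")
    return kinds


def review_log(lines):
    """Run the review over an iterable of log lines; unparsable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind in classify(rec):
            findings.append(Finding(kind, rec["ip"], rec["path"], rec["status"]))
    return findings


def summarize(findings):
    """Count findings per kind, the figure a daily review would report."""
    return Counter(f.kind for f in findings)


def prefixes_to_deny(findings):
    """Retired prefixes that were actually served (status 200) and therefore need an
    access-deny rule in the web server; a robots.txt entry only stops compliant crawlers
    from indexing and does not take the files out of reach."""
    hit = set()
    for f in findings:
        if f.status == 200:
            hit.update(p for p in RETIRED_PREFIXES if f.path.startswith(p))
    return sorted(hit)


# Constructed sample log (addresses and timestamps are illustrative only).
SAMPLE_LOG = [
    '66.249.66.1 - - [09/Apr/2020:10:15:32 +0200] "GET /old_site/ HTTP/1.1" 200 4123 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [09/Apr/2020:10:15:40 +0200] "GET /old_site/db/clients.sql HTTP/1.1" '
    '200 911204 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [09/Apr/2020:11:02:01 +0200] "GET /index.php?page=contact HTTP/1.1" '
    '200 2210 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/75.0"',
    '198.51.100.5 - - [09/Apr/2020:11:30:12 +0200] "GET /backup/site.tar.gz HTTP/1.1" '
    '403 199 "-" "curl/7.68.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:28} {f.ip:15} {f.status} {f.path}")
    print(dict(summarize(found)))
    print("deny rules needed for:", prefixes_to_deny(found))
```

The 403 on the archive under /backup/ produces no finding because the file was refused, which is the state every retired folder should be in; the two 200 responses under /old_site/ are what a daily review is meant to surface.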

VIII.

On September 27, 2021, the President of the UODO summoned A. to provide evidence confirming that the Processor was responsible for the occurrence of the incident.

In response to the aforementioned request, in a letter dated 6 October 2021, the Administrator explained that the Processor was carrying out an order to transfer the website at (...) from the previous hosting service provider to a server in the A. infrastructure as part of the activities specified in the agreement of 31 July 2019. Under the aforementioned agreement, the Processor was responsible for, among other things, consulting in the field of computerization, selecting appropriate solutions and conducting IT projects. The scope of duties was specified in the annex to the agreement and included:
- proactive control of the IT system,
- security and analysis of events,
- conducting business process computerization projects, IT consulting in the field of ensuring and selecting IT tools,
- protection of computerization processing, penetration tests, analysis of threats and risks,
- monitoring system events related to data processing, implementing dedicated solutions.

The Administrator emphasized that within the scope of the above-mentioned tasks, the Processor was obliged to perform the service ordered and accepted for implementation safely, correctly and without error. The Administrator indicated that X. was responsible for analyzing logs in such a way as to enable ongoing monitoring of whether any anomalies occurred during the tasks performed that could threaten the Administrator's IT security.

The Administrator also indicated in the aforementioned letter that "(...) the explanations of the processor regarding its ignorance that the website (...) is also a collection of data are irrelevant to these proceedings, because the key fact in the case is the incorrect configuration of the server carried out by the processor, which consequently enabled the disclosure of data contained in the website files to unauthorized persons. The fact that this was personal data is a secondary issue [although due to the nature of this data, it is extremely sensitive and of very high importance], because indexing of any website files, regardless of their content, should never be allowed without any control and awareness. In addition, it should be pointed out that the processor's explanation of lack of knowledge about the website's content is all the more evidence of the lack of due diligence of this entity, which carried out the transfer of the website without having sufficient information to perform these activities correctly and safely for the administrator. It is the processor that should take the necessary steps to determine in a sufficient manner what is the subject of the transfer, and in the absence of sufficient information, conduct a risk assessment and possibly refuse to carry out the order. However, what should be emphasized again, even if the processor had knowledge that the website files contain personal data [although they should have this knowledge] - this would not change the circumstances of the execution of the incorrect configuration by the processor (...) The processor, as a professional and an entity entrusted with the care of all the administrator's systems, was obliged to analyze the logs in such a way as to constantly monitor whether there are any anomalies in the tasks performed that could threaten the IT security of the administrator. The burden of selecting such monitoring solutions was on the processor's side, in order to identify potential risks and threats in an appropriately advanced and sufficient manner. The processor's explanations that it did not have the appropriate time and human resources to properly analyze the logs cannot be considered a proper justification, because the organization of the processor's work is its internal matter, and the administrator had the right to expect properly performed services (...)".

IX.

The President of the UODO requested the Administrator to provide information on whether it had conducted a risk analysis in order to ensure an appropriate level of security corresponding to this risk in accordance with Art. 32 sec. 1 and 2 of Regulation 2016/679 and whether it had informed the Processor that the transfer of the website (...) from the previous hosting service provider to the server in the A. infrastructure is related to the processing of personal data of customers.

In response to the above summons, the Administrator informed on April 25, 2022 that it had not conducted a risk analysis, indicating that "(...) in accordance with the obligation assumed, arising from § (...) section (...) of the personal data processing agreement, contained in the files of the relevant case, conducting a risk analysis on behalf of the Administrator was the sole responsibility of the Processor. Taking into account the nature of the service and the professional nature of the Processor, the obligation to conduct a risk analysis related to taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purpose of processing and the risk of violating the rights or freedoms of natural persons with varying probability of occurrence and severity, related to the transfer of the website from the previous hosting service provider to a server in the A. infrastructure, the Processor was absolutely obliged to implement appropriate technical and organizational measures ensuring a level of security corresponding to this risk (...)".

In the aforementioned letter, the Administrator indicated that the role of the Processor in the organization consisted of monitoring IT systems in a comprehensive and holistic manner and closely cooperating with the Administrator in the implementation and maintenance of these systems. In the letter, the Administrator informed that "(...) even if the Processor did not know that the data transfer concerned personal data, which should generally be considered highly unlikely, as a professional, he should exercise due diligence to find out what is covered by the data transfer service to the Administrator's server (...)".

X.

On May 9, 2022, the President of the Personal Data Protection Office sent another letter to the Administrator requesting information on whether the agreements of July 31, 2019 covered website management and website transfer, an indication of which software listed in the annex to the data processing agreement was used to process personal data contained on the website (...) and an indication of how and when it instructed the Processor to transfer the website to a new environment.

In response to the above request, the Administrator informed that the agreement for the provision of IT services and the personal data processing agreement concluded with the Processor undoubtedly included website management, and therefore the action of transferring the website. The service order was comprehensive in nature and concerned the entire IT area. The Administrator informed that due to the fact that the support of the Processor was very broad and that it was responsible for the IT area, the scope of personal data was specified by indicating the data contained in the indicated IT systems. In the opinion of the Administrator, the above was consistent with the structure of the entrustment agreement, which provided for the specification of the scope, purpose and entrusted operations in a separate annex. The scope of data processed using the (...) website was not wider than the scope of data processed in the indicated IT systems. The Company also indicated that "(...) the processor, when accepting the order to transfer the website, was to do so in accordance with due diligence as a professional in this field. For this purpose, the processor was granted access to the (...) website in order to properly prepare the migration [a circumstance confirmed in the explanations submitted by the processor to the Personal Data Protection Office in this case]. It is obvious that one of the circumstances that the processor had to take into account was the issue of whether personal data [original spelling] would be processed using the new website (...)".

XI.

The Processor provided explanations regarding the actions taken in connection with increased traffic and exceeding the limits on the Administrator's server, informing the Administrator about the possible effects of verification activities in the above-mentioned scope, and also provided information regarding its participation in the process of administering the website - with an unencrypted database - which was located in its original location. In a letter dated October 4, 2022, the Processor explained that it did not conduct "(...) actions aimed at carrying out any verification of the method, scope or actual processing of personal data. There is no agreement between Company [X.] and A. (…) under which Company [X.] would be obliged to take such actions (…) Company [X.] fully maintains its previous position on the matter, emphasizing that the process of transferring A.'s ICT platform was carried out correctly, safely [within the scope of activities carried out by the Company] and error-free. Working copies of files were made for the purposes of migrating the database and files present at the hosting provider (G.), and leaving the above-mentioned copies on the server after the completion of the platform transfer process cannot be considered an incorrect action (…) The copy was also made due to the fact that the correct operation of the website after the transfer was to be checked by A. and due to the deletion, shortly after the transfer, of the hosting account by G. [termination of the service]. Of no small importance in this respect is the fact that - according to the information obtained by the Company from A., the website - and consequently it can be concluded that its database, was used solely to handle content published via the platform, and not to store personal data or process them in any way, and was to be ultimately shut down in a very short time in connection with the launch of a new website about which A. informed the Company [which effectively did not happen due to the delay in preparing the new service].

The data processor indicated that it had selected and applied organizational and technical measures (security measures) appropriate for the reliable and proper implementation of the scope of cooperation - maintaining the website (...) (information website) - on the server prepared by X. The data processor pointed out that 24/7 log monitoring was never the subject of the agreement concluded by the parties. X further explained that "(...) similarly, it was not the preparation of a server [<runtime environment>] for a website processing personal data. The website (...) was not included in the list of systems or data sets covered by the personal data entrustment agreement or the order regarding their processing (...) Company [X.] did not have the authorization, consent of A. or the obligation to make any updates to the website database during its transfer to a new server or after the completion of this process, in particular for the purposes of a possible search for specific database structures [tables] that may contain personal data (...) From the point of view of the proceedings conducted by the UODO, it also seems significant that A. did not inform Company [X.] during the cooperation about the actual content of the platform [processing of personal data through it] and did not take any steps to enable Company [X.] to contact the author of the website (...) or the persons operating this website (despite the fact that Company [X.] directly requested the transfer of contact data] (...)".

In a letter dated September 26, 2022, the President of the UODO asked A. to indicate whether the Processor had undertaken verification activities in connection with the above-mentioned increased traffic and exceeding the server limits. In response to the above-mentioned letter, on October 5, 2022, the Administrator informed that the Processor did not perform verification activities and, contrary to the obligations arising from the agreements of July 31, 2019, did not monitor and analyze the www server logs. The Administrator indicated that the Processor provided comprehensive care for A.'s IT environment and in many cases the Processor acted independently, making an ongoing assessment of what activities were needed or necessary. The Administrator argued that the Processor was inconsistent in its explanations due to the fact that it simultaneously accuses the Administrator of the lack of an agreement that would oblige it to analyze the logs, while at the same time indicating that it did not perform the above analysis because it is not recommended for technical reasons.

XII.

A. presented explanations regarding the introduction of security measures aimed at minimizing the risk of a recurrence of a personal data breach, the introduction of which was declared in point 9B of the personal data breach notification. In the letter dated 3 June 2020, the Administrator informed, among other things, that:
- it decided to completely eliminate data processing on temporarily inactive or deactivated websites,
- it updated the procedure for making and storing backup copies,
- it reviewed the network and application infrastructure in terms of possible vulnerabilities and the possibility of breaking security,
- it introduced new database encryption standards,
- it verified entries in the O. configuration file,
- it decided to introduce a new solution for examining unusual traffic,
- it employed a person responsible for verifying the implementation of specific technological solutions and described the applied principles for securing passwords of persons affected by the breach.

At the request of the supervisory authority to provide additional explanations regarding the introduction of security measures aimed at minimizing the risk of a recurrence of a breach of personal data protection, the Administrator explained in a letter dated 7 September 2020, among other things, that:
1) verification and analysis of the network architecture, systems and applications was carried out and the following conclusions were drawn from it:
- (…)
2) the Administrator introduced changes in the scope of examining unusual network traffic by:
- (…)

The supervisory authority assessed the evidence in terms of examining its credibility and evidentiary value. The President of the UODO considered the evidence submitted by the Administrator and the Processor to be credible, because - due to the individual characteristics of this evidence and the objective circumstances of its creation - there is no basis to question its credibility. At the same time, it should be noted that the positions presented by the Administrator and the Processor are contradictory. The lack of consistency in the explanations of the Administrator and the Processor concerns primarily the issue of responsibility for the lack of implementation of technical and organizational measures ensuring security in the process of processing personal data. During the conducted administrative proceedings, A. tried to prove that the Processor was responsible for implementing adequate measures ensuring security in the process of processing personal data. On the contrary, X. indicated that the Administrator was responsible for the breach of personal data protection.

The President of the UODO stated that the evidentiary value of some of the documents submitted by the Administrator, in particular the agreement (...) concluded between A. and X and (...) concluded between A. and X is limited, i.e. some of the evidence submitted by the Administrator (contrary to A.'s position) does not confirm the thesis that the Processor received from A. all the necessary information regarding the transfer of the website (...), the receipt of which was necessary for the implementation of adequate security measures for the process of processing personal data related to the transfer of the aforementioned website. A detailed justification of the persuasiveness of the aforementioned evidence was included in the justification of the decision.

In this factual situation, after reviewing all the evidence gathered in the case, the President of the Personal Data Protection Office considered the following:

Pursuant to art. 34 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781; hereinafter referred to as the Act of 10 May 2018), the President of the Personal Data Protection Office is the authority competent in matters of data protection and the supervisory authority within the meaning of Regulation 2016/679. Pursuant to art. 57 sec. 1 lit. (a) and (h) of Regulation 2016/679, without prejudice to other tasks specified under that Regulation, each supervisory authority on its territory shall monitor and enforce the application of this Regulation and conduct proceedings for infringements of this Regulation, including on the basis of information received from another supervisory authority or another public authority.

I. Principles of security of personal data processing.

Article 5 of Regulation 2016/679 formulates the principles relating to the processing of personal data which must be respected by all controllers, i.e. entities which, alone or jointly with others, determine the purposes and means of processing personal data. In accordance with Article 5(1) lit. f) Regulation 2016/679, personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures ("confidentiality and integrity"). The principle of confidentiality referred to in Art. 5 par. 1 letter f) of Regulation 2016/679 is specified in further provisions of this legal act. In accordance with Art. 5 par. 2 of Regulation 2016/679, the controller is responsible for compliance with the provisions of par. 1 and must be able to demonstrate compliance with them ("accountability").

In accordance with Art. 24 par. 1 Regulation 2016/679, taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate processing in accordance with this Regulation. Those measures shall be reviewed and updated as necessary.

In accordance with Article 25 paragraph 1 of Regulation 2016/679, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity of infringement of the rights and freedoms of natural persons resulting from processing, the controller - both when determining the means of processing and during the processing itself - shall implement appropriate technical and organisational measures, such as pseudonymisation, designed to effectively implement data protection principles, such as data minimisation, and to provide the processing with the necessary safeguards in order to meet the requirements of this Regulation and protect the rights of data subjects.

It follows from the content of Article 32 paragraph 1 of Regulation 2016/679 that the controller is obliged to apply technical and organisational measures appropriate to the risk of varying likelihood and severity of infringement of the rights and freedoms of natural persons. The provision specifies that when deciding on technical and organizational measures, the state of technical knowledge, the cost of implementation, the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying likelihood and severity should be taken into account. It follows from the cited provision that determining appropriate technical and organizational measures is a two-stage process. First, it is important to determine the level of risk associated with the processing of personal data, taking into account the criteria indicated in Article 32 paragraph 1 of Regulation 2016/679, and then it should be determined what technical and organizational measures will be appropriate to ensure a level of security corresponding to this risk. These arrangements, where appropriate, should include measures such as pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to promptly restore the availability and access to personal data in the event of a physical or technical incident, and regular testing, measuring and assessing the effectiveness of technical and organisational measures to ensure the security of processing. 
In accordance with Article 32(2) of Regulation 2016/679, when assessing whether the level of security is adequate, the controller shall take into account in particular the risks associated with the processing, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

In the established factual and legal circumstances, the President of the UODO found that there had been a breach of personal data protection resulting from access to the A. customer database file contained on the website (...) by unauthorized persons (this fact is confirmed by the security incident analysis report – see point I of the factual justification). As a result of the above, A. violated the principle of confidentiality referred to in art. 5 sec. 1 letter f) of Regulation 2016/679. The violation occurred as a result of allowing indexation of database files by the robot Z. The process of transferring the website containing the personal database from the previous provider of hosting services to the new environment was carried out at the request of A. by X. In the explanations provided, the Administrator informed that he had entrusted X with verifying whether the location where the database copies were located was configured correctly and indicated that he had obtained confirmation from X that the database copies had been made correctly and with an appropriate level of security. Based on this information, the Administrator assumed that all IT security tasks performed by a qualified entity provide final guarantees for the protection of customers' personal data. It should be emphasized that the Administrator, despite having knowledge of how, in accordance with commonly used practices, the implementation of changes in the IT system should proceed, did not supervise at any stage whether the implementation was carried out in accordance with generally applicable standards and the personal data processing entrustment agreement, despite the fact that, as he indicated, he maintained "competences of supervision and review of the contractor's work results".

The Administrator did not take any independent actions and did not verify whether the location where the database copies were located was configured in a way that ensured their confidentiality. According to the explanations provided, the Administrator, based on the information received from X., assumed that all the tasks performed by the "specialist entity" in the area of data security and confidentiality provided sufficient guarantees of protection for customers. As will be justified later in the decision, this improper action of the Administrator contributed significantly to the breach of confidentiality of personal data.

The evidence collected shows that on July 31, 2019, A. concluded an agreement (...). The analysis of the provisions of this agreement indicates that X. undertook to provide ongoing maintenance and supervision of the A. IT system. The issue of personal data processing related to the performance of the aforementioned agreement was regulated by a separate document, i.e. the agreement (...) (see point II of the factual justification).

II. Management of the risk of a breach of personal data protection.

Regulation 2016/679 introduced an approach in which risk management is the foundation of activities related to the protection of personal data. Risk management is a continuous process that forces the data controller not only to ensure compliance with the provisions of Regulation 2016/679 through a one-off implementation of organizational and technical security measures, but also to ensure the continuity of monitoring the level of threats and to ensure accountability in terms of the level and adequacy of the introduced security measures. In view of the above, it becomes necessary to be able to prove to the supervisory authority that the solutions introduced, aimed at ensuring the security of personal data, are adequate to the level of risk, and also take into account the nature of the given organization and the mechanisms used to process personal data. The administrator must therefore independently conduct a detailed analysis of the data processing processes and conduct a risk assessment, and then apply such measures and procedures that will be adequate to the estimated risk. The consequence of this approach is the need to independently select security measures based on the analysis of threats. It should be emphasized that administrators are not given specific security measures and procedures.

In the context of the above, it should be indicated that the risk analysis carried out by the data administrator should be documented and justified based primarily on the determination of the factual situation existing at the time of its conduct. In particular, the characteristics of the ongoing processes, assets, vulnerabilities, threats and existing security measures within the ongoing personal data processing processes should be taken into account. During this process, it is also impossible to ignore the scope and nature of personal data processed in the course of activities carried out by the data administrator, because the potential negative consequences for a natural person in the event of a breach of their personal data protection will depend on the scope and nature of the disclosed data.

The term assets is used to indicate everything that is of value to the data controller. Some assets will be of higher value than others, and should also be assessed and secured from this perspective. The interconnections of the assets are also very important, e.g. the confidentiality of assets (personal data) will depend on the type and method of processing of this data. Determining the value of assets is necessary to estimate the effects of a possible breach of personal data protection. It is obvious that a wide scope of personal data or the processing of personal data referred to in Article 9 or Article 10 of Regulation 2016/679 may cause (in the event of a breach of personal data protection) far-reaching negative effects for data subjects, so they should be assessed as high-value assets, and therefore their level of protection should be appropriately high.

It is necessary to specify existing or applied safeguards, among other things, so as not to duplicate them. It is also absolutely necessary to check the effectiveness of these safeguards, because the existence of an unverified safeguard, firstly, may eliminate its value, and secondly, may give a false sense of security and may result in omitting (not detecting) a critical vulnerability, which, if exploited, will cause very negative effects, including in particular a breach of personal data protection.

Vulnerability is commonly defined as a weakness or gap in security, which, if exploited by a given threat, may disrupt functioning, and may also lead to incidents or breaches of personal data protection. Identifying threats involves determining what threats and from what direction (reason) they may appear.

A method for conducting risk analysis is, for example, defining the risk level as the product of the probability and the effects of a given incident. A risk matrix is usually used, which allows for visualizing risk levels, presenting risk levels for which the organization defines appropriate actions.

It should be emphasized that risk management (conducting risk analysis and implementing appropriate security measures on this basis) is one of the basic elements of the personal data protection system and is a continuous process. Therefore, there should be periodic verification of both the adequacy and effectiveness of the security measures applied, in accordance with the requirement provided for in Article 32 paragraph 1 letter d) of Regulation 2016/679. The data controller should therefore regularly test, measure and assess the effectiveness of technical and organizational measures to ensure the security of processing.

New risks or threats may also materialize or be revealed spontaneously, in a manner completely independent of the administrator, and this is a fact that should also be taken into account both when building a personal data protection system and during its implementation. This, in turn, defines the need to regularly verify the entire personal data protection system, both in terms of adequacy and effectiveness of the implemented organizational and technical solutions. 

It should also be emphasized that the examination of the probability of a given event should not be based solely on the frequency of events in a given organization, because the fact that a given event did not occur in the past does not mean that it cannot occur in the future. 
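The risk-matrix method described above (risk level as the product of likelihood and impact), together with the point that an unverified safeguard must not be credited and that asset value follows the scope of the data, as an added worked example that is not part of the decision. The five-point scales, the register entry modelled on the migrated website folder and every numeric value are constructed assumptions.

```python
"""Constructed risk register: risk = likelihood x impact, a 5x5 risk matrix,
and no credit for safeguards whose effectiveness has not been verified.
All scales and values are hypothetical and not taken from the decision."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # constructed 5-point scale: 1 = very low ... 5 = very high

# Data categories treated as maximum impact when disclosed (constructed rule
# reflecting the decision's remark on identifiers and Art. 9/10 data).
HIGH_IMPACT_DATA = {"national identification number", "health", "criminal convictions"}


@dataclass
class Safeguard:
    name: str
    likelihood_reduction: int  # likelihood levels removed when the safeguard works
    verified: bool             # effectiveness confirmed by test or review


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                   # inherent likelihood, 1..5, not past frequency alone
    data_scope: Tuple[str, ...]       # categories of personal data in the asset
    safeguards: List[Safeguard] = field(default_factory=list)


def impact_level(data_scope: Tuple[str, ...]) -> int:
    """Impact follows the scope and nature of the data: an identifier or Art. 9/10
    category means maximum impact, otherwise impact grows with the number of
    categories that would be disclosed (constructed rule)."""
    if HIGH_IMPACT_DATA & set(data_scope):
        return 5
    return min(5, max(1, len(data_scope)))


def residual_likelihood(risk: Risk) -> int:
    """Only verified safeguards lower the likelihood. An unverified safeguard may
    give a false sense of security, so it is treated as absent."""
    reduction = sum(s.likelihood_reduction for s in risk.safeguards if s.verified)
    return max(1, risk.likelihood - reduction)


def classify(score: int) -> str:
    """Map a product score (1..25) to an action band (constructed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(risk: Risk) -> Dict[str, object]:
    """Inherent and residual risk for one register entry."""
    impact = impact_level(risk.data_scope)
    inherent = risk.likelihood * impact
    residual = residual_likelihood(risk) * impact
    return {
        "asset": risk.asset,
        "impact": impact,
        "inherent": inherent,
        "inherent_level": classify(inherent),
        "residual": residual,
        "residual_level": classify(residual),
        "unverified_safeguards": [s.name for s in risk.safeguards if not s.verified],
    }


def verify_safeguard(risk: Risk, name: str) -> Risk:
    """Return a copy of the risk in which the named safeguard is marked verified,
    i.e. after its effectiveness has actually been tested."""
    updated = [replace(s, verified=True) if s.name == name else s for s in risk.safeguards]
    return replace(risk, safeguards=updated)


def risk_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """5x5 grid keyed by (residual likelihood, impact) listing asset names per cell."""
    grid: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        grid[(residual_likelihood(r), impact_level(r.data_scope))].append(r.asset)
    return grid


# Constructed register entry modelled on the facts of the decision.
CUSTOMER_DB = Risk(
    asset="customer database in migrated website folder",
    threat="unauthorised disclosure through a web-indexed directory",
    vulnerability="server configuration error after the website transfer",
    likelihood=4,
    data_scope=("name", "date of birth", "contact details",
                "national identification number", "encrypted password"),
    safeguards=[Safeguard("processor confirmed directory configuration", 3, verified=False)],
)

if __name__ == "__main__":
    before = assess(CUSTOMER_DB)            # residual stays 20 / high: safeguard unverified
    after = assess(verify_safeguard(CUSTOMER_DB, "processor confirmed directory configuration"))
    print(before)                           # residual 20, level high
    print(after)                            # residual 5, level low
    for (lik, imp), assets in sorted(risk_matrix([CUSTOMER_DB]).items(), reverse=True):
        if assets:
            print(f"likelihood {lik} x impact {imp}: {assets}")
```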

In this context, it should be noted that the Provincial Administrative Court in Warsaw in its judgment of August 26, 2020, file ref. II SA/Wa 2826/19 (upheld by the judgment of the Supreme Administrative Court of 28 February 2024, reference number II OSK 3839/21), stated that "(...) activities of a technical and organizational nature are within the competence of the personal data controller, but they cannot be selected in a completely free and voluntary manner, without taking into account the degree of risk and the nature of the protected personal data." Taking into account in particular the scope of personal data processed by the Controller in order to properly fulfill the obligations imposed by the above-mentioned provisions of Regulation 2016/679, the Controller was obliged to take actions ensuring an appropriate level of data protection by implementing appropriate technical and organisational measures, as well as actions aimed at optimally securing and configuring the resources, tools and devices used (including computer hardware) by regularly testing, measuring and assessing the effectiveness of technical and organisational measures intended to ensure the security of data processing in the form of security tests of IT infrastructure and applications. The nature and type of these actions should result from the risk analysis conducted, which should identify vulnerabilities relating to the resources used and the threats resulting from them, and then determine adequate security measures. As emphasised by the Regional Administrative Court in Warsaw in its judgments of 13 May 2021, file reference II SA/Wa 2129/20, and of 5 October 2023, file reference II SA/Wa 502/23, "The Data Controller should therefore conduct a risk analysis and assess the threats it is dealing with".

Carrying out work related to transferring the IT system used to process personal data to another location should be preceded by detailed analyses to determine the impact of this activity on the security of data processed in this system. It is particularly important to verify whether appropriate technical and organizational measures ensuring data confidentiality have been used to perform this operation. The obligations in this respect for the Controller and the Processor result directly from Art. 32 sec. 1 and 2 of Regulation 2016/679.

In the factual circumstances of this case, as follows from the letter of April 25, 2022, the Controller did not conduct a risk analysis before transferring the website from the previous hosting service provider to the server in A.'s infrastructure, informing that in accordance with § (...) sec. 1 let. (…) of the agreement (...) conducting such an analysis was the obligation of the Processor.

The supervisory authority, assessing the evidential value of the submitted agreements regulating the issue of cooperation between A. and X. (the agreement (...) and the agreement (...) – discussed in detail in point II of the factual justification) considered that they do not clearly indicate that the Processor received from the Controller sufficient information necessary to transfer the website to a new environment in a way that guarantees security for the personal data processing process. The lack of convincing evidence confirming proper communication between the Controller and the Processor also applies to cooperation between these entities related to the need to conduct a risk analysis. It should therefore be emphasized that the deficit of proper communication is evident from the very beginning of the personal data processing process, which was carried out at the Controller's request by the Processor. The agreements in question (and in particular the agreement on entrusting the processing of personal data) are constructed in a very general manner (see point II of the factual justification). The Administrator, when constructing the entrustment agreement, essentially rewrote the content of certain articles of Regulation 2016/679 and did not refer its provisions to specific activities related to the process of processing personal data, which took place on behalf of the Administrator by the Processor. The supervisory authority does not dispute that the entrustment agreement submitted during the administrative proceedings was concluded. Nevertheless, the evidentiary value of this document in relation to specific facts, which – according to the Administrator – took place, is negligible.

In the case in question, it should be emphasized that risk analysis and risk management are processes that require cooperation between all interested parties and as such require, above all, planning, organizing, directing and controlling the resources used for processing, carrying out the processing activities themselves and investigating and detecting possible vulnerabilities and gaps. In particular, it is necessary to analyze the impact of each change on the level of security of the data being processed. Consequently, before performing any actions, especially those involving, for example, transferring a resource containing personal data from one location to another, the Administrator and the Processor should exercise the utmost caution, and before implementing the change itself, they should determine the principles for its introduction, especially in the context of ensuring an appropriate level of security of the processed data, and check whether the operation was completed with complete success not only in terms of the efficiency of the application or system, but also in terms of meeting the requirements of legal regulations, including the provisions of Regulation 2016/679 imposing obligations in the scope of ensuring an appropriate level of data security. Taking the above into account, it should be indicated that the Administrator was obliged to verify whether the personal data were properly secured against access by unauthorized persons. The thesis of A. contained in the letter of 27 September 2021, according to which the fact that the website (...) is a collection of data is irrelevant for these proceedings, and the fact that these were personal data is a secondary issue (see point VIII of the factual justification), does not merit consideration. 
It is precisely the fact that the website in question contained a database of personal data that is crucial from the point of view of personal data protection, because this fact determines the need to implement specific (adequate) technical measures aimed at ensuring the security of personal data processing. The supervisory authority does not indicate to the controllers what technical conditions they should meet in order to avoid violations of personal data protection. It is the Controller, being aware that he is processing personal data, knowing their nature and scope, who, after a thoroughly conducted risk analysis, decides what adequate organizational and technical measures should be implemented by him. Moreover, he should be able to demonstrate - before the supervisory authority - that he has actually implemented such measures. As indicated by the Regional Administrative Court in Warsaw in its judgment of 5 October 2023, file reference II SA/Wa 502/23, "the supervisory authority is not obliged to indicate to the Controller the technical and organizational solutions that he should implement in order to process personal data in accordance with the law. It is the Controller's task to introduce these measures and then - if necessary - demonstrate that he complies with the principles of personal data processing specified in Regulation 2016/679, in accordance with the principle of accountability (Article 5 paragraph 2 of the aforementioned regulation)". In turn, the Supreme Administrative Court in its judgment of 9 February 2023, file reference III OSK 3945/21, indicated that "On the basis of the GDPR, the legislator has moved away from the static definition of the technical and organizational measures required from the controller in favor of a dynamic assessment of the adopted security measures. 
The above means that it is the controller and the processor that are responsible for determining appropriate (adequate) security measures, while maintaining the competence of the supervisory authority to verify the adopted level of security".

Entrusting the processing of personal data to a processor does not release the Controller from the obligations arising from art. 32 sec. 1 and 2 of Regulation 2016/679. Therefore – contrary to the position of A. indicated in the letter of 27 September 2021 – the key issue is the fact that the transferred website contained a database of personal data of the Company's customers.

In accordance with art. 4 point 7 of Regulation 2016/679, "controller" means a natural or legal person, public authority, unit or other entity that alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, a controller may also be designated by Union law or the law of a Member State, or specific criteria for its designation may be laid down. In turn, Article 4(8) of Regulation 2016/679 states that "processor" means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. Indicating the relationship between the controller and the processor, it should be emphasised that the obligation to conduct a reliable risk analysis also results from the provisions of the law already referred to above contained in Articles 24 and 25 of Regulation 2016/679 - these, in turn, refer only to the controller. Therefore, the use of the services of a processor does not release the controller from the obligation to select adequate measures to ensure security in the process of personal data processing and cannot constitute an argument for transferring the responsibility for the selection and implementation of the measures referred to above to the processor.

It should be noted that in order to properly conduct a risk analysis, it is necessary to have the entire spectrum of information. Even if we were to assume that this general provision of the entrustment agreement implies that the obligation to conduct a risk analysis rested only with the processor (which in itself is contrary to art. 32 sec. 1 of Regulation 2016/679), the processor, in order to be able to conduct such a risk analysis, should have knowledge concerning, for example, the fact that the transferred website contains personal data of a specific scope, processed for a specific purpose. During the administrative proceedings, the Controller did not credibly prove – in accordance with the principle of accountability – that it had provided the Processor with information that the transferred website contains a database of personal data with specific properties.

The lack of effective communication is confirmed by the incident analysis report submitted during the proceedings for A., which indicated that the transfer of the website to the new environment took place without verifying the vulnerabilities of the transferred website (see point I of the factual justification). It should be emphasized that the identification of these vulnerabilities should have taken place as part of the risk analysis conducted, and A. did not submit convincing evidence that he had provided the Processor with all the information necessary to perform it, and at the same time he had not conducted such an analysis himself.

According to the risk-based approach regulated in the provisions of Regulation 2016/679, entrusting the processing to the Processor does not exclude the Controller's responsibility for ensuring the security of processing. It should be pointed out here that recital 74 of Regulation 2016/679 calls for imposing obligations on the controller and establishing the controller's legal liability for the processing of personal data by the controller or on its behalf. In particular, the controller should be obliged to implement appropriate and effective measures and should be able to demonstrate that the processing activities comply with this Regulation and that they are effective. These measures should take into account the nature, scope, context and purposes of the processing and the risk of infringement of the rights and freedoms of natural persons. The literature on the subject argues that "the provisions impose obligations on the controller to comply with the principles and hold him liable for their infringement. In the commented regulation, there is a tendency to give controllers greater freedom in the scope of the security measures applied, while at the same time increasing liability for infringements of data protection provisions. The controller should conduct a risk analysis and assess what threats he is dealing with in order to be able to apply appropriate measures to effectively secure the data being processed." P. Fajgielski [in:] Commentary to Regulation No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd edition, Warsaw 2022, art. 5.

Referring the above to the case at hand, it should be noted that in the absence of a risk analysis for personal data processing operations in connection with the work related to the transfer of the IT system used to process personal data to another location before the breach of personal data protection occurred - the Controller did not monitor both the adequacy and effectiveness of the applied security measures, contrary not only to the obligations arising from art. 24 sec. 1, art. 25 sec. 1 and art. 32 sec. 1 and 2 of Regulation 2016/679, but also the principle of accountability referred to in Art. 5 sec. 2 of Regulation 2016/679.

The supervisory authority would like to emphasize here how necessary - for the protection of personal data - it is to monitor the Controller's compliance with the principle of accountability. The case law indicates that "taking into account all the norms of Regulation 2016/679, it should be emphasized that the controller has significant freedom in the scope of applied security measures, but at the same time is liable for the infringement of the provisions on the protection of personal data. It follows directly from the principle of accountability that it is the controller who should demonstrate, and therefore prove, that he complies with the provisions specified in Art. 5 sec. 1 of Regulation 2016/679" (judgment of the Provincial Administrative Court in Warsaw of 26 August 2020, file reference II SA/Wa 2826/19). "(...) Regulation 2016/679 does not, however, prejudge how the controller should fulfil the obligations arising from the principle of accountability contained in art. 5 sec. 2 of the aforementioned regulation, but it does indicate the need to account for compliance with the provisions, report on their implementation and provide evidence of the proper performance of the obligations. The principle of accountability obliges controllers to demonstrate that they have taken all measures to ensure compliance with the obligation to protect personal data. In light of the aforementioned principle, the controller, and not the supervisory authority dealing with personal data protection, is responsible for developing, updating and maintaining all procedures and documents related to the protection of personal data, as well as for creating evidentiary possibilities demonstrating the compliance of the processing with the provisions (...)" (judgment of the Voivodeship Administrative Court in Warsaw of 1 February 2022, file reference II SA/Wa 2106/21, LEX no. 3392761). 
The above is confirmed by the ruling of the Regional Administrative Court in Warsaw of 10 February 2021, file reference II SA/Wa 2378/20: "The principle of accountability is therefore based on the legal responsibility of the controller for the proper performance of duties and imposes on him the obligation to demonstrate, both to the supervisory authority and to the data subject, evidence of compliance with all data processing principles." 

During the administrative proceedings, A. attempted to transfer responsibility for personal data protection violations to X., referring to documents, i.e. the "Report (...)", the agreement (...) concluded between A. and X and the agreement (...) concluded between A. and X. The analysis of the submitted documents does not confirm that the Processor is solely responsible for the effects of the personal data protection violation. § (...) section (...) of the agreement (...) contains regulations regarding X.'s liability and its exclusion. It should be noted that the exclusions of X.'s liability do not apply only to those IT systems that were implemented by third parties. In accordance with § (…) section (…) point (…) of the aforementioned agreement, X. shall not be liable for damages resulting from unauthorized persons gaining access to the system as a result of configuration errors or security imperfections (see section II of the factual justification). The President of the UODO does not question the legality of the concluded agreement, however, this agreement, as well as the agreement on entrusting the processing of personal data, does not precisely define the areas of responsibility of the Administrator and the Processor. Consequently, it does not follow from the aforementioned documents that the Administrator has fulfilled the obligations imposed on it by Regulation 2016/679.

III. The role of the Controller and the Processor in the processing of personal data.

If the processing is to be carried out on behalf of the controller, then in accordance with art. 28 sec. 1 of Regulation 2016/679, it shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of Regulation 2016/679 and ensures the protection of the rights of data subjects. In accordance with Article 28(3) of Regulation 2016/679, processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) takes all measures required pursuant to Article 32; (d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III; (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

The need to verify the processor is highlighted in the EDPB Guidelines 7/2020 on the concepts of controller and processor in the GDPR[1]. They indicate that "(...) the guarantees "provided" by the processor are those that the processor is able to demonstrate to the satisfaction of the controller, as those are the only guarantees that the controller can effectively take into account when assessing compliance with its obligations. Often this will require an exchange of relevant documentation (e.g. privacy policy, terms of service, record of processing activities, records management policy, information security policy, reports of external data protection audits, recognised international certifications such as the ISO 27000 series) (...) The controller's assessment of whether the guarantees are sufficient is a form of risk assessment, which greatly depends on the type of processing entrusted to the processor and needs to be made on a case-by-case basis, taking into account the nature, scope, context and purposes of the processing as well as the risks to the rights and freedoms of natural persons. Therefore, the EDPB cannot provide an exhaustive list of the documents or actions that the processor needs to show or demonstrate in any given scenario, since this largely depends on the specific circumstances of the processing (...)".

During the administrative proceedings, A. indicated how it verified whether the Processor ensured the implementation of appropriate technical and organisational measures to meet the security requirements of the personal data processing. A detailed description of this verification is included in point III of the factual justification. In this respect, the supervisory authority gave credence to the explanations provided by the Controller and saw no grounds to question that A., before starting cooperation with the Processor, verified X. in terms of providing sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing of personal data meets the requirements of Regulation 2016/679 and protects the rights of data subjects. However, it should be emphasized that, similarly to the need to conduct a risk analysis, the obligation to perform this verification is a continuous one. The consequences of the controller neglecting the obligation to continuously verify the guarantees referred to in Article 28 paragraph 1 of Regulation 2016/679 may directly affect the natural persons whose personal data have been entrusted to the Processor. The necessity of continuous verification of the processor is indicated in the EDPB Guidelines 07/2020, which state that "(...) 99: The obligation to use only processors "providing sufficient guarantees" contained in Article 28(1) GDPR is a continuous obligation. It does not end at the moment where the controller and processor conclude a contract or other legal act. Rather, the controller should, at appropriate intervals, verify the processor's guarantees, including through audits and inspections where appropriate (...)". 
As already indicated above, before concluding the personal data processing entrustment agreement, the Controller verified the Processor, and a circumstance A. took into account in this process was its previous cooperation with X., in the course of which the Company had no reservations regarding the quality of the work performed or any other problems concerning the processing of personal data, information security or the managed IT systems. Since verification of the processor must be a continuous process, it should be pointed out that long-term cooperation between the parties, not supported by periodic, systematic audits or inspections, does not guarantee that the processor will properly perform the tasks required by law and under the concluded entrustment agreement.

In the present case, verification by the Controller of the way the Processor implemented the changes related to the transfer of the website to a new environment would have significantly reduced the risk of unauthorised persons gaining access to the personal data processed on the website (...). The effect of this omission was that A. took no action to ensure the security of its customers' personal data, as it was obliged to do, as the controller of such data, under the above-mentioned provisions of Regulation 2016/679. It should also be emphasized that using the services of a processor does not release the Controller from these obligations; they rest primarily with the data controller. Analysing the actions of the Controller in this respect (or rather the lack of them), it can be concluded that it limited itself to notifying the Processor of the need to transfer the website to a new environment, without taking any action to verify whether the security of processing of customers' personal data was ensured while the changes to the system were being made.

Pursuant to Article 28 paragraph 3 letter h) of Regulation 2016/679, the Controller has the right to conduct audits, including inspections, at the Processor. The purpose of these actions should be to constantly verify whether the Processor is fulfilling all the obligations specified in Article 28 paragraph 3 of Regulation 2016/679. In the context of this case, given the nature of the task commissioned from X., i.e. the transfer of the website (...) to a new environment, it was particularly important to verify whether the Processor was taking all the measures required under Article 32 of Regulation 2016/679. The President of the UODO asked the Controller to indicate whether it had exercised the right of control referred to in Article 28 paragraph 3 letter h) of Regulation 2016/679. In response to a precisely formulated question from the supervisory authority, A. provided an evasive answer that in fact bore no relation to the question asked (see point IV of the factual justification). In view of the above, it should be stated that A. did not exercise the right to conduct audits, including inspections, at the Processor in order to verify whether X. was properly performing its obligations under Regulation 2016/679. The Controller's explanations that "(...) regular testing, measuring and assessing the effectiveness of the organizational and technical measures applied to ensure the security of personal data processing in the IT area were entrusted to X. in the technical part as part of the Controller's general cooperation. These activities included reviews of reports on the tools used, analyses and decisions related to additional security, and testing the vulnerability of the IT infrastructure in terms of the occurrence of TOP10 OWASP vulnerabilities (report provided in the attachment to the letter dated June 3, 2020)" are irrelevant to the question of whether A. conducted an inspection at X. 
It should be emphasized here how important an element of the processor verification process the possibility of inspecting it is. Art. 28 sec. 3 lit. h) of Regulation 2016/679 gives the controller tools to ensure that the entrusted processing will comply with the standards specified in Regulation 2016/679, and submitting evidence confirming the performance of such control activities, in accordance with the principle of accountability, may prove that the Controller has taken steps to verify that the processor has implemented appropriate technical and organisational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. This right of the controller should be treated as one of the most important security measures it should apply in order to properly fulfil its obligations under Art. 32 sec. 1 of Regulation 2016/679. When using the services of a processor, the Controller should know whether and how the entity entrusted with the processing of personal data meets the requirements of Regulation 2016/679. It is worth noting that the agreement submitted by the Controller (...) contained provisions permitting such inspections and precisely specified the rules for carrying them out (see point II of the factual justification), and despite this, A. did not submit evidence that any such inspection activities were undertaken.

Moreover, as already shown above, the application of the above measures is linked to the controller's obligation under Article 28 paragraph 1 of Regulation 2016/679, which means that their application also serves to confirm whether the processor continues to provide guarantees of implementing appropriate technical and organisational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. Failure to carry out audits, including inspections, at the Processor consequently means a breach by the Controller not only of Article 28 paragraph 1 of Regulation 2016/679, but also of Article 25 paragraph 1 of Regulation 2016/679, which obliges it to implement appropriate technical and organisational measures both when determining the means of processing and during the processing itself. The continuity inherent in this obligation may therefore in practice manifest itself, among other things, in the need to regularly monitor the security measures applied and to exercise constant supervision over the Processor through, for example, the audits and inspections referred to in Article 28 paragraph 3 letter h) of Regulation 2016/679, which were lacking in the circumstances of this case.

Contrary to the EDPB Guidelines 7/2020, the Controller, in the course of the proceedings, tried to argue that concluding a personal data entrustment agreement with an external entity specialising in IT security releases it from responsibility for implementing the organisational and technical measures referred to in Article 32 of Regulation 2016/679, and that this responsibility lies solely with the Processor.

In accordance with the EDPB Guidelines 7/2020: "135: Turning to the specific obligations, the processor is firstly required to assist the controller in complying with the obligation to adopt appropriate technical and organisational measures to ensure the security of processing. While this may overlap to some extent with the requirement that the processor itself adopt appropriate security measures, where the processing operations carried out by the processor fall within the scope of the GDPR, these remain two distinct obligations, since one pertains to the processor's own measures and the other to the controller's." "138: The duty to assist does not consist in a shift of responsibility, as these obligations are imposed on the controller. For example, while a DPIA may in practice be carried out by the processor, the controller remains responsible for the obligation to carry out the assessment and the processor is obliged to assist the controller "where necessary and upon request". Accordingly, it is the controller that must take the initiative to carry out the DPIA, not the processor."

From Article 32 of Regulation 2016/679, interpreted in light of the above-quoted guidelines, it follows that the obligation to implement organisational and technical measures is imposed on both processors and controllers. Concluding an agreement and entrusting certain personal data processing activities to a processor therefore does not release the controller from the obligation to implement the appropriate technical and organisational measures referred to in Art. 32 of Regulation 2016/679, nor from the obligation to exercise constant supervision over the processor in this respect.

Consequently, in the opinion of the President of the UODO, the technical and organisational measures applied by the Controller met the requirements of Art. 32 of Regulation 2016/679 only to a very limited extent, because the Controller did not enforce the provisions of its agreements and did not verify the Processor's activities aimed at transferring the old website. At no stage of the work carried out on the IT systems did the Controller supervise whether the implementation was actually carried out in accordance with generally applicable standards and the personal data processing agreement. In the course of the proceedings, the Controller did not prove that, when commissioning the Processor to transfer the historical website (...) to the new environment, it informed the Processor that the personal data of its customers were processed in the website environment. In its explanations of July 15, 2021, the Processor indicated that during the period of cooperation it did not receive information from the Controller about the functionality of the website, in particular that the website transfer task involved the processing of personal data of A.'s customers, or that these data were not transferred to the local enterprise management system but collected directly in the website database. Consequently, according to the explanations provided, the Processor did not know the content of the database of the transferred website until the personal data breach occurred and therefore took no action to secure it, e.g. by encrypting it. 
The actions taken by X. focused solely on securing the website, including by placing it on an updated server, connecting the server to a public network in a way that allowed incoming connections on the ports indicated by the software manufacturer L., activating traffic filtering to the server and launching an additional network firewall for the website.

When instructing the Processor to perform actions that involve data processing, the Controller should specify them in a manner that leaves no doubt as to what the commissioned actions involve. During the proceedings, the Controller indicated that the Processor, as a professional entity, must have known that the transfer operation also involved transferring customer data. However, the Controller provided no evidence that it had informed the Processor that its customers' personal data were processed in the website database. In its explanations, the Controller referred to the fact that the Processor's support was very broad and that the Processor was responsible for the IT area, and that the scope of personal data was specified in the annex to the data processing agreement, listing the data contained in IT systems, which did not include the website (...). The Controller also indicated that the scope of data processed using the website (...) was not wider than the scope of data processed in the listed IT systems. In view of the above, it should be emphasized that it is unacceptable for the Controller to leave these issues to the Processor's guesswork merely because a data processing agreement had been signed with it, especially where the transfer of the website was one of many services that the Processor provided to the Controller under the agreement on (...).

It should also be noted that, as part of the cooperation between A. and X., the Processor communicated to the Controller its doubts about the level of security of the IT infrastructure. As follows from the explanations provided by the Processor, X. informed the Controller that the website was based on outdated software and that it should have a substantive owner who would supervise its operation. Such messages should lead to increased vigilance on the part of the Controller. A. should at least have reviewed the procedures defining the scope of the Processor's responsibility, i.e. it should have established with X. who was responsible for securing the website (including updating the software) on which the personal data database was located. Meanwhile, in the case in question, the entrustment agreement was constructed in such a way that even the Processor, in these administrative proceedings, took the position that the entrustment agreement did not cover entrusting the processing of personal data as part of the operation of the website (...) (see point VI of the factual justification). Even if one assumed that X.'s explanations in this respect were provided in order to avoid liability for violating Regulation 2016/679, this does not change the fact that the data processing agreement in question was constructed in a way that raises doubts as to the scope of the personal data entrusted and the scope of activities that the Processor undertook to perform in connection with the processing of these data. The Controller bears primary responsibility in this case, because it was A. that decided to select this particular business entity. 
It is the Controller that should select a processor providing sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. It is the Controller that should exercise due diligence when concluding agreements (including the personal data processing agreement), so that the agreement precisely specifies the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the parties. However, it cannot be overlooked that, in the absence of instructions from the Controller on how the server should be configured for the transfer of the website, the Processor, in order to eliminate any doubts, should have verified whether it would process personal data while performing this task, determined what functions the website performed and whether and what data were processed using it, and adapted the security measures to the information obtained. In the absence of sufficient information, the Processor should have conducted a risk analysis on its own and then decided whether to undertake the given order.

At the same time, it should be noted that, taking into account the period of cooperation between X. and the Controller (including the fact that X. and A. concluded an agreement to entrust the processing of personal data), knowledge of its IT infrastructure and the nature of its business activity, the Processor, for the purposes of broadly understood security and to fulfill the duty of care that rests with it as a qualified entity, could have inquired about the content of the database and the place of saving the data processed on the website.

According to the judgment of the Voivodeship Administrative Court in Warsaw of October 5, 2021, file reference II SA/Wa 528/21, "(...) the controller's substitute [representative] is a separate legal entity, acting on behalf of the represented party on the basis of the authorisation granted in the processing entrustment agreement concluded with the controller. If the processing activities are performed by a processor, not a controller, then, in principle, the provisions specifying the obligations related to processing should apply to the activities of this substitute. However, Regulation 2016/679 divides these obligations between the controller and the processor, which means that the controller, by entrusting data processing to another entity, is not completely exempt from liability for failure to comply with the legal requirements for processing. The provisions of the Regulation address some obligations to the controller (Article 5, paragraph 2), while others are addressed simultaneously to the controller and the processor (Article 32, paragraphs 1 and 2). Furthermore, the processor has separate obligations in this respect (Article 28 of the Regulation). It is true that these obligations of the processor should be included in the data processing agreement concluded between the parties. However, the fact that the parties are required to include them in the contract does not deprive them of their public law nature and does not make them purely contractual obligations, which is of course of fundamental importance for determining liability for their infringement and which is confirmed by Article 83 paragraph 4 letter a of the Regulation. It should be emphasized that the processor is obliged to cooperate with the controller and even to assist it in fulfilling its obligations specified in Articles 32-36 (Article 28 of the Regulation). 
The imposition of a rather general obligation to ensure data security on both the controller and the processor (Article 32 paragraph 1) does not, of course, imply that these entities must take the same actions, nor does it create liability on their part for infringements regardless of which of them the infringement can be attributed to. There is no question here of any joint and several performance by the parties, in the legal sense, of the obligations concerning the security of data processing, or of joint and several liability for the infringement of these obligations (...)".

In view of the above, it should be noted that X.'s failure to communicate appropriately with A. (e.g. by asking whether there were personal data on the transferred website) shows a lack of due diligence on the part of the Processor in performing a task that should have been carried out safely, correctly and without error. The effect of this lack of diligence was a violation by X. of Article 32 paragraphs 1 and 2 in connection with Article 28 paragraph 3 letters c) and f) of Regulation 2016/679.

IV. Obligation to conduct regular testing, measurement and assessment of the effectiveness of security measures for the processing of personal data.

Another aspect of personal data protection that is important for the resolution contained in this decision is the need to regularly test, measure and assess the effectiveness of the security measures for the processing of personal data (Article 32 paragraph 1 letter d) of Regulation 2016/679). In this respect, the Controller explained that it had entrusted the Processor with regular testing, measuring and assessing the effectiveness of the security measures related to the operation of the previous website (...). These activities were to be carried out by X. as part of the basic tasks performed under the service provided to A. (see point V of the factual justification). As follows from the evidence collected, the Controller did not itself regularly test, measure and assess the effectiveness of the technical and organisational measures ensuring the security of processing. The Controller indicated that the list of activities attached to the case file shows that tests of the website were performed before the incident occurred, which in its opinion confirms that activities related to data processing and IT security were monitored.

It should be noted that the evidence presented on monitoring and testing the website's vulnerabilities shows that the tests were performed solely by the Processor and concerned the website itself and its functionality, and not the threats resulting from the processing of customers' personal data through it, of which the Processor was unaware. Moreover, despite the evidence presented by the Controller confirming that the Processor regularly tested, measured and assessed the effectiveness of the security measures, the vulnerability that led to the breach of customers' personal data was not detected. It should also be emphasized that the fact that the Processor regularly tests, measures and assesses the effectiveness of personal data processing security measures does not release the Controller from the obligation to carry out such activities. A. should at least have checked whether X.'s actions in this respect were carried out correctly.

Regular testing, measuring and assessing the effectiveness of the technical and organisational measures ensuring the security of processing is a fundamental obligation of every controller and processor under art. 32 sec. 1 letter d) of Regulation 2016/679. The controller is therefore obliged to verify both the selection and the effectiveness of the technical measures used, at every stage of processing. The scope of this verification should be assessed in terms of adequacy to the risks and proportionality to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. For testing, measuring and assessing to satisfy art. 32 sec. 1 letter d) of Regulation 2016/679, they must be carried out in a regular, consciously planned, organised and documented manner (in connection with the principle of accountability, Art. 5 sec. 2 of Regulation 2016/679), at specified intervals, regardless of changes in the organisation and course of data processing caused, for example, by entrusting the processing of personal data to a processor. A. did not take such actions (and was entitled to do so under Art. 28 sec. 3 letter h) of Regulation 2016/679), which aggravates the violation of this provision of Regulation 2016/679.
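As an added illustration of what a planned, repeatable and documented check of a migrated website could look like (this is example code written for this page, not part of the decision and not the tooling of A. or X.): the script below probes a list of paths on a base URL, classifies each response as a directory listing, readable content, blocked or absent, and returns a dated report that can be archived as evidence of regular testing. The legacy paths, the base URL and the sample responses are constructed for the demonstration and are assumptions, not facts from the case; the live fetcher uses only the standard library's urllib.

```python
"""Scheduled exposure check for a migrated website's legacy content.

Added example, not taken from the UODO decision or from the parties' tooling.
Assumptions (hypothetical): the site may still serve a legacy folder such as
/old/ after migration, and the check is run on a schedule with its report
stored so that regular testing can be evidenced (Art. 32(1)(d), Art. 5(2)).
"""
import json
import re
import urllib.error
import urllib.request
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Hypothetical leftovers of a site migration; extend with the real site map.
LEGACY_PATHS = ["/old/", "/old/backup/", "/old/db/", "/old/backup.zip",
                "/old/config.php.bak"]

# Markers emitted by common web servers when directory listing is enabled.
DIR_LISTING = re.compile(r"<title>Index of /|Parent Directory", re.I)


@dataclass
class Finding:
    path: str
    status: int
    verdict: str  # listing | exposed | blocked | missing | other


def classify(path, status, body):
    """Map one HTTP response to a verdict; only 'listing'/'exposed' fail."""
    if status in (401, 403):
        return Finding(path, status, "blocked")
    if status == 404:
        return Finding(path, status, "missing")
    if status == 200 and DIR_LISTING.search(body or ""):
        return Finding(path, status, "listing")
    if 200 <= status < 300:
        return Finding(path, status, "exposed")
    return Finding(path, status, "other")


def http_fetch(url, timeout=5):
    """Live fetcher: (status, first 64 KiB of body); network errors give 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return 0, ""


def run_check(base_url, paths=LEGACY_PATHS, fetch=http_fetch):
    """Probe every path and return a dated report dict for archiving."""
    base = base_url.rstrip("/")
    findings = [classify(p, *fetch(base + p)) for p in paths]
    failed = [f.path for f in findings if f.verdict in ("listing", "exposed")]
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "base_url": base,
        "findings": [asdict(f) for f in findings],
        "failed_paths": failed,
        "passed": not failed,
    }


# Constructed sample responses standing in for a live server (offline demo).
SAMPLE_BASE = "https://www.example.invalid"
SAMPLE_RESPONSES = {
    "/old/": (200, "<html><title>Index of /old</title>Parent Directory</html>"),
    "/old/backup/": (403, "Forbidden"),
    "/old/db/": (200, "customers.sql\nusers.csv\n"),
    "/old/backup.zip": (404, ""),
    "/old/config.php.bak": (404, ""),
}


def sample_fetch(url):
    """Offline stand-in for http_fetch that serves SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url[len(SAMPLE_BASE):], (404, ""))


if __name__ == "__main__":
    # Runs against the constructed sample; for a live check pass fetch=http_fetch.
    print(json.dumps(run_check(SAMPLE_BASE, fetch=sample_fetch), indent=2))
```

The report is a plain dict so it can be written to a dated file by a cron job or CI schedule; keeping those files is what turns a one-off test into the "regular, planned, organised and documented" testing the decision describes. A failing report (`"passed": false`) lists the paths that answered with a directory listing or readable content and should block the migration sign-off until they are removed or access-controlled.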

In a similar factual situation, the Voivodeship Administrative Court in Warsaw, in its judgment of 21 October 2021, file reference II SA/Wa 272/21, stated: "(...) the President of the UODO was also right when he indicated in the justification of the contested decision that the lack of regulations in the procedures adopted by the Company ensuring regular testing, measurement and assessment of the effectiveness of the technical and organizational measures used to ensure the security of data processing contributed to the occurrence of a personal data protection breach. The authority also correctly points out that the proceedings showed that the Company did not conduct tests aimed at verifying the security of the application (...) and the WebAPI of the (...) system with regard to the vulnerability of the IT system related to the personal data breach that occurred (...) conducting tests only in the event of an emerging threat, without introducing a procedure that would specify a schedule of actions ensuring regular testing, measurement and assessment of the effectiveness of the implemented measures, is insufficient. The Company, as follows from the collected material, despite the adopted solutions, was unable to detect the vulnerability due to the lack of regular tests of the system it had implemented (...) In this context, it is impossible to question the assessment of the President of the UODO that regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of processing is a fundamental obligation of every controller and processor resulting from art. 32 sec. 1 letter d of the GDPR (...)".

V. Summary of the identified violation of the provisions of Regulation 2016/679.

The findings made do not therefore provide a basis for stating that the technical and organizational measures used by the Controller and the Processor to ensure the security of personal data were adequate to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing, which consequently did not ensure effective implementation of the data protection principles. As a result, in the opinion of the President of the UODO, both A. and X. did not implement appropriate technical and organizational measures to ensure the security of the processing of personal data located on the transferred website, which constitutes a violation of art. 32 sec. 1 and 2 of Regulation 2016/679.

It should also be noted that the obligations to implement appropriate technical and organisational measures so that the processing is carried out in accordance with Regulation 2016/679, and to provide the processing with the security measures necessary to meet the requirements of Regulation 2016/679, were imposed on the Controller (and only on the Controller) by art. 24 sec. 1 and art. 25 sec. 1 of Regulation 2016/679. In view of A.'s failure to apply adequate security measures, as described above, the Controller must be found to have violated these provisions of Regulation 2016/679 as well. The consequence of their violation is that A. also violated the principle of confidentiality expressed in art. 5 sec. 1 letter f) of Regulation 2016/679 and, consequently, the principle of accountability referred to in art. 5 sec. 2 of Regulation 2016/679.

It should be emphasized that proper and effective data protection was raised in Regulation 2016/679 to the rank of a general principle, which indicates that the issue of ensuring the confidentiality of data should be treated in a special and priority manner by the Controller. Meanwhile, as already demonstrated in the justification of this decision, both the Controller and the Processor failed to implement appropriate technical and organizational measures to ensure the security of personal data processing, which led to a breach of their confidentiality in connection with the occurrence of a breach of personal data protection.

When applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1, paragraph 2) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In the event of any doubts, e.g. as to the performance of obligations by Controllers - not only in a situation where a breach of personal data protection has occurred, but also when developing technical and organizational security measures to prevent them - these values should be taken into account first. 

In order to monitor and enforce the application of the provisions of Regulation 2016/679, the President of the UODO has been equipped with instruments that serve to bring about a situation in which the controller and/or the processor fulfills the obligations imposed on them by this Regulation. At the same time, both A. and X. must be held liable for the identified violations of the provisions of Regulation 2016/679.

VI. Justification for imposing and determining the amount of the administrative fine.

Pursuant to Article 58 paragraph 2 letter i) of Regulation 2016/679, each supervisory authority is entitled to apply, in addition to or instead of the other corrective measures provided for in Article 58 paragraph 2 letters a) - h) and letter j) of this Regulation, an administrative fine under Article 83 of Regulation 2016/679, depending on the circumstances of the specific case. Taking into account the findings on the factual circumstances, the President of the UODO, exercising the authority specified in the above-mentioned provision of Regulation 2016/679, stated that in the case at hand there were grounds justifying the imposition of an administrative fine on A. and X.

Pursuant to Article 83 sec. 4 letter a) of Regulation 2016/679, infringements of the provisions concerning the obligations of the Controller and the processor referred to in Articles 8, 11, 25-39 and 42 and 43 shall be subject, in accordance with paragraph 2, to an administrative fine of up to EUR 10,000,000, and in the case of an undertaking – of up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher.

In accordance with Article 83 sec. 5 letter a) of Regulation 2016/679, infringements of the provisions concerning the basic principles of processing, including the conditions for consent, referred to in Articles 5, 6, 7 and 9, shall be subject, in accordance with paragraph 2, to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking – of up to 4% of its total annual worldwide turnover in the previous financial year, whichever is higher.

Article 83 paragraph 3 of Regulation 2016/679 provides that if the Controller or Processor intentionally or negligently infringes several provisions of this Regulation within the same or related processing operations, the total amount of the administrative fine shall not exceed the amount of the fine for the most serious infringement.

In this case, the administrative fine against A. was imposed for the infringement of Article 25(1), Article 28(1) and Article 32(1) and (2) of Regulation 2016/679 on the basis of the above-mentioned Article 83(4)(a) of Regulation 2016/679, and for the infringement of Article 5(1)(f) and Article 5(2) of Regulation 2016/679 on the basis of Article 83(5)(a) of that Regulation. At the same time, the fine of the equivalent of EUR 350,000 imposed on A. in total for the infringement of all the above provisions does not, pursuant to Article 83(3) of Regulation 2016/679, exceed the amount of the fine for the most serious infringement established in this case, i.e. the infringement of Article 5(1)(f) of Regulation 2016/679, which, pursuant to Article 83(5)(a) of that Regulation, is subject to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking – of up to 4% of its total annual worldwide turnover from the previous financial year.

In turn, the administrative fine against the Processor was imposed for the infringement of Art. 32 sec. 1 and 2, and of Art. 32 sec. 1 and 2 in conjunction with Art. 28 sec. 3 letters c) and f), of Regulation 2016/679 on the basis of Art. 83 sec. 4 letter a) of Regulation 2016/679, which, pursuant to that provision, is subject to an administrative fine of up to EUR 10,000,000, and in the case of an undertaking – of up to 2% of its total annual worldwide turnover from the previous financial year.

VI. a) Justification for imposing and determining the amount of the administrative fine on A.

In deciding to impose an administrative fine on A., the President of the UODO – pursuant to Article 83 sec. 2 lit. a) - k) of Regulation 2016/679 – took into account the following circumstances of the case, which make it necessary to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them (Article 83 paragraph 2 letter a of Regulation 2016/679). In this case, a violation of the following provisions was found: Article 24 paragraph 1, Article 25 paragraph 1, Article 28 paragraphs 1 and 3, Article 32 paragraphs 1 and 2, Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679. Infringement of the above provisions was related to an event consisting in the disclosure of personal data of A.'s clients on a broad scale. When imposing the penalty, it was of significant importance that the infringement of the provisions of Regulation 2016/679 imposing on the Controller the obligation to apply appropriate technical and organisational measures to ensure the security of the processed personal data resulted in a breach of the confidentiality of the data of over 21 thousand clients of the Controller. The infringement is therefore of significant importance and serious nature, as it may lead to material or non-material damage to the persons whose data was breached, and the probability of such damage occurring is high. In addition, the risk resulting from the wide scope of data covered by the breach, the large number of data subjects, and the large scale and professional nature of the data processing should be taken into account. It should be emphasized that there is still a high risk of unlawful use of the personal data of the persons affected, because the purpose for which unauthorized persons came into possession of the file containing the Controller's customer database is unknown. Data subjects may therefore still suffer material damage, and the breach of data confidentiality itself also constitutes non-material damage (harm). 
The data subject may at least feel a fear of losing control over their personal data, identity theft or identity fraud, or finally financial loss. As indicated by the District Court in Warsaw in its judgment of 6 August 2020, file reference XXV C 2596/19, fear, i.e. loss of security, constitutes real non-material damage associated with the obligation to repair it. In turn, the Court of Justice of the EU in its judgment of 14 December 2023 in Natsionalna agentsia za prihodite (C-340/21) stressed that "Article 82 paragraph 1 of the GDPR should be interpreted as meaning that the fear of possible use by third parties in a manner constituting a misuse of personal data, which the data subject has as a result of an infringement of that regulation, may in itself constitute "non-material damage" within the meaning of that provision".

The President of the UODO also considers the long duration of the infringement of the provisions of Regulation 2016/679 by A. as an aggravating circumstance. In the case of an infringement of Article 28 paragraph 1 of Regulation 2016/679, it should be assumed that the infringement lasted from the date of conclusion of the personal data processing agreement (31 July 2019) until the date of termination of the provision of services by X. to A. (30 September 2020). In the event of a breach of the remaining provisions of Regulation 2016/679, it should be noted that it lasted from the date of commencement of cooperation between A. and X. (31 July 2019) until the date of introduction of technical and organisational measures aimed at ensuring security in the process of personal data processing, the implementation of which was declared by the Controller after the personal data protection breach occurred in a letter dated 3 June 2020.

2. Unintentional nature of the breach (Article 83 paragraph 2 letter b of Regulation 2016/679). In accordance with the Guidelines of the Article 29 Data Protection Working Party on the application and setting of administrative fines for the purposes of Regulation 2016/679 (hereinafter referred to as the WP253 Guidelines), confirmed by the Guidelines 04/2022 on the calculation of administrative fines under the GDPR (hereinafter referred to as Guidelines 04/2022)[2], intentionality "includes both knowledge and deliberate action, in connection with the characteristics of a prohibited act".

The Controller was aware that in the event of allowing the processing of personal data in IT systems, it should process personal data in such a way as to ensure their appropriate security, i.e. in such a way as to ensure compliance with the principle of "integrity and confidentiality" expressed in art. 5 sec. 1 letter f) of Regulation 2016/679.

It should be emphasized here that the occurrence of the infringement in question was significantly influenced by A.'s gross negligence and the Company's disregard for the obligations of a data controller. Despite being aware of the threat to security in the process of personal data processing, the Controller did not implement adequate measures to guarantee this security, and in the course of the administrative proceedings it tried to transfer responsibility for the breach of personal data protection to the Processor. The evidence collected clearly shows that A. was aware that – as the data controller – it should implement appropriate technical and organisational measures to ensure that the processing was carried out in accordance with Regulation 2016/679, as evidenced by, for example, the conclusion of a personal data processing agreement, which – incidentally – contains provisions copied directly from Art. 28 sec. 3 of Regulation 2016/679. Despite having this knowledge, the Controller did not even independently conduct a risk analysis for the process of transferring the website to a new environment and entrusted the entire process to X., in relation to which – this should be emphasised once again – it did not apply control measures, the possibility of which results not only from Art. 28 sec. 3 letter h) of Regulation 2016/679, but even from the Agreement (...) (§ (...) sec. (...) letter (...)) – see point II of the factual justification).

Therefore, A. unintentionally violated the provisions on the protection of personal data - Article 5 paragraph 1 letter f) of Regulation 2016/679 in connection with Article 24 paragraph 1, 25 paragraph 1, 32 paragraphs 1 and 2 and Article 28 paragraph 1 of Regulation 2016/679 and consequently also Article 5 paragraph 2 of Regulation 2016/679.

3. Any relevant previous infringements by the controller or processor (Article 83 paragraph 2 letter e of Regulation 2016/679). When deciding on the imposition and amount of an administrative fine, the supervisory authority is obliged to take into account any previous infringements of Regulation 2016/679. The EDPB in the Guidelines 04/2022 clearly indicates: "The existence of previous infringements may be considered an aggravating factor when calculating the amount of the fine. The weight given to this factor should be determined taking into account the nature and frequency of the previous infringements. However, the absence of previous infringements cannot be considered a mitigating circumstance, since compliance with the provisions of [Regulation 2016/679] is the norm". And although, as indicated in the above-mentioned guidelines, "greater weight should be given to infringements concerning the same subject matter, since they are closer to the infringement that is the subject of the current proceedings, in particular where the controller or processor has previously committed the same infringement (repeated infringements)" (point 88 of the Guidelines), nevertheless "all previous infringements may constitute information about the controller's or processor's general approach to compliance with the provisions of Regulation 2016/679". The supervisory authority, having established in other administrative decisions that the Controller violated the provisions on the protection of personal data, has already exercised its remedial and warning powers against A. The President of the UODO issued the following decisions addressed to the Controller: - decision of 9 July 2021 (...), a warning for the violation of art. 6 sec. 1 of Regulation 2016/679, - decision of 14 September 2023 (...), a warning for the violation of art. 12 sec. 3 and 4 in connection with art. 21 sec. 2 of Regulation 2016/679 and an order to stop processing personal data. 
The above-mentioned earlier violations, identified by the authority as a result of administrative proceedings initiated by complaints filed by individuals about irregularities in the processing of their personal data by A., indicate that there are problems within the Controller's structures with the implementation of the obligations arising from the provisions of Regulation 2016/679. In the above-mentioned individual cases the Controller was not able to demonstrate to the supervisory authority the legality of the processing and the proper implementation of the individual's right to object to the processing of his or her personal data – which resulted in the application of appropriate remedial measures to A. However, it should be stated that the identified problems were not systemic or recurring in nature, but concerned individual situations. The fact that the violations identified in the above-mentioned proceedings differed objectively from those examined in this case is also significant for the assessment of this premise. Thus, the President of the UODO took the position that the Controller's previous attitude, indicating existing difficulties in respecting the provisions on the protection of personal data – while it is considered to be detrimental to the Controller and currently justifies the imposition of an administrative fine on it – does not significantly increase its amount.

4. Categories of personal data concerned by the infringement (Article 83 paragraph 2 letter g of Regulation 2016/679).

Although the personal data concerned by the infringement of the provisions of Regulation 2016/679 do not belong to the special categories of personal data referred to in Article 9 of Regulation 2016/679, their scope, i.e. first name and last name, address of residence or stay, PESEL registration number, e-mail address, telephone number and encrypted password, is associated with a high risk of violating the rights or freedoms of the natural persons affected by the infringement. It should be emphasized that the fact that the personal data protection breach covers categories of data such as the PESEL registration number together with the first and last name, which uniquely identify a natural person, may have a real and negative impact on the protection of the rights or freedoms of that person. It should be pointed out that the PESEL registration number, i.e. an eleven-digit numerical symbol uniquely identifying a natural person, containing, among others, the date of birth and gender designation, and therefore closely related to the private sphere of a natural person and also subject, as a national identification number, to exceptional protection under Article 87 of Regulation 2016/679, is data of a special nature and requires such special protection. In this context, it is worth recalling the Guidelines 04/2022, which indicate that: "As regards the requirement to take into account the categories of personal data concerned by the breach (Article 83(2)(g) of [Regulation 2016/679]), [Regulation 2016/679] clearly indicates the types of data that are subject to special protection and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Articles 9 and 10 of [Regulation 2016/679] as well as data not covered by those articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g. location data, private communications data, national identification numbers or financial data such as transaction records or credit card numbers). Generally speaking, the more categories of such data are concerned by the breach or the more sensitive the data is, the more weight the supervisory authority may give to such a factor. The amount of data relating to each data subject is also important, because the scale of the violation of the right to privacy and personal data protection increases with the amount of data relating to each data subject."

This view was also shared by the above-mentioned Court in its judgment of 21 June 2023 in case file reference II SA/Wa 150/23, where the Regional Administrative Court in Warsaw indicated: “To sum up, the Court is of the opinion that the disclosure of the PESEL number indicates a high risk of violating the rights or freedoms of natural persons.”

When determining the amount of the administrative fine, the President of the UODO took into account as a mitigating circumstance, having an impact on reducing the amount of the fine imposed, the good cooperation of the Controller with the supervisory authority undertaken and conducted in order to eliminate the violation and mitigate its possible negative effects (Article 83 paragraph 2 letter f) of Regulation 2016/679). It should be noted here that, in addition to the proper performance of the Controller's procedural obligations during the administrative proceedings concluded with the issuance of this decision, the Controller took steps to increase the level of security in the process of processing personal data by A. (see point XII of the factual justification). In the opinion of the President of the UODO, the performance of the above-mentioned activities should be considered a mitigating circumstance that reduces the amount of the imposed penalty.

The other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the UODO to be neutral in his opinion, i.e. having neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine.

1. Actions taken to minimise the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679). In the context of this premise, the purpose of the Controller's action is important, i.e. to minimise the damage suffered by data subjects. The President of the UODO did not note such actions of the Controller in this case. The mere provision of information about the event to data subjects cannot be considered in this case as action to minimise the damage suffered by these persons.

2. The degree of the controller's responsibility, taking into account the technical and organisational measures implemented by it under Articles 25 and 32 (Article 83 paragraph 2 letter d of Regulation 2016/679). The findings made by the President of the UODO allow for the conclusion that the Controller, despite having concluded an agreement with the Processor, adopted appropriate internal regulations and had knowledge of how to implement changes in IT systems, did not fulfil its obligations in terms of supervision over the Processor during the implementation of changes in the IT system used to process personal data, which in consequence left the Processor free to act, i.e. to implement changes in the IT system without prior appropriate testing, in the test phase of the implemented solution, of the security measures used. The lack of any supervision over the process of implementing changes in the IT system in which personal data were processed results in a high degree of liability of the Controller for the breach of confidentiality of personal data. In this case, however, this circumstance constitutes the essence of the infringement of the provisions of Regulation 2016/679; it is not merely a factor influencing – either as a mitigating or aggravating factor – its assessment. For this reason, the lack of appropriate technical and organisational measures referred to in Articles 25 and 32 of Regulation 2016/679 cannot be considered by the President of the UODO in this case as a circumstance that could additionally lead to a more severe assessment of the infringement and a higher administrative fine imposed on A.

3. The manner in which the supervisory authority learned of the infringement (Article 83 paragraph 2 letter h of Regulation 2016/679). The President of the UODO found an infringement of the provisions of Regulation 2016/679 as a result of the notification of a personal data protection infringement made by the Controller. The controller, by making this notification, was only fulfilling a legal obligation incumbent on it, there is no basis to consider that this circumstance constitutes a mitigating circumstance. According to Guidelines 04/2022, "(...) when assessing this aspect, particular weight may be given to the question of whether the controller or processor notified the breach on its own initiative, and if so, to what extent, before the supervisory authority was informed of the breach by way of, for example, a complaint or investigation. This circumstance is not relevant where the controller is subject to specific obligations to notify breaches (such as the obligation to notify a personal data breach under Article 33). In such cases, the fact of making a notification should be considered a neutral circumstance (...)".

4. Compliance with previously applied measures in the same case, referred to in Article 58 paragraph 2 of Regulation 2016/679 (Article 83 paragraph 2 letter i of Regulation 2016/679). Before issuing this decision, the President of the UODO did not apply any measures listed in Article 58 paragraph 2 of Regulation 2016/679 to the Controller in the case at hand, and therefore the Controller was not obliged to take any actions related to their application, and which actions, assessed by the President of the UODO, could have an aggravating or mitigating effect on the assessment of the identified infringement. 

5. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83 paragraph 2 letter j of Regulation 2016/679). The Controller does not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not – as provided for in the provisions of Regulation 2016/679 – obligatory for controllers and processors, therefore the circumstance of their non-application cannot be considered to the detriment of the Controller in this case. On the other hand, the circumstance of adopting and applying such instruments, as means guaranteeing a higher than standard level of protection of the processed personal data, could be considered to the benefit of the Controller.

6. Financial benefits achieved directly or indirectly in connection with the infringement or losses avoided (art. 83 sec. 2 letter k of Regulation 2016/679). The President of the UODO did not find that the Controller gained any financial benefits or avoided losses in connection with the infringement. There is therefore no basis to treat this circumstance as aggravating for the Controller. The finding of measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 would have to be assessed definitely negatively. On the other hand, the failure of the controller to achieve such benefits, as a natural state independent of the infringement and its effects, is a circumstance that by its nature cannot be a mitigating factor for the Controller. This is confirmed by the very wording of art. 83 sec. 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" – those that actually occurred on the side of the entity committing the infringement.

7. Other aggravating or mitigating factors (Article 83 paragraph 2 letter k of Regulation 2016/679). The President of the UODO, in a comprehensive consideration of the case, did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the imposed administrative fine.

In the opinion of the President of the UODO, the administrative fine applied fulfils the functions referred to in Article 83 paragraph 1 of Regulation 2016/679 in the established circumstances of this case, i.e. it is effective, proportionate and deterrent in this individual case.

Taking into account all the circumstances discussed above, the President of the UODO considered that imposing an administrative fine on the Controller is necessary and justified by the gravity, nature and scope of the violations of the provisions of Regulation 2016/679 alleged against this entity. It should be stated that applying to this entity any other corrective measure provided for in Article 58 paragraph 2 of Regulation 2016/679, in particular limiting it to a warning (Article 58 paragraph 2 letter b) of Regulation 2016/679), would not be proportionate to the irregularities found in the process of personal data processing and would not guarantee that the above entity will not commit similar negligence in the future as in this case.

Pursuant to the content of Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the Personal Data Protection Act, the equivalent of the amounts expressed in euro, referred to in art. 83 of Regulation 2016/679, is calculated in zlotys at the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of 28 January each year, and in the event that in a given year the National Bank of Poland does not announce the average euro exchange rate on 28 January - at the average euro exchange rate announced in the National Bank of Poland's exchange rate table closest after that date.

Taking the above into account, the President of the UODO, on the basis of art. 83 sec. 4 letter a) in conjunction with art. 103 of the Personal Data Protection Act, for the violation described in the operative part of this decision, imposed on A. – using the average euro exchange rate of 29 January 2024 (1 EUR = 4.3653 PLN) – an administrative fine in the amount of PLN 1,527,855.00 (which is the equivalent of EUR 350,000).

In the opinion of the President of the UODO, the imposed fine in the amount of PLN 1,527,855.00 (in words: one million five hundred twenty-seven thousand eight hundred fifty-five zlotys) meets, in the established circumstances of this case, the conditions referred to in art. 83 sec. 1 of Regulation 2016/679 due to the seriousness of the identified violation in the context of the basic objective of Regulation 2016/679 – protection of the fundamental rights and freedoms of natural persons, in particular the right to protection of personal data. Referring to the amount of the administrative fine imposed on A., the President of the UODO considered that it was proportionate to the financial situation of the Controller and would not constitute an excessive burden for it.

The "Report (…)" presented by the Controller shows that the total annual turnover from the previous financial year, i.e. 2023, amounted to PLN (…), therefore the amount of the administrative fine imposed in this case constitutes approx. (…) % of the above amount of revenue. At the same time, it is worth emphasizing that the amount of the fine imposed is only approx. 1.75% of the maximum fine that the President of the UODO could have imposed on A. for the infringements found in this case, applying in accordance with Art. 83 sec. 5 of Regulation 2016/679 the static maximum fine of up to EUR 20,000,000.

The amount of the fine was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of infringement of the Controller's obligations, and on the other hand, it does not create a situation in which the need to pay the fine would entail negative consequences in the form of a significant reduction in employment or a significant decrease in A.'s turnover. According to the President of the UODO, A. should and is able to bear the consequences of its negligence in the area of data protection, as evidenced by, for example, the "Report (…)". Moreover, when moderating the amount of the fine, the supervisory authority took into account the financial situation of the Controller as of the date of issue of this administrative decision, i.e. the fact that in (...) proceedings regarding (...) were pending in A., and that since 11 June 2024 (...) have been pending.

Finally, it is necessary to indicate that when determining the amount of the administrative fine in this case, the President of the UODO applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022. In accordance with the guidelines presented in this document:

1. The President of the UODO categorized the violations of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The infringements of the provisions on personal data protection found in this case fall within the category of infringements punishable by fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of its total annual worldwide turnover in the previous financial year, whichever is higher, and within the category of infringements punishable by fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total annual worldwide turnover in the previous financial year, whichever is higher. The most serious infringement found in this case, i.e. the infringement of Article 5(1)(f) and (2) of Regulation 2016/679 – pursuant to Article 83(5)(a) of Regulation 2016/679 – is subject to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking – of up to 4% of its total annual worldwide turnover from the previous financial year, whichever is higher. It was therefore considered in abstracto (without taking into account the individual circumstances of a specific case) by the EU legislator as more serious than the infringements indicated in Art. 83 sec. 4 of Regulation 2016/679.

2. The President of the UODO assessed the infringements found in this case as infringements with a high level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, these premises were taken into account among those listed in Art. 83 sec. 2 Regulation 2016/679, which concern the subject matter of the infringements (they constitute the “seriousness” of the infringement), i.e.: the nature, gravity and duration of the infringements (Article 83 paragraph 2 letter a) of Regulation 2016/679), the intentional or unintentional nature of the infringements (Article 83 paragraph 2 letter b) of Regulation 2016/679) and the categories of personal data concerned by the infringements (Article 83 paragraph 2 letter g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. At this point, it should be pointed out that considering their combined impact on the assessment of the infringements found in this case, taken as a whole, leads to the conclusion that their level of seriousness is also in concreto high (on the scale of seriousness of infringements presented in point 60 of Guidelines 04/2022). The consequence of this is to adopt – as the starting amount for calculating the penalty – a value within the range of 20 to 100% of the maximum penalty that can be imposed on A. Considering that the provision of Article 83 sec. 5 of Regulation 2016/679 obliges the President of the UODO to adopt as the maximum amount of the fine for the infringements indicated in that provision the amount of EUR 20 000 000 or – if that value is higher than EUR 20 000 000 – an amount constituting 4% of A.'s turnover in the previous financial year, the President of the UODO decided that the so-called static maximum amount of the fine, i.e. EUR 20 000 000, was applicable in this case. 
Having at his disposal a range from 0 to EUR 20 000 000, the President of the UODO adopted, as adequate and justified by the circumstances of the case, the starting amount for calculating the amount of the fine of EUR 10 000 000 (constituting 50% of the static maximum amount of the fine).

3. Pursuant to point 66 of the Guidelines 04/2022 (in relation to companies with an annual turnover between EUR 10,000,000 and EUR 50,000,000), the President of the UODO considered it justified to use the possibility of reducing the starting amount adopted based on the assessment of the seriousness of the infringement to EUR 500,000. 

4. The President of the UODO assessed the impact on the established infringement of the remaining circumstances (apart from those taken into account above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of the Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to the subjective side of the infringement, i.e. to the entity itself that is the perpetrator of the infringement and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The President of the UODO considered (which was justified in the above part of the justification of the decision) that the aggravating circumstances in this case, and therefore additionally increasing the amount of the penalty imposed in this decision, are the relevant earlier infringements on the part of A., as established by the President of the UODO (Article 83 paragraph 2 letter e) of Regulation 2016/679). In turn, the circumstances that have a mitigating effect on the amount of the fine are the degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its potential negative effects (Article 83 paragraph 2 letter f) of Regulation 2016/679). The remaining conditions (from Article 83 paragraph 2 letters c), d), h), i), j), k) of Regulation 2016/679) – as indicated above – had no effect, either mitigating or aggravating, on the assessment of the infringement and, consequently, on the amount of the fine. Therefore, due to the existence of additional aggravating and mitigating circumstances in the case related to the entity of the infringement, the President of the UODO considered it justified to leave the amount of the fine at EUR 500,000.

5. The President of the UODO stated that the amount of the administrative fine determined in the manner presented above does not exceed – in accordance with Article 83 paragraph 3 of Regulation 2016/679 – the legally defined maximum amount of the penalty provided for the most serious infringement (see Chapter 6 of Guidelines 04/2022).

6. Despite the fact that the amount of the penalty determined in accordance with the above principles does not exceed the legally defined maximum penalty, the President of the UODO considered that it requires an additional correction due to the principle of proportionality listed in Article 83 paragraph 1 of Regulation 2016/679 as one of the three directives on the assessment of the penalty (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of EUR 500,000 would be an effective penalty (due to its severity, it would achieve its repressive purpose, which is to punish unlawful conduct) and a deterrent penalty (effectively discouraging both A. and other controllers from committing future infringements of the provisions of Regulation 2016/679). However, taking into account the current financial condition of the Controller (i.e. the fact that (...)), such a penalty would be – in the opinion of the President of the Personal Data Protection Office – a disproportionate penalty both in relation to the gravity of the identified infringements (which in abstracto and in concreto is low – see points 1 and 2 above) and due to its excessive severity in relation to that gravity. The principle of proportionality requires, among other things, that the measures adopted by the administrative body do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see point 137 and point 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...]; Commentary to Article 83 [in:] P. Litwiński (ed.) General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary). 
Therefore, taking into account the proportionality of the penalty, the President of the UODO further reduced its amount - to EUR 350,000 (equivalent to PLN 1,527,855.00). In his opinion, such a determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is a threshold above which further increases in the amount of the penalty will not increase its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the penalty could be at the expense of its effectiveness and deterrent nature, as well as a coherent – in relation to other supervisory authorities and the EDPB – understanding, application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities on the EU and EEA internal market.

To sum up the above, in the opinion of the President of the UODO, the administrative fine imposed on the Controller in this case meets, in the light of all the individual circumstances of the case, the conditions (functions of penalties) referred to in Article 83 sec. 1 of Regulation 2016/679, due to the gravity of the identified violations in the context of the basic requirements and principles of Regulation 2016/679 – in particular the principle of confidentiality expressed in Art. 5 sec. 1 letter f) of Regulation 2016/679 and the principle of accountability referred to in Art. 5 sec. 2 of Regulation 2016/679.

VI. b) Justification for imposing and determining the amount of the administrative fine on X.

In deciding to impose an administrative fine on X., the President of the UODO, in accordance with Article 83(2)(a) to (k) of Regulation 2016/679, took into account the following circumstances of the case, which necessitate the application of this type of sanction and have an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a of Regulation 2016/679).

In this case, the Processor was found to have infringed Article 32(1) and (2), and Article 32(1) and (2) in conjunction with Article 28(3)(c) and (f), of Regulation 2016/679. The infringement of these provisions was connected with an event involving the large-scale disclosure of personal data of A.'s clients. When imposing the fine, significant weight was attached to the fact that the Processor's failure to meet its obligations under Regulation 2016/679 to apply appropriate technical and organisational measures ensuring the security of the processed personal data contributed to the breach of confidentiality of the data of over 21 thousand of the Controller's customers. This is of a serious nature, as it may lead to material or non-material damage to the persons whose data was breached, and the probability of such damage is high. In addition, account must be taken of the risk resulting from the wide scope of data covered by the breach, the large number of data subjects, and the large scale and professional nature of the data processing. It should be emphasised that the persons whose data was breached still face a high risk of unlawful use of their personal data, because the purpose for which unauthorised persons obtained the file containing the database of the Controller's customers is unknown. Data subjects may therefore continue to suffer material damage, and the breach of data confidentiality itself also constitutes non-material damage (harm). The data subject may, at the very least, fear losing control over their personal data, identity theft or identity fraud, or financial loss. As the District Court in Warsaw indicated in its judgment of 6 August 2020, file reference XXV C 2596/19, such fear, i.e. the loss of a sense of security, constitutes real non-material damage giving rise to an obligation to redress it.
In turn, the Court of Justice of the EU in its judgment of 14 December 2023 in Natsionalna agentsia za prihodite (C-340/21) emphasized that "Article 82 sec. 1 GDPR should be interpreted as meaning that the fear of possible use by third parties in a manner constituting a misuse of personal data, which the data subject has as a result of an infringement of this regulation, may in itself constitute "non-material damage" within the meaning of this provision".

The President of the UODO also considers the long duration of the infringement of the provisions of Regulation 2016/679 by X as an aggravating circumstance. In the case of an infringement of Art. 28 sec. 1 of Regulation 2016/679, it should be assumed that the infringement lasted from the date of conclusion of the personal data processing agreement (31 July 2019) to the date of termination of the provision of services by X to A. (30 September 2020). In the event of infringement of the remaining provisions of Regulation 2016/679, it should be noted that it lasted from the date of commencement of cooperation between A. and X. (31 July 2019) until the date of introduction of technical and organisational measures aimed at ensuring security in the process of personal data processing, the implementation of which was declared by the Controller after the personal data protection breach occurred in the letter of 3 June 2020.

2. Unintentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679). The Processor was aware that, when it allows personal data to be processed in IT systems, it must process that data in a manner ensuring its appropriate security, as required by Article 32(1) and (2) of Regulation 2016/679. Given the nature of its business activity, X. should also have been aware of the need to provide sufficient guarantees of implementing appropriate technical and organisational measures so that the processing meets the requirements of Regulation 2016/679.

It should be emphasized here that the occurrence of the breach in question was caused by improper communication between the Administrator and the Processor. Evidence of improper communication between the above entities is the fact that during these proceedings A. and X. mutually shifted responsibility for the event in question. Although the Administrator is primarily responsible for implementing adequate security measures in the process of processing personal data, this does not change the fact that the long-term cooperation between the Administrator and the Processor and the fact that an additional task was performed (transferring the website to a new environment) requires additional cooperation between the Processor and the Administrator. Despite being aware of the threat to security in the process of processing personal data, the Processor did not take additional actions in this regard, and during the administrative proceedings tried to transfer responsibility for the breach of personal data protection to the Administrator, forgetting that it also has certain obligations in the scope of implementing appropriate technical and organizational measures to secure personal data. The processor did not independently conduct a risk analysis for the process related to the transfer of the website to the new environment and did not take into account that the transferred website contained personal data.

Thus, X. unintentionally violated the provisions on the protection of personal data – Article 32 paragraphs 1 and 2 and Article 32 paragraphs 1 and 2 in conjunction with Article 28 paragraph 3 letters c) and f) of Regulation 2016/679.

3. Categories of personal data concerned by the infringement (Article 83(2)(g) of Regulation 2016/679). Although the personal data concerned by the infringement of Regulation 2016/679 do not belong to the special categories of personal data referred to in Article 9 of Regulation 2016/679, their scope, i.e. first name and last name, address of residence or stay, PESEL registration number, e-mail address, telephone number and encrypted password, is associated with a high risk to the rights or freedoms of the natural persons affected by the breach. It should be emphasised that a personal data breach covering the PESEL registration number together with the first name and last name, which unambiguously identify a natural person, may have a real and negative impact on the protection of that person's rights or freedoms. The PESEL registration number is an eleven-digit identifier that unambiguously identifies a natural person and encodes, among other things, the date of birth and sex; it is therefore closely related to the private sphere of the natural person and, as a national identification number, is also subject to exceptional protection under Article 87 of Regulation 2016/679. It is thus data of a special nature requiring correspondingly special protection.

In this context, it is worth recalling the Guidelines 04/2022, which indicate that: "As regards the requirement to take into account the categories of personal data concerned by the breach (Article 83(2)(g) of [Regulation 2016/679]), [Regulation 2016/679] clearly indicates the types of data that are subject to special protection and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Articles 9 and 10 of [Regulation 2016/679] and data outside the scope of these articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g. location data, private communication data, national identification numbers or financial data such as transaction records or credit card numbers). Generally speaking, the more such categories of data are affected by the breach or the more sensitive the data is, the more weight the supervisory authority may attach to such a factor. The amount of data relating to each data subject is also important, because the scale of the infringement of the right to privacy and personal data protection increases with the amount of data relating to each data subject.”

This view was also shared by the above-mentioned Court in its judgment of 21 June 2023 in case file reference II SA/Wa 150/23, where the Voivodship Administrative Court in Warsaw indicated: “In summary, the Court is of the opinion that the disclosure of the PESEL number indicates a high risk of violating the rights or freedoms of natural persons.”

When determining the amount of the administrative fine, the President of the UODO took into account as a mitigating circumstance, which has an impact on reducing the amount of the fine imposed, the good cooperation of the Processing Entity with the supervisory authority undertaken and maintained in order to eliminate the infringement and mitigate its possible negative effects (Article 83 paragraph 2 letter f) of Regulation 2016/679). The Processing Entity provided exhaustive answers to the questions of the supervisory authority and, to the extent possible, taking into account its role in the process of personal data processing, contributed to eliminating the infringement and mitigating its possible negative effects. In the opinion of the President of the UODO, the performance of the above activities should be considered a mitigating circumstance, which has an impact on reducing the amount of the fine imposed.

Other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were considered by the President of the UODO to be neutral in his assessment, i.e. having neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine.

1. Actions taken to minimize the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679). In the context of this premise, the purpose of the Processing Entity's action is important, i.e. minimizing the damage suffered by data subjects. The President of the UODO did not note such actions of the Processing Entity in this case.

2. The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by it under Articles 25 and 32 (Article 83(2)(d) of Regulation 2016/679). The findings of the President of the UODO lead to the conclusion that the Processor, despite not having been informed by the Controller that the transferred website contained personal data, did not fulfil its obligations to implement adequate security measures in the process of personal data processing. The lack of proper communication between the Processor and the Controller means that X. must be found to share responsibility for the breach of confidentiality of personal data. In this case, however, that circumstance constitutes the very essence of the infringement of Regulation 2016/679; it is not merely a factor influencing, whether mitigating or aggravating, its assessment. For this reason, the lack of appropriate technical and organisational measures referred to in Article 32 of Regulation 2016/679 cannot be treated by the President of the UODO in this case as a circumstance additionally justifying a more severe assessment of the infringement and a higher administrative fine for X.

However, in the case of obligations arising from Art. 25 of Regulation 2016/679, it should be indicated that they apply to controllers, and therefore the premise discussed in this respect cannot be treated as aggravating or mitigating for the amount of the administrative fine imposed on the processor.

3. Any relevant previous infringements by the controller or processor (Art. 83 sec. 2 letter e of Regulation 2016/679). When deciding on the imposition and amount of the administrative fine, the supervisory authority is obliged to take into account any previous infringements of Regulation 2016/679. The EDPB in the Guidelines 04/2022 clearly indicates: "The existence of previous infringements may be considered an aggravating factor when calculating the amount of the fine. The weight given to this factor should be determined taking into account the nature and frequency of the previous infringements. However, the absence of previous infringements cannot be considered a mitigating circumstance, since compliance with the provisions of [Regulation 2016/679] is the norm". And although, as indicated in the above-mentioned guidelines, "greater weight should be given to infringements concerning the same subject matter, since they are closer to the infringement that is the subject of the current proceedings, in particular where the controller or processor has previously committed the same infringement (repeated infringements)" (point 88 of the Guidelines), nevertheless "all previous infringements may constitute information about the general approach of the controller or processor to compliance with the provisions of Regulation 2016/679". The President of the UODO did not find any previous violations of the provisions on personal data protection by the Processor, therefore there is no basis to treat this circumstance as an aggravating circumstance. The obligation of every processing entity is to comply with the provisions of the law (including the provisions on personal data protection), so the lack of previous violations cannot be a mitigating circumstance when imposing sanctions.

4. The manner in which the supervisory authority learned of the violation (Article 83 paragraph 2 letter h of Regulation 2016/679). The President of the UODO found a violation of the provisions of Regulation 2016/679 as a result of reporting a violation of personal data protection by the Controller. However, this circumstance is not of an aggravating or mitigating nature for determining the amount of the administrative fine imposed on the Processor, because the obligation to report a violation of personal data protection was imposed on the Controller and it is the Controller who is responsible for fulfilling this obligation.

5. Compliance with previously applied measures in the same case, referred to in Article 58 paragraph 2 of Regulation 2016/679 (Article 83 paragraph 2 letter i of Regulation 2016/679). Before issuing this decision, the President of the UODO did not apply any measures listed in Article 58 paragraph 2 of Regulation 2016/679 to the Processor in the case at issue, and therefore the Processor was not obliged to take any actions related to their application, and which actions, assessed by the President of the UODO, could have an aggravating or mitigating effect on the assessment of the identified infringement. 

6. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83 paragraph 2 letter j of Regulation 2016/679). The Processor does not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in the provisions of Regulation 2016/679 - mandatory for controllers and processors, and therefore the fact of their non-application cannot be considered to the detriment of the Processor in this case. On the other hand, the fact of adopting and applying such instruments as means guaranteeing a higher than standard level of protection of the processed personal data could be considered to the benefit of the Processor.

7. Financial benefits achieved directly or indirectly in connection with the infringement, or losses avoided (Article 83(2)(k) of Regulation 2016/679). The President of the UODO did not find that the Processor gained any financial benefits or avoided any losses in connection with the infringement. There are therefore no grounds to treat this circumstance as aggravating for the Processor. A finding of measurable financial benefits resulting from an infringement of Regulation 2016/679 would have to be assessed clearly negatively. Conversely, the Processor's failure to obtain such benefits, being the natural state of affairs independent of the infringement and its effects, is by its nature not a circumstance that can mitigate in the Processor's favour. This is confirmed by the very wording of Article 83(2)(k) of Regulation 2016/679, which requires the supervisory authority to pay due regard to benefits "gained", i.e. those that actually accrued to the entity committing the infringement.

8. Other aggravating or mitigating factors (Article 83 paragraph 2 letter k of Regulation 2016/679). The President of the UODO, in a comprehensive consideration of the case, did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the imposed administrative fine.

In the opinion of the President of the UODO, the administrative fine applied fulfils the functions referred to in Article 83 paragraph 1 of Regulation 2016/679 in the established circumstances of this case, i.e. it is effective, proportionate and deterrent in this individual case.

Taking into account all the circumstances discussed above, the President of the UODO considered that imposing an administrative fine on the Processor is necessary and justified by the gravity, nature and scope of the infringements of the provisions of Regulation 2016/679 alleged against this entity. It should be stated that applying to this entity any other remedy provided for in Article 58 paragraph 2 of Regulation 2016/679, in particular limiting it to a warning (Article 58 paragraph 2 letter b) of Regulation 2016/679), would not be proportionate to the irregularities found in the process of personal data processing and would not guarantee that the above entity will not commit similar negligence in the future as in this case.

Pursuant to Article 103 of the Polish Personal Data Protection Act (u.o.d.o.), the equivalent in zlotys of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 is calculated at the average euro exchange rate announced by the National Bank of Poland in its exchange rate table as of 28 January of each year or, if the National Bank of Poland does not announce an average euro exchange rate on 28 January in a given year, at the average euro exchange rate announced in the National Bank of Poland's exchange rate table on the closest date after 28 January.

Taking the above into account, the President of the UODO, on the basis of art. 83 sec. 4 letter a) in conjunction with art. 103 u.o.d.o., for the violation described in the operative part of this decision, imposed on X. – using the average euro exchange rate of 29 January 2024 (1 EUR = 4.3653 PLN) – an administrative fine in the amount of PLN 20,037.00 (which is equivalent to EUR 4,590).

In the opinion of the President of the UODO, the imposed fine in the amount of PLN 20,037.00 (in words: twenty thousand thirty-seven zlotys), meets, in the established circumstances of this case, the conditions referred to in art. 83 sec. 1 of Regulation 2016/679 due to the seriousness of the identified violation in the context of the basic purpose of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. Referring to the amount of the administrative fine imposed on X, the President of the Personal Data Protection Office considered that it was proportionate to the financial situation of the Processor and would not constitute an excessive burden for it.

The "Report (…)" available on the website (...) shows that the net sales revenue achieved by X for 2023 amounted to PLN (…). In connection with the above, the amount of the administrative fine imposed in this case constitutes approx. (…) % of the above amount of revenue. At the same time, it is worth emphasizing that the amount of the fine imposed is only approx. 0.05% of the maximum amount of the fine that the President of the Personal Data Protection Office could - applying the static maximum fine of up to EUR 10,000,000 in accordance with Article 83 paragraph 4 of Regulation 2016/679 - impose on X for the infringements found in this case.

The amount of the fine was set at a level which, on the one hand, constitutes an adequate response of the supervisory authority to the degree of breach of the Processor's obligations and, on the other hand, does not lead to a situation in which paying the fine would entail negative consequences such as a significant reduction in employment or a significant decrease in X.'s turnover. In the opinion of the President of the UODO, X. should and is able to bear the consequences of its negligence in the area of data protection, as evidenced, for example, by the "Report (...)".

Finally, it is necessary to indicate that when determining the amount of the administrative fine in this case, the President of the UODO applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022. In accordance with the guidelines set out in this document:

1. The President of the UODO categorized the violations of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The violations of personal data protection provisions found in this case fall into the category of violations punishable by a fine of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual global turnover from the previous financial year, whichever is higher.

2. The President of the UODO assessed the violations found in this case as violations with a high level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, these premises were taken into account among those listed in Article 83 para. 2 Regulation 2016/679, which concern the subject matter of the infringements (they constitute the “seriousness” of the infringement), i.e.: the nature, gravity and duration of the infringements (Article 83 paragraph 2 letter a) of Regulation 2016/679), the intentional or unintentional nature of the infringements (Article 83 paragraph 2 letter b) of Regulation 2016/679) and the categories of personal data concerned by the infringements (Article 83 paragraph 2 letter g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. At this point, it should be pointed out that considering their combined impact on the assessment of the infringements found in this case, taken as a whole, leads to the conclusion that their level of seriousness is also in concreto high (on the scale of seriousness of infringements presented in point 60 of Guidelines 04/2022). The consequence of this is to adopt – as the starting amount for calculating the penalty – a value within the range of 20 to 100% of the maximum penalty that can be imposed on X. Considering that the provision of Article 83 sec. 4 of Regulation 2016/679 obliges the President of the UODO to adopt as the maximum amount of the penalty for the infringements indicated in this provision the amount of EUR 10,000,000 or - if this value is higher than EUR 10,000,000 - an amount constituting 2% of X.'s turnover from the previous financial year, the President of the UODO considered that the so-called static maximum amount of the penalty, i.e. EUR 10,000,000, applies in this case. 
Having at his disposal a range from 0 to EUR 10,000,000, the President of the UODO adopted, as adequate and justified by the circumstances of the case, the starting amount for calculating the amount of the penalty of EUR 4,000,000 (constituting 40% of the static maximum amount of the penalty).

3. Pursuant to point 66 of the Guidelines 04/2022 (in relation to undertakings with an annual turnover between EUR 0 and EUR 2,000,000), the President of the UODO considered it justified to use the possibility of reducing the starting amount adopted based on the assessment of the seriousness of the infringement to EUR 12,000.

4. The President of the UODO assessed the impact on the established infringement of the remaining circumstances (apart from those taken into account above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of the Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to the subjective side of the infringement, i.e. to the entity itself that is the perpetrator of the infringement and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The President of the UODO considered (as justified in the above part of the justification of the decision) that the circumstance having a mitigating effect on the amount of the fine is the degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its possible negative effects (Article 83 paragraph 2 letter f) of Regulation 2016/679). The remaining conditions (under Article 83 paragraph 2 letters c), d), e), h), i), j), k) of Regulation 2016/679) – as indicated above – had no influence, neither mitigating nor aggravating, on the assessment of the infringement and, consequently, on the amount of the penalty. Therefore, due to the existence of additional aggravating and mitigating circumstances in the case, relating to the subject of the infringement, the President of the UODO considered it justified to reduce the amount of the fine to EUR 10,200.

5. The President of the UODO stated that the amount of the administrative fine determined in the manner presented above does not exceed – in accordance with Article 83 paragraph 3 of Regulation 2016/679 – the legally defined maximum amount of the fine provided for the most serious infringement (see Chapter 6 of Guidelines 04/2022).

6. Despite the fact that the amount of the fine determined in accordance with the above principles does not exceed the legally defined maximum fine, the President of the UODO considered that it requires additional correction due to the principle of proportionality listed in Article 83 paragraph 1 of Regulation 2016/679 as one of the three directives on the assessment of the fine (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of EUR 10,200 would be an effective penalty (due to its severity, it would achieve its repressive purpose, which is to punish unlawful conduct) and a deterrent penalty (effectively discouraging both X and other processors from committing future infringements of the provisions of Regulation 2016/679). However, in the opinion of the President of the UODO, such a penalty would be disproportionate to the gravity of the infringements found (which in abstracto and in concreto is high – see points 1 and 2 above), its severity being excessive in relation to that gravity. The principle of proportionality requires, among other things, that the measures adopted by the administrative body do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see point 137 and point 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...]; Commentary to Article 83 [in:] P. Litwiński (ed.), General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary).

Therefore, taking into account the proportionality of the penalty, the President of the UODO further reduced the amount of the penalty - to EUR 4,590.00 (equivalent to PLN 20,037). In his opinion, such a determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is a threshold above which further increases in the amount of the penalty will not increase its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the penalty could be at the expense of its effectiveness and deterrent nature, as well as a coherent – in relation to other supervisory authorities and the EDPB – understanding, application and enforcement of Regulation 2016/679, and the principle of equal treatment of entities on the EU and EEA internal market.

To sum up the above, in the opinion of the President of the UODO, the administrative fine imposed in this case against the Processing Entity meets, in the light of all the individual circumstances of the case, the conditions (functions of penalties) referred to in Article 83 sec. 1 of Regulation 2016/679, due to the seriousness of the identified violations in the context of the basic requirements of Regulation 2016/679.

Taking the above into account, the President of the Personal Data Protection Office decided as in the operative part of this decision.

[1] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_pl

[2] https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_pl_0.pdf