UODO (Poland) - DKN.5131.5.2020

From GDPRhub
Revision as of 09:40, 30 December 2020 by 37.47.45.62 (talk) (→‎Dispute)
UODO - DKN.5131.5.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 33(1) GDPR
Article 34(1) GDPR
Article 34(2) GDPR
Article 57(1)(a) GDPR
Article 58(2)(i) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(3) GDPR
Article 83(4)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.12.2020
Published: 29.12.2020
Fine: 85588 PLN
Parties: n/a
National Case Number/Name: DKN.5131.5.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The President of the Polish Office for Personal Data Protection (UODO) imposed a fine of ca. EUR 18,900 on the insurance company for failing to notify a personal data breach to the DPA without undue delay and for failing to notify a personal data breach without undue delay to data subjects.

English Summary

Facts

In May 2020, the authority was notified of a personal data breach. It consisted in sending by e-mail, by an insurance agent, who is an entity processing for an insurance company, an insurance policy containing personal data to an unauthorised addressee. In this way, the confidentiality of data of two persons was violated in the scope of names, surnames, residential or correspondence addresses, PESEL (national identification numbers), telephone numbers, e-mail addresses and information concerning the subject of insurance (passenger car), the scope of insurance, payments, assignments, as well as additional provisions resulting from the agreement. The supervisory authority has been informed about a personal data protection breach by an unauthorised addressee who has come into possession of documents not intended for him/her containing the aforementioned personal data.

PUODO conducted an investigation and received information from the insurer that a personal data protection breach consisting in providing personal data to an unauthorised recipient actually took place. The company indicated that an assessment was made with regard to the risk of violation of rights and freedoms of natural persons. On the basis of the assessment, the Company concluded that there was no breach resulting in the need to notify the President of UODO, because:

1. the customer provided an incorrect e-mail address to which the insurance policy document was sent, 2. the unauthorised recipient has informed the Company, so it can be concluded that he was aware of the regulations and importance of the information he received.

The Company accepted that there is no high probability of negative consequences for the data subjects through unauthorised use of their data and indicated the applied corrective measure in the form of a request to the unauthorised recipient to permanently delete the message together with a request for feedback confirming its deletion.

The authority has indicated to the Company that the fact that the infringement occurred as a result of an error of the customer who provided the agent with an incorrect e-mail address cannot affect the assessment of the event and its classification as a personal data protection violation. It results in making personal data available to an unauthorised person, which means that data confidentiality has been breached. What is more, due to the fact that the indicated data confidentiality violation concerns PESEL numbers together with names and surnames, residential addresses, telephone numbers and e-mail addresses, it should be considered that it may involve a high risk of violation of rights or freedoms of natural persons. At the same time, the President of UODO has again called upon the Company to carry out an analysis of the risk of infringement of rights and freedoms of natural persons necessary to assess whether there has been a breach of data protection resulting in the necessity to notify the President of the UODO and the persons affected by the breach.

However, the Company has upheld its argumentation and previous risk assessment. In the absence of notification of a personal data breach to the PUODO and the lack of notification of a personal data breach to the persons affected by the breach, the authority initiated administrative proceedings.

Dispute

Has there been a data protection breach resulting in the need to notify the authority and the data subjects, according to Article 33(1) GDPR and [[Article 34 GDPR#1|Article 34(1) GDPR]?

Holding

The PUODO held that the insurance company infringed the GDPR provisions, failing to notify a personal data breach to the DPA without undue delay and for failing to notify a personal data breach without undue delay to data subjects. PUODO imposed a fine of EUR 18,902.

Comment

Following the initiation of the administrative procedure in this case, the Company notified the President of UODO of the breach of personal data protection by sending a form containing a detailed description of the event. The form also stated that the Company notified two data subjects of a personal data protection breach and anonymised content of the notification. Nevertheless, the authority found that there was an infringement of Article 33(1) GDPR and [[Article 34 GDPR#1|Article 34(1) GDPR]]], justifying the imposition of a fine.

In the opinion of the authority, the violation of data confidentiality, which occurred in the case in question, in connection with the violation of personal data protection consisting in sending the insurance policy to an unauthorised recipient, in particular data concerning PESEL numbers together with names and surnames, addresses of residence or correspondence, telephone numbers, e-mail addresses and information about the subject of insurance (passenger car), the scope of insurance, payments, assignments, as well as additional provisions resulting from the agreement, causes a high risk of violation of rights or freedoms of natural persons.

As a matter of practice, the PUODO considers that the breach poses a high risk to the rights and freedoms of the data subject in virtually every case where a PESEL (national identification number) has been disclosed. In my opinion, this is not the correct approach and the risks will vary depending on the circumstances of the specific case.

In the opinion of the authority in the present case, the breach could lead to physical or financial or non-financial damage to the persons whose data were breached. Examples of such damage include discrimination, identity theft or falsification, financial loss and damage to reputation. In the opinion of PUODO, 'there is no doubt that the examples of damage mentioned in the guidelines may occur in this case'. There was therefore a high risk and the Company should, in the opinion of the authority, have notified both the PUODO and the data subjects.

In the opinion of the authority, this assessment is not affected by asking the wrong recipient to permanently delete the correspondence received. There is no certainty that before these actions the person has not made, for example, a photocopy or recorded the personal data contained in the document in another way, e.g. by writing it down. Therefore, the mere removal of correspondence does not give any guarantee that the intentions of such a person will not change now or in the future, and the possible consequences of using such categories of data may be significant for the persons whose data have been infringed. The same applies to a possible declaration of destruction of the received correspondence, as the Company has no possibility of actually verifying it.

PUODO stressed that, in the present case, there were no grounds to recognise and treat an unauthorised recipient as a 'trusted recipient'. Moreover, the Article 29 Working Party's guidelines clearly indicate that "in case of any doubt, the controller should report the breach, even if such a caution could prove excessive".

It is also irrelevant to the authority that in this case a personal data protection breach has occurred due to the fact that it was the Company's own customers who provided the wrong e-mail address to which the policy was to be sent. The data was made available to an unauthorised addressee, which means that there was a security breach leading to unauthorised disclosure of personal data, and the scope of such data determines that there is a high risk of violation of rights and freedoms of natural persons. At the same time, it should be emphasised that the data controller allowing the possibility of using electronic mail for communication with the customer should be aware of the risks associated with e.g. incorrect e-mail address provided by the customer and in order to minimise them, take appropriate organisational and technical measures, such as verification of the provided address or encryption of documents sent in this way. As it results from the notification of a personal data protection breach submitted after the initiation of administrative proceedings, these measures did not function properly, since the data controller in point 9B of the above mentioned notification, in order to minimise the risk of a repeat of the breach, decided to conduct an interview with the agent and to train the staff of the agency, which will take into account the need to encrypt the electronic correspondence directed to the clients and the need to pay attention to the correctness of the contact data provided by the client.

What is more, the infringement is also connected with a violation of insurance secrecy, which clearly increases the seriousness of the infringement and justifies its more severe assessment.

The authority stated that the Company, therefore, by taking a decision on notifying the supervisory authority as well as the data subjects only after the initiation of administrative proceedings (despite the fact that information about the event was sent to it in May 2020 by an unauthorised recipient), in practice deprived those persons of reliable information about the breach and the possibility to prevent potential damage.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT OFFICE OF SECURITY PERSONAL DATA

Warsaw, 09 December 2020

Based on Article. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended), art. 7 sec. 1 and art. 60, art. 101 and art. 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), as well as Art. 57 sec. 1 lit. a), art. 58 sec. 2 lit. i), art. 83 sec. 1-3 and art. 83 sec. 4 lit. a) in connection with art. 33 paragraph. 1 and art. 34 sec. 1 and 2 of the Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection ) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended), hereinafter also referred to as "Regulation 2016/679", after conducting administrative proceedings regarding the failure to notify the personal data breach to the President of the Office for Protection Personal Data and the lack of notification of a breach of personal data protection of persons affected by the breach by TUiR WARTA SA with its seat in W., President of the Personal Data Protection Office,finding that TUiR WARTA SA with its seat in W. has breached the provisions: 1.Art. 33 paragraph. 1 of Regulation 2016/679, consisting in not reporting the breach of personal data protection to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after the breach has been found,2.Art. 34 sec. 1 of Regulation 2016/679, consisting in failure to notify about a breach of personal data protection, without undue delay of data subjects, imposes on TUiR WARTA SA with its seat in W. a fine of PLN 85,588 (say: eighty-five thousand five hundred and eighty-eight zlotys).


Substantiation
The Office for Personal Data Protection, hereinafter also referred to as "UODO", on [...] May 2020, received information about a breach of personal data protection. The breach consisted in sending by e-mail by the insurance agent (PUJK based in O.), being the processing entity for TUiR WARTA SA based in W., hereinafter also referred to as the "Company", an insurance policy containing personal data to an unauthorized addressee, as a result of what the confidentiality of the data of two persons was breached in terms of names, surnames, addresses of residence or correspondence, PESEL numbers, telephone numbers, e-mail addresses and information regarding the subject of insurance (passenger car), scope of insurance, payment, assignment, as well as additional provisions resulting from from the contract. The supervisory body was informed about the breach of personal data protection by an unauthorized addressee who came into possession of documents not intended for him containing the above-mentioned personal data.</p><p> In connection with the above, on [...] June 2020, the President of the Office for Personal Data Protection, hereinafter also referred to as the "President of the Personal Data Protection Office", pursuant to Art. 58 sec. 1 lit. a) and e) of Regulation 2016/679 of the European Parliament and of the Council and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended), hereinafter also referred to as "Regulation 2016/679", asked the Company to clarify whether in connection with the sending of electronic correspondence to an unauthorized recipient, an analysis was made in terms of the risk of violation of the rights and freedoms of natural persons, necessary to assess whether there has been a breach of data protection resulting in the need to notify the President of the Personal Data Protection Office (Article 33 (1) and (3) of Regulation 2016/679) and persons affected by the infringement (Article 34 (1) and (2) of Regulation 2016/679). In the letter, the President of the Personal Data Protection Office indicated to the Company how to report the violation and called for explanations within 7 days from the date of receipt of the letter.</p><p> In response to the above, the Company, in a letter of [...] July 2020, confirmed that a breach of personal data protection consisting in disclosure of personal data to an unauthorized recipient took place. Moreover, the Company indicated that an assessment was made in terms of the risk of violating the rights and freedoms of natural persons. On its basis, the Company concluded that there was no breach resulting in the need to notify the President of the Personal Data Protection Office, because:</p><p> 1.the customer himself provided an incorrect e-mail address to which the insurance policy document was sent,<br /> 2. an unauthorized recipient turned to the Company, so it can be concluded that he is aware of the regulations and the importance of the information he received.</p><p> Based on the above arguments, the Company assumed the lack of a high probability of negative consequences for data subjects through unauthorized use of their data and indicated the corrective measure in the form of sending an unauthorized recipient a request to permanently delete the message together with a request for feedback confirming its removal.</p><p> In connection with the above in the letter, due to the assessment of the risk of violating the rights and freedoms of data subjects, the President of the Personal Data Protection Office in the letter of [...] August 2020 indicated to the Company that in accordance with Art. 4 point 12 of Regulation 2016/679, a breach of personal data protection is a "breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed". The President of the Personal Data Protection Office also pointed out that we are dealing with a breach of data protection both when an event occurs as a result of deliberate action and when it is caused by inadvertent action. In connection with the above, the fact that the breach occurred as a result of an error of the client who provided the agent with an incorrect e-mail address cannot affect the assessment of this event and qualifying it as a personal data breach. It results in disclosure of personal data to an unauthorized person, which means that the confidentiality of the data has been breached. Moreover, due to the fact that the indicated breach of data confidentiality concerns PESEL numbers together with names and surnames, residential addresses, telephone numbers and e-mail addresses, it should be considered that it may involve a high risk of violating the rights or freedoms of natural persons. . At the same time, the President of the Personal Data Protection Office again called the Company to perform an analysis in terms of the risk of violation of the rights and freedoms of natural persons necessary to assess whether there has been a breach of data protection resulting in the need to notify the President of the Personal Data Protection Office and the persons affected by the infringement and send explanations within 7 days from the date of delivery of the letter. .</p><p> In its response of [...] September 2020, the Company again indicated that in its opinion, in the case at hand, there was no high risk of violating the rights and freedoms of data subjects, as the data was disclosed only to an unauthorized recipient who himself asked the Company with the incident notification, which shows that he is aware of the regulations and the importance of the information he has received. Therefore, the probability of using this information in an unauthorized way or causing other damage is low. As proof of the above, the Company presented a completed risk assessment form and correspondence with the unauthorized recipient, in which he was asked to permanently delete the message.</p><p> Due to the lack of notification of the breach of personal data protection to the President of the Personal Data Protection Office and the lack of notification of the breach of personal data protection of persons affected by the breach, on [...] October 2020, the President of the Personal Data Protection Office initiated administrative proceedings against the Company (letter reference: [...]) .</p><p> After the initiation of administrative proceedings in this case, on [...] October 2020, the Company notified the President of the Personal Data Protection Office of the breach of personal data protection by sending a form containing a detailed description of the event (administrator's reference number [...]). The form also contained information that on [...] October 2020, the Company notified two data subjects of the breach of personal data protection and the anonymised content of the notification.</p><p> After reviewing the entirety of the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:</p><p> Art. 33 sec. 1 and 3 of Regulation 2016/679 provide that in the event of a breach of personal data protection, the data controller shall, without undue delay - if possible, no later than 72 hours after finding the breach - report it to the competent supervisory authority pursuant to Art. 55, unless it is unlikely that the violation would result in a risk of violation of the rights or freedoms of natural persons. The report submitted to the supervisory authority after 72 hours shall be accompanied by an explanation of the reasons for the delay. The notification referred to in para. 1, must at least: a) describe the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects, as well as the categories and approximate number of personal data entries affected by the breach; (b) include the name and contact details of the data protection officer or an indication of another contact point from which more information can be obtained; c) describe the possible consequences of the breach of personal data protection; (d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.</p><p> In turn, Art. 34 sec. 1 of Regulation 2016/679 indicates that in a situation of high risk for the rights and freedoms of natural persons resulting from the breach of personal data protection, the controller is obliged to notify the data subject about the breach without undue delay. According to Art. 34 sec. 2 of Regulation 2016/679, the correct notification should:</p><p> (a) describe the nature of the personal data breach in clear and plain language;<br /> (b) contain at least the information and measures referred to in Art. 33 paragraph. 3 lit. b), c) and d) of Regulation 2016/679, i.e .:<br /> c) the name and contact details of the data protection officer or designation of another contact point from which more information can be obtained;<br /> d) description of the possible consequences of a breach of personal data protection;<br /> (e) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.</p><p> It should be emphasized that the breach of confidentiality of data that occurred in the case in question, in connection with the breach of personal data protection consisting in sending an insurance policy to an unauthorized recipient, in particular data on PESEL numbers along with names and surnames, residence or correspondence addresses, telephone numbers, e-mail addresses and information about the subject of insurance (passenger car), the scope of insurance, payment, assignment, as well as additional provisions resulting from the contract, cause a high risk of violating the rights or freedoms of natural persons. As the Article 29 Working Party points out in the guidelines on reporting personal data breaches in accordance with Regulation 2016/679, hereinafter also referred to as "guidelines": "This risk exists when the breach may lead to physical damage or damage to property or property for people whose data has been breached. Examples of such damage include discrimination, identity theft or fraud, financial loss and damage to reputation. " There is no doubt that the examples of damage referred to in the guidelines may occur in the present case. Another important factor for such an assessment is the possibility of easy identification of persons whose data was affected by the breach, based on the disclosed data. As a consequence, this means that there is a high risk of violating the rights and freedoms of persons covered by the violation in question, which in turn results in the obligation for the Company to report a violation of personal data protection to the supervisory body, in accordance with Art. 33 paragraph. 1 of the Regulation 2016/679, which must contain the information specified in art. 33 paragraph. 3 of Regulation 2016/679 and notification of these persons about the violation in accordance with art. 34 sec. 1 of the Regulation 2016/679, which must contain the information specified in art. 34 sec. 2 of Regulation 2016/679.</p><p> The above assessment is not affected by the fact of asking the wrong recipient to permanently delete the correspondence received. There is no certainty that before these activities, the person did not make e.g. a photocopy or did not record the personal data contained in the document in another way, e.g. by writing them down. Thus, the mere deletion of correspondence does not give any guarantee that the intentions of such a person will not change now or in the future, and the possible consequences of using such categories of data may be significant for the persons whose data was affected by the breach. The same applies to a possible declaration of destruction of the correspondence received, as the Company cannot actually verify it. The WP29 guidelines state: “Whether a controller knows that personal data is in the hands of persons whose intentions are unknown or who may be malicious may be relevant to the level of potential risk. There may be a breach of data confidentiality consisting in an accidental disclosure of personal data to a third party, as defined in Art. 4, paragraph 10, or to another recipient. This may be the case, for example, if personal data is inadvertently sent to the wrong department of the organization or to a supplier organization whose services are widely used. The administrator may request the recipient to return or securely destroy the data received. In both cases - due to the fact that the controller is in a permanent relationship with these entities and may know their procedures, their history and other relevant details concerning them - the recipient can be considered "trusted". In other words, the controller can trust the recipient enough to be able to reasonably expect that the party will not read or access the data sent by mistake and that it will follow the instruction to send it back. " In the present case, however, there are no grounds for recognizing an unauthorized recipient and treating it as a "trusted recipient". Moreover, the Article 29 Working Party clearly states in the guidelines that "in case of any doubts, the controller should report the breach, even if such caution could turn out to be excessive".</p><p> It is also irrelevant that in the present case the breach of personal data protection took place due to the fact that the Company's clients themselves provided the wrong e-mail address to which the policy was to be sent. The data has been made available to an unauthorized addressee, which means that there has been a security breach leading to unauthorized disclosure of personal data, and the scope of this data determines that there is a high risk of violating the rights and freedoms of natural persons. At the same time, it should be emphasized that the data controller allowing the possibility of using e-mail for communication with the client should be aware of the risks related to, for example, incorrect provision of an e-mail address by the client and in order to minimize them, take appropriate organizational and technical measures, such as verification of the address provided, or also encryption of documents sent in this way. As is clear from the notification of a personal data breach (administrator reference [...]) submitted after the initiation of the administrative procedure, these measures did not function properly, since the data controller in point 9B of the above-mentioned In order to minimize the risk of a recurrence of the breach, he decided to conduct a conversation with the agent and train employees of the agency, which will take into account the need to encrypt electronic correspondence addressed to customers and the need to pay attention to the correctness of the contact details provided by the customer.</p><p> Moreover, the infringement also involves, pursuant to Art. 35 sec. 1 of the Act of 11 September 2015 on insurance and reinsurance activities (Journal of Laws 2020, item 895, as amended), in violation of insurance secrecy, which clearly raises the seriousness of the violation and justifies its more rigorous assessment.</p><p> In a situation where, as a result of a breach of personal data protection, there is a high risk of violation of the rights and freedoms of natural persons, the controller is obliged to implement all appropriate technical and organizational measures to immediately identify the breach of personal data protection and promptly inform the supervisory authority, and in cases of high risk of breach rights and freedoms also of data subjects. The controller should fulfill this obligation as soon as possible.</p><p> Recital 85 of the preamble to Regulation 2016/679 explains: "In the absence of an adequate and prompt response, a breach of personal data protection may result in physical, property or non-material damage to natural persons, such as loss of control over own personal data or limitation of rights, discrimination, theft or falsification of identity, financial loss, unauthorized reversal of pseudonymisation, breach of reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage. Therefore, as soon as it becomes aware of a personal data breach, the controller should notify it to the supervisory authority without undue delay, where practicable, no later than 72 hours after the breach is discovered, unless the controller can demonstrate in accordance with the accountability principle that it is unlikely that the breach could cause a risk of violation of the rights or freedoms of natural persons. If the notification cannot be made within 72 hours, the notification should be accompanied by an explanation of the reasons for the delay and the information may be provided gradually without further undue delay. '</p><p> In turn, recital 86 of the preamble to Regulation 2016/679 explains: "The controller should inform the data subject without undue delay of the breach of personal data protection, if it may result in a high risk of violating the rights or freedoms of that person, so as to enable that person to take necessary preventive actions. Such information should include a description of the nature of the personal data breach and recommendations for the individual concerned to minimize any potential adverse effects. Information should be provided to data subjects as soon as reasonably possible and in close cooperation with the supervisory authority, respecting instructions provided by that authority or other relevant authorities such as law enforcement authorities. (...) ".</p><p> Therefore, when deciding to notify the supervisory authority and data subjects about the breach, only after the initiation of administrative proceedings (despite the fact that the information about the event was sent to it on [...] May 2020 by an unauthorized recipient), it practically deprived them of the person, provided without undue delay, reliable information about the breach and the ability to counteract potential damage. Meanwhile, the role of notifying people about a breach of their personal data is primarily to provide data subjects - quick and transparent information about the breach of personal data protection, along with a description of the possible consequences of the breach of personal data protection and the measures that they can take to minimize its possible negative effects.</p><p> As a consequence, it should be stated that the Company notified the personal data breach to the supervisory authority after the deadline specified in Art. 33 paragraph. 1 of Regulation 2016/679 and did not notify data subjects without undue delay of a breach of their data protection, in accordance with art. 34 sec. 1 of the Regulation 2016/679, which means the Company's breach of these provisions.</p><p> According to Art. 58 sec. 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other corrective measures provided for in Art. 58 sec. 2 of Regulation 2016/679, an administrative fine under Art. 83 of the Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Company pursuant to Art. 83 sec. 4 lit. a) of Regulation 2016/679 stating, inter alia, that the breach of the administrator's obligations referred to in art. 33 and 34 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual worldwide turnover from the previous financial year, with the higher amount being applicable.</p><p> Pursuant to art. 83 sec. 2 of Regulation 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 sec. 2 lit. a) - h) and lit. j) Regulation 2016/679. When deciding to impose an administrative fine on the Company, the President of the Personal Data Protection Office - pursuant to Art. 83 sec. 2 lit. a) - k) of Regulation 2016/679 - took into account the following circumstances of the case, necessitating the application of such sanctions in the present case and having an aggravating effect on the amount of the fine imposed:</p><p> a) The nature and gravity of the infringement (Article 83 (2) (a) of Regulation 2016/679).</p><p> The infringement found in the present case is of considerable gravity and serious nature as it is likely to cause pecuniary or non-pecuniary damage to the persons whose data has been breached and is likely to occur.</p><p> Duration of the infringement (Article 83 (2) (a) of Regulation 2016/679).</p><p> The President of UODO considers the long duration of the infringement to be an aggravating circumstance. From the Company becoming aware of a breach of personal data protection ([...] May 2020) to the fulfillment of its obligations referred to in Art. 33 and 34 of Regulation 2016/679, five months have passed, during which the risk of violating the rights or freedoms of persons affected by the violation could be realized, and which could not be prevented by these people due to the Company's failure to comply with the obligation to notify them about the violation.</p><p> b) Intentional nature of the infringement (Article 83 (2) (b) of Regulation 2016/679).</p><p> The company made a conscious decision not to initially notify the President of the Personal Data Protection Office and data subjects about the breach, despite receiving information about the event from an unauthorized recipient and the letters of the President of the Personal Data Protection Office (UODO) addressed to it indicating the possibility of a high risk of violation of rights or freedoms in this case. the persons concerned by the violation. It should be emphasized here that in the past - in the case of violations similar or similar to the discussed - the Company reported them to the President of the Personal Data Protection Office, so it was aware that it should also fulfill this obligation this time.</p><p> c) The degree of responsibility of the administrator, taking into account technical and organizational measures implemented by him pursuant to art. 25 and 32 (Article 83 (2) (d) of Regulation 2016/679).</p><p> The breach found was related to the lack of implementation or incorrect implementation by the Company of organizational and technical measures ensuring data security, i.e. verification of e-mail addresses provided by customers or encryption of files containing personal data sent in electronic messages.</p><p> d) The degree of cooperation with the supervisory authority in order to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).</p><p> In the present case, the President of the Personal Data Protection Office found the cooperation with him on the part of the Company unsatisfactory. This assessment concerns the Company's reaction to the letters of the President of the Personal Data Protection Office indicating the possibility of a high risk of violating the rights or freedoms of persons affected by the violation in this case. Correct, in the opinion of the President of the Personal Data Protection Office (UODO), the actions (notification of the infringement to the President of the Personal Data Protection Office and notification of the persons affected by the infringement) were initiated by the Company only as a result of the formal initiation of administrative proceedings by the President of the Personal Data Protection Office.</p><p> e) Categories of personal data affected by the breach (Article 83 (2) (g) of Regulation 2016/679).</p><p> Personal data made available to an unauthorized person do not belong to special categories of personal data referred to in art. 9 of Regulation 2016/679, however, their wide scope (names and surnames, addresses of residence or correspondence, PESEL numbers, telephone numbers, e-mail addresses and information on the subject of insurance - a passenger car, scope of insurance, payments, assignment, as well as additional provisions resulting from from the contract), is associated with a high risk of violating the rights and freedoms of natural persons.</p><p> f) The manner in which the supervisory authority became aware of the breach (Article 83 (2) (h) of Regulation 2016/679).</p><p> The President of the Personal Data Protection Office was not informed about the breach of personal data protection being the subject of this case, i.e. disclosure to an unauthorized person of personal data processed by the Company acting as the controller of such data, the President of the Personal Data Protection Office was not informed in accordance with the procedure specified in Art. 33 of the Regulation 2016/679. The fact that there is no information about a breach of data protection provided by the controller obliged to provide such information to the President of the Personal Data Protection Office should be considered as incriminating that controller.</p><p> When determining the amount of the administrative fine, the President of UODO also took into account the mitigating circumstances that had an impact on the final penalty, i.e .:</p><p> a) The number of injured data subjects (Article 83 (2) (a) of Regulation 2016/679).</p><p> In the present case, it was established that the infringement concerned the personal data of only two persons. Such a number of persons affected by the infringement, especially in view of the fact that the Company - due to the scale and scope of its activities - processes personal data of a very large number of clients (insured persons and policyholders), should be considered small, which undoubtedly constitutes a mitigating circumstance in the present case .</p><p> b) Actions taken by the controller or the processor to minimize the damage suffered by the data subjects (Article 83 (2) (c) of Regulation 2016/679).</p><p> Even before reporting the violation, the company turned to the wrong recipient with a request to permanently delete the correspondence received. Such action of the Company deserves recognition and approval, however, it does not in any way constitute a guarantee of the actual removal of personal data by an unauthorized person and does not exclude possible negative consequences of their use for data subjects.</p><p> The sanctions imposed by the President of the Office in the present case in the form of an administrative fine, as well as its amount, had no influence on other sanctions indicated in Art. 83 sec. 2 of Regulation 2016/679, the circumstances:</p><p> a) relevant previous violations of the provisions of Regulation 2016/679 by the Company (Article 83 (2) (e) of Regulation 2016/679);</p><p> b) compliance with previously applied measures in the same case, referred to in Art. 58 sec. 2 of Regulation 2016/679 (Article 83 (2) (i) of Regulation 2016/679);</p><p> (c) adherence to approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of Regulation 2016/679 (Article 83 (2) (j) of Regulation 2016/679);</p><p> (d) the financial benefits gained, or losses avoided, directly or indirectly, from the infringement (Article 83 (2) (k)).</p><p> In the opinion of the President of the Personal Data Protection Office, the administrative fine, in the circumstances of the present case, fulfills the functions referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.</p><p> It should be emphasized that the penalty will be effective if its imposition leads to the fact that the Company, which processes personal data professionally and on a mass scale, will fulfill its obligations in the field of personal data protection in the future, in particular with regard to reporting a breach of personal data protection. To the President of the Personal Data Protection Office and to notify about a breach of personal data protection of persons affected by the breach. The application of an administrative fine in this case is also necessary considering the fact that the Company ignored the fact that we are dealing with a breach of data protection both when an event occurs as a result of deliberate action and when it is caused by inadvertent action.</p><p> In the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function, as it will be a response to the Company's breach of the provisions of Regulation 2016/679. It will also fulfill a preventive function; in the opinion of the President of the Personal Data Protection Office, he will indicate to both the Company and other data administrators that they disregard the obligations of administrators related to the occurrence of a breach of personal data protection, and aimed at preventing its negative and often painful consequences for the persons affected consequences or at least a limitation.</p><p> Pursuant to art. 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Art. 83 of Regulation 2016/679, are calculated in PLN at the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28 of each year, and in the event that the National Bank of Poland does not announce the average EUR exchange rate on January 28 in a given year - according to the average the euro exchange rate announced in the nearest exchange rate table of the National Bank of Poland after that date.</p><p> In connection with the above, it should be noted that a fine of PLN 85,588 (in words: eighty-five thousand five hundred and eighty-eight zlotys), which is the equivalent of EUR 20,000 (average EUR exchange rate from January 28, 2020 - PLN 4.2794), in the established circumstances of this case meets the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679 due to the seriousness of the infringement found in the context of the basic objective of Regulation 2016/679 - protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. Referring to the amount of the administrative fine imposed on the Company, the President of the Office for Personal Data Protection decided that it is proportional to the financial situation of the Company and will not constitute a burden for it.</p><p> The amount of the fine has been set at such a level that, on the one hand, it constitutes an adequate reaction of the supervisory body to the degree of violation of the administrator's obligations, on the other hand, it does not result in a situation in which the necessity to pay a financial penalty will entail negative consequences, such as a significant reduction in employment or a significant decrease in the Company's turnover. According to the President of the Personal Data Protection Office, the Company should and is able to bear the consequences of its negligence in the field of data protection, as evidenced by, for example, the Company's financial statements for the period from [...] January 2019 to [...] December 2019, sent to the Personal Data Protection Office in on [...] October 2020</p><p> In this factual and legal state, the President of the Personal Data Protection Office resolved as in the sentence.</p><p></p><p> The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw). A proportional fee should be filed against the complaint, pursuant to Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended). The party (natural person, legal person, other organizational unit without legal personality) has the right to apply for the right to assistance, which includes exemption from court costs and the appointment of an attorney, legal advisor, tax advisor or patent attorney. The right to assistance may be granted at the request of a party submitted before the initiation of the proceedings or in the course of the proceedings. The application is free of court fees.</p><p> According to Art. 105 paragraph. 1 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from on the day when the ruling of the administrative court becomes legally binding, to the bank account of the Office for Personal Data Protection at NBP O / O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 paragraph. 2 above of the Act, the President of the Personal Data Protection Office may, at the justified request of the punished entity, postpone the payment of the administrative fine or divide it into installments. In the event of postponing the payment of the administrative fine or dividing it into installments, the President of the Personal Data Protection Office shall charge interest on the unpaid amount on an annual basis, using a reduced rate of interest for late payment, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2020, item 1325, as amended), from the day following the date of submitting the application.</p><p> According to Art. 74 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.