UODO (Poland) - DKN.5131.29.2022
From GDPRhub
| UODO - DKN.5131.29.2022 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 33(1) GDPR Article 33(3) GDPR Article 34(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 08.12.2022 |
| Decided: | 12.03.2024 |
| Published: | |
| Fine: | 330,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | DKN.5131.29.2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Polish |
| Original Source: | UODO (in PL) |
| Initial Contributor: | nzm |
The DPA imposed a €330,000 (PLN 1,440,549) to a bank for failing to notify the DPA and data subjects of a data breach concerning banking documents which contained numerous personal data, including names and national identification numbers.
English Summary
Facts
In November 2018, an article was published regarding banking documents from Santander Bank Polska S.A. (“controller”), which were found in an abandoned parcel on a housing estate, after it had been stolen during the transportation. The Polish DPA (“UODO”) requested the controller to clarify whether it had notified the DPA and the data subjects of this data breach. The UODO also asked the controller to indicate the number of persons affected by the breach and to explain what measures it had taken to minimize the risk of this type of event occurring again.
The controller responded that the data breach involved a maximum of 158 persons and that the documents were from November 2018. It also indicated that the breach was not reported to the DPA as (i) the parcel was found by one identified person a short time after it was lost, (ii) this person took the documents directly to the police station and it was verified that no documents were missing and (iii) the person admitted that they had not copied the documents. As a result, data subjects were not informed of the breach either.
Regarding the measures taken to minimize the risk of this type of incident reoccurring in the future, the controller explained that a working group had been set up to analyse the incident and develop mechanisms to prevent similar situations from arising in the future (a process had been developed for paper documentation, controls on different levels…).
After receiving this response, the UODO asked the controller to indicate the precise scope of the personal data affected by the breach and to clarify if they were the sole controller of this personal data.
The controller responded that the following data was concerned: names, dates of birth, bank account numbers, home addresses, PESEL registration number (national identification number), email addresses, user names and/or passwords, data on earnings and/or assets, ID card numbers, phone numbers, information about bank products (loans, bank accounts, names of contracts…), dates of insurance, information about insured properties. The controller indicated that the breach did not concern data referred to in Articles 9 and 10 GDPR.
On 8 December 2022, the UODO initiated proceedings against the controller.
Holding
Regarding the personal data breach in itself, under Articles 33(1) and 33(3) GDPR, the controller is obliged to notify the competent national supervisory authority without undue delay and where feasible, no longer than 72 hours after becoming aware of it, unless the breach is not likely to pose a risk to the rights and freedoms of the data subjects. Article 34(1) GDPR establishes that when a data breach is likely to result in a high risk to the rights and freedoms for data subjects, the controller must communicate the breach to the data subjects without undue delay.
Therefore, if a risk of infringement to the rights and freedoms of data subjects is low, the controller is not obliged to report the infringement to the DPA. When a controller detects a personal data breach, it is first necessary to carry out an analysis with regard to the risk of a violation to data subjects. The UODO emphasized that this assessment should be made through the lens of the data subject at risk, and not the interests of the controller.
In the present case, the DPA held that the controller, due to the scale and object of its activity (provision of various types of financial services), processes the personal data of a very large number of customers. The UODO considered that there was no certainty that before the person who delivered the documents to the police station, the documents had not been seen by other persons. There was also no doubt that the data subjects could easily be identified based on the data disclosed.
The UODO pointed out that the assessment made by the controller was based on the belief that the person who came into possession of the parcel was an honest finder. The UODO considered that a third party who found a parcel of bank documentation containing very detailed personal data of the controller’s clients and who does not have any relationship with the controller does not allow them to be assumed to be a trusted recipient.
In addition, the DPA considered that according to EDPB Guidelines 9/2022, a data breach can potentially cause a number of negative consequences for the data subject, for example identity theft, identity fraud, financial loss etc. In the present case, given the scope of the personal data, especially the PESEL registration numbers alongside first and last names, the UODO considered that there was a high probability of these damages occurring. In particular, the DPA indicated that the EDPB recognized the importance of national identification numbers and stressed that this type of data breach requires the implementation of actions, including the notification of the DPA and data subjects.
The DPA also added that the notification of the breach to data subjects under Article 34(1) GDPR is not made conditional on the existence of an infringement of the rights and freedoms of the data subjects affected by the breach.
In light of all these considerations, the UODO concluded that in the present case, there was a high risk of infringement of the rights of the data subjects affected by the breach. Therefore, the controller should have notified the DPA under Article 33(1) GDPR and the data subjects affected by the breach under Article 34(1) GDPR.
Regarding the corrective measure taken, the UODO took multiple elements into account: firstly, the DPA considered the nature of the processing, the number of data subjects affected and the extent of the damage suffered by them.
Secondly, the DPA took into account the fact that the controller made a conscious decision not to notify the breach to the DPA, as well as the data subjects. The UODO considered that there was no doubt that the controller, who processes personal data on a mass scale, had knowledge of the consequences of ascertaining a personal data breach resulting in a high risk for the rights and freedoms of the data subjects. The controller was therefore aware of its responsibility, but disregarded its obligations and neglected to notify the DPA and data subjects.
Finally, the UODO also looked into any relevant previous breaches by the controller, and found violations that were related to data breaches. It also took into account, among other things, the degree of cooperation with the DPA to remedy the breach, the categories of personal data affected, the actions taken by the controller to minimize the breach, how the DPA became aware of the breach.
Thus, the DPA imposed a PLN 1,440,549 (€330,000) fine to the controller. The UODO also ordered the controller to notify the data subjects affected by the breach within 3 days of the notification of the decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Based on Article. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775, as amended), Art. 7(1) 1 and 2 and art. 60, art. 101 and art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), as well as Art. 57 section 1 letter a) and h), art. 58 section 2 lit. e) and i), Art. 83 section 1, 2 and 3, art. 83 section 4 lit. a) in connection with Art. 33 section 1 and art. 34 section 1, 2 and 4 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on data protection) (OJ EU L 119 of 04/05/2016, p. 1, OJ L 127 of 23/05/2018, p. 2 and OJ L 74 of 4/03/2021, p. 35), hereinafter referred to as "Regulation 2016/679", after ex officio administrative proceedings initiated regarding the violation of personal data protection provisions by Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warszawa) President of the Personal Data Protection Office,1) noting a violation by Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warszawa) provisions: a) Art. 33 section 1 of Regulation 2016/679, consisting in failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach, b) Art. 34 section 1 of Regulation 2016/679, consisting in failure to notify data subjects about a breach of personal data protection without undue delay,
imposes on Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warsaw) an administrative fine in the amount of PLN 1,440,549 (in words: one million four hundred and forty thousand five hundred and forty-nine zlotys),2) ordered by Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warszawa) notify - within 3 days from the date of delivery of this decision - persons whose data protection was violated as a result of an event entered in the Personal Data Breach Register of Santander Bank Polska S.A. under the number (...), about the violation of the protection of their personal data in order to provide these persons with the information required in accordance with Art. 34 section 2 of Regulation 2016/679, i.e.: a) description of the nature of the personal data protection breach; b) name and contact details of the data protection officer or designation of another contact point from which more information can be obtained; c) description of the possible consequences of the data protection breach personal data; d) a description of the measures taken or proposed by the controller to address the breach - including measures to minimize its possible negative effects.
Justification
On August 23, 2022, the President of the Personal Data Protection Office, hereinafter also referred to as the "President of the Personal Data Protection Office" or the "supervisory authority", from an article published on the website (...) at (...), received information about a breach of the protection of personal data of Santander Bank customers Polska S.A. with its registered office in Warsaw, hereinafter referred to as: "Bank" or "Administrator", consisting in making public bank documents contained in a parcel abandoned in a housing estate in K., after it was previously stolen during transport by a courier company. The article itself was published on (...) November 2018, while the incident took place on (...) November 2018. The entry shows that "(...)". The website also reported about the incident two days earlier (...).
In connection with the above, in a letter of August 25, 2022, the President of the Personal Data Protection Office, pursuant to Art. 58 section 1 letter a) and e) of Regulation 2016/679, asked the Bank to clarify whether, in connection with the event, the Bank reported, in accordance with Art. 33 of Regulation 2016/679, the President of the Personal Data Protection Office (UODO), a breach of personal data protection in the above scope, and if so, when and how it was done and whether the Bank fulfilled the obligation to notify data subjects about the breach of their personal data, pursuant to Art. 34 section 1 and 2 of Regulation 2016/679. The President of the Personal Data Protection Office also asked for information on: when and how the Bank determined that the documents indicated in the letter had been made public, the number of persons affected by the personal data protection breach in question, the period from which the public documents come from and an explanation of what actions were taken to minimize the risk of recurrence of this type of events in the future.
In a letter of September 5, 2022, the Bank asked the President of the Personal Data Protection Office to extend the deadline for responding to September 16, 2022, justifying it with the need to "reliably establish (with many people representing various units in the bank), namely: to investigate by the Bank the circumstances of the event after its disclosure; the premises of the bank's assessment of the event; conclusions and actions that the bank took in connection with the occurrence of this event in order to comprehensively answer the questions of the President of the Personal Data Protection Office.
The response provided by the Bank in a letter of September 16, 2022 shows that the Bank determined that the documents indicated in the supervisory authority's letter were found in a block of flats in K. on (...) November 2018. This was done by the unit (…) by monitoring news appearing on the Internet. On the website (…) she found an entry regarding the discovery of the Bank's documents in a block of flats in K. Two days later, the website (…) also reported the incident. The personal data protection breach in question affected a maximum of 158 people (this number was determined on the basis of the data included in the documentation sent, indicating the identification numbers of the customers whose documents were found). The published documents came from the period from (...) November 2018 to (...) November 2018 (date of sending the parcel to (...) the Bank Branch in K.). The personal data protection breach was not reported to the President of the Personal Data Protection Office. The following circumstances influenced this decision:
the parcel was found by one identified person shortly after it was lost by the courier;
it has been verified that no documents are missing; the person who found the documents took them directly to the police station;
this person admitted that he did not copy the documents.
Therefore, the data subjects were not informed about the personal data protection breach.
The bank also described what actions were taken to minimize the risk of recurrence of this type of events in the future, therefore a working group was established whose task was to analyze the event and develop mechanisms to prevent similar situations from occurring in the future. "(...) As a result, work of this group: 1) a "Standard" was developed for the process of sending paper documentation, including: a. preparation of the shipment / packaging method - use of (...). The label (...) has the following content: "(...)"b. control of the "Standard" at three levels: i) control on the courier's side - (...),ii) control carried out by (...),iii) control on the G side - (...),c. reaction to events (detected irregularities). 2) an alert check was carried out on the correctness of sending the parcels with G documentation. As a result of this check, the following post-control activities were established: - Instructions for sending parcels for Bank Branches were prepared, - e-mails were sent to each branch that incorrectly sent the parcel with information on how to correctly send the parcel with documentation to G., - involvement of direct control employees - during visits to branches, they instruct branch employees how to properly send parcels with documentation, 3) talks were initiated with the courier regarding the communication process, including in particular: i) required times and methods of reaction to reported irregularities / identified events,ii) communication tools,iii) documenting explanations / statements.
In connection with the explanations provided so far in the matter, in a letter of October 6, 2022, the President of the Personal Data Protection Office additionally asked the Administrator to: 1) indicate the exact scope of personal data contained in the banking documentation covered by the personal data protection breach in question; 2) explanation , or in relation to the disclosed personal data of Santander Bank Polska S.A. customers. is the sole controller of personal data; alternatively, if personal data whose administrators are also other entities were disclosed, the Bank notified them about this personal data protection breach.
In a letter of October 20, 2022, the Bank requested an extension of the deadline for responding to the above letter until October 27, 2022. In the response of October 27, 2022, the Administrator indicated that the documentation covered by the breach in question included the following categories of personal data : surnames and first names, dates of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, usernames and/or passwords, data on earnings and/or assets, series and numbers of ID cards, telephone numbers , information about banking products, loans, bank accounts, i.e. names of contracts, dates of their conclusion, details of these products, information about property insurance policies, i.e., among others policy numbers, dates of issue, insured amounts, insurance premiums, information regarding the insured property. At the same time, the Bank indicated that the banking documentation covered by the personal data protection breach in question did not contain the data referred to in Art. 9 or art. 10 of Regulation 2016/679. Moreover, the banking documentation covered by the personal data protection breach in question included two insurance policies issued for property insurance contracts of the bank's clients. In the scope of these insurance contracts, the data administrator are insurance companies that were not notified by the Bank about the personal data protection breach.
In the absence of reporting a personal data protection breach to the President of the Personal Data Protection Office and in the absence of notification of a personal data breach of the persons affected by the breach, on December 8, 2022, the President of the Personal Data Protection Office initiated administrative proceedings ex officio against the Bank regarding the possibility of a violation by the Bank of Art. 33 section 1 and art. 34 section 1 and 2 of Regulation 2016/679.
When initiating administrative proceedings, the President of the Personal Data Protection Office called on the Bank to indicate, among others: on what basis did the administrator decide that there was a breach of the protection of personal data of Santander Bank Polska S.A. customers? does not require reporting to the supervisory authority and results in no need to notify the persons affected by the breach. At the same time, the President of the Personal Data Protection Office requested the submission of a risk analysis for this violation.
In response to the notification of the initiation of administrative proceedings in the case in question, in a letter dated December 19, 2022, the Bank sent additional explanations, in which it indicated that the breach of the protection of personal data of the Bank's customers, which occurred as a result of the theft of a shipment containing the Bank's documentation during its transport in courier company, and then abandoning an open parcel in a gated housing estate in K., was entered into the Personal Data Breach Register of Santander Bank Polska S.A., under number (...). The assessment of the risk of violating the rights and freedoms of the data subject was set at a low level, and this assessment was influenced by the following circumstances: the parcel was found by one identified person shortly after its loss by the courier; The bank verified that no documents were missing; the person who found the documents took them directly to the police station; this person admitted that he did not copy the documents.
As a result of this assessment, this incident was not reported to the President of the Personal Data Protection Office. At the same time, the Bank did not decide to notify the persons affected by this violation.
After reviewing all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:
In accordance with the definition contained in Art. 4 point 12 of Regulation 2016/679, "personal data protection breach" is a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.
Art. 33 section 1 and 3 of Regulation 2016/679 states that in the event of a personal data protection breach, the controller shall, without undue delay - whenever possible, no later than 72 hours after discovering the breach - report it to the competent supervisory authority in accordance with Art. 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification submitted to the supervisory authority after 72 hours is accompanied by an explanation of the reasons for the delay. The notification referred to in section 1, must at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data entries affected by the breach; b) contain the name and contact details of the data protection officer or another contact point from which more information can be obtained; c) describe the possible consequences of a personal data breach; d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.
In turn, pursuant to Art. 34 section 1 of Regulation 2016/679, in a situation where there is a high risk of violating the rights and freedoms of natural persons, the controller is obliged to notify the data subject about the breach without undue delay. Article 34 section 2 of Regulation 2016/679 states that a proper notification should: 1) describe the nature of the personal data breach in clear and plain language; 2) contain at least the information and measures referred to in Art. 33 section 3 lit. b), c) and d) of Regulation 2016/679, i.e.: a) name and surname and contact details of the data protection officer or designation of another contact point from which more information can be obtained; b) description of the possible consequences of a personal data protection breach; c) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.
From the analysis of the above The provisions therefore indicate that depending on the level of risk of violating the rights and freedoms of natural persons, the controller has different obligations towards the supervisory authority and the data subjects. If, as a result of the analysis, the administrator finds that the risk of violating the rights and freedoms of natural persons is low, he is not obliged to report the violation to the President of the Personal Data Protection Office. The indicated violation must only be entered in the internal register of violations. If a risk of violating the rights and freedoms of natural persons is identified, the controller is obliged to report the data protection breach to the President of the Personal Data Protection Office, as well as to place an entry in the internal register of violations. The occurrence of a high risk of violating the rights and freedoms of natural persons, in addition to an entry in the register of violations, requires the administrator to take appropriate actions, both towards the supervisory authority (reporting a data protection breach), but also towards the data subjects. In the case of personal data protection breaches that may result in a high risk of violating the rights and freedoms of the data subject, Regulation 2016/679 introduces an additional obligation for the controller to immediately notify the data subject, unless the controller has taken preventive measures before the breach or remedial measures have been taken after the breach. occurrence of an infringement (Article 34(3) of Regulation 2016/679).
As follows from the above, if the administrator detects a personal data protection breach, it is first necessary to analyze the risk of violating the rights and freedoms of natural persons. The administrator is released from the obligation to notify the supervisory authority about a violation if the conducted examination shows that there is at most a low probability of a risk of violating the rights and freedoms of natural persons. However, it should be taken into account that the supervisory authority will be able to ask the controller to justify the decision not to report the breach, therefore the conclusions from the analysis should be recorded in the internal record of breaches. It is worth recalling that the European Data Protection Board (EDPB) Guidelines No. 9/2022[1], adopted on March 28, 2023, include recommendations on reporting personal data protection breaches to the supervisory authority.
It should be emphasized that the assessment of the risk of violating the rights and freedoms of a natural person should be made from the perspective of the person at risk, and not the interests of the administrator. This is particularly important because, based on a personal data breach notification, an individual can assess for themselves whether they believe a security incident may result in negative consequences for them and take appropriate remedial action. Also, based on the information provided by the controller regarding the description of the nature of the breach and the measures taken or proposed to remedy the breach, an individual may assess whether, after a personal data breach, the data controller still guarantees the proper processing of his or her personal data in a manner that ensures their security. . Failure to notify a natural person about a breach of personal data protection in the event of a high risk of violating his or her rights or freedoms deprives him or her not only of the opportunity to respond appropriately to the breach, but also of the opportunity to independently assess the breach, which concerns his or her personal data and may cause serious consequences for him or her. . However, failure to report a personal data protection breach deprives the supervisory authority of the opportunity to respond appropriately to the breach, which consists not only in assessing the risk of breach to the rights and freedoms of a natural person, but also, in particular, in verifying whether the controller has applied appropriate measures to remedy the breach and minimize negative consequences. effects on data subjects, as well as whether it has applied appropriate security measures to minimize the risk of a recurrence of the breach.
Reporting personal data protection breaches by controllers is therefore an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights and freedoms of data subjects and - if such a risk occurred - whether they have provided appropriate information to natural persons affected by the breach. In justified cases, they may also provide information that, in their opinion, notification is not necessary due to the fulfillment of the conditions specified in Art. 34 section 3 lit. a) and b) of Regulation 2016/679. The President of the Personal Data Protection Office verifies the assessment made by the controller and may - if the controller has not notified the data subjects - request such notification from the controller. Reports of personal data protection breaches allow the supervisory authority to respond appropriately to limit the effects of such breaches, as the controller is obliged to take effective actions to ensure the protection of natural persons and their personal data, which will, on the one hand, allow for control of the effectiveness of existing solutions and, on the other hand, the assessment of modifications and improvements to prevent irregularities similar to those covered by the infringement. However, notifying natural persons about a breach provides them with the opportunity to provide them with information on the risks associated with the breach and to indicate the actions they can take to protect themselves against the potential negative effects of a personal data breach (this allows the individual to independently assess the breach in the context of the breach). the possibility of materializing negative consequences for such a person and making a decision to apply or not to apply remedial actions).
Santander Bank Polska S.A. Due to the scale and scope of its activities, i.e. the provision of various types of financial services, it processes personal data of a very large number of customers with whom it concludes contracts for the provision of banking services. In the case under consideration, personal data of the Bank's Customers included in the banking documentation in the scope of: name and surname, date of birth, bank account number, address of residence or stay, PESEL registration number, e-mail address, username and/or password, earnings data and/or owned property, series and number of ID card, telephone number, information about banking products, loans, bank accounts, i.e. names of contracts, dates of their conclusion, details of these products, and also information about property insurance policies, i.e. incl. policy numbers, date of issue, sum insured, insurance premiums, and information regarding the insured property were read by an unauthorized person. In addition, data related to the conclusion of contracts and their content were disclosed. It is also unclear whether other people had read the documents before the person who delivered the documents in question to the police station, as they were in a publicly accessible place. Therefore, there is no doubt that data subjects can be easily identified based on the disclosed data.
Consequently, the very assessment of the breach carried out by the controller in terms of the risk of violating the rights and freedoms of natural persons is necessary to determine whether there has been a data protection breach resulting in the need to notify the President of the Personal Data Protection Office (Article 33(1) and (3) of Regulation 2016/679) and the persons affected by the infringement (Article 34(1) and (2) of Regulation 2016/679) should, as it should be emphasized once again, be made from the perspective of the person affected by the infringement. Accidental disclosure of personal data, even to one identified person, may lead to an increase in the scale of the breach and thus the risk of violating the rights and freedoms of the data subject. At the same time, the Administrator did not demonstrate, in accordance with the principle of accountability referred to in Art. 5(1) 2 of Regulation 2016/679 that the person who found the parcel may be considered the so-called trusted recipient. The explanations provided by the Bank in a letter of September 16, 2022 show that it refrained from reporting the violation in question to the supervisory authority because "the parcel was found by one identified person shortly after it was lost by the courier." The risk assessment was based on the belief that the person who came into possession of the shipment with the Bank's documents is the so-called "honest finder" because "it was verified that no documents were missing", "the person who found the documents took them directly to the police station" and "the person admitted that he did not copy the documents." Taking the above into account, in the opinion of the Administrator, "the assessment of the risk of violating the rights and freedoms of the data subject has been set at a low level."
For a better illustration of cases of personal data protection violations resulting in accidental disclosure of data to an unauthorized person, please refer to Guidelines 9/2022, which indicates a case of data confidentiality violation involving the mistaken disclosure of personal data to a third party or other recipient in a situation where when these data are accidentally sent to the wrong department of the organization or to the supplier organization whose services the administrator uses. The administrator then has grounds to consider the unauthorized recipient as trusted because he or she remains in permanent relations with such an entity, knows its procedures and can trust the recipient enough to reasonably expect that the recipient will not mistakenly read the sent data or gain access to the them, as well as fulfill the order to send them back. Even in a situation where the data has been accessed, the administrator can still trust the recipient that he will not take any inappropriate actions and will return the data immediately to the administrator. As the EDPB further points out, in the case described above, the controller may take into account the fact that the recipient is a trusted person in the risk assessment carried out following the breach. However, this is certainly not the case in this case. A third party who, quite accidentally, found a parcel with banking documentation containing very detailed personal data of the Bank's Customers, does not remain in any relationship with the Bank that would allow it to be assumed that it is a trusted recipient, in accordance with the above position of the EDPB.
Referring to the above, it should be noted that it is also irrelevant that the data was made available to only one identified person, rather the fact that the parcel was found by one identified person is important. As previously mentioned, the Bank is not sure how many people could have had access to the abandoned parcel, because, as it states, it was stolen during transport by a courier company, which should sufficiently influence the proper assessment of the incident in question, adequate to the circumstances. security, including assessment of the risk of violating the rights and freedoms of natural persons. Even if the wrong recipient is a person known to the Administrator (e.g. his client who reports an error), there is no guarantee that the intentions of this person will not change. The above assessment is also not influenced by the fact of obtaining a declaration from the wrong recipient about keeping the Bank's Customers' data confidential, or, as was the case in this case, by admitting that the person did not copy the documents. It is not certain whether, before submitting the declaration, the person did not make a copy or record the personal data contained in the documentation in another way, e.g. by writing it down. The Bank also has no way of actually verifying that the unauthorized recipient has not transferred the Bank's Customers' data to third parties or has a copy of this data. The Provincial Administrative Court in Warsaw expressed a similar opinion, in its judgment of January 21, 2022, ref. no. no. II SA/Wa 1353/21, indicated that "(...) there is no certainty that before these activities, the person did not make, for example, a photocopy or did not record the personal data contained in the content of the document in another way, e.g. writing down. The mere performance of the activities indicated in the declarations submitted by a third party - an unauthorized recipient - does not guarantee that the intentions of such a person will not change now or in the future, and the possible consequences of using such categories of data may be significant for the persons whose data were subject to the breach. . It should be emphasized once again that a declaration made by an unauthorized person does not mean that the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons and does not exclude the assumption that there is a high risk of violating the rights and freedoms of data subjects. .
As indicated in Guidelines 9/2022, a breach of personal data protection may potentially cause a number of negative consequences for the natural persons whose data is subject to the breach. The possible effects of a violation of the EDPB include: physical damage, material or non-material damage. Examples of such damages include, but are not limited to: discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of confidentiality of personal information and significant economic or social harm. In this case, there is no doubt that due to the scope of data covered by the personal data protection breach in question, including PESEL registration numbers along with names and surnames, there is a high probability of the above-mentioned damages occurring.
First of all, it should be emphasized that the personal data protection breach concerned the PESEL registration number, i.e. an eleven-digit numerical symbol that clearly identifies a natural person, containing, among others: date of birth and gender, and is therefore closely related to the private sphere of the natural person and is subject to also, as a national identification number, exceptional protection under Art. 87 of Regulation 2016/679 - being data of a special nature and requiring special protection. The PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal circles. The PESEL number together with the name and surname clearly identifies a natural person, in a way that allows the negative effects of the violation (e.g. identity theft, loan fraud) to be attributed to that specific person. Moreover, it should be taken into account that as a result of the personal data protection breach in question, these registration numbers along with the name and surname of the Bank's clients were made available to at least one unauthorized person, which may be sufficient to "impersonate" the subject of these data. and incurring, on behalf of and to the detriment of, such an entity, e.g., monetary liabilities (see: https://www.bik.pl/poradnik-bik/wyluzenie-kredytu-tak-dzialaja-oszusci - where a case is described in which: "Only the name , name and PESEL number were enough for fraudsters to extort several loans worth tens of thousands of zlotys. Nothing else was correct: neither the ID card number nor the address). emphasize - 158 people also concerned a huge range of other data identifying these people, such as contact details (which, as is commonly accepted, include the address of residence or stay, telephone number and e-mail address), date of birth, bank account numbers, series and numbers of ID cards , usernames and/or passwords, data regarding earnings and/or owned assets, or the content of the contracts regarding banking products (names of the contracts, dates of their conclusion, details of these products) and a number of information related to property insurance policies (including policy numbers, dates of issue, insured amounts, insurance premiums, information regarding the insured property). A key factor in risk assessment is the type and sensitivity of personal data exposed as a result of the breach. Guidelines 9/2022 emphasize that a collection of various personal data is usually more sensitive than individual data.
It is worth citing one of the examples included in the Guidelines of the European Data Protection Board 01/2021[2] (case no. 14, p. 31), relating to the situation of "sending highly confidential personal data by mistake". In the above-mentioned case guidelines, the social security number, which is the equivalent of the PESEL number used in Poland, was disclosed. In this case, the EDPB had no doubt that the disclosed data in the scope of: name and surname, e-mail address, postal address, social security number indicate a high risk of violating the rights and freedoms of natural persons ("involvement of their [victims'] social security number social media, as well as other, more basic personal data, further increases the risk, which can be described as high). The EDPB recognizes the importance of national identification numbers (in this case the PESEL number), at the same time emphasizing that this type of personal data protection breach, which includes data such as: name and surname, e-mail address, correspondence address and social security number, requires the implementation of actions, i.e.: notification of the supervisory authority and notification of the breach to data subjects.
The European Data Protection Board has no doubt that an individually assigned number uniquely identifying a natural person should be subject to special protection, and its disclosure to unauthorized entities may involve a high risk of violating the rights and freedoms of natural persons.
The EDPB also points out in other examples provided in Guidelines 01/2021 that data that uniquely identifies a natural person may result in a high risk of violating rights or freedoms. Points 65 and 66 of Guidelines 01/2021 indicate: "(...) The breached data allows for the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by the attacker to guess customer passwords or to conduct a spear phishing campaign aimed at bank customers. For these reasons, the data breach has been deemed likely to result in a high risk to the rights and freedoms of all data subjects. Therefore, material (e.g. financial losses) and intangible (e.g. identity theft or fraud) damage may occur.”
The Provincial Administrative Court in Warsaw did not have similar doubts (that the disclosure of the PESEL number together with other personal data may result in a high risk of violating the rights and freedoms of natural persons), in its judgment of September 22, 2021, ref. no. no. II SA/Wa 791/21, stated that "There is no doubt that the examples of damage mentioned in the guidelines may occur in the case of persons whose personal data - in some cases, including the PESEL registration number or the series and number of the ID card - have been recorded on shared recordings. Not without significance for such an assessment is the possibility of identifying persons whose data were subject to the breach, based on the disclosed data. Further, in the cited ruling, the Court indicated that "The data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases also the PESEL registration number or the series and number of the ID card, determines the that there is a high risk of violating the rights and freedoms of natural persons.” When considering the above issues, it is also necessary to recall the position of the Provincial Administrative Court in Warsaw expressed in the judgment of July 1, 2022 issued in the case with reference number file II SA/Wa 4143/21. In justification of this judgment, the Court stated that: "It should be agreed with the President of the Personal Data Protection Office that the loss of confidentiality of the PESEL number in combination with personal data, such as: name and surname, registered address, bank account numbers and the identification number assigned to the Bank's clients - CIF number , involves a high risk of violating the rights and freedoms of natural persons. In the event of a breach of data such as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects. Therefore, in the case in question, the Bank should have acted without undue delay, pursuant to Art. 34 section 1 GDPR, to notify data subjects about a personal data breach so as to enable them to take the necessary preventive measures” (my emphasis). It is also worth mentioning the judgment of August 31, 2022, ref. no. No. II SA/Wa 2993/21, in which the Provincial Administrative Court in Warsaw emphasized that "(...) the authority correctly assumed that there was a high risk of violating the rights and freedoms of persons affected by the violation in question due to the possibility of easy, based on the disclosed data , identification of persons whose data was subject to the breach. These data include name and surname, correspondence address, telephone number, and PESEL number of persons with Polish citizenship. In this situation, the controller was obliged to notify data subjects about the breach without undue delay. The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgments of November 15, 2022, ref. no. no. II SA/Wa 546/22, of June 21, 2023, ref. no. no. II SA/Wa 150/23 and of November 6, 2023, ref. no. no. II SA/Wa 996/23.
In the light of the above, it is also worth mentioning the judgment of the Supreme Administrative Court in Warsaw of December 6, 2023, ref. no. No. III OSK 2931/21, which stated: "The President of the Personal Data Protection Office correctly determined that the data was shared, among others. in the field of names and surnames, as well as PESEL numbers of natural persons, i.e. relatively permanent and unchangeable data, the disclosure of which may always pose a risk of negative consequences for the above-mentioned. people. Similarly, residential addresses are personal data whose unauthorized disclosure creates a high risk of negative legal consequences, regardless of the fact that the addresses were disclosed several years after their update.
From the latest infoDOK report[3] (which is prepared as part of the social Information Campaign of the DOCUMENTS RESTRICTED System, organized by the Polish Bank Association and some banks, under the patronage of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation) , it shows that in the third quarter of 2023 alone, there were 2,587 attempts to extort loans and credits for a total amount of PLN 104.1 million. Throughout 2021, there were 8,096 loan fraud attempts for a total amount of PLN 336.6 million, and in 2022, there were 8,079 loan fraud attempts.
Moreover, according to court decisions, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time. As an example, we can mention the judgment of the District Court in Łęczyca of July 27, 2016 (reference number I C 566/15), in which fraudsters taking out a loan using someone else's data used a PESEL number, a fictitious address and an incorrect ID number (invalid). . In justification of the above-mentioned judgment, the Court stated that:
"The evidentiary proceedings conducted and the analysis of the documents attached by the plaintiff result in the unambiguous conclusion that in the case under consideration the defendant was not a party to the loan agreement concluded on May 5, 2014. Although the PESEL number of the defendant J. R. was used when concluding the agreement, but the indicated place of residence does not correspond to the place of residence of the defendant. The defendant J. R. never lived in Warsaw. The loan amount was transferred to an account that was not owned by the defendant. On the date of conclusion of the loan agreement, the ID card no. (...) expired on March 15, 2014. The mobile phone number indicated in the loan agreement and its annexes does not match the actual telephone numbers used and used by the defendant.
In another case (I C 693/16), the District Court in Zgierz ruled in its judgment of November 4, 2016: "The defendant's personal data in the form of his name and surname and PESEL number, which were consistent with the defendant's data, did not prove that On December 17, 2014, the defendant submitted a declaration of will to conclude a loan agreement. It cannot be ruled out that a person who unauthorizedly gained access to the defendant's personal data concluded a loan agreement on his account with (...) sp. z o.o. S.K.A. with its registered office in W. In the present case, the defendant demonstrated that he has never lived at the address indicated in the loan agreement and that the telephone number and e-mail address used to register on the website and submit the loan application belonged to him.
There are still many cases related to loan fraud, where unknown people usually only have their name and surname and the correct PESEL number (the other data is false), which is confirmed by the judgments issued by courts in these cases. Below are some examples:
Judgment of the District Court for Łódź-Widzew in Łódź of August 13, 2020 in the case with reference number file II C 1145/19, in which a third party unknown to the defendant illegally took possession of his PESEL number and ID card number, and the remaining address details - indicated in the loan agreement - were false - "In the opinion of the Court, the evidence offered by the defendant - especially documents from the files of a criminal case pending before the District Court in Tarnowskie Góry with file reference number VI K 383/16 - prove that the loan agreement of November 8, 2014 was concluded by a third party using some of Z. A.'s personal data. She provided a false address residence, where the defendant has never lived, and the loan amount was transferred to a bank account that did not belong to Z. A. [...] and the ID card number provided in this agreement was an ID number that the defendant no longer used on the date of concluding the loan agreement, as this evidence had expired approximately 8 months previously”;
Judgment of the District Court in Pisz of August 21, 2020, ref. no. file I C 260/20 - "[...] The court found that when concluding the contract in question, the defendant's data was used in an unauthorized manner and entered as the borrower's data, although the defendant was not a party to the contract. The defendant's position is confirmed by the notification he submitted about committing the crime of fraud to his detriment, as well as by the fact that the prosecutor's office is conducting proceedings in this case against the person indicated by the defendant. As an aside, it should be noted that also in the proceedings for payment pending before this court, ref. no. files I C 1/19 and I C 482/19, where E. M. also acted as a defendant, and where financial obligations were incurred in his name and surname in the same circumstances as in the present proceedings, final judgments were also issued dismissing the claim. In the court's opinion, the circumstances of concluding the contract for the reason that the first name and surname of the borrower and his PESEL number are the same, and there is a discrepancy as to the remaining data resulting from the content of the defendant's ID card, i.e. the series and number of this document, the address of residence, taking into account the fact that criminal trial in relation to a person who allegedly impersonated the defendant in order to conclude distance contracts and incur financial obligations in various institutions, clearly indicate that it was not the defendant who concluded the loan agreement no. (...) with the plaintiff's legal predecessor;
Judgment of the District Court in Puławy of April 7, 2022 in the case with reference number file I C 475/19, in which the Court clearly admitted that "[...] evidence enabling the verification of the defendant as a party to the contract in question is not the mere indication of his personal data: name, surname, PESEL number, as well as the series and number of the ID card in the content contract - in particular when the loan is concluded via an online platform, so obviously the lender is not able to directly verify the identity of the other party, and the contract itself is not confirmed by the borrower's signature.
It should also be borne in mind that the Administrator's performance of his obligation under Art. 34 section 1 of Regulation 2016/679 may not be made dependent on the existence of a violation of the rights and freedoms of natural persons whose data are affected by the personal data protection breach. The same applies to the obligation arising from Art. 33 section 1 of Regulation 2016/679 as stated by the Provincial Administrative Court in Warsaw in the judgment of September 22, 2021 issued in the case with reference number II SA/Wa 791/21: "It should be emphasized that the possible consequences of the event do not have to materialize. In the content of art. 33 section 1 of Regulation 2016/679 indicates that the very occurrence of a breach of personal data protection, which involves a risk of violating the rights and freedoms of natural persons, implies the obligation to report the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons. natural persons” (this Court ruled similarly in the previously cited judgment of July 1, 2022, issued in the case with reference number II SA/Wa 4143/21 and in the judgments of August 31, 2022, reference number II SA/Wa 2993/21, of November 15, 2022, ref. no. II SA/Wa 546/22 and of April 26, 2023, ref. no. II SA/Wa 1272/22). When applying the provisions of Regulation 2016/679, the purpose of this regulation (expressed in Article 1(2)) should be taken into account, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. In turn, the protection of natural persons with regard to the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators - including in the event of a personal data protection breach - these values should be taken into account in the first place.
It is worth emphasizing that when assessing the risk of violating the rights and freedoms of natural persons, which determines, among others, reporting a personal data protection breach, the probability factor and the importance of potential negative effects should be taken into account jointly. A high level of any of these factors affects the overall grade, which determines the completion of, among others: the obligation specified in Art. 33 section 1 of Regulation 2016/679. Bearing in mind that due to the scope of personal data disclosed, in the analyzed case there was a possibility of serious negative consequences for data subjects, the importance of the potential impact on the rights and freedoms of natural persons should be considered high. At the same time, the probability of a high risk occurring as a result of the breach in question is not small and has not been eliminated. Thus, it should be stated that in connection with the breach in question, there was a high risk of violating the rights and freedoms of data subjects, which consequently determines the obligation to report a personal data protection breach to the supervisory authority.
In Guidelines 9/2022, the EDPB, indicating the factors that should be taken into account when assessing the risk, refers to recitals 75 and 76 of Regulation 2016/679, which suggest that the administrator should take into account both the probability of occurrence and the seriousness of the threat to the rights or freedoms of the person whose data applies. In the event of a personal data protection breach, the controller should focus on the risk of the breach resulting from the breach on a natural person. Therefore, when assessing the risk to an individual arising from a personal data breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. Therefore, when assessing the risk, the EDPB recommends taking into account criteria such as the type of breach, the nature, sensitivity and amount of personal data, as well as ease of identification, as they may affect the level of risk for natural persons. The risk of violating the rights and freedoms of a natural person in accordance with Guidelines 9/2022 will be greater when the consequences of the violation are more serious, as well as when the likelihood of their occurrence increases. The guidelines indicate that in case of any doubts, the administrator should report a violation, even if such caution might prove excessive.
To summarize the above considerations, it should be stated that in the case in question there is a high risk of violating the rights and freedoms of persons affected by the breach, which in turn results in the Bank's obligation to report the personal data protection breach to the supervisory authority, in accordance with Art. 33 section 1 of Regulation 2016/679, which must include the information specified in Art. 33 section 3 of Regulation 2016/679 and notifying persons about the infringement, in accordance with Art. 34 section 1 of Regulation 2016/679, which must include the information specified in Art. 34 section 2 of Regulation 2016/679. A bank that, due to the nature of its activities, processes personal data on a massive scale should be aware of the legal obligations related to identifying a personal data protection breach. Informing the Administrator about his obligations in the field of personal data protection, as well as advising the Administrator, are also the tasks of the data protection officer appointed at the Bank. The Bank should also have knowledge in this area due to a previously issued decision imposing an administrative fine for violating Art. 34 section 1 of Regulation 2016/679, consisting in failure to notify data subjects about a personal data protection breach without undue delay (decision of January 19, 2022, ref. (...)), especially since the Administrator's complaint against this decision was dismissed by the judgment of the Provincial Administrative Court in Warsaw of November 15, 2022 (reference number II SA/Wa 546/22).
Referring to the Administrator's obligation specified in Art. 34 section 2 of Regulation 2016/679, the President of the Personal Data Protection Office stated that the Administrator (taking into account the nature of the breach and the categories of data affected) should indicate to data subjects the most likely negative consequences of the breach of their personal data. Certainly, in the event of a breach of data such as names, surnames and PESEL registration numbers, it is necessary to point out, first of all, possible identity theft or falsification by third parties obtaining, to the detriment of the persons whose data was breached, loans from non-bank institutions or insurance fraud or insurance funds, which may result in negative consequences related to an attempt to attribute responsibility to the data subject for committing such fraud. The description of possible consequences should reflect the risk of violating the rights and freedoms of that person, so as to enable him to take the necessary preventive actions.
In a situation where, as a result of a breach of personal data protection, there is a high risk of violating the rights and freedoms of natural persons, the administrator is obliged to implement all appropriate technical and organizational measures to immediately determine the breach of personal data protection and quickly inform the supervisory authority, as well as the persons whose data applies. The administrator should fulfill this obligation as quickly as possible.
Recital 85 of the preamble to Regulation 2016/679 explains: "In the absence of an appropriate and rapid response, a breach of personal data protection may result in physical harm, material or non-material damage to natural persons, such as loss of control over one's personal data or restriction of rights, discrimination, theft or falsification of identity, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage. Therefore, immediately upon becoming aware of a personal data breach, the controller should notify it to the supervisory authority without undue delay, where practicable and no later than 72 hours after becoming aware of it, unless the controller can demonstrate, in accordance with the principle of accountability, that it is unlikely that that the breach may result in a risk of violating the rights and freedoms of natural persons. If a report cannot be made within 72 hours, the report should be accompanied by an explanation of the reasons for the delay and the information may be provided gradually, without further undue delay.”
In turn, recital 86 of the preamble to Regulation 2016/679 states: "The controller should, without undue delay, inform the data subject about a breach of personal data protection if it may result in a high risk to the rights and freedoms of that person, so as to enable that person to take necessary preventive actions. Such information should include a description of the nature of the personal data breach and recommendations for the individual concerned to minimize potential adverse effects. Information should be provided to data subjects as soon as reasonably possible, in close cooperation with the supervisory authority, respecting instructions provided by that authority or other relevant authorities, such as law enforcement authorities. For example, the need to minimize an immediate risk of harm will require immediate information to data subjects, while the implementation of appropriate measures against the same or similar data protection breaches may justify subsequent information.
By notifying the data subject without undue delay, the controller enables the person to take the necessary preventive measures to protect the rights and freedoms against the negative effects of the breach. Article 34 section 1 and 2 of Regulation 2016/679 is intended not only to ensure the most effective possible protection of the fundamental rights and freedoms of data subjects, but also to implement the principle of transparency, which results from Art. 5(1) 1 letter a) Regulation 2016/679 (see Witold Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary. ed. E. Bielak - Jomaa, D. Lubasz, Warsaw 2018). Proper fulfillment of the obligation specified in Art. 34 of Regulation 2016/679 is intended to provide data subjects with quick and transparent information about a breach of the protection of their personal data, together with a description of the possible consequences of the personal data protection breach and the measures they can take to minimize its possible negative effects. Acting in accordance with the law and demonstrating concern for the interests of data subjects, the controller should have provided data subjects with the best possible protection of personal data without undue delay. To achieve this goal, it is necessary to provide at least the information listed in Art. 34 section 2 of Regulation 2016/679, which the Bank did not fulfill. Therefore, by deciding not to notify the supervisory authority and the data subjects about the breach, the controller in practice deprived data subjects of reliable information about the breach of personal data protection and the possibility of counteracting potential damage, provided without undue delay.
Consequently, it should be stated that the Administrator did not report a personal data protection breach to the supervisory authority in fulfillment of the obligation under Art. 33 section 1 of Regulation 2016/679 and failed to notify data subjects without undue delay of a breach of data protection, in accordance with Art. 34 section 1 of Regulation 2016/679, which means a violation of these provisions by the Administrator.
It should be noted here that in accordance with Art. 34 section 4 of Regulation 2016/679, if the controller has not yet notified the data subject of a personal data breach, the supervisory authority - taking into account the likelihood that the personal data breach will result in a high risk - may require him to do so or may determine, that one of the conditions referred to in section 3. In turn, according to the content of Art. 58 section 2 lit. e) of Regulation 2016/679 states that each supervisory authority has the corrective power to order the controller to notify the data subject about a data protection breach.
Pursuant to Art. 58 section 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other corrective measures provided for in Art. 58 section 2 of Regulation 2016/679, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Bank based on Art. 83 section 4 lit. a) of Regulation 2016/679, which states, among others, that violation of the administrator's obligations referred to in Art. 33 and 34 of Regulation 2016/679, is subject to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher.
Pursuant to the content of Art. 83 section 2 of Regulation 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 section 2 lit. a) - h) and letters j) Regulation 2016/679. When deciding to impose an administrative fine on the Bank, the President of the Personal Data Protection Office - pursuant to Art. 83 section 2 lit. a) - k) of Regulation 2016/679 - took into account the following circumstances of the case, constituting the need to apply this type of sanctions in this case and having an aggravating effect on the amount of the administrative fine imposed:
1. The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679). In this case, a violation of the provisions of Art. 33 section 1 of Regulation 2016/679 (consisting in failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach) and Art. 34 section 1 of Regulation 2016/679 (consisting in failure to notify data subjects about a personal data protection breach without undue delay). They are related to an event involving the disclosure of personal data of the Bank's clients in the scope of: names and surnames, date of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, usernames and/or passwords, earnings data and/or owned property, series and number of ID cards, telephone number, information about banking products, loans, bank accounts, i.e. names of contracts, dates of their conclusion, details of these products, information about property insurance policies, i.e., among others policy numbers, dates of issue, sums insured, insurance premiums, information regarding the insured property, as a result of the theft of a parcel containing the Bank's documentation during its transport at a courier company, and then abandoning the open parcel in a public place, as a result of which the documentation was read unauthorized person (at least one). This event is of significant importance and serious nature, as it may lead to material or non-material damage to persons whose data has been breached, and the probability of its occurrence is high. Due to a personal data protection breach involving the loss of a shipment containing banking documentation, information covered by banking secrecy was unlawfully disclosed, which further increases the seriousness of the breach and indicates the possibility of negative consequences of the event for the data subjects.
Additionally, the fact that the infringement consisting in failure to notify persons about a breach of the protection of their personal data concerned the personal data of many persons, as it concerned 158 persons, should be considered an aggravating circumstance, and although in the present case there is no evidence that the persons whose data were an unauthorized person has gained access, they have suffered property damage, the very violation of the confidentiality of their data constitutes non-material damage (harm) to them. Individuals whose data was obtained in an unauthorized manner may at least feel fear of losing control over their personal data, identity theft or identity fraud, discrimination, or finally financial loss. As indicated by the District Court in Warsaw in its judgment of August 6, 2020, ref. no. file XXV C 2596/19, fear, and therefore the loss of safety constitutes real non-pecuniary damage involving the obligation to repair it. In turn, the Court of Justice of the EU, in its ruling of December 14, 2023, in the case of Natsionalna agentia za prihodite (C-340/21), emphasized that "Art. 82 section 1 GDPR must be interpreted as meaning that the data subject's fear of possible misuse of personal data by third parties as a result of a breach of that regulation may in itself constitute "non-pecuniary damage" within the meaning of that provision. .
The President of the Personal Data Protection Office also considers the long duration of the Bank's violation of the provisions of Regulation 2016/679 to be an aggravating circumstance, because it should be emphasized that the violation that is the basis for these proceedings continues and the violation itself is continuous. The bank has still not reported the breach, which is justified by the low risk of violating the rights and freedoms of the affected natural persons; it also did not notify people about the breach of the protection of their personal data. In turn, the Administrator received information about a breach of personal data protection, i.e. the discovery of abandoned documents of the Bank's clients, on November 24, 2018, so over the years, the risk of violating the rights and freedoms of persons affected by the breach could have materialized, and why could they not counteract due to the Bank's failure to fulfill the obligation to report a personal data protection breach to the President of the Personal Data Protection Office and the obligation to notify data subjects about it.
2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679). In accordance with the Guidelines of the Article 29 Working Party on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 WP253 (adopted on 3 October 2017, approved by the EDPB on May 25, 2018), intentionality "includes both knowledge and intentional action in connection with the characteristics of the prohibited act." The bank made a conscious decision not to notify the President of the Personal Data Protection Office or the data subjects about the violation. There is no doubt that the Bank, when processing personal data on a mass scale, must have knowledge in the field of personal data protection, including knowledge of the consequences of identifying a personal data protection breach resulting in a high risk of violating the rights and freedoms of natural persons (and this knowledge may be required not only from administrator but also from the data protection officer appointed by him). Undoubtedly, the decision of the President of the Personal Data Protection Office of January 19, 2022 (described below, in point 3), to which the Bank's complaint was dismissed by the judgment of the Provincial Administrative Court in Warsaw, is also a source of knowledge for the Bank regarding obligations related to personal data protection violations. of November 15, 2022 (reference number II SA/Wa 546/22). Imposed of the above-mentioned decision, an administrative fine together with an extensive justification in which the President of the Personal Data Protection Office cited the applicable provisions and guidelines, contains the necessary information about the Administrator's obligations related to the identified personal data protection breach. It can therefore be concluded that the Administrator, being aware of his responsibility, neglected his obligations related to the data protection breach and neglected to report the personal data protection breach to the President of the Personal Data Protection Office and to notify data subjects about the breach. Finally, the very initiation of these proceedings by the President of the Personal Data Protection Office regarding the obligation to report a personal data protection breach to the supervisory authority and to notify data subjects about the breach should at least raise doubts for the Administrator as to the validity of the position he has adopted.
3. Any relevant previous violations on the part of the controller or processor (Article 83(2)(e) of Regulation 2016/679). When deciding on the imposition and amount of an administrative fine, the supervisory authority is obliged to pay attention to any previous violations Regulation 2016/679. The EDPB in its Guidelines 04/2022[4] on the calculation of administrative fines under the GDPR adopted on May 24, 2023, clearly states: "The existence of previous violations may be considered an aggravating factor when calculating the amount of the fine. The weight given to this factor should be determined taking into account the nature and frequency of previous violations. However, the absence of previous infringements cannot be considered as a mitigating circumstance since compliance with the provisions of [Regulation 2016/679] is the norm' (point 94 of the Guidelines).
The President of the Personal Data Protection Office had already conducted administrative proceedings against the Bank (described further in this point) regarding the breach of the obligation arising from Art. 34 section 1 of Regulation 2016/679 due to failure to notify data subjects about a personal data protection breach without undue delay. By decision of January 19, 2022, ref. no. (…), the President of the Personal Data Protection Office imposed an administrative fine on the Bank in the amount of PLN 545,748 for violating this provision of Regulation 2016/679. The above decision, as mentioned in point 2, was upheld by the judgment of the Provincial Administrative Court in Warsaw of November 15, 2022, dismissing the Bank's complaint (due to the submission of a cassation appeal by the Bank, the case is currently awaiting resolution by the Supreme Administrative Court) . The repeated violation of the provisions of Regulation 2016/679 by failing to notify data subjects about a breach of personal data protection without undue delay, and also by failing to notify the President of the Office of Personal Data Protection about a detected breach of personal data protection, proves the Bank's disregard for the obligations related to the processing of personal data, downplaying the incident and not recognizing its effect on Data Subjects. The violation of the provisions of Regulation 2016/679, which is the subject of these proceedings, and is not, as indicated, a one-off case, deserves a negative assessment, which is reflected in the imposition of an administrative fine on the Bank.
According to EDPB Guidelines 04/2022 "Although all previous infringements may constitute information about the controller's or processor's general approach to compliance with the provisions of the GDPR, greater importance should be attached to infringements relating to the same subject matter, as they are closer to the infringement that is the subject of the current proceedings, in particular where the controller or processor has previously committed the same infringement (repeated infringements)” (paragraph 88 of the Guidelines). “In the first place, account must be taken of the time at which the earlier infringement occurred, given that the longer the time between that infringement and the infringement that is the subject of the ongoing proceedings, the less significant is the earlier infringement” (point 84 of the Guidelines). Due to the fact that the supervisory authority has already investigated Santander Bank Polska S.A. proceedings regarding violation of Art. 34 section 1 of Regulation 2016/679, which resulted in the issuance of a decision imposing an administrative fine, this circumstance should undoubtedly be considered as having an aggravating effect on the amount of the administrative fine imposed.
Moreover, in other administrative decisions issued, the supervisory authority found a violation of the provisions on the protection of personal data by the Administrator: - in the decision of December 17, 2020 (reference number (...)) violation of the provisions of Art. 6(1) 1 and art. 21 section 3 in connection with Art. 12 section 3 of Regulation 2016/679; - in the decision of April 22, 2021 (reference number (...)), violation of the provision of Art. 6(1) 1 in connection with joke. 5(1) 1 letter f of Regulation 2016/679; - in the decision of June 29, 2022 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of June 30, 2022 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of July 7, 2022 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of August 19, 2022 (reference number (...)), violation of the provision of Art. 15 section 1 in connection with joke. 12 section 3 of Regulation 2016/679; - in the decision of August 30, 2022 (reference number (...)), violation of the provision of Art. 15 section 1 in connection with joke. 12 section 3 of Regulation 2016/679; - in the decision of September 28, 2022 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of November 10, 2022 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of November 18, 2022 (reference number (...)), violation of the provision of Art. 12 section 3 in connection with joke. 15 section 3 of Regulation 2016/679; - in the decision of January 9, 2023 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of August 22, 2023 (reference number (...)), violation of the provision of Art. 6(1) 1 in connection with joke. 21 section 2 and section 3 of Regulation 2016/679; - in the decision of September 22, 2023 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of December 8, 2023 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of January 23, 2024 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679; - in the decision of January 30, 2024 (reference number (...)), violation of the provision of Art. 6(1) 1 of Regulation 2016/679.
The violations described above, which resulted in the supervisory authority applying corrective measures, including the final penalty imposed on the Administrator, are also important. The supervisory authority notices a connection between previously identified violations and currently analyzed violations, such as a similar modus operandi of the Bank, consisting in intentional failure to provide authorized entities with specific personal data and information, which occurred, for example, in the case of a violation of Art. 15 section 1 and art. 34 section 1 of Regulation 2016/679, or even the frequency of violations of personal data protection provisions committed by the Administrator. As can be seen from the list of decisions issued by the President of the Personal Data Protection Office presented above, at the turn of the last 4 months, the supervisory authority has already issued 3 decisions in which it applied to Santander Bank Polska S.A. corrective agent.
Therefore, issuing numerous warnings and then imposing a financial penalty in the case with reference number (…), justifies not only the imposition of a financial sanction in these proceedings, but also its high level.
Due to the above, in the present case it should be considered that there are grounds for treating the premise of Art. 83 section 2 lit. e) Regulation 2016/679 as aggravating.
4. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). In this case, the President of the Personal Data Protection Office found the Bank's cooperation with him unsatisfactory. This assessment concerns the Administrator's reaction to the letters of the President of the Personal Data Protection Office informing about the obligations of the administrator in connection with a data protection breach, and finally to the initiation of administrative proceedings regarding the obligation to report a personal data protection breach and notify data subjects about the breach. Actions that were correct in the opinion of the President of the Personal Data Protection Office (reporting the violation to the President of the Personal Data Protection Office and notifying the persons affected by the violation) were not taken by the Bank even after the President of the Personal Data Protection Office initiated administrative proceedings in the matter.
5. Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679). The personal data disclosed do not belong to the special categories of personal data referred to in Art. 9(1) 1 of Regulation 2016/679, nor the data indicated in Art. 10 of Regulation 2016/679, however, the fact that the abandoned documentation included a wide range of them in the form of: name and surname, date of birth, bank account number, address of residence or stay, PESEL registration number, e-mail address, username and/or password, data on earnings and/or owned assets, ID card series and number, telephone number, information on banking products, loans, bank accounts, i.e. names of contracts, dates of their conclusion, details of these products, and also information on property insurance policies , i.e., among others policy numbers, date of issue, insurance sum, insurance premium, information regarding the insured property, this involves a high risk of violating the rights and freedoms of natural persons. PESEL number, i.e. an eleven-digit numerical symbol, uniquely identifying a natural person, containing the date of birth, serial number, gender designation and control number, and therefore closely related to the private sphere of the natural person and is also subject, as a national identification number, to exceptional protection under Art. 87 of Regulation 2016/679, is data of a special nature and requires special protection. There is no other such specific data that would clearly identify a natural person. It is not without reason that the PESEL number serves as a data identifying each person and is commonly used in contacts with various institutions and in legal circles. The PESEL number together with the name and surname clearly identifies a natural person, in a way that allows the negative effects of the violation (e.g. identity theft, loan fraud) to be attributed to that specific person.
In this context, it is worth recalling the EDPB guidelines 04/2022, which states: "Regarding the requirement to take into account the categories of personal data affected by the breach (Article 83(2)(g) [Regulation 2016/679]), in [ Regulation 2016/679] clearly indicates the types of data that are subject to special protection, and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Art. 9 and 10 [Regulation 2016/679] and data not covered by these articles, the dissemination of which immediately causes harm or inconvenience to the data subject (e.g. location data, private communications data, national identification numbers or financial data, such as transactions or credit card numbers). Generally speaking, the more such categories of data are affected by a breach or the more sensitive the data are, the more weight a supervisory authority can assign to such a factor. The amount of data relating to each data subject also matters, because with the amount of data relating to each data subject, the scale of violations of the right to privacy and personal data protection increases.”
It is worth pointing out once again the emerging case law in this area, for example in the judgment of November 15, 2022, ref. no. II SA/Wa 546/22 the Provincial Administrative Court in Warsaw indicated: "It was also obvious that the authority, when determining the penalty, had to take into account the fact that the breach concerned highly sensitive data (including PESEL, address, health data)" . This view was also shared by the above-mentioned The court in its judgment of June 21, 2023 in case no. no. II SA/Wa 150/23, where the Provincial Administrative Court in Warsaw indicated: "To sum up, the Court is of the opinion that the disclosure of the PESEL number indicates a high risk of violating the rights and freedoms of natural persons."
When determining the amount of the administrative fine, the President of the Personal Data Protection Office found no grounds to take into account mitigating circumstances affecting the final penalty. All the conditions listed in Art. 83 section 2 lit. a)-j) of Regulation 2016/679, in the opinion of the supervisory authority, constitute either aggravating or only neutral conditions. Also applying the premise specified in Art. 83 section 2 lit. k) of Regulation 2016/679 (requiring account to be taken of any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found.
Other circumstances indicated below, referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the Personal Data Protection Office to be neutral in his opinion, i.e. having neither an aggravating nor mitigating effect on the amount of the administrative fine imposed:
1. Actions taken by the controller to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679). Based on the evidence collected in the case, no such actions were found to have been taken by the Controller.
2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 (Article 83(2)(d) of Regulation 2016/679. Violation of the provisions of Regulation 2016/679 assessed in these proceedings (failure to report a personal data protection breach to the President of the Personal Data Protection Office and failure to notify about a personal data breach of data subjects) has no connection with the technical and organizational measures used by the administrator.
3. The manner in which the supervisory authority learned about the breach (Article 83(2)(h) of Regulation 2016/679). The President of the Personal Data Protection Office was not informed about the breach of personal data protection that is the subject of this case in accordance with the procedure for such situations specified in art. 33 of Regulation 2016/679. About the occurrence of the breach in question related to the event involving the disclosure of personal data of the Bank's clients, as a result of the theft of a parcel containing banking documentation relating to 158 people during its transport in a courier company, and then abandoning the open parcel in a public place, as a result of which the documentation was reviewed unauthorized person, the President of the Personal Data Protection Office obtained information from a message on the website (...), which described the incident of "leakage of bank customer documents", which "were found in a cardboard box scattered in a gated housing estate in K." Failure to report a personal data protection breach to the supervisory authority and to notify data subjects about the personal data protection breach is the sole subject of these proceedings, and in the circumstances of the facts under consideration, the supervisory authority assumed that it would not treat this condition as an aggravating circumstance.
4. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679). Before issuing this decision, the President of the Personal Data Protection Office did not apply to the Administrator any measures listed in Art. 58 section 2 of Regulation 2016/679, therefore the Administrator was not obliged to take any actions related to their application, and these actions, assessed by the President of the Personal Data Protection Office, could have an aggravating or mitigating effect on the assessment of the identified violation.
5. Application of approved codes of conduct under Art. 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679). The administrator does not use the instruments referred to in Art. 40 and art. 42 of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. However, the adoption and use of this type of instruments as measures guaranteeing a higher than standard level of protection of processed personal data could be taken into account to the Administrator's advantage.
6. Financial benefits or avoided losses obtained directly or indirectly in connection with the breach (Article 83(2)(k) of Regulation 2016/679). The President of the Personal Data Protection Office did not find that the Administrator obtained any financial benefits or avoided any such benefits in connection with the breach. precipitate. Therefore, there are no grounds to treat this circumstance as aggravating the Administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state, independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. The same wording of the provision of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - obtained on the part of the entity committing the infringement.
The President of the Personal Data Protection Office does not notice any other aggravating or mitigating factors applicable to the circumstances of this case.
In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the established circumstances of this case fulfills the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.
Taking into account the administrative fine imposed on the Bank by the previous decision of the President of the Office for Personal Data Protection (reference number (...)), it should be assumed that its amount was not effective, therefore the President of the Personal Data Protection Office decided to increase the amount of the penalty imposed by this decision. The penalty will be effective if its imposition will result in the Bank, which processes personal data professionally and on a mass scale, in the future fulfilling its obligations in the field of personal data protection, in particular in the scope of reporting personal data protection breaches to the President of the Personal Data Protection Office and notifying about breach of the protection of personal data of persons affected by the breach.
In the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function as it will be a response to the Bank's violation of the provisions of Regulation 2016/679. It will also have a preventive function; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the Bank and other data controllers that it is reprehensible to ignore the obligations of controllers related to the occurrence of a personal data protection breach, which are aimed at preventing its negative and often painful effects for the persons affected by the breach, as well as removing these effects or at least limiting them.
Pursuant to the content of Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "PDA", the equivalent of the amounts expressed in euros referred to in Art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28 each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the next exchange rate table of the National Bank of Poland after this date.
Taking the above into account, the President of the Personal Data Protection Office, pursuant to Art. 83 section 4 lit. a) in connection with Art. 103 of the Personal Data Protection Act, for the violation described in the operative part of this decision, imposed on the Bank - applying the average euro exchange rate of January 29, 2024 (1 EUR = PLN 4.3653) - an administrative fine in the amount of PLN 1,440,549 (which is equivalent of EUR 330,000).
In the opinion of the President of the Personal Data Protection Office, the fine imposed in the amount of PLN 1,440,549 (in words: one million four hundred and forty thousand five hundred and forty nine zlotys) meets the conditions referred to in Art. 83 section 1 of Regulation 2016/679 due to the seriousness of the identified violation in the context of the basic objective of Regulation 2016/679 - protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. Referring to the amount of the administrative fine imposed on the Bank, the President of the Office of Personal Data Protection concluded that it is proportional to the financial situation of the Administrator and will not constitute an excessive burden for him.
From the "Annual Report of Santander Bank Polska S.A." presented by the Administrator. for 2022" shows that the Bank's total revenues (i.e. interest, commissions and dividends) in 2022 amounted to PLN 13,061,886,000, therefore the amount of the administrative fine imposed in this case is approx. 0.01% wt. amount of proceeds. At the same time, it is worth emphasizing that the amount of the imposed penalty of PLN 1,440,549 is only 0.55% of the maximum amount of the penalty that the President of the Personal Data Protection Office could - applying in accordance with Art. 83 section 4 of Regulation 2016/679, a maximum penalty of up to 2% of the total annual turnover from the previous financial year (i.e. PLN 261,237,720) - imposed on the Bank for the violations found in this case.
The amount of the penalty was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of violation of the administrator's obligations, but on the other hand, it does not result in a situation in which the need to pay a financial penalty will result in negative consequences, in the form of a significant reduction in employment or significant decline in the Bank's turnover. According to the President of the Personal Data Protection Office, the Bank should and is able to bear the consequences of its negligence in the field of data protection, as evidenced by the Bank's Annual Report, sent to the President of the Personal Data Protection Office on January 5, 2024.
At the same time, the President of the Personal Data Protection Office, pursuant to Art. 83 section 3 of Regulation 2016/679 decided to impose one penalty for two violations attributed to the Administrator in the proceedings with reference number DKN.5131.59.2022. The source of both violations is the same event, i.e. the loss of a shipment of banking documents containing data of the Bank's customers, and the subsequent decision of the Bank not to report this fact to the President of the Personal Data Protection Office and not to notify about the breach of personal data protection of data subjects. These events are so contextually, spatially and temporally related that, in accordance with the EDPB Guidelines No. 4/2022 on the calculation of administrative fines under the GDPR, they should be treated as one behavior of the controller, leading to the imposition of one fine (point 28 of the Guidelines). .
Finally, it is necessary to point out that when determining the amount of the administrative fine in this case, the President of the Personal Data Protection Office applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022 regarding the calculation of administrative fines under the GDPR adopted on May 24, 2023. In accordance with the provisions presented in this document instructions:
1. The President of the Personal Data Protection Office categorized the violations of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The violations of both provisions of Regulation 2016/679 (Article 33(1) and Article 34(1)) found in this case include - in accordance with Art. 83 section 4 lit. a) of Regulation 2016/679 - to the category of infringements punishable by the lower of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 10,000,000 or up to 2% of the enterprise's total annual turnover in the previous financial year). Therefore, they were considered in abstracto (in isolation from the individual circumstances of a specific case) by the EU legislator as less serious than the violations indicated in Art. 83 section 5 of Regulation 2016/679).
2. The President of the Personal Data Protection Office assessed the violations identified in this case as violations of low seriousness (see Chapter 4.2 of Guidelines 04/2022). As part of this assessment, the following conditions were taken into account, among those listed in Art. 83 section 2 of Regulation 2016/679, which concern the subject matter of the infringements (constituting the "seriousness" of the infringement), i.e.: the nature, gravity and duration of the infringements (Article 83(2)(a) of Regulation 2016/679), intentional or unintentional nature of the breaches (Article 83(2)(b) of Regulation 2016/679) and the categories of personal data affected by the breaches (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. It should be noted here that consideration of their combined impact on the assessment of the violations identified in this case, treated as a whole, leads to the conclusion that their level of seriousness, also in concreto, is low (in the scale of the seriousness of violations presented in point 60 of Guidelines 04/2022). The consequence of this is that - as the starting amount for calculating the penalty - a value ranging from 0 to 10% of the maximum amount of penalty that can be imposed on the Bank. Considering that the provision of Art. 83 section 4 of Regulation 2016/679 obliges the President of the Personal Data Protection Office to adopt as the maximum penalty for violations indicated in this provision the amount of EUR 10,000,000 or - if this value is higher than EUR 10,000,000 - an amount constituting 2% of the Company's turnover in the previous financial year, The President of the Personal Data Protection Office decided that the so-called dynamic maximum penalty amount - EUR 59,844,162 - resulting from the application of a 2% indicator applied to the Bank's turnover for 2022, the value of which amounted to EUR 2,992,208,096 (equivalent to PLN 13,061,886,000). Having a range from EUR 0 to EUR 59,844,162, the President of the Personal Data Protection Office adopted, as adequate and justified by the circumstances of the case, the starting amount for calculating the amount of the penalty of EUR 2,393,766,000 (representing 4% of the dynamic maximum amount of the penalty).
3. Pursuant to the advice of the European Data Protection Board presented in point 66 of Guidelines 04/2022 (in relation to enterprises with an annual turnover exceeding EUR 500 million), the President of the Personal Data Protection Office did not consider it justified to use the possibility of reducing the amount adopted based on the assessment of the seriousness of the violation. output, which these guidelines (in Section 4.3) provide for enterprises of smaller size and economic strength. The EDPB points out that in the case of large entities (and the Bank is undoubtedly one of them in this case, as evidenced by its turnover) "the size of the enterprise is already reflected in the dynamic statutory maximum amount" (point 66 of Guidelines 04/2022) .
4. The President of the Personal Data Protection Office assessed the impact of the other circumstances specified in Art. 83 section 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer - as assumed by Guidelines 04/2022 - to the subjective side of the infringement, i.e. to the entity itself that is the perpetrator of the infringement and to its behavior before, during and after the infringement. occurrence. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement is presented above. The President of the Personal Data Protection Office found (which was justified in the part of the justification for the decision presented above) that the aggravating circumstances in this case, and therefore additionally increasing the penalty imposed by this decision, are the relevant previous violations on the part of the Bank found by the President of the Personal Data Protection Office (Article 83 section 2(e) of Regulation 2016/679), as well as the degree of cooperation of the Bank with the President of the Personal Data Protection Office in order to eliminate the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). The remaining premises (from Article 83(2)(c), d), h), i), j), k) of Regulation 2016/679) - as indicated above - had no impact, neither mitigating nor aggravating, on the assessment violations and, consequently, the penalty. Therefore, due to the existence of additional aggravating circumstances related to the subjective side of the violations (assessment of the Bank's conduct before and after the violations), the President of the Personal Data Protection Office found it justified to increase the amount of the penalty determined on the basis of the assessment of the seriousness of the violations (point 2 above). In the opinion of the President of the Personal Data Protection Office, its increase to EUR 2,600,000 is adequate to the impact of these premises on the assessment of violations.
5. The President of the Personal Data Protection Office stated that the amount of the administrative fine determined in the manner presented above does not exceed - pursuant to Art. 83 section 3 of Regulation 2016/679 - the legally defined maximum penalty for the most serious violation (see Chapter 6 of Guidelines 04/2022). In the case of both violations of the provisions of Regulation 2016/679 found in this case, the legally determined maximum penalty amount (dynamic) is the same - as indicated above in point 2, EUR 59,844,162, i.e. 2% of the Bank's turnover achieved in 2022 Therefore, both violations have the same seriousness, and the above-mentioned penalty amount of EUR 2,600,000 clearly does not exceed the maximum penalty provided for each of them individually.
6. Even though the amount of the penalty determined in accordance with the above principles does not exceed the legally defined maximum penalty, the President of the Personal Data Protection Office found that it requires additional correction due to the principle of proportionality mentioned in Art. 83 section 1 of Regulation 2016/679 as one of the three sentencing directives (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of EUR 2,600,000 would be an effective penalty (due to its severity, it would allow achieving its repressive goal, which is to punish illegal behavior) and deterrent (effectively discouraging both the Company and other administrators from committing future violations of the provisions of Regulation 2016 /679). However, such a penalty would be - in the opinion of the President of the Personal Data Protection Office - a disproportionate penalty both in relation to the gravity of the identified violations (which in abstracto and in concreto is low - see points 1 and 2 above), and because it is excessive - in relation to this gravity. – ailment. The principle of proportionality requires, among other things, that the measures adopted by the administrative authority do not go beyond what is appropriate and necessary to achieve legitimate objectives (see point 137 and point 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 […] ; Comment on Article 83 [in:] P. Litwiński (ed.) General Data Protection Regulation. Selected sectoral regulations. Therefore, taking into account the proportionality of the penalty, the President of the Personal Data Protection Office further reduced the amount of the penalty - to EUR 330,000 (equivalent to PLN 1,440,549). In his opinion, such determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is the threshold above which a further increase in the amount of the penalty will not result in an increase in its effectiveness and deterrent nature. On the other hand, reducing the fine to a greater extent could be at the expense of its effectiveness and dissuasive nature, as well as coherent - in relation to other supervisory authorities and the EDPB - understanding, application and enforcement of Regulation 2016/679, and the principle of equal treatment of entities on the market internal EU and EEA.
In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.
[1] Above the guidelines updated and supplemented the Article 29 Working Party Guidelines on the reporting of personal data breaches in accordance with Regulation 2016/679 (Wp250 rev.01), adopted on October 3, 2017.
[2] Guideline 01/2021 of the European Data Protection Board on examples for notification of personal data breaches adopted on 14 December 2021, version 2.0 (hereinafter "Guideline 01/2021").
[3] https://www.zbp.pl/getmedia/2d3304db-34e6-4929-94cc-b9390456ff7a/infodok-2023-07-09-wydanie-55-sklad-231023-gk08
