UODO (Poland) - DKN.5131.43.2022

From GDPRhub
UODO - DKN.5131.43.2022
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(2) GDPR
Article 33 GDPR
Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.07.2023
Published:
Fine: 11,790 PLN
Parties: n/a
National Case Number/Name: DKN.5131.43.2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: kiki

The Polish DPA imposed a fine of €2,640 against a controller for not notifying data subjects of a breach and for not informing the DPA within the 72 hour time-limit, in violation of Articles 33 and 34 GDPR. Furthermore, the controller breached the principle of accountability, as they were unable to demonstrate compliance.

English Summary[edit | edit source]

Facts[edit | edit source]

In May 2022, the controller, a local business owner, fell victim to a data breach. A file containing the personal data of her clients was stolen from her computer. The stolen data included names, home and email addresses, telephone numbers and national identification numbers of the data subjects.

The controller informed the Polish DPA about this incident but did not reveal any details as to whether the data subjects had been informed about the data breach or whether any risk to their rights and freedoms existed as a result of it. Moreover, the controller contacted the DPA after the 72-hour period prescribed by Article 33(1) GDPR. The DPA requested clarifications but did not receive an answer.

Consequently, in September 2022 the DPA initiated an ex officio investigation regarding the controller's handling of the data breach.

Holding[edit | edit source]

The Polish DPA found that the controller was in breach of Article 33(1) GDPR, Article 33(3) GDPR, Articles 34(1) and 34(2) GDPR, and Article 5(2) GDPR,

Firstly, the Polish DPA held that the controller violated Article 33(1) GDPR as they failed to notify the DPA of the breach within the 72-hour time limit. The controller had also breached Article 33(3) GDPR because the notification did not include all the information required by the provision.

Secondly, the DPA established that the controller had not carried out an assessment as to whether there was a risk to the rights and freedoms of data subjects as a result of the data breach. Moreover, the controller did not inform the data subjects of the data breach. The DPA noted that, in this context, the assessment of the risk under Article 34 GDPR, should be made through the lens of the data subject rather than the interests of the controller, as data subjects must be sufficiently informed to make their own assessment of whether a data breach is likely to cause negative consequences and decide whether to take the appropriate remedial action. Taking into account the nature of personal data stolen, the DPA concluded that there was indeed a risk to the rights and freedoms of data subjects. Hence, they should have been notified of the data breach without undue delay. By not fulfilling this obligation, the controller violated Articles 34(1) and 34(2) GDPR.

Thirdly, the DPA noted that the controller had failed to reply to the requests for clarification and demonstrate that they had carried out of a risk assessment following the data breach. Therefore, the DPA found a violation of the principle of accountability (Article 5(2) GDPR).

As a result, the Polish DPA imposed a €2,640 fine on the controller for the violations of Article 33(1) GDPR, Article 33(3) GDPR, Articles 34(1) and 34(2) GDPR, and Article 5(2) GDPR. Moreover, in line with Articles 34(4) and 58(1)(a) GDPR, the DPA ordered the controller to properly notify the data subjects of the data breach within 3 days from the date of the DPA's decision.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Based on Article. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 755), art. 7(1) 1, art. 60, art. 101, art. 101a section 2  and art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), as well as Art. 57 section 1 letter a) and letter h), art. 58 section 2 lit. e) and point i), art. 83 section 1 and section 2, art. 83 section 4 lit. a) in connection with Art. 33 section 1 and section 3 and art. 34 section 1, 2 and 4 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on data protection) (OJ EU L 119 of 4/05/2016, p. 1, OJ L 127 of 23/05/2018, p. 2 and OJ L 74 of 4/03/2021, p. 35), hereinafter referred to as "Regulation 2016/679", after administrative proceedings initiated ex officio regarding the violation of the provisions on the protection of personal data by Ms. K.W. running a business under the name W. with its place of business in O. at ul. (…), President of the Personal Data Protection Office,

finding a violation by Mrs. K.W. running a business under the name W. with its place of business in O. at ul. (…) provisions: a) Art. 33 section 1 of Regulation 2016/679, consisting in failure to report a personal data protection breach to the President of the Office for Personal Data Protection without undue delay, no later than 72 hours after discovering the breach, and b) Art. 34 section 1 of Regulation 2016/679, consisting in failure to notify data subjects about a breach of personal data protection without undue delay,1) imposes on Ms. K.W. running a business under the name W. with its place of business in O. at ul. (...) an administrative fine in the amount of PLN 11,790 (in words: eleven thousand seven hundred and ninety zlotys),2) ordered by Mrs. K.W. running a business under the name W. with its place of business in O. at ul. (…) notifying – within 3 days from the date of delivery of this decision – data subjects about a breach of the protection of their personal data in order to provide them with the information required in accordance with Art. 34 section 2 of Regulation 2016/679, i.e.: a) description of the nature of the personal data protection breach; b) name and contact details of the data protection officer or designation of another contact point from which more information can be obtained; c) description of the possible consequences of the data protection breach personal data; d) a description of the measures used or proposed by the controller to address the breach - including measures to minimize its possible negative effects.

JUSTIFICATION

The President of the Office for Personal Data Protection (hereinafter referred to as the "President of the Personal Data Protection Office") on (...) May 2022 received an e-mail from Mrs. K.W. running a business under the name W. with its place of business in O. at ul. (...), hereinafter referred to as the "Administrator", information that "On (...) May, between 5:00 p.m. and 6:00 p.m., the crime of stealing documents from my laptop desktop using the UI application occurred. A. The documents contained my clients' data, i.e.: Name, surname, sometimes residential addresses, e-mail addresses, telephone numbers and occasionally PESEL number, along with a question about further proceedings.

Due to the above, on (...) May 2022, the President of the Personal Data Protection Office informed the Administrator about the obligations arising from Art. 33 section 1 and 3 of Regulation 2016/679, i.e. on the obligation to report personal data protection breaches to the supervisory authority. At the same time, the President of the Personal Data Protection Office informed the Administrator about possible ways of reporting a personal data protection breach to the supervisory authority.

The return confirmation of receipt shows that the above-mentioned the correspondence was delivered to the Administrator on (...) May 2022. Due to the fact that after the delivery of the correspondence, no explanations from the Administrator were received, on (...) July 2022, another letter was sent with information on possible ways of reporting a breach of protection personal data to the supervisory authority. Moreover, the President of the Personal Data Protection Office asked the Administrator, pursuant to Art. 58 section 1 letter a) and e) of Regulation 2016/679, to provide information whether in connection with the above-mentioned the possibility of a personal data protection breach, an analysis of the incident was made in terms of the risk of violating the rights and freedoms of natural persons, necessary to assess whether there was a data protection breach resulting in the need to notify the President of the Personal Data Protection Office and the persons affected by the breach. A renewed request to provide explanations was delivered to the Administrator, as indicated in the return acknowledgment of receipt, on (...) July 2022. After the delivery of the correspondence, no explanations from the Administrator were received.

In connection with the above, the President of the Personal Data Protection Office on (...) September 2022 initiated ex officio administrative proceedings regarding the violation of the provisions on the protection of personal data in connection with the processing of personal data within the meaning of Regulation 2016/679 by the Administrator, indicating as the subject of the proceedings the possibility of violation by the Administrator of obligations arising from the provisions of Art. 33 section 1 and art. 34 section 1 and 2 of Regulation 2016/679. At the same time, the President of the Personal Data Protection Office once again asked the Administrator to indicate whether in connection with the above-mentioned In this situation, the incident was analyzed in terms of the risk of violating the rights and freedoms of natural persons, necessary to assess whether there was a data protection breach resulting in the need to notify the President of the Personal Data Protection Office and the data subjects, and to indicate the number of people affected by the breach.

The return confirmation of receipt shows that the Administrator did not collect the advised shipment on time. Therefore, on (...) November 2022, the President of the Personal Data Protection Office again sent a notice of initiation of administrative proceedings to the Administrator. The correspondence was delivered to the Administrator on (...) November 2022. After the delivery of the correspondence, there was no impact of the response to the notice of initiation of administrative proceedings and the questions asked therein.

After reviewing all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:

Pursuant to Art. 4 point 12 of Regulation 2016/679, "personal data breach" means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

Article 33 of Regulation 2016/679 states that in the event of a breach of personal data protection, the data controller shall report it without undue delay - whenever possible, no later than 72 hours after discovering the breach - to the supervisory authority competent in accordance with Art. 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification submitted to the supervisory authority after 72 hours is accompanied by an explanation of the reasons for the delay (section 1). The notification referred to in section 1, must at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data entries affected by the breach; b) contain the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained; c) describe the possible consequences of a personal data breach; d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects (paragraph 3).

In turn, Art. 34 section 1 of Regulation 2016/679 indicates that in a situation where a breach of personal data protection may result in a high risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject of such a breach without undue delay. Pursuant to Art. 34 section 2 of Regulation 2016/679, a proper notification should: 1) describe the nature of the personal data protection breach in clear and plain language; 2) contain at least the information and measures referred to in Art. 33 section 3 lit. b), c) and d) of Regulation 2016/679, i.e.: a. the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained;b. a description of the possible consequences of a personal data breach;c. a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.

The above-mentioned provisions of Regulation 2016/679 indicate that in the event of a personal data protection breach, the data controller is obliged to report it to the President of the Personal Data Protection Office if the breach involves a risk of violating the rights and freedoms of natural persons - regardless of the level of such risk. However, in a situation where a breach of personal data protection causes a high risk of violating the rights and freedoms of natural persons, the data controller is obliged to notify these persons about the breach of data protection.

There is no doubt that the event of stealing documents from a remote desktop using a UI application. (…), which took place on (…) May 2022, due to the scope of data indicated by the Administrator, constitutes a violation of data confidentiality due to the possibility of getting acquainted with the above-mentioned. data by unauthorized person(s). As a consequence, it should be considered that there has been a security breach resulting in at least unauthorized access to personal data processed by the Administrator, and therefore a breach of personal data protection. At the same time, it should be noted that the scope of data covered by the breach, provided by the Administrator in correspondence sent electronically, received on (...) May 2022 (names and surnames, residential addresses, e-mail addresses, telephone numbers and PESEL numbers) allows to clearly identify these people.

Reporting personal data protection breaches by controllers is an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights and freedoms of data subjects and - if such a risk occurred - whether they have provided appropriate information to natural persons affected by the breach. In justified cases, they may also provide information that, in their opinion, notification is not necessary due to the fulfillment of the conditions specified in Art. 34 section 3 lit. a) – letter c) Regulation 2016/679. The President of the Personal Data Protection Office verifies the assessment made by the controller and may - if the controller has not notified the data subjects - request such notification from the controller. Reports of personal data protection breaches allow the supervisory authority to respond appropriately to limit the effects of such breaches, as the controller is obliged to take effective actions to ensure the protection of natural persons and their personal data, which will, on the one hand, allow for control of the effectiveness of existing solutions and, on the other hand, the assessment of modifications and improvements to prevent irregularities similar to those covered by the infringement.

It should be emphasized that the assessment of the risk of violating the rights and freedoms of a natural person should be made from the perspective of the person at risk, and not the interests of the administrator. This is particularly important because, based on a personal data breach notification, an individual can assess for themselves whether they believe a security incident may result in negative consequences for them and take appropriate remedial action. Also, based on the information provided by the controller regarding the description of the nature of the breach and the measures taken or proposed to remedy the breach, an individual can assess whether, after the breach, the data controller still guarantees the proper processing of his or her personal data in a manner that ensures their security. Failure to notify a natural person of a breach in the event of a high risk of violating his or her rights or freedoms deprives him or her not only of the opportunity to respond appropriately to the breach, but also of the opportunity to independently assess the breach, which, after all, concerns his or her personal data and may cause significant consequences for him or her. However, failure to report a personal data protection breach deprives the supervisory authority of an appropriate response to the breach, which is reflected not only in assessing the risk of the breach to the rights and freedoms of a natural person, but also, in particular, in verifying whether the controller has applied appropriate measures to remedy the breach and minimize negative consequences. effects on data subjects, as well as whether it has applied appropriate security measures to minimize the risk of a recurrence of the breach.

In the facts of the case, it should be stated that the Administrator, due to the lack of response to the summons and the letter informing about the initiation of administrative proceedings, did not demonstrate, in accordance with the principle of accountability referred to in Art. 5(1) 2 of Regulation 2016/679 that he assessed the risk of violating the rights and freedoms of natural persons in connection with the personal data protection breach and, consequently, did not demonstrate that the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons.

At the same time, due to the wide scope of data disclosed (including name and surname and PESEL registration number), it should be stated that as a result of the event, there was a high risk of violating the rights and freedoms of natural persons. As indicated by the Article 29 Working Party in the Guidelines for reporting personal data breaches in accordance with Regulation 2016/679 (WP250rev.01), hereinafter referred to as the "WP250 Guidelines", "This risk exists where the breach may lead to physical harm or damage property or non-property for persons whose data has been breached. Examples of such harms include discrimination, identity theft or fraud, financial loss and damage to reputation.” Moreover, the Article 29 Working Party in the WP250 Guidelines indicated that when assessing the risk to natural persons resulting from a breach, the administrator should take into account the specific circumstances of the breach, including the importance of the potential impact and the likelihood of its occurrence, and recommended that during the assessment, the factors indicated in these guidelines should be taken into account criteria. The WP250 Guidelines also explain that when assessing the risks that may arise from a breach, the controller should take into account the gravity of the potential impact on the rights and freedoms of natural persons and the likelihood of its occurrence. Of course, the risk increases when the consequences of a breach are more serious, as well as when the likelihood of their occurrence increases. In case of any doubts, the administrator should report a violation, even if such caution may prove to be excessive.

There is no doubt that the examples of damage referred to in the WP250 Guidelines, due to the scope of data covered by this personal data protection breach, including the PESEL registration number along with the name, surname and address of residence, may occur in the discussed case.

It should be noted here that the PESEL number, i.e. an eleven-digit numerical symbol containing the date of birth, serial number, gender designation and control number, uniquely identifies a specific natural person, and is therefore closely related to the private sphere of the natural person and, as such, is subject to also, as a national identification number, exceptional protection under Art. 87 of Regulation 2016/679. Due to the fact that the PESEL number is data of a special nature, its disclosure to unauthorized entities may result in a high risk of violating the rights and freedoms of natural persons (see: https://www.bik.pl/poradnik-bik/wyluczenie-kredytu- this is how scammers work - where a case was described in which "Only the name, surname and PESEL number were enough for fraudsters to extort several loans worth tens of thousands of zlotys in total. Nothing else was correct: neither the ID card number nor the residential address."

European Data Protection Board in Guidelines 01/2021 on examples for reporting personal data protection breaches, Version 2.0, adopted on 14 December 2021 (hereinafter referred to as "Guidelines 01/2021"), intended to supplement Guidelines WP250 , presented the common experience of the supervisory authorities of the European Economic Area since the entry into force of Regulation 2016/679. Guidelines 01/2021 provides an example (case no. 14, p. 31) relating to a situation where highly confidential personal data was sent by mistake by post. In the mentioned case, the social security number, which is the equivalent of the PESEL number used in Poland, was disclosed. The example clearly states that "The number of people affected by the breach is significant, and the use of Social Security numbers, as well as other, more basic personal data, further increases the risk, which can be described as high."

The European Data Protection Board has no doubt that an individually assigned number uniquely identifying a natural person should be subject to special protection, and its disclosure to unauthorized entities may involve a high risk of violating the rights and freedoms of natural persons.

The European Data Protection Board also points out in other examples provided in Guidelines 01/2021 that data that uniquely identifies a natural person may result in a high risk of violating rights or freedoms. Points 65 and 66 of Guidelines 01/2021 indicate: "(...) The breached data allows for the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by the attacker to guess customer passwords or conduct a spear phishing campaign aimed at bank customers. For these reasons, the data breach has been deemed likely to result in a high risk to the rights and freedoms of all data subjects. Therefore, material (e.g. financial losses) and intangible (e.g. identity theft or fraud) damage may occur.” In turn, point 96 states that "When assessing the risk, the controller should take into account the potential consequences and negative effects of a confidentiality breach. As a result of the breach, data subjects may be victims of identity fraud related to data available on a stolen device, therefore the risk is considered high.”

The Provincial Administrative Court in Warsaw did not have similar doubts (that the disclosure of the PESEL number together with other personal data may result in a high risk of violating the rights and freedoms of natural persons), in its judgment of September 22, 2021, ref. no. no. II SA/Wa 791/21, stated that "There is no doubt that the examples of damage mentioned in the guidelines may occur in the case of persons whose personal data - in some cases, including the PESEL registration number or the series and number of the ID card - have been recorded on shared recordings. Not without significance for such an assessment is the possibility of identifying persons whose data were subject to the breach, based on the disclosed data. Further, the Court in the above-mentioned judgment indicated that "The data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases also the PESEL registration number or the series and number of the ID card, determines the that there is a high risk of violating the rights and freedoms of natural persons.” The PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal circles. The PESEL number together with the name and surname clearly identify a natural person, in a way that allows the negative effects of the violation (e.g. identity theft, loan fraud) to be attributed to that specific person.

When considering the above issues, it is also necessary to recall the position of the Provincial Administrative Court in Warsaw expressed in the judgment of July 1, 2022 issued in the case with reference number II SA/Wa 4143/21. In justification of this judgment, the Court stated that: "It is necessary to agree with the President of the Personal Data Protection Office that the loss of confidentiality of the PESEL number in connection with personal data, such as: name and surname, registered address, bank account numbers and the identification number assigned to the Bank's clients - CIF number , involves a high risk of violating the rights and freedoms of natural persons. In the event of a breach of data such as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects. Therefore, in the case in question, the Bank should have acted without undue delay, pursuant to Art. 34 section 1 GDPR, to notify data subjects about a personal data breach, so as to enable them to take the necessary preventive actions. Similarly, the Provincial Administrative Court in Warsaw expressed its opinion in the judgment of August 31, 2022, ref. no. no. II SA/Wa 2993/21, pointing out that "(...) the authority correctly assumed that there was a high risk of violating the rights and freedoms of persons affected by the breach in question due to the possibility of easy, based on the disclosed data, identification of persons whose data was covered by the infringement. These data include name and surname, correspondence address, telephone number, and PESEL number of persons with Polish citizenship. In this situation, the controller was obliged to notify data subjects about the breach without undue delay.

The latest infoDOK report (prepared as part of the social Information Campaign of the DOCUMENTS RESTRICTED DOCUMENTS System, organized by the Polish Bank Association and some banks, under the patronage of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation), shows that that in the third quarter of 2022, 2,089 credit and loan fraud attempts were recorded. Throughout 2020, there were 6,884 fraud attempts for the total amount of PLN 253.8 million, and in 2021, there were 8,096 loan fraud attempts for a total amount of PLN 336.6 million. This means that the entire year of 2021 was significantly more dangerous than the previous year in terms of the number of fraud attempts and their amounts: there was a 17% increase in the number of fraud attempts and a 32% increase in the total amount of these fraud attempts.

Moreover, as evidenced by case law, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time - as an example, the judgment of the District Court in Łęczyca of July 27, 2016 (reference number I C) 566/15), in which fraudsters taking out a loan using someone else's data used a PESEL number, a fictitious address and an incorrect ID number (invalid). In justification of the above-mentioned judgment, the Court stated that: "In the case in question, the plaintiff (...) with its registered office in W. purchased the receivable from (...) Spółka z ograniczoną odpowiedzialnością S.K.A. with its registered office in Warsaw. Party to the loan agreement of May 5, 2014. there was a person who unauthorizedly used the data of J. R. (...) Spółka z ograniczoną odpowiedzialnością S.K.A. with its registered office in W. transferred the amount of PLN 500 to the indicated bank account. The key issue in this case was the determination that the defendant had not concluded a loan agreement, which was an allegation raised by the defendant throughout the proceedings. The evidentiary proceedings conducted and the analysis of the documents attached by the plaintiff result in the unambiguous conclusion that in the case under consideration the defendant was not a party to the loan agreement concluded on May 5, 2014. Although the PESEL number of the defendant J. R. was used when concluding the agreement, the indicated place of residence does not correspond to the place of residence of the defendant. The defendant J. R. never lived in Warsaw. The loan amount was transferred to an account that was not owned by the defendant. On the date of conclusion of the loan agreement, the ID card no. (...) expired on March 15, 2014. The mobile phone number indicated in the loan agreement and its annexes does not match the actual telephone numbers used and used by the defendant. In the circumstances of the case under consideration, the Court found that the defendant had demonstrated that it was not a party to the loan agreement that was the subject of these proceedings. Agreements concluded using means of distance communication should require detailed, thorough verification and such verification carried out in the case in question leads to the conclusion that the defendant was not a party to the loan agreement.

Obligation to report a personal data protection breach specified in Art. 33 section 1 of Regulation 2016/679 is also not dependent on whether the risk of violating the rights and freedoms of natural persons has materialized. As indicated by the Provincial Administrative Court in Warsaw in the justification for the judgment of September 22, 2021, ref. no. no. II SA/Wa 791/21, "It should be emphasized that the possible consequences of the event do not have to materialize. In the content of art. 33 section 1 of Regulation 2016/679 indicates that the very occurrence of a breach of personal data protection, which involves a risk of violating the rights and freedoms of natural persons, implies the obligation to report the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons. natural persons". The Provincial Administrative Court in Warsaw made a similar statement in its judgment of January 21, 2022, ref. no. no. II SA/Wa 1353/21, stating that "(...) possible consequences of a personal data breach event do not have to materialize - because in Art. 33 section 1 of the GDPR states that the very occurrence of a personal data protection breach, which involves a risk of violating the rights and freedoms of natural persons, implies the obligation to report the breach to the competent supervisory authority. The fact raised by the Company that there was no physical damage or damage to natural persons as a result of the breach is not relevant to establishing the existence of an obligation on the Company's part to report a personal data protection breach to the President of the Personal Data Protection Office, in accordance with the above. recipe."

In a situation where, as a result of a breach of personal data protection, there is a high risk of violating the rights and freedoms of natural persons, the administrator is obliged to implement all appropriate technical and organizational measures to immediately determine the breach of personal data protection and quickly inform the supervisory authority, as well as the persons whose data applies. The administrator should fulfill this obligation as quickly as possible.

Recital 85 of the preamble to Regulation 2016/679 explains: "In the absence of an appropriate and rapid response, a breach of personal data protection may result in physical harm, material or non-material damage to natural persons, such as loss of control over their own personal data or restriction of rights, discrimination, theft or falsification of identity, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage. Therefore, immediately upon becoming aware of a personal data breach, the controller should notify it to the supervisory authority without undue delay, where practicable and no later than 72 hours after becoming aware of it, unless the controller can demonstrate, in accordance with the principle of accountability, that it is unlikely that that the breach may result in a risk of violating the rights and freedoms of natural persons. If a report cannot be made within 72 hours, the report should be accompanied by an explanation of the reasons for the delay and the information may be provided gradually, without further undue delay.”

In turn, recital 86 of the preamble to Regulation 2016/679 states: "The controller should, without undue delay, inform the data subject about a breach of personal data protection if it may result in a high risk to the rights and freedoms of that person, so as to enable that person to take necessary preventive actions. Such information should include a description of the nature of the personal data breach and recommendations for the individual concerned to minimize potential adverse effects. Information should be provided to data subjects as soon as reasonably possible, in close cooperation with the supervisory authority, respecting instructions provided by that authority or other relevant authorities, such as law enforcement authorities. For example, the need to minimize an immediate risk of harm will require immediate information to data subjects, while the implementation of appropriate measures against the same or similar data protection breaches may justify subsequent information.

By notifying the data subject without undue delay, the controller enables the person to take the necessary preventive measures to protect the rights and freedoms against the negative effects of the breach. Article 34 section 1 and 2 of Regulation 2016/679 is intended not only to ensure the most effective possible protection of the fundamental rights and freedoms of data subjects, but also to implement the principle of transparency, which results from Art. 5(1) 1 letter a) Regulation 2016/679 (see Witold Chomiczewski [in:] GDPR. General Data Protection Regulation. Comment. ed. E. Bielak - Jomaa, D. Lubasz, Warsaw 2018). Proper fulfillment of the obligation specified in Art. 34 of Regulation 2016/679 is to provide data subjects with quick and transparent information about a breach of the protection of their personal data, along with a description of the possible consequences of the personal data protection breach and the measures they can take to minimize its possible negative effects. Acting in accordance with the law and demonstrating concern for the interests of data subjects, the controller should have provided data subjects with the best possible protection of personal data without undue delay. To achieve this goal, it is necessary to provide at least the information listed in Art. 34 section 2 of Regulation 2016/679, which the administrator failed to fulfill. Therefore, by deciding not to notify the supervisory authority and the data subjects about the personal data protection breach, the controller in practice deprived these persons of reliable information about the breach and the opportunity to counteract potential damage, provided without undue delay.

When applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators - not only in the event of a personal data protection breach, but also when developing technical and organizational security measures to prevent them - these values should be taken into account in the first place.

Consequently, it should be stated that the Administrator did not report a personal data protection breach to the supervisory authority in fulfillment of the obligation under Art. 33 section 1 of Regulation 2016/679 and failed to notify data subjects without undue delay of a breach of data protection, in accordance with Art. 34 section 1 of Regulation 2016/679, which means a violation of these provisions by the Administrator.

Pursuant to Art. 34 section 4 of Regulation 2016/679, if the controller has not yet notified the data subject about the personal data protection breach, the supervisory authority - taking into account the likelihood that the personal data breach will result in a high risk - may require him to do so or may determine that that one of the conditions referred to in section 3. In turn, according to the content of Art. 58 section 2 lit. e) of Regulation 2016/679 states that each supervisory authority has the corrective power to order the controller to notify the data subject about a data protection breach.

Based on Article. 58 section 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other corrective measures provided for in Art. 58 section 2 lit. a) - h) and letters j) of this Regulation, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Administrator based on Art. 83 section 4 lit. a) of Regulation 2016/679, which states, among others, that violation of the administrator's obligations referred to in Art. 33 and 34 of Regulation 2016/679, is subject to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher.

When determining the amount of the penalty, the President of the Personal Data Protection Office took into account the following circumstances of the case that had an aggravating effect on the amount of the financial penalty imposed:

a) The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679). Controller conducts activities involving the assessment and estimation of value and quality in the field of (…). According to the information contained on the website: (...), Mrs. K.W. serves as a quality appraiser (...) at the Provincial Inspectorate of the Trade Inspection in X., a court expert for quality (...) at the District Court in B., a court expert at the District Court in O., a court expert at the District Court in B. , tax expert for estimating the quality and value of movable property in terms of quality (...) at the Tax Chamber in Y. Mrs. K.W. he is also a certified court mediator.

The violation detected in this case is of significant importance and serious nature, because reporting personal data protection breaches by data controllers is an effective tool contributing to a real improvement in the security of personal data processing. First of all, based on the information provided by controllers in reports of personal data protection breaches, the supervisory authority may assess whether the controller has correctly analyzed the impact of the breach on the rights and freedoms of the data subjects covered by the breach and, consequently, whether there is a high risk of breach. rights or freedoms of natural persons and it is necessary to notify these persons about a breach of their data. Correctly fulfilled by administrators the obligations specified in Art. 33 section 1 and 34 section 1 and 2 of Regulation 2016/679 also allow for limiting the negative effects of such violations and eliminating or at least limiting the risk of this type of violations in the future, because controllers are obliged to take actions that will ensure proper protection of personal data by applying appropriate security measures and monitoring their effectiveness. . Moreover, it should be emphasized that failure to notify data subjects about a breach of the protection of their personal data may lead to material or non-material damage, and the probability of their occurrence is high. The President of the Personal Data Protection Office considers the long duration of the infringement to be an aggravating factor. More than 12 months have passed since the Administrator received information about the breach of personal data protection until the date of issuance of this decision, during which the risk of violating the rights and freedoms of persons affected by the breach could have materialized, and which these persons could not have counteracted due to the Administrator's failure to comply with the obligations. obligation to notify them of the breach. It should also be emphasized that the administrator sent an inquiry to the President of the Personal Data Protection Office regarding the theft of documents from his laptop desktop using the UI application. However, even at the request of the President of the Personal Data Protection Office, he did not report a personal data protection breach in the manner specified in Art. 33 section 3 of Regulation 2016/679.

b) Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679). In accordance with the Guidelines of the Article 29 Working Party on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 WP253 (adopted on 3 October 2017, approved by the EDPB on May 25, 2018), intentionality "includes both knowledge and intentional action in connection with the characteristics of the prohibited act." The Administrator made a conscious decision not to notify the President of the Personal Data Protection Office and the data subjects about the breach, despite the fact that the President of the Personal Data Protection Office first informed the Administrator about his obligations in connection with the data protection breach. Finally, the very initiation of these proceedings by the President of the Personal Data Protection Office regarding failure to fulfill the obligation to report a personal data protection breach to the supervisory authority and to notify data subjects about the breach should at least raise doubts for the Administrator as to the validity of the position he has adopted.

c) The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). In this case, the President of the Personal Data Protection Office found that the Administrator did not cooperate with the supervisory authority at all in as part of the performance of his duties. This assessment concerns the lack of reaction of the Administrator to letters sent by the President of the Personal Data Protection Office informing about the obligations of the administrator in connection with the occurrence of a personal data protection breach, and finally, the lack of answers to questions asked to determine all the circumstances of the personal data protection breach. Actions that were correct in the opinion of the President of the Personal Data Protection Office (reporting the violation to the President of the Personal Data Protection Office and notifying persons affected by the violation) were not taken by the Administrator even after the President of the Personal Data Protection Office initiated administrative proceedings in the case.

d) Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679). The personal data subject to the breach do not fall into the special categories of personal data referred to in Art. 9 of Regulation 2016/679, however, the fact that the infringement covered a wide scope (names and surnames, residential addresses, e-mail addresses, telephone numbers and PESEL numbers) involves a high risk of violating the rights and freedoms of natural persons. PESEL number, i.e. an eleven-digit numerical symbol, uniquely identifying a natural person, containing the date of birth, serial number, gender designation and control number, and therefore closely related to the private sphere of the natural person and is also subject, as a national identification number, to exceptional protection under Art. 87 of Regulation 2016/679, is data of a special nature and requires special protection. There is no other such specific data that would clearly identify a natural person. It is not without reason that the PESEL number serves as a data identifying each person and is commonly used in contacts with various institutions and in legal circles. The PESEL number together with the name and surname clearly identifies a natural person, in a way that allows the negative effects of the violation (e.g. identity theft, loan fraud) to be attributed to that specific person.

When determining the amount of the administrative fine, the President of the Personal Data Protection Office found no grounds to take into account mitigating circumstances that affect the final penalty.

The other sanctions indicated in Art. had no influence on the fact that the President of the Personal Data Protection Office applied in this case sanctions in the form of an administrative fine, as well as on its amount. 83 section 2 of Regulation 2016/679, circumstances: 1. Actions taken by the controller to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679).

Based on the evidence collected in the case, no such actions were found to have been taken by the Administrator.2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 (Article 83(2)(d) of Regulation 2016/679).

The violation assessed in these proceedings (failure to report a personal data protection breach to the President of the Personal Data Protection Office and failure to notify about a personal data breach of data subjects) is not related to the technical and organizational measures used by the controller. 3. Relevant previous violations of the provisions of Regulation 2016/679 on the part of administrator (Article 83(2)(e) of Regulation 2016/679).

The President of the Personal Data Protection Office did not find any previous violations of personal data protection provisions committed by the Administrator, therefore there are no grounds to treat this circumstance as aggravating. And since such a state (compliance with the provisions on the protection of personal data) is a natural state resulting from the legal obligations incumbent on the Administrator, it cannot have a mitigating effect on the assessment of the violation made by the President of the Personal Data Protection Office.4. The manner in which the supervisory authority learned about the infringement (Article 83(2)(h) of Regulation 2016/679).

On the occurrence of the violation of the provisions of Art. 33 section 1 and art. 34 section 1 of Regulation 2016/679, the President of the Personal Data Protection Office was informed by the Administrator in connection with his inquiry regarding "theft of documents from the desktop of my laptop using the UI application. ". The administrator, despite being instructed on the procedure to be followed in such a situation by the supervisory authority, did not fulfill the obligations specified in the above-mentioned provisions.5. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679).

Before issuing this decision, the President of the Personal Data Protection Office did not apply any measures listed in Art. to the Administrator in the case under consideration. 58 section 2 of Regulation 2016/679, therefore the Administrator was not obliged to take any actions related to their application, and these actions, assessed by the President of the Personal Data Protection Office, could have an aggravating or mitigating effect on the assessment of the identified violation.6. Application of approved codes of conduct under Art. 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679).

The administrator does not use the instruments referred to in Art. 40 and art. 42 of Regulation 2016/679. However, their adoption, implementation and application are not - as stipulated in the provisions of Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. However, the adoption and use of this type of instruments as measures guaranteeing a higher than standard level of protection of processed personal data could be taken into account to the Administrator's advantage.7. Financial benefits obtained directly or indirectly in connection with the infringement or avoided losses (Article 83(2)(k) of Regulation 2016/679).

The President of the Personal Data Protection Office did not find that the Administrator obtained any financial benefits or avoided such losses in connection with the violation. Therefore, there are no grounds to treat this circumstance as aggravating the Administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state, independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. The same wording of the provision of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - occurring on the part of the entity committing the infringement.8. Other aggravating or mitigating factors applicable to the circumstances of the case (Article 83(2)(k) of Regulation 2016/679).

The President of the Personal Data Protection Office, comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the administrative fine imposed.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the circumstances of this case fulfills the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.

It should be emphasized that the penalty will be effective if its imposition leads to the Administrator complying with the applicable legal provisions and permanently ceasing further violations of the provisions of Regulation 2016/679 by not reporting personal data protection violations to the President of the Personal Data Protection Office and not notifying the persons concerned about the violations. data applies.

The administrator is an active entity that has been running a business since (…) October 2016. The President of the Personal Data Protection Office stated this on the basis of data contained in the Central Registration and Information on Economic Activity. The administrator serves as a quality appraiser (...) at the Provincial Inspectorate of the Trade Inspection in X, a court expert for quality (...) at the District Court in B., a court expert at the District Court in O., a court expert at the District Court in B. ., a tax expert for estimating the quality and value of movable property in the field of quality (...) at the Tax Chamber in Y. The administrator is also a certified court mediator.

In the opinion of the President of the Office for Personal Data Protection, the administrative fine will fulfill a repressive function as it will be a response to the Administrator's violation of the provisions of Regulation 2016/679. It will also have a preventive function; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the Administrator and other data controllers the reprehensibility of disregarding the obligations of controllers related to the occurrence of a personal data protection breach, which are intended to prevent its negative and often painful effects for the persons affected by the breach, as well as removing these effects or at least reducing them.

The deterrent nature of the fine is related to the prevention of future violations and the greater importance placed on the implementation of the controller's tasks. When imposing this administrative decision a financial penalty for violating the provisions on the protection of personal data, the President of the Personal Data Protection Office took into account both aspects: firstly - repressive nature: the Administrator has violated the provisions of Regulation 2016/679, secondly - preventive nature: the Administrator will be effectively discouraged from violating the law in the future protection of personal data, while at the same time exercising greater diligence in the implementation of its obligations under Regulation 2016/679.

The purpose of the imposed penalty is to ensure that the Administrator properly performs the obligations provided for in Art. 33 and 34 of Regulation 2016/679, and consequently to conduct data processing processes in accordance with applicable law.

Pursuant to the content of Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "PDA", the equivalent of the amounts expressed in euros referred to in Art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28 each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the next exchange rate table of the National Bank of Poland after this date.

Taking the above into account, the President of the Personal Data Protection Office, pursuant to Art. 83 section 4 lit. a) in connection with Art. 103 of the Personal Data Protection Act, for the violation described in the operative part of this decision, imposed on the Administrator - using the average euro exchange rate of January 30, 2023 (1 EUR = 4.7160 PLN) - an administrative fine in the amount of PLN 11,790 (equivalent to EUR 2,500 ).

In the opinion of the President of the Personal Data Protection Office, the fine imposed in the amount of PLN 11,790 (in words: eleven thousand seven hundred and ninety zlotys) meets the conditions referred to in Art. 83 section 1 of Regulation 2016/679 due to the seriousness of the identified violation in the context of the fundamental objective of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data.

Despite being requested, the administrator did not present the financial report. Therefore, the President of the Personal Data Protection Office, applying Art. 101a section 2 of the Personal Data Protection Act, determined the amount of the administrative fine on an estimated basis, taking into account the size of the entity and the specific nature of its business. Consequently, in the opinion of the President of the Personal Data Protection Office, it will not constitute an excessive burden for him.

In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.