UODO - DKN.5112.1.2020

From GDPRhub
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 03.12.2020
Published: 14.12.2020
Fine: 1968524 PLN
Parties: n/a
National Case Number/Name: DKN.5112.1.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: PUODO decisions (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish Data Protection Authority (PUODO) imposed a fine of approximately €443,000 on a mobile operator for not complying with the principles of data confidentiality and accountability set out in the GDPR.

English Summary

Facts

In December 2019 the mobile operator reported to PUODO a personal data breach concerning subscribers of its pre-paid services. The breach consisted in an unauthorised person gaining access to such data and obtaining 142,222 records of confirmation of registration of pre-paid services, containing the personal data of 114,963 customers in the scope of name and surname, PESEL registration number, series and ID card number, telephone number, NIP number and name of the entity. Given the extent of the personal data disclosed, the breach resulted in a high risk to the rights and freedoms of natural persons.

In connection with the incident PUODO decided to carry out an inspection in the company of the compliance of personal data processing with the GDPR. In relation to the infringements found during the inspection, PUODO initiated administrative proceedings ex officio concerning the infringement of the personal data protection provisions by failing to implement appropriate technical and organisational measures ensuring a level of security corresponding to the risk.

Dispute

Has the mobile operator implemented appropriate technical and organisational measures to ensure the security of the data processed?

Holding

The Polish DPA found that the mobile operator had violated the GDPR and imposed a fine on the company.

Comment

The personal data leak occurred as a result of unauthorised access to the data of subscribers of pre-paid services, obtained by exploiting a vulnerability in the company's IT system, namely the service generating the confirmation of prepaid card registration. The vulnerability consisted in the service's failure to verify all required parameters before generating a confirmation.

During the proceedings PUODO found that the company did not carry out comprehensive, regular testing, measurement and evaluation of the effectiveness of the technical and organisational measures intended to ensure the security of processing. In particular, the company did not test the security features of application A and system B with respect to the vulnerability that led to the personal data breach. Such tests were carried out only after the incident in December 2019.

In the documentation kept by the company describing the data processing process and the applied organisational and technical measures, issues concerning regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing were not regulated.

According to the company's assessment, the use of the vulnerability of the system for the attack in question, resulting in access to the data, was not dependent on a lack of proper testing, measurement or evaluation of the system, as the indicated activities were regularly and properly conducted by the company. The company did not agree with the allegation that regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing had not been carried out at the company. The company claimed to have conducted a wide range of activities aimed at verifying the correct functioning of the IT system, application A and [...] system B used to register prepaid cards.

Prior to the occurrence of the breach, the company adopted data protection measures in the form of: procedures defining the methodology of risk analysis, the procedure of classification of information security levels, the information security policy, the procedure of managing the IT system together with annexes (particular procedures).

After examining the case, the DPA concluded that the company had breached the principle of confidentiality, whose correct implementation ensures that data are not made available to unauthorised persons: exploiting the vulnerability in the IT system allowed the data of pre-paid subscribers to be extracted from the company's database system and materialised the risk to the rights and freedoms of the natural persons whose data the company processes. PUODO emphasised that the safeguard adopted by the company to ensure the resilience of its IT systems, which checked only some of the required parameters and thereby allowed confidentiality to be breached, cannot be considered a security measure within the meaning of the GDPR. The vulnerability of the service consisted in the failure to verify all required parameters.

In response to the notice of initiation of administrative proceedings, the company indicated that before the infringement it had adopted data protection measures in the form of procedures specifying the methodology of risk analysis, procedures for classifying information security levels, an information security policy and procedures for managing the IT system together with annexes. In PUODO's opinion, the measures adopted by the company could have been effective if the procedures implemented had also included provisions for regular testing, measuring and evaluating the effectiveness of technical and organisational measures to ensure the security of processing, and if the company had complied with them. However, these issues were not regulated in the documentation, obtained in the course of the inspection, that describes the company's processing operations and the organisational and technical measures applied. In PUODO's opinion, the absence, in the procedures adopted by the company, of rules ensuring regular testing, measurement and evaluation of the effectiveness of the technical and organisational measures applied contributed to the personal data breach.

In the opinion of the Polish DPA, it is not sufficient to carry out tests only when a threat emerges, without a procedure establishing a timetable that ensures the effectiveness of the implemented measures is regularly tested, measured and evaluated. According to the collected material, despite the solutions adopted, the company was unable to detect the vulnerability because it did not regularly test system B, which, according to the company's explanations obtained during the audit, was supposed to verify [...] and the compliance of the application id with [...] registering the application.

It should be emphasised that regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing is a fundamental obligation of every controller and processor under Article 32(1)(d) GDPR. The controller is therefore obliged to verify both the selection and the level of effectiveness of the technical measures applied at each stage of processing. How comprehensive this verification must be should be assessed in terms of its adequacy to the risks and its proportionality to the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. In the case at hand, however, the company fulfilled this obligation only partially: it verified and modified the level of effectiveness of the implemented safeguards only where a vulnerability was suspected, and then undertook work to protect against that particular vulnerability. As mentioned above, no tests were carried out to verify the security features of application A and [...] system B in relation to the personal data breach.

It should therefore be stressed that reviews triggered by organisational or legal changes, as well as action taken only when a vulnerability is suspected, cannot be regarded as regular testing, measuring and evaluating of the effectiveness of the technical and organisational measures applied to ensure the security of data processing. Such activities are undertaken in connection with a specific event, e.g. an organisational change at the controller. They therefore resemble a risk analysis, which should indeed be carried out when the organisation or course of personal data processing changes in this way. By contrast, for testing, measurement and evaluation to satisfy the requirement of Article 32(1)(d) GDPR, they must be carried out on a regular basis, which means consciously planning, organising and documenting (in line with the principle of accountability in Article 5(2) GDPR) such activities at specific intervals, regardless of changes in the organisation and course of data processing caused, for example, by an organisational change at the controller. The company did not undertake such actions, which determines the breach of this provision of the GDPR.

The authority also addressed in detail the risk analysis carried out in the company. PUODO stated that the risk analysis was aimed only at demonstrating that there was no high risk to the rights and freedoms of natural persons, and hence that no additional technical and organisational measures were necessary. This approach resulted in a lack of a proper assessment of the risks to the processing of personal data of pre-paid subscribers and, consequently, in their inadequate protection, which resulted in the personal data breach. The DPA stressed that, like other organisational measures, the risk analysis should be periodically reviewed and updated. The lack of a reliable risk analysis, combined with the lack of regular testing, measurement and evaluation of the effectiveness of the technical and organisational measures implemented to ensure the security of processing, not only led to the personal data breach but also determines the company's breach of the obligations imposed on the controller under Article 24(1) GDPR, Article 25(1) GDPR, Article 32(1)(b) GDPR, Article 32(1)(d) GDPR and Article 32(2) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

DECISION
DKN.5112.1.2020
Pursuant to Article 104 § 1 of the Act of 14 June 1960 on the Code of Administrative Procedure (Journal of Laws of 2020), Article 7(1), Article 60 and Article 101 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and Article 57(1)(a), Article 58(2)(i), Article 83(3), Article 83(4)(a) and Article 83(2)(i) [...] Article 32(1)(b) and (d) and Article 32(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, as amended), following administrative proceedings concerning the processing of personal data by V.M.P. Sp. z o.o. with its registered office in W., the President of the Office for Personal Data Protection

having found that V.M.P. Sp. z o.o. with its registered office in W. infringed Articles 5(1)(f), 5(2), 25(1), 32(1)(b) and (d) and 32(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, as amended), the infringement consisting in V.M.P. Sp. z o.o. with its registered office in W. not implementing appropriate technical and organisational measures ensuring a level of security corresponding to the risk, imposes on V.M.P. Sp. z o.o. with its registered office in W. an administrative fine of PLN 1,968,524.00 (in words: one million nine hundred and sixty-eight thousand five hundred and twenty-four zlotys).

EXPLANATORY MEMORANDUM


On [...] December 2019 the Office for the Protection of Personal Data received a notification of a personal data breach submitted by V.M.P. Sp. z o.o. (hereinafter: the Company), registered under reference DKN.405.499.2019, concerning the personal data of subscribers of pre-paid services: an unauthorised person had gained access to such data and obtained 142,222 records of confirmation of registration of pre-paid services, containing the personal data of 114,963 customers in the scope of name and surname, PESEL registration number, series and ID card number, telephone number, NIP number and name of the entity. The incident subject to the notification took place in the period from [...] to [...] December 2019. Due to the extent of the personal data disclosed, this breach resulted in a high risk to the rights and freedoms of natural persons.

In connection with the reported breach, the President of the Office for Personal Data Protection (hereinafter: the President of the Office) decided to carry out an inspection in the Company of the compliance of personal data processing with the provisions on personal data protection, i.e. with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, as amended), hereinafter referred to as Regulation 2016/679 or the GDPR, and the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781). The scope of the inspection covered the method of processing, including data protection, in the provision of telecommunications services to subscribers of pre-paid services. In the course of the inspection (inspection ref. [...]), oral explanations were received from the Company's employees and system A, used to register the personal data of pre-paid service subscribers, was inspected. The facts are described in detail in the inspection protocol, which was signed by the Management Board of V.M.P. Sp. z o.o.

On the basis of the information and evidence gathered in the control proceedings, it was established that in the process of processing the data of pre-paid service subscribers, the Company, as the controller, breached the provisions on personal data protection. Those deficiencies consisted in the breach of the principle of data confidentiality expressed in Article 5(1)(f) of Regulation 2016/679 and the obligations which reflect that principle, specified in Articles 24(1), 25(1), 32(1)(b) and (d), and 32(2) of Regulation 2016/679 by not implementing appropriate technical and organisational measures ensuring a level of security corresponding to the risk of data processing by means of IT systems used for recording personal data of subscribers of pre-paid services.

 

The audit found that:

1) The subject of the Company's activity is the provision of wireless telecommunication services.

2) The legal basis and purpose of personal data processing by the Company in the process of registration of pre-paid services is the performance of a telecommunications service agreement concluded by means of an actual act, i.e. sending an SMS or MMS, downloading data or initiating a telephone call, based on the Act of 16 July 2014, Telecommunications Law (Journal of Laws of 2019, item 2460).

3) The obligation to obtain personal data for the prepaid service (registration of prepaid cards) was introduced by Article 60b Section 2 in connection with Section 1 of the Act of 16 July 2004, Telecommunications Law (Journal of Laws of 2019, item 2460, as amended), which entered into force on 25 July 2016. For subscribers of pre-paid services who concluded an agreement before the date of entry into force of the Act of 10 June 2016 on counter-terrorism activities (Journal of Laws of 2016, item 904), i.e. before 2 July 2016, the obligation of the subscriber to provide his or her personal data to the service provider was introduced by Article 60 of that Act.

4) The scope of personal data processed in connection with the registration of a pre-paid service in the case of a subscriber who is not a natural person includes the name of the entity, NIP number and telephone number; if the registration is carried out by an attorney, the attorney's personal data in the scope of name and surname and PESEL number or series and number of the identity document are also obtained. If a prepaid card is registered by a natural person, the name and surname, PESEL number, identity card or other document number and telephone number are collected. In addition, an e-mail address and telephone number are collected for contact purposes.

5) The aforementioned data are collected at the stage of card registration at points of sale (hereinafter "POS") operated by external entities with which the Company has signed cooperation agreements, which also specify the principles of entrusting the processing of personal data. For entities which do not have their own software solutions to provide the prepaid card registration service, the Company has developed application A for the registration of these cards.

6) The process of data registration via POS is carried out through application A available from the level of public network by means of a web browser. Personal data to this application is entered by the POS on the basis of a presented identity document.

7) Application A makes it possible to generate a printout of the registration confirmation. The solutions adopted for entities using their own IT systems for the registration of prepaid cards, e.g. cash systems or terminals, do not allow the printing of the card registration confirmation.

8) The central system used in the Company is an IT system called B, with which application A used to register prepaid cards is connected.

9) The creator of system B is T. Sp. z o.o. s.k.a. with its registered office in W. That company also maintained system B from [...] April 2014 to [...] June 2017. Since [...] July 2017 the operation and maintenance of system B has been carried out by employees of A. S.A. under a framework agreement.

10) Basic personal data are recorded in one central database table of system B, based on the database engine [...], which contains registration data entered by POS via application A and data from the systems of wholesale customers, i.e. customers which do not have access to application A but use their own IT systems.

11) The producer of application A is W. J. M. P. S. s.c. with its registered office in W. It developed the application, which has been in operation since [...] September 2014, and the same company has also handled the operation, development and supervision of application A until now. Application A is used for entering data into system B through a network interface [...]. Originally, the web service enabling the exchange of information between application A and the central system B was maintained by T. (from [...] April 2014 to [...] June 2017). Since [...] July 2017, the maintenance of this web service and of the system has been provided by A. S.A. with its registered office in K.

12) In the course of the audit, it was found that from [...] to [...] December 2019, an incident of personal data leakage occurred in the Company as a result of gaining unauthorised access to the data of subscribers of pre-paid services by using the vulnerability of the IT system, i.e. the service generating the confirmation of prepaid card registration. The vulnerability of the service generating the confirmation of registration consisted in lack of verification [...]. Correct verification consisted in generating a confirmation of registration only if [...]. System B did not verify [...].

13) The technical and organisational measures applied in the Company since [...] May 2018 (the date of application of Regulation 2016/679), i.e. prior to the infringement, were reviewed and updated as necessary in the event of organisational or legal changes (copy of an e-mail informing about the need to review the measures applied, together with a questionnaire).

14) The Company did not carry out comprehensive, regular testing, measurement and evaluation of the effectiveness of the technical and organisational measures aimed at ensuring the security of processing. Where a vulnerability was suspected, work was carried out to protect against that vulnerability (print-outs from system C confirming remedial actions taken on confirmed suspected vulnerabilities). This is also confirmed, inter alia, by the explanations submitted by the inspected entity in a letter of [...] March 2020 and by screenshots from system C submitted as evidence, indicating the performance of vulnerability tests [...] and verification of the data entered.

15) The Company did not carry out tests aimed at verifying the security features of application A and [...] system B concerning the vulnerability of the IT system related to the existing personal data infringement. Such actions were taken only after the occurrence of the incident on [...] December 2019.

16) In the documentation kept by the Company describing the data processing process and the applied organisational and technical measures, obtained in the course of control activities, i.e. "V.M. Personal Data Processing Policy", "[...] Procedure [...]", "[...] Plan [...]", issues concerning regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing were not regulated.

17) The company took corrective measures and removed the vulnerability of the IT system by modernising it through correlation [...]. Currently [...]. It has introduced a limitation [...]. Where there is a need to re-generate the application, this is possible [...].

 

Therefore, by letter of [...] June 2020 (ref. [...]), the President of the Office for Personal Data Protection informed the Company of the initiation of administrative proceedings ex officio concerning the infringement of the provisions on personal data protection by failing to implement appropriate technical and organisational measures ensuring a level of security corresponding to the risk. In the course of the proceedings, the President of the Office established the facts of the case in accordance with the findings of inspection ref. [...] (points 1-17 above). The President of the Office also obtained additional explanations from the Company (submitted by the Company's proxy in letters dated [...] July 2020 and [...] August 2020), which indicated, inter alia, that:

 

1) Since the beginning of its activity, the Company has offered pre-paid services in a model not requiring the provision of personal data. The requirement to provide data was introduced by the Act of 10 June 2016 on counter-terrorist activities (consolidated text: Journal of Laws of 2019, item 796). For the entry into force of Article 43 of that Act, which defines the scope of the data to be collected, the legislator set a 30-day deadline. As the Company's proxy pointed out, one month is definitely too short a time to implement and test changes of this scale in any IT system. The deadline imposed by the legislator increased the risk of errors and shortcomings.

2) At this stage of the proceedings, it was not proved who the attacker was. The use of the vulnerability showed that the attacker had previously had access to the system and knew [...]. Currently, the Company does not know if and for what period the attacker may have had access to the system. In the Company's opinion, it is up to the President of the Office to prove whether the data was made available to an unauthorised person.

3) The investigation on unauthorised access conducted by the District Prosecutor's Office in W. was discontinued by virtue of the decision of [...] July 2020 due to failure to detect the perpetrator. Therefore, the Company does not know whether the vulnerability was used to make personal data available to an unauthorised person. This circumstance requires clarification by the authority in the course of the proceedings.

4) Referring to the allegation of an infringement of Article 25(1) of Regulation 2016/679, the Company points out that the provisions of Regulation 2016/679 have applied since [...] May 2018, so at the time of introducing the changes required by the Act on Counter-Terrorism Activities the Company was not obliged to observe the principle of data protection by design. At later stages of processing, this principle is essentially the same as the obligation to secure personal data under Article 32 of Regulation 2016/679, since the principle of data minimisation contained in Article 25(1) of Regulation 2016/679 does not apply in this case because the scope of personal data is defined by law.

5) When deciding to implement and use System B, the Company has carried out numerous tests, measurements and assessments of whether it is appropriate to properly perform its functions, including securing personal data of subscribers entered into it. The risk for the rights and freedoms of data subjects has been constantly assessed by the Company. Each time in case of organizational or legal changes in the Company, technical and organizational measures were reviewed and updated.

6) In the Company's opinion, the way in which the vulnerability was used indicates that the personal data of the persons affected by the infringement were not obtained by bypassing the system's security from outside. An attack that relies on knowledge of the system is a harder risk to avoid than an external attack consisting in a breach of security.

7) According to the Company's assessment, the use of the vulnerability of the system for the attack in question, resulting in access to the data, was not dependent on a lack of proper testing, measurement or evaluation of the system, as the indicated activities were regularly and properly conducted by the Company. This is confirmed by the printouts from system C concerning the vulnerabilities [...] and the verification of the data input, which prove that although V. did not carry out tests specifically related to the vulnerabilities used in the attack of [...]-[...] December 2019, other tests [...] aimed at detecting the vulnerabilities and improving the quality of the data were carried out.

8) The Company does not agree with the allegation that regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing were not carried out at the Company. The Company conducted a wide range of activities aimed at verifying the correct functioning of the IT system, application A and [...] system B used to register prepaid cards. The Company has on several occasions comprehensively carried out technical and organisational security reviews, such as the audit in November 2019, the review of contracts, the certification audit, reviews and assessments of security and risk with the participation of the Management Board, carried out in December 2019. These activities were continued in 2020, among others in connection with the implementation of ISO.

9) Prior to the occurrence of the breach, the Company adopted data protection measures in the form of: procedures defining the methodology of risk analysis, the procedure of classification of information security levels, the information security policy, the procedure of managing the IT system together with annexes: [...] Procedure [...], [...] Procedure [...], [...] Policy [...], [...] Procedure [...], [...] Procedure [...], [...] Procedure [...], [...] Procedure [...] and [...], and elements [...]: [...] Plan [...], [...] Plan [...], [...] Plan [...].

10) The Company, by letter of [...] August 2020, explained that the scope of the data to which the infringement referred in the letter of [...] July this year was much narrower than that indicated in the personal data infringement notification of [...] December 2019, point 5. The infringement of the full scope of personal data occurred only in 4522 cases, i.e. it referred to first names and surnames, PESEL number and subscriber document number. In the remaining scope, the infringement referred to: first names, surnames and PESEL number (108702 cases) or subscriber's document number (10167 cases). 

11) The Company filed a copy of the following certificates obtained on [...].07.2020: ISO/IEC 27001:2013 certifying the implementation and maintenance by the Company of an information security management system for services provided by a telecommunications operator and ISO/IEC 27701:2019 certifying the implementation and maintenance by the Company of a personal data management system as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013 for privacy management of services provided by a telecommunications operator.

12) In a letter of [...] October 2020 (supplemented by a letter dated [...] October 2020), the Company indicated that the requirements for maintaining the certificates of compliance of its management system with the implemented standards mean in particular: verifying that a number of comprehensive reviews of the security and functioning of the management system (personal data and information security) were carried out (prior to receiving the certificate); committing (in the agreement with the institution issuing the certificate) to a similar comprehensive management review at least once a year (in the coming years) and to at least one internal audit in the area of each standard; and subjecting the functioning of the information security and data protection management system in the Company to an annual audit by the independent institution issuing the certificate.

13) In accordance with the requirements for maintaining the certificates of compliance with the implemented standards, the Company performs and documents, on an ongoing basis, the measurement of the effectiveness of the technical and organisational measures aimed at ensuring the security of processing through: measuring the number of personal data processing processes (activities) with a full description in relation to all personal data processing processes (evidence: "[...]"); measuring the number of IT systems processing personal data with a full description in relation to all systems (evidence: "[...]"); measuring the number of processes for which a risk analysis was carried out for the purpose of assessing the impact of the processing on the protection of personal data (evidence: "[...]"); measuring the number of identified security incidents (including personal data breaches) and the number of complaints by data subjects about the lack of appropriate safeguards; formally defining the objectives set for the Company in the area of personal data protection and information security (evidence: [...] effective from [...] December 2019); preparing and implementing a procedure for measuring these objectives; internal vulnerability testing of IT systems; and penetration tests carried out in July 2020 by an external company, I. sp. z o.o.


After considering all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following:

Article 5 of Regulation 2016/679 indicates the rules concerning the processing of personal data which must be respected by all controllers, i.e. entities which determine the purposes and means of the processing of personal data themselves or jointly with others. According to Article 5(1)(f) of Regulation 2016/679, personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organisational means. The principle of integrity and confidentiality mentioned in this provision states that data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organisational means. Data confidentiality is a property which ensures that the data are not made available to unauthorised entities.

In accordance with Article 24(1) of the Regulation, taking into account the nature, scope, context and purposes of the processing, and the risks of violation of the rights or freedoms of natural persons of varying degrees of likelihood and seriousness, the controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with this Regulation and to demonstrate this. Those measures shall be reviewed and updated as necessary.

Article 24(1) sets out the basic and main obligation of the controller, which consists in the implementation of appropriate technical and organisational measures to ensure that the processing complies with the requirements of Regulation 2016/679. This concerns in particular the implementation of the principles set out in Article 5(1) of Regulation 2016/679.

However, pursuant to Article 25(1), the controller shall, both when determining the means of processing and during the processing itself, implement appropriate technical and organisational measures designed to ensure the effective implementation of data protection principles (data protection by design).

Pursuant to Article 32(1)(b) of Regulation 2016/679, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, and the risk of harming the rights or freedoms of individuals of varying likelihood and seriousness, the controller and processor shall implement appropriate technical and organisational measures to ensure a degree of security appropriate to those risks, including, where appropriate, the ability to ensure the continuing confidentiality, integrity, availability and resilience of the processing systems and services, and, pursuant to Article 32(1)(d) of Regulation 2016/679, a process for regularly testing, measuring and evaluating the effectiveness of the technical and organisational measures to ensure the security of processing.

In accordance with Article 32(2) of Regulation 2016/679, when assessing whether the degree of security is adequate, the controller shall in particular take account of the risks represented by the processing, in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

Article 32 of Regulation 2016/679 thus concretises the principle of integrity and confidentiality set out in Article 5(1)(f) of Regulation 2016/679. However, Article 5(2) of Regulation 2016/679 requires the controller to demonstrate, in this case, that it has ensured adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organisational means.

The principle of confidentiality, the correct implementation of which ensures that data is not made available to unauthorised persons, has, as is apparent from the established facts, been breached as a result of the exploitation of a vulnerability in the IT system, which resulted in the obtaining of data of subscribers of pre-paid services from the Company's database system and the materialisation of the risk of breaching the rights and freedoms of the natural persons whose data are processed by the Company.

The President of the Office for the Protection of Personal Data indicated in the notice of initiation of administrative proceedings that the Company has not fulfilled the obligation resulting from Article 32(1)(b) and (d) of Regulation 2016/679, consisting in the selection of effective technical and organisational measures to ensure the security of the processed data, including the ability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services, as well as solutions ensuring regular testing, measuring and evaluating the effectiveness of the adopted technical and organisational measures, and has thereby also failed to comply with the obligations of the controller to ensure and demonstrate the compliance of the processing with the requirements of the Regulation, referred to in Article 24(1) of Regulation 2016/679, and with the obligation to effectively implement the data protection principles referred to in Article 25(1) of Regulation 2016/679, and consequently infringed the principle of confidentiality laid down in Article 5(1)(f) of Regulation 2016/679 and the principle of accountability resulting from Article 5(2) of Regulation 2016/679.

It should be emphasized that the security measure adopted by the Company to ensure the resilience of IT systems, consisting only in the verification of [...], as a result of which data confidentiality was breached, cannot be considered a security measure within the meaning of the aforementioned provisions of Regulation 2016/679. The personal data of pre-paid service subscribers were breached as a result of the exploitation of a vulnerability in the IT system [...] enabling unauthorised access to data. The vulnerability of the service [...] consisted in the failure to verify all required parameters, i.e. [...]. The correct verification should have consisted in [...] only if [...]. System B did not verify [...] or whether the request came from this [...].

In response to the notice of initiation of administrative proceedings, the Company indicated that before the occurrence of the infringement it had adopted data protection measures in the form of procedures specifying the methodology of risk analysis, procedures for classifying information security levels, information security policy, procedures for managing the IT system together with annexes: [...] Procedure [...], [...] Procedure [...], [...] Policy [...], [...] Procedure [...], [...] Procedure [...], [...] Procedure [...], [...] Procedure [...] and procedure [...], and elements [...]: [...] Plan [...], [...] Plan [...], [...] Plan [...].

In the opinion of the President of the Office for Personal Data Protection, the measures adopted by the Company could have been effective if the procedures implemented had also included provisions for regular testing, measuring and evaluating the effectiveness of the technical and organisational measures ensuring the security of processing, and if those provisions had been complied with by the Company. However, in the documentation kept by the Company describing the data processing process and the applied organisational and technical measures, obtained in the course of the inspection, these issues were not regulated.

As indicated by the Provincial Administrative Court in Warsaw in the judgment no. II SA/Wa 2826/19 of 26 August 2020: "This provision [Article 32 of the GAC] does not require the controller to implement any technical and organisational measures which are to constitute personal data protection measures, but requires the implementation of adequate measures. Such adequacy should be assessed in terms of the way and purpose for which personal data are processed, but also taking into account the risks associated with the processing of these personal data, which may vary in height. (...) The measures adopted are to be effective, in specific cases some will have to be low-risk measures, others will have to be high-risk measures, but it is important that all measures (and each individual measure) are adequate and proportionate to the degree of risk", a position which this authority shares.

In the opinion of the President of the Office for Personal Data Protection, the lack of regulations in the procedures adopted by the Company ensuring regular testing, measurement and evaluation of the effectiveness of the applied technical and organisational measures to ensure the security of data processing has contributed to the occurrence of personal data protection violations.

At the same time, it appears from the evidence gathered during the inspection that regular testing, measuring and evaluation of the effectiveness of the technical and organisational measures to ensure the security of processing was not carried out in the Company. In situations where a vulnerability was suspected, only work aimed at protecting against that particular vulnerability was carried out (print-outs from system C confirming remedial actions taken concerning confirmed suspicions of system vulnerabilities). The above is also confirmed, inter alia, by the explanations submitted by the inspected entity in the letter of [...] March 2020 and by the screenshots from system C, sent for evidential purposes, indicating the performance of vulnerability tests [...] and verification of the entered data. However, no tests aimed at verifying the security features of application A and [...] system B concerning the vulnerability of the IT system related to the personal data breach in question were conducted. Such actions were taken only after the incident of [...] December 2019. The technical and organisational measures applied in the Company from [...] May 2018 [...] until the occurrence of the breach were reviewed and updated only in the event of organisational or legal changes (a copy of the e-mail informing about the need to review the applied monitoring, together with a questionnaire).

It should be noted that, as follows from the material collected during the inspection, the developer of system B was T. Sp. z o.o. s.k.a., which also dealt with the maintenance of system B, as well as the maintenance of [...] enabling the exchange of information between application A (developed by W.J.M.P.S. s.c. and operating from [...] September 2014) and the central system B in the period from [...] April 2014 to [...] June 2017. Those functions were subsequently taken over by A.S.A. and are still performed by it to date.

The change of operator, in the opinion of the President of the Office, should entail a comprehensive assessment of the effectiveness of the technical and organisational solutions implemented to ensure the security of the data processed in the Company's IT systems. The evidence gathered in the course of the proceedings does not show that such an assessment was carried out in this situation. It should be stressed that this change took place already during the period in which Regulation 2016/679 was in force, a period in which the EU legislator left controllers two years to adapt data processing to the requirements of the Regulation.

As explained in [...] January 2020, the Company indicated that the last comprehensive review of technical and organisational measures was carried out in May 2018. As can be seen from the subsequent explanations of [...] July 2020: "The Company, in deciding to implement and use System B, has carried out numerous tests, measurements and assessments of whether it is appropriate for it to properly fulfil its functions, including securing the personal data of subscribers entered in it". The Company further points out that "The risk to the rights and freedoms of data subjects has been constantly assessed by the Company. Each time in case of organizational or legal changes in the Company, technical and organizational measures were reviewed and updated. It proves that these activities were carried out according to individual needs of the Company. During the use of the above mentioned system, the Company made every effort to ensure that the system fulfilled its functions and properly protected the data entered into it. As indicated above, taking into account the state of technical knowledge that the Company had at its disposal at the time of this event, the technical solutions adopted and applied by it were at the highest possible level".

The President of the Office for the Protection of Personal Data cannot agree with this position, because in order to detect the vulnerability that was exploited, it would have been sufficient to verify the basic principle of system B's operation, i.e. to check whether [...], while the failure to take this action indicates ineffective or inappropriate performance of the reviews indicated by the Company. Verification of the correctness of the validation of [...] of the above-mentioned data does not require any specialist knowledge or large financial outlays, but only access to the system. Moreover, it should be stressed that the vulnerability identified as a result of the personal data breach is related to the technical means used to identify users, and consequently their rights in the system. As indicated by the Company in the personal data breach notification of [...] December 2019: "the breach consisted of using [...] for its purpose is [...], due to a design error it allowed [...]. The identification argument [...], which should be validated in such a way that only knowing [...] is not really taken into account. Therefore, it was possible to invoke [...] when specifying [...]. The attacker used [...]". The verification of the correctness of the validation assumed [...] is so obvious and fundamental that the only correct conclusion that can be drawn is that putting a system for the processing of personal data into use without the correct functioning of the above-mentioned validation demonstrates gross negligence of the basic obligations of the controller of personal data in the context of Article 32 GDPR.

According to the Company, "the use of the system's vulnerability to the attack in question, resulting in gaining access to data, was not dependent on the lack of proper testing, measurement or evaluation of the system, because the indicated activities were regularly and properly conducted by the Company. This is confirmed by the printouts from system C concerning the vulnerability [...] and the verification of the data input, which prove that although V. did not carry out tests specifically related to the vulnerability used in the attack of [...]-[...] December 2019, other tests [...] aimed at detecting the vulnerability and improving the quality of the data were being carried out".

In the opinion of the President of the Office, it is not sufficient to carry out tests only in the event of an emerging threat, without a procedure establishing a timetable which ensures that the effectiveness of the implemented measures is regularly tested, measured and evaluated. According to the collected material, the Company, despite the adopted solutions, was not able to detect the vulnerability due to the lack of regular testing of system B, which, according to the Company's explanations obtained during the inspection, was supposed to verify [...] and the compliance of the application id with [...] registering the application.

It should be emphasised that regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing is a fundamental obligation of each controller and processor under Article 32(1)(d) of Regulation 2016/679. The controller is therefore obliged to verify both the selection and the level of effectiveness of the technical measures applied at each stage of the processing. The comprehensiveness of this verification should be assessed in terms of its adequacy to risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and objectives of the processing. However, in the actual state of affairs in question, the Company has partially fulfilled this obligation by verifying and modifying the level of effectiveness of the implemented safeguards in situations where there was a suspicion of vulnerability - then work was undertaken to protect against the given vulnerability. As mentioned above, no tests were carried out to verify the security features of application A and [...] system B related to a personal data breach.

Nor can it be considered that the activities indicated by the Company, consisting in subjecting technical and organisational measures to reviews and updates in the event of organisational or legal changes, constitute fulfilment of the controller's obligation to ensure regular testing, measurement and evaluation. Such actions do not satisfy the requirement of regularity. The tests should be performed regardless of whether such changes in the Company's operations take place or not. The changes referred to by the Company should, however, be a factor triggering the need to re-analyse the risks and their impact on the security of the processed data, the result of which should be taken into account when applying the security measure that regular testing constitutes.

It should therefore be stressed that reviews carried out in the event of organisational or legal change, as well as actions taken only when a vulnerability is suspected, cannot be considered regular testing, measuring and evaluating of the effectiveness of the technical and organisational measures applied to ensure the security of data processing. They are undertaken in connection with the occurrence of a specific event, e.g. an organisational change at the controller. They are therefore closer to a risk analysis, which should be carried out in the situation of this type of change in the organisation and course of personal data processing. Meanwhile, the indicated testing, measurement and evaluation, in order to constitute the implementation of the requirement resulting from Article 32(1)(d) of Regulation 2016/679, must be carried out on a regular basis, which means the conscious planning and organisation, as well as the documentation (in relation to the principle of accountability referred to in Article 5(2) of Regulation 2016/679), of this type of activities at specific intervals, regardless of changes in the organisation and course of data processing caused, for example, by an organisational change at the controller. However, the Company has not undertaken such actions, which determines the breach of this provision of Regulation 2016/679.

The President of the Office for the Protection of Personal Data shares the view expressed by the Voivodship Administrative Court in Warsaw in the judgment of 3 September 2020 under the number II SA/Wa 2559/19, according to which: "Regulation 2016/679 introduced an approach in which risk management is the cornerstone of personal data protection activities and is a continuous process. Entities processing personal data are obliged not only to ensure compliance with the guidelines of the above mentioned regulation through one-off implementation of organisational and technical security measures, but also to ensure continuous monitoring of the level of threats and to ensure accountability for the level and adequacy of implemented safeguards. This means that it becomes necessary to be able to prove to the supervisory authority that the solutions introduced to ensure the security of personal data are adequate to the level of risk, as well as taking into account the nature of the organisation and personal data processing mechanisms used. The controller is to carry out a detailed analysis of the conducted data processing and risk assessment, and then apply such measures and procedures as will be adequate to the estimated risk.

The consequence of such an orientation is the resignation from lists of security requirements imposed by the legislator in favour of an independent selection of safeguards based on a risk analysis. No specific security measures or procedures are indicated to controllers. The controller is to carry out a detailed analysis of the data processing processes and risk assessment on his own, and then apply such measures and procedures as will be appropriate to the estimated risk."

In the context of the aforementioned judgment, it should be pointed out that the risk analysis carried out by the controller of personal data should be documented and justified on the basis, first of all, of the determination of the factual situation existing at the time of its performance. In particular, account should be taken of the characteristics of the processes taking place, assets, vulnerabilities, threats and existing safeguards, within the framework of the processing of personal data.

The term asset is used to indicate everything that constitutes value for the organisation, the company - the personal data controller. Some assets will represent a higher value than others, and also from this perspective they should be evaluated and secured. The interconnection of existing assets is also very important, e.g. the confidentiality of assets (personal data) will depend on the type and manner of processing of these data. Determining the value of assets is necessary to estimate the effects of a possible incident (personal data breach).

Determination of existing safeguards is necessary, among other things, in order not to duplicate them. The effectiveness of these safeguards must also be absolutely checked, since the existence of an untested safeguard may, on the one hand, eliminate its value, on the other hand, it may give a false sense of security and may result in the omission (undetection) of a critical vulnerability which, if used, will have very negative consequences, including, in particular, a personal data breach.

A vulnerability is commonly understood as a weakness or gap in security that may be exploited by a threat and may lead to incidents or breaches of personal data protection. Identifying threats consists in determining which threats may arise and from what direction (for what reason).

A method of risk analysis is, for example, to define the level of risk as the product of the probability and consequences of an incident. Typically, a risk matrix is used to visualize risk levels, showing the risk levels for which the organisation defines appropriate actions.

The risk analysis presented in the course of the inspection, carried out in May 2018, does not fully reflect the actual state of the process [...] subject to inspection, in relation to the occurrence of the personal data breach reported by the Company on [...] December 2019. According to the material collected during the inspection, the review of technical and organisational measures was carried out by the Company only before the general regulation became applicable. However, it cannot be considered real and reliable, as it did not lead to the disclosure of vulnerabilities in the functioning of the system.

It should be stressed that examination of the likelihood of a given event occurring should not be based solely on the frequency of occurrence of events in a given organisation, because the fact that a given event has not occurred in the past does not mean that it cannot occur in the future.

The threat indicated in the presented risk analysis in the form of "unauthorised access by third parties or unauthorised disclosure of data to third parties" should not be determined by the Company at the level "Not applicable", as this event may occur in any organisation for many different reasons, while the answer "Not applicable" would be justified if the Company did not process personal data in this process. However, as is evident from the evidence established in the course of the inspection and administrative proceedings, it is precisely this threat that has materialised by using an unidentified vulnerability existing in the process of personal data processing [...] in connection with the existing breach of personal data protection of pre-paid service subscribers.

The adoption of the value "Medium/low" and the assessment at level "2" for the threat of "no vulnerability testing of IT systems" also indicates a superficial approach by the Company to the risk of violation of the rights and freedoms of natural persons. The adopted assessment should reflect the real situation prevailing in a given organisation and should be based primarily on the facts established during the examination of that situation, carried out in the form of an audit, a check or on the basis of the established facts. However, as is evident from the evidence gathered during the inspection, in 2019 the Company did not review the technical and organisational measures applied, which in itself disqualifies the assessment made at this level, and, as indicated above, actions taken incidentally do not satisfy the requirement of regularity.

The above findings make it possible to unequivocally state that the risk analysis carried out was only aimed at proving that there is no high risk of infringing the rights and freedoms of natural persons, and thus that it is not necessary to implement additional technical and organisational measures. However, such an approach resulted in a lack of proper assessment of the risks to the process of processing personal data of subscribers of pre-paid services (a process called [...]) and, as a consequence, their improper protection, which resulted in a breach of personal data protection.

It should also be noted that the risk analysis presented was carried out in May 2018, so for a period of more than one and a half years (from May 2018 to December 2019) the Company did not take any action to verify the assumptions and assessments made in it. Meanwhile, like other organisational measures, the risk analysis should also be periodically reviewed and updated and, according to the material gathered, the next risk analysis for the process [...] was not carried out until [...] December 2019, i.e. after the personal data breach had occurred. It should be emphasised that any check, audit or review must be based on complete and reliable information. The functioning of any organisation, especially in the sphere of personal data protection, must not be based on unreliable or unrealistic grounds, and disregard for the value of basic information may result, as indicated above, in a false sense of security and a failure by the controller to take the actions to which it is obliged, which in turn may result, as in the present case, in a breach of personal data protection causing, due to the scope of the personal data affected, a high risk of infringing the rights and freedoms of individuals.
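The following is an added example, not part of the decision or of the Company's documentation: it applies the risk analysis method described above (risk as the product of likelihood and consequences, read off a risk matrix) to a constructed risk register, and turns the two defects the authority found into automatic checks: a threat inherent to any processing of personal data scored "Not applicable", and a risk analysis or vulnerability test that is older than its planned review interval. All threat names, scales, dates and intervals are constructed for illustration.

```python
"""Constructed risk-register checker (added example, not the Company's code).

Encodes the decision's points: risk = likelihood x consequences on a matrix,
inherent threats may not be rated "not applicable", and a low score for
"no vulnerability testing" must be backed by recent test evidence.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed 0-5 likelihood scale. 0 ("not applicable") is only defensible
# when the threat genuinely cannot arise, e.g. no personal data is processed.
LIKELIHOOD = {"not applicable": 0, "low": 1, "medium/low": 2,
              "medium": 3, "high": 4, "very high": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Threats that exist for every process handling personal data (constructed
# list; the first entry is the threat the decision discusses).
INHERENT_THREATS = {
    "unauthorised access by third parties or unauthorised disclosure of data to third parties",
    "no vulnerability testing of IT systems",
}
TESTING_THREAT = "no vulnerability testing of IT systems"


def risk_score(likelihood: str, consequence: str) -> int:
    """Risk as the product of the two factors, the method the decision cites."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def matrix_level(score: int) -> str:
    """Map a product onto the bands of a constructed 5x5 risk matrix."""
    if score == 0:
        return "not assessed"   # a zero product means the risk was never rated
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 14:
        return "high"
    return "critical"


@dataclass
class ThreatEntry:
    threat: str
    likelihood: str
    consequence: str


@dataclass
class ProcessRisk:
    name: str
    processes_personal_data: bool
    analysis_date: date                      # when the risk analysis was done
    last_vulnerability_test: Optional[date]  # None = no documented test
    review_interval: timedelta               # planned interval for re-analysis and testing
    entries: List[ThreatEntry] = field(default_factory=list)


def review_register(proc: ProcessRisk, as_of: date) -> List[str]:
    """Return the findings a reviewer would raise against the register; empty if none."""
    findings: List[str] = []
    for e in proc.entries:
        # Finding type 1: an inherent threat cannot be "not applicable" for a
        # process that handles personal data (the decision's first objection).
        if proc.processes_personal_data and e.threat in INHERENT_THREATS \
                and LIKELIHOOD[e.likelihood] == 0:
            findings.append(f"{e.threat!r} rated 'not applicable' although the process handles personal data")
        # Finding type 2: a low score for lack of testing is only credible if
        # testing actually happened within the planned interval.
        if e.threat == TESTING_THREAT and LIKELIHOOD[e.likelihood] <= 2:
            tested_recently = (proc.last_vulnerability_test is not None
                               and as_of - proc.last_vulnerability_test <= proc.review_interval)
            if not tested_recently:
                findings.append(f"{e.threat!r} scored {e.likelihood!r} without a test in the last "
                                f"{proc.review_interval.days} days")
    # Finding type 3: the analysis itself has not been reviewed on schedule.
    if as_of - proc.analysis_date > proc.review_interval:
        findings.append(f"risk analysis of {proc.analysis_date} not reviewed within "
                        f"{proc.review_interval.days} days")
    return findings


def constructed_deficient_register() -> ProcessRisk:
    """Register mirroring the defects described in the decision (dates constructed)."""
    return ProcessRisk(
        name="pre-paid registration (constructed)", processes_personal_data=True,
        analysis_date=date(2018, 5, 15), last_vulnerability_test=None,
        review_interval=timedelta(days=365),
        entries=[ThreatEntry(next(iter(sorted(INHERENT_THREATS, reverse=True))), "not applicable", "major"),
                 ThreatEntry(TESTING_THREAT, "medium/low", "moderate")])


def constructed_compliant_register() -> ProcessRisk:
    """Same process with the analysis and testing kept on schedule (constructed)."""
    return ProcessRisk(
        name="pre-paid registration (constructed)", processes_personal_data=True,
        analysis_date=date(2019, 6, 1), last_vulnerability_test=date(2019, 9, 1),
        review_interval=timedelta(days=365),
        entries=[ThreatEntry(next(iter(sorted(INHERENT_THREATS, reverse=True))), "medium", "major"),
                 ThreatEntry(TESTING_THREAT, "low", "moderate")])


def example_findings(as_of: date = date(2019, 12, 10)) -> List[str]:
    return review_register(constructed_deficient_register(), as_of)


if __name__ == "__main__":
    for finding in example_findings():
        print("FINDING:", finding)
    print("compliant register findings:", review_register(constructed_compliant_register(), date(2019, 12, 10)))
```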

As indicated by the Provincial Administrative Court in Warsaw in the judgment no. II SA/Wa 2826/19 of 26 August 2020: "(...) activities of a technical and organisational nature are the responsibility of the controller of personal data, but cannot be selected in a completely free and voluntary manner, without taking into account the degree of risk and the nature of the protected personal data", which this authority adopts as its own view.

Therefore, the lack of a reliable risk analysis, combined with the lack of regular testing, measurement and evaluation of the effectiveness of the technical and organisational measures implemented to ensure the security of the processing, has, it should be reiterated, led to a breach of personal data protection, and also determines the breach by the Company of the obligations incumbent on the controller under Articles 24(1), 25(1), 32(1)(b) and (d) and 32(2) of Regulation 2016/679.

However, with regard to the submitted copies of the certificates obtained on [...] July 2020, namely ISO/IEC 27001:2013, certifying the implementation and maintenance by the Company of an information security management system for services provided by a telecommunications operator, and ISO/IEC 27701:2019, certifying the implementation and maintenance by the Company of a personal data management system as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013 for the management of privacy with respect to services provided by a telecommunications operator, and the explanations provided in this respect, it should be considered that in the course of the proceedings the Company has remedied the shortcoming consisting in the lack of procedures ensuring that the effectiveness of the adopted measures is regularly tested, measured and evaluated in the documentation maintained by the Company describing the data processing process and the organisational and technical measures applied.

As indicated by the Company in the submitted explanations, the requirements for maintaining certificates of compliance of the management system in the Company with the implemented standards mean, among other things, that the functioning of the information security and data protection management system is subject to an annual internal audit conducted by the Company and an external independent institution issuing the certificate. The above means that the Company has implemented solutions ensuring regular testing, measurement and evaluation of the effectiveness of the adopted measures ensuring data processing security. However, these solutions were not implemented until [...] July 2020, i.e. after a significant period of time since the occurrence of a breach of personal data protection of pre-paid service subscribers.

Referring to the Company's explanations and the circumstances indicated therein, namely that at the time of introducing the changes required by the Act on Counter-Terrorism Activities the Company was not obliged to comply with the principle of data protection by design referred to in Article 25(1) of Regulation 2016/679, the President of the Office points out that the Act on Counter-Terrorism Activities entered into force on 2 July 2016, i.e. after the entry into force of Regulation 2016/679, which was published in the Official Journal of the EU on 4 May 2016. According to Article 99(1) of Regulation 2016/679, the Regulation enters into force on the twentieth day after its publication in the Official Journal of the European Union and applies from 25 May 2018 (Article 99(2)). Thus, on 24 May 2016 Regulation 2016/679 entered into force, with direct application from 25 May 2018. As highlighted in recital 171 of Regulation 2016/679 (the recitals contain the justification for the provisions of the enacting terms of the act, which is the Regulation), processing already under way on the date of application of the Regulation should be brought into line with its provisions within two years of its entry into force. Bearing in mind that systems B and A have been operational since 2014, the Company, when adapting the systems used to the requirements imposed by the provisions of the Act on Counter-Terrorism Activities, amending the Act of 16 July 2014, the Telecommunications Law (Journal of Laws of 2019, item 2460), should already at that stage have taken into account the obligations imposed by Article 25 of Regulation 2016/679. The implementation of the obligations imposed by the Act on Counter-Terrorism Activities coincided with the obligation to adjust data processing to the requirements of Regulation 2016/679.

It is also important to emphasise that the aforementioned Article 25(1) of Regulation 2016/679, although it names the obligation of the controller indicated in it 'data protection by design', concerns not only the design stage but also the stage of data processing itself. The implementation of safeguards is a continuous process and not a one-off action by the controller. The measures mentioned in it, such as 'data minimisation' or 'pseudonymisation', are only examples of the measures which should be taken to meet the requirement to implement data protection principles and to give the processing the necessary safeguards so as to meet the requirements of the Regulation and protect the rights of data subjects.

In its explanations, the Company argues that at this stage of the procedure it has not been demonstrated who the attacker was. The way in which the vulnerability was exploited indicated that the attacker had previously had access to the system and knew how to construct the relevant query. Currently, the Company does not know whether the attacker could have had access to the system or for how long such access could have been granted. In the Company's opinion, it is for the President of the Office to prove whether data was made available to an unauthorised person.

Referring to the above statement of the Company that the President of the Office is responsible for proving whether the data has been disclosed to an unauthorised person, it should be emphasised that the President of the Office has no authority to conduct proceedings aimed at detecting the perpetrator of a crime or assessing whether a crime has been committed; it is the law enforcement authorities that are entitled to conduct such proceedings, assess whether a crime has been committed and qualify the criminal act. There is, however, no doubt that data has been made available, which is confirmed by the decision of the Regional Prosecutor in W. of [...] July 2020, ref. [...], discontinuing the investigation for failure to detect the perpetrator of the crime. The competences of the President of the Office do include the assessment of whether the data controller processes data in accordance with the requirements arising from the provisions on personal data protection, and of the controller's responsibility for processing data in a manner infringing those provisions.

It should therefore be reiterated that it is the responsibility of each controller to process data in accordance with the principles set out in Article 5 of Regulation 2016/679, in this case Article 5(1)(f). Moreover, pursuant to Article 5(2) of Regulation 2016/679, the controller is responsible for compliance with paragraph 1 and must be able to demonstrate that compliance (accountability). This obliges the controller to exercise due diligence both when granting authorisations to process data and when withdrawing authorisations from a former employee or contractor. The circumstances surrounding a decision to terminate the legal relationship with an employee or contractor may increase the risk of attempts at unauthorised access to the entity's resources. Constant monitoring of IT systems is therefore a duty of the controller, ensuring that the requirements imposed by Article 32(1)(b) and (d) of Regulation 2016/679 are met. It is the Company's responsibility to prove to the supervisory authority that it has implemented appropriate data security measures and protected the data against access by unauthorised persons, e.g. those whose authorisation has expired, as well as to prove that it has taken all possible measures to ensure that the confidentiality of the data is not violated and that it is therefore not liable for such a violation.
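The two duties named above, withdrawing authorisations when a relationship ends and continuously monitoring the system for access by principals whose authorisation has lapsed, can be checked mechanically against an access log. The following is an added illustration and not code from the decision or from the Company's systems: it keeps a register of authorisations with grant and revocation dates, parses a few constructed log lines of the form `<timestamp> user=<principal> rows=<n>`, and flags every access by a principal with no active authorisation at that moment, plus any single query that returns an unusually large number of subscriber records. The principal names, dates, log format and the bulk threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Authorisation:
    """One entry of the controller's authorisation register (hypothetical format)."""
    principal: str
    granted: datetime
    revoked: Optional[datetime] = None  # None means the authorisation is still active


@dataclass
class AccessEvent:
    """One query against the subscriber-record system, as recovered from the log."""
    when: datetime
    principal: str
    rows: int  # number of subscriber records returned by the query


def is_authorised(auths: List[Authorisation], principal: str, when: datetime) -> bool:
    """True only if an authorisation for `principal` was in force at time `when`."""
    for a in auths:
        if a.principal != principal:
            continue
        if a.granted <= when and (a.revoked is None or when < a.revoked):
            return True
    return False


def parse_log(lines: List[str]) -> List[AccessEvent]:
    """Parse constructed log lines '<ISO timestamp> user=<name> rows=<n>'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(datetime.fromisoformat(ts), kv["user"], int(kv["rows"])))
    return events


def review_access(auths: List[Authorisation], events: List[AccessEvent],
                  bulk_threshold: int = 1000) -> List[Tuple[str, str, str]]:
    """Return (timestamp, principal, reason) findings for a monitoring review.

    Two independent checks: access without an active authorisation (revoked,
    expired or never granted), and a single query returning >= bulk_threshold
    records, which is the pattern of a mass copy of the subscriber base.
    """
    findings = []
    for e in events:
        if not is_authorised(auths, e.principal, e.when):
            findings.append((e.when.isoformat(), e.principal, "access without active authorisation"))
        if e.rows >= bulk_threshold:
            findings.append((e.when.isoformat(), e.principal, f"bulk export of {e.rows} records"))
    return findings


# Constructed authorisation register: one active employee, one contractor whose
# authorisation was withdrawn at the end of the contract.
AUTHS = [
    Authorisation("a.nowak", datetime(2017, 3, 1)),
    Authorisation("c.kowalski", datetime(2018, 1, 10), revoked=datetime(2019, 10, 31)),
]

# Constructed log lines (not real data): a routine lookup, a mass export by the
# former contractor, a query from an unknown service account, and a large query
# by an authorised employee that still deserves a second look.
SAMPLE_LOG = [
    "2019-11-05T09:12:00 user=a.nowak rows=3",
    "2019-12-02T03:14:00 user=c.kowalski rows=50000",
    "2019-12-03T22:40:00 user=svc-legacy rows=5",
    "2019-12-04T11:05:00 user=a.nowak rows=1200",
]


def demo() -> List[Tuple[str, str, str]]:
    return review_access(AUTHS, parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for when, who, reason in demo():
        print(f"{when}  {who:<12} {reason}")
```

The review produces four findings from the sample: the former contractor's query is flagged twice (no active authorisation and a bulk export), the unknown service account once, and the employee's large query once on volume alone. In practice the authorisation register would be fed from the HR or contract system so that the revocation date is recorded the day the relationship ends, and the review would run continuously rather than after the fact.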

The Company's claim that it does not know whether and what access rights the attacker may have had, or for what period of time those rights may have been exercised, confirms that the technical and organisational measures implemented by the Company to ensure data security were insufficient. The lack of this knowledge also proves that the Company has no control over the processing of data, which constitutes a breach of the principle of accountability.

The above proves that the findings of the President of the Office are correct, that the Company has not correctly implemented the requirements of Regulation 2016/679 to the extent specified in Article 24(1), Article 25(1), Article 32(1)(b) and (d) and Article 32(2) of Regulation 2016/679, which led to a breach of the protection of personal data of pre-paid service subscribers. The breach of the aforementioned provisions of Regulation 2016/679 has also resulted in a breach of the principle of confidentiality expressed in Article 5(1)(f) of Regulation 2016/679 and the principle of accountability referred to in Article 5(2) of Regulation 2016/679.

To sum up, despite the Company's removal of the deficiencies in ensuring the security of the processed data, including the vulnerability of the IT systems used to process the personal data of subscribers of pre-paid services, which was the cause of the breach of the confidentiality of personal data, there are grounds justifying the exercise of the powers vested in the President of the Office to impose an administrative fine on the Company for breaching the principle of data confidentiality (Article 5(1)(f) of Regulation 2016/679) and, consequently, the principle of accountability (Article 5(2) of Regulation 2016/679), in connection with the breach of the controller's obligations to implement technical and organisational measures in the course of data processing in order to effectively implement the data protection principles (Article 25(1) of Regulation 2016/679); to ensure the confidentiality, integrity, availability and resilience of processing systems and services (Article 32(1)(b) of Regulation 2016/679); to regularly test, measure and evaluate the effectiveness of the technical and organisational measures adopted to ensure the security of processing (Article 32(1)(d) of Regulation 2016/679); and to take account of the risks presented by the processing resulting from unauthorised access to the personal data processed (Article 32(2) of Regulation 2016/679).

The exercise of this power by the President of the Office results primarily from the fact that the controller has failed to observe the basic principles of data processing, i.e. the principle of confidentiality and the principle of accountability, the latter of which provides for an absolute obligation to demonstrate to the President of the Office compliance with the provisions of the General Data Protection Regulation.

Pursuant to Article 58(2)(i) of Regulation 2016/679, each supervisory authority shall have the power to impose, in addition to or instead of the other remedies provided for in Article 58(2)(a) to (h) and (j) of that Regulation, an administrative fine pursuant to Article 83 of Regulation 2016/679, depending on the circumstances of the specific case. 

In deciding to impose an administrative fine on the Company and in determining the amount of the fine, the President of the Office for the Protection of Personal Data has, in accordance with Article 83(2)(a) to (k) of Regulation 2016/679, taken into account, and deemed to be aggravating for the Company, the following circumstances of the case:

a) The nature and gravity of the infringement and the number of persons harmed (Article 83(2)(a) of Regulation 2016/679). The infringement found in this case, which resulted in an unauthorised person or persons gaining access to the data processed by the Company and, as a consequence, obtaining the personal data of subscribers to the Company's pre-paid services, is of significant importance and serious nature, as it poses a high risk of negative legal consequences for a large number of persons whose data were accessed by the unauthorised person or persons. The Company's breach of its obligation to apply measures protecting the processed data from being made available to unauthorised persons entails not only a potential but also a real possibility that third parties will use the data without the knowledge and against the will of the data subjects, contrary to the provisions of Regulation 2016/679, e.g. in order to establish legal relationships or incur obligations on behalf of the data subjects. The fact that the Company, which processes personal data professionally as part of its business activity, bears greater responsibility and is subject to greater demands than an entity processing personal data as a secondary activity, incidentally or on a small scale, also has a significant bearing on the high gravity of the breach. In the course of its commercial activities, the Company, as the data controller, should take all necessary actions and exercise due diligence in the selection of technical and organisational measures ensuring data security and confidentiality. The factual findings made by the President of the Office for the Protection of Personal Data prove that the Company did not meet this requirement at the time of the infringement;

b) Duration of the infringement (Article 83(2)(a) of Regulation 2016/679). The President of the Office considers the long duration of the infringement an aggravating circumstance. Although the period during which the unauthorised person(s) had access to the personal data processed by the Company was relatively short (though still sufficient to copy all available data), the state of infringement itself was long-lasting. It existed before the date of application of Regulation 2016/679, that is, before [...] May 2018, and was definitively brought to an end, in the course of the procedure that led to this Decision, when the Company obtained, on [...] July 2020, the certificates ISO/IEC 27001:2013, ISO/IEC 27701:2019, ISO/IEC 27001:2013 and ISO/IEC 27002:2013, attesting to the implementation of procedures ensuring that the effectiveness of the measures adopted is regularly tested, measured and evaluated, in the documentation kept by the Company describing the data processing and the organisational and technical measures applied.

c) The extent of the damage suffered by the persons concerned by the infringement (Article 83(2)(a) of Regulation 2016/679). In this case, there is no evidence that the persons whose data were accessed by an unauthorised person or persons have suffered material damage. Nevertheless, the mere violation of the confidentiality of their data already constitutes non-material damage (harm) to them; individuals whose data have been unlawfully accessed may at the very least fear losing control over their personal data, identity theft or identity fraud, or financial loss.

d) Intentional or unintentional nature of the breach (Article 83(2)(b) of Regulation 2016/679). Unauthorised access to the personal data of subscribers to the Company's pre-paid services became possible as a result of the Company's failure to exercise due diligence and undoubtedly constitutes an unintentional breach. Nevertheless, the Company, as the controller, is liable for any irregularities found in the data processing process. The fact that the Company, although it assumed that the system would verify [...], did not test whether the system operated correctly in accordance with the assumed requirements deserves a negative assessment. In this state of affairs, the Company's negligence should be considered gross.

When determining the amount of the administrative fine, the President of the Office for Personal Data Protection took into account, as a mitigating circumstance reducing the fine, the good cooperation of the Company with the supervisory authority, undertaken and conducted in order to remedy the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). It should be pointed out here that, apart from the proper performance of the procedural obligations incumbent on the Company both during the inspection proceedings and in the administrative proceedings concluded with the issuance of this decision, the Company fully complied with the recommendations of the President of the Office to supplement the notification of the data subjects about the infringement. The Company also took concrete and prompt actions which resulted in the removal of the breach. In particular, the Company removed from the IT system, which had been used by the unauthorised person or persons, the vulnerability that allowed the breach of protection of the personal data processed in that system. The Company has also implemented ISO standards which guarantee a high level of procedures regulating, among other things, the processing of personal data in the Company, including regular reviews and audits of the security and functioning of the personal data management and information security systems.


The following other circumstances indicated in Article 83(2) of Regulation 2016/679 had no influence on the President of the Office's decision to apply a sanction in the form of an administrative fine in this case, or on its amount:

(a) actions taken by the Company to minimise the damage suffered by the data subjects (Article 83(2)(c) of Regulation 2016/679);

(b) the degree of liability of the Company, taking into account the technical and organisational measures implemented by it under Articles 25 and 32 of Regulation 2016/679 (Article 83(2)(d) of Regulation 2016/679);

(c) relevant previous breaches of Regulation 2016/679 by the Company (Article 83(2)(e) of Regulation 2016/679);

(d) the category of personal data concerned by the infringement (Article 83(2)(g) of Regulation 2016/679);

(e) the manner in which the supervisory authority became aware of the breach (Article 83(2)(h) of Regulation 2016/679);

(f) the compliance with previous measures referred to in Article 58(2) of Regulation 2016/679 on the same matter (Article 83(2)(i) of Regulation 2016/679);

(g) the application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679);

(h) the financial benefit or avoidance of losses directly or indirectly derived from the breach (Article 83(2)(k) of Regulation 2016/679).


Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection decided that the imposition of an administrative fine on the Company is necessary and justified by the gravity, nature and scope of the alleged infringements. It should be stated that the application to the Company of any other remedy provided for in Article 58(2) of Regulation 2016/679, and in particular the application of a warning (Article 58(2)(b)), would not be proportionate to the irregularities found in the processing of personal data and would not guarantee that the Company will not commit further negligence in the future.

With regard to the amount of the administrative fine imposed on the Company, the President of the Office for the Protection of Personal Data considered that in the established circumstances of this case, i.e. in view of the finding of a breach of several provisions of Regulation 2016/679 (the principle of confidentiality of data, expressed in Article 5(1)(f) and reflected in the form of the obligations set out in Article 25(1), Article 32(1)(b) and (d) and Article 32(2), which consequently means a breach of the principle of accountability referred to in Article 5(2)), both Article 83(4)(a) of Regulation 2016/679, which provides, inter alia, for a breach of the obligations of the controller referred to in Articles 25 and 32 of Regulation 2016/679, the possibility of imposing an administrative fine of up to EUR 10 000 000 (or, in the case of an undertaking, up to 2% of its total annual worldwide turnover in the preceding business year), and Article 83(5)(a) of Regulation 2016/679, according to which infringements of, inter alia, the basic processing principles referred to in Article 5 of that Regulation shall be subject to an administrative fine of up to EUR 20 000 000 (or, in the case of an undertaking, up to 4% of its total annual worldwide turnover in the preceding business year, whichever is higher), will apply.

Therefore, pursuant to Article 83(3) of Regulation 2016/679, the President of the Office for Personal Data Protection has set the total amount of the administrative fine at a level not exceeding the amount specified for the most serious infringement. On the facts presented, the Company's infringement of the principle of confidentiality set out in Article 5(1)(f) of Regulation 2016/679, and consequently of the principle of accountability set out in Article 5(2) of Regulation 2016/679, should be considered the most serious infringement. This is supported by the serious nature of the infringement and the circle of persons affected by it (123,391, i.e. one hundred and twenty-three thousand three hundred and ninety-one subscribers of pre-paid services, of whom the Company is the controller). Importantly, for the above-mentioned number of persons there is still a high risk of unlawful use of their personal data, because the purpose for which the unauthorised person or persons obtained the [...] containing personal data is unknown.

Pursuant to Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the equivalent in zlotys of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated according to the average exchange rate of the euro published by the National Bank of Poland in its exchange rate table as at 28 January of each year and, if in a given year the National Bank of Poland does not publish an average euro exchange rate as at 28 January, according to the average euro exchange rate published in the National Bank of Poland's exchange rate table nearest to that date.

In view of the above, the President of the Office for Personal Data Protection, pursuant to Article 83(4)(a) and Article 83(5)(a) in connection with Article 83(3) of Regulation 2016/679 and in connection with Article 103 of the Act on Personal Data Protection of 10 May 2018, imposed on the Company, for the infringements described in the operative part of this decision, an administrative fine of PLN 1,968,524.00 (the equivalent of EUR 460,000), applying the average euro exchange rate of 28 January 2020 (EUR 1 = PLN 4.2794).

In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine applied in the established circumstances of the present case fulfils the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it will be effective, proportionate and dissuasive in this individual case.

In the opinion of the President of the Office for the Protection of Personal Data, the fine imposed on the Company will be effective because it will lead to a state in which the Company applies technical and organisational measures that ensure a level of security of the processed data corresponding to the risk of infringement of the rights and freedoms of the data subjects and to the seriousness of the risks accompanying the processing of such personal data. The effectiveness of the fine is therefore equivalent to a guarantee that, from the moment this procedure is completed, the Company will approach the requirements set out in the regulations on personal data protection with the utmost care.

The fine applied is also proportionate to the infringement found, including in particular its severity, the circle of individuals affected and the risk they bear in connection with the infringement. In the opinion of the President of the Office for Personal Data Protection, the fine imposed on the Company is also proportionate to the Company's net revenues for 2019 [...] and will not be excessive for the Company. It should be noted that the Management Board of the Company has taken steps to ensure that the Company can continue as a going concern [...].

The amount of the fine has therefore been set at a level which, on the one hand, constitutes an adequate response by the supervisory authority to the degree of breach of the controller's duties but, on the other hand, does not result in a situation in which payment of the fine would have negative consequences in the form of a significant deterioration of the Company's financial situation. In the opinion of the President of the Office for Personal Data Protection, the Company should, and is able to, bear the consequences of its negligence in the area of data protection, hence the imposition of a fine of PLN 1,968,524.00 is fully justified.

In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine will fulfil a repressive function in these specific circumstances, as it will be a response to the Company's breach of the provisions of Regulation 2016/679, but also a preventive one, as it will contribute to the prevention of future breaches of the Company's obligations under the provisions on personal data protection, both when processing data by the Company itself and in relation to entities acting on its behalf.

In the opinion of the President of the Office for the Protection of Personal Data, the fine applied meets, in the established circumstances of this case, the requirements referred to in Article 83(1) of Regulation 2016/679, given the seriousness of the breaches found in the context of the basic requirements and principles of Regulation 2016/679, in particular the principle of confidentiality expressed in Article 5(1)(f) of Regulation 2016/679.

The purpose of the penalty imposed is to ensure that the Company complies with Regulation 2016/679 in the future.

In view of the above, the President of the Office for Personal Data Protection has decided as in the operative part of this decision.

The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw). A proportional court fee is payable on the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002, Law on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325, as amended). Pursuant to Article 74 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the lodging of a complaint with an administrative court by a party suspends the execution of a decision concerning an administrative fine.

In the proceedings before the Provincial Administrative Court, a party has the right to apply for legal aid, which includes exemption from court costs and the appointment of an advocate, legal adviser, tax adviser or patent attorney. Legal aid may be granted at the request of a party made before or during the proceedings. The application is free of court fees.

Pursuant to Article 105(1) of the Act of 10 May 2018 on the Protection of Personal Data, an administrative fine shall be paid within 14 days from the expiry of the time limit for lodging a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data at the National Bank of Poland (NBP O/O Warszawa) No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of the aforementioned Act, the President of the Office for Personal Data Protection may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the event of a postponement of the date of payment of the administrative fine or its division into instalments, the President of the Office for Personal Data Protection shall charge interest on the unpaid amount on an annual basis, using the reduced rate of interest for late payment announced pursuant to Article 56d of the Act of 29 August 1997, Tax Ordinance (Journal of Laws of 2020, item 1325, as amended), from the day following the date of submission of the application.