UODO - DKN.5130.2815.2020

From GDPRhub
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 57(1)(a) GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 11.01.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: DKN.5130.2815.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Decyzje Prezesa UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish DPA (UODO) reprimanded a company for using outdated software, ineffective safeguards for the IT system and the failure to adequately test, measure and evaluate the effectiveness of technical and organizational measures to ensure the security of personal data processed in the IT systems.

English Summary

Facts

The Company notified the Office for the Protection of Personal Data (UODO) of a breach of the personal data of its employees, customers and patients stored in an IT system. As a result of the breach, the Company was deprived of access to that system and the personal data contained in it. The Company determined the scale of the breach: the encrypted databases contained approximately 80,000 employee, customer and patient records comprising first and last names, parents' first names, dates of birth, bank account numbers, residential addresses, PESEL registration numbers, e-mail addresses, ID card series and numbers, telephone numbers and health data. Because the encrypted data could be recovered, the Company did not find a high risk to the rights or freedoms of natural persons and decided not to notify the data subjects of the breach. At the authority's request the Company provided additional explanations, after which the DPA initiated administrative proceedings ex officio.

Holding

The DPA found that the controller had violated the GDPR because the technical measures implemented by the Company had not ensured an adequate level of security for the data processed in its IT systems, and issued a reprimand to the Company.

Comment

Interestingly, the UODO found that the breach did not pose a high risk to the affected individuals: the malware attack encrypted the personal data but did not breach its confidentiality. Nor were there other negative consequences from the loss of access to the data, because the whole incident occurred during a period when, due to the state of epidemic emergency, the spa entity was not operating anyway.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256 as amended) in connection with Article 7 and Article 60 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and Article 57(1)(a) and Article 58(2)(b) in connection with Article 5(1)(f), Article 24(1), Article 25(1) and Article 32(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 04.05.2016, p. 1 as amended), having conducted administrative proceedings on the processing of personal data by U. S.A., the President of the Office for Personal Data Protection,

concluding that U. S.A. infringed the provisions of Article 5(1)(f), Article 24(1), Article 25(1) and Article 32(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 119 of 04.05.2016, p. 1, as amended), hereinafter referred to as "Regulation 2016/679", consisting in the selection of ineffective safeguards for the IT system and the failure to adequately test, measure and evaluate the effectiveness of the technical and organisational measures intended to ensure the security of the personal data processed in the IT systems affected by the breach, in particular with regard to vulnerabilities, errors and their possible effects on these systems and the actions taken to minimise the risk of their occurrence, issues a reprimand to U. S.A.

Justification

U. S.A. (hereinafter referred to as the "Company") on [...] May 2020 reported to the President of the Office for Personal Data Protection (hereinafter also referred to as the "President of the DPA") a breach of the protection of personal data of employees, customers and patients, which occurred on the night of [...] to [...] April 2020. The breach consisted in breaking the security of the IT system the Company uses to process personal data and then encrypting the data processed in it. As a result, the Company was deprived of access to that system and the personal data contained in it. The Company determined the scale of the breach, which showed that the encrypted databases contained approximately 80,000 employee, customer and patient data records comprising first and last names, parents' first names, date of birth, bank account number, address of residence, PESEL registration number, e-mail address, ID card series and number, telephone number and health data. According to the notification of [...] May 2020, the Company did not identify a high risk of violation of the rights or freedoms of natural persons, because the encrypted data could be recovered, and waived notification of the breach to the data subjects.

By letters dated [...] May 2020 and [...] June 2020, the President of the Office for Personal Data Protection requested the Company to provide additional explanations, including, inter alia:

whether, in connection with the reported personal data protection breach, the Company conducted an internal investigation which made it possible to determine how the data was encrypted by the malware, and what the circumstances, source and causes of the breach were;
whether the Company determined the scale of the resulting data breach, in terms of the number of individuals affected by the malware;
whether the Company analysed the impact of the inaccessibility of the compromised IT systems on the rights and freedoms of the data subjects, and whether it could submit evidence that it conducted that analysis;
whether, and if so in what way, the Company regularly tested, measured and evaluated the effectiveness of the technical and organisational measures aimed at ensuring the security of personal data processed in the IT systems subject to the breach, in particular with respect to vulnerabilities, errors and their possible effects on these systems and the actions taken to minimise the risk of their occurrence, together with evidence that the Company performed those actions;
on what basis the security measures applied to minimise the risk of the breach recurring (described in point 9B of the breach notification) were deemed sufficient.
In explanations provided by letters dated [...] June 2020 and [...] July 2020, the Company stated that:

An analysis of the infected devices was carried out, but due to the diversity of the IT infrastructure it was not possible to clearly identify the source and cause of the breach.
According to information obtained from the ISP, in the period prior to the encryption of the data no increased outbound Internet traffic suggesting exfiltration of data was observed, nor any suspicious network traffic suggesting an external attack.
An assessment of technical measures in terms of IT infrastructure, backup procedures and security measures for access and software legality was carried out, based on which hardware was replaced and software was updated. A [...] was introduced, the [...] service was fully implemented, workstation and password policy restrictions were increased and the backup policy was extended. Furthermore, it is planned to commission an audit of the local network and infrastructure by a certified external company. In the Company's opinion, the security measures applied seek to minimise the risk of a similar event occurring in the future.
In connection with the suspension of the operation of health resorts from [...] March 2020 pursuant to the Ordinance of the Minister of Health of 13 March 2020 on the proclamation of a state of epidemic emergency in the territory of the Republic of Poland (Journal of Laws of 2020, item 433), at the time of the occurrence of the breach, the Company did not provide any services to customers or patients. In view of the above, in the opinion of the Company, the interests of data subjects have not been violated.

In connection with the reported breach of personal data protection and explanations submitted by the Company in the aforementioned letters, the President of the Office for Personal Data Protection on [...] October 2020 initiated ex officio administrative proceedings regarding the possibility that the Company, as a data controller, violated its obligations under Regulation 2016/679, i.e. Article 5(1)(f), Article 24(1), Article 25(1) and Article 32(1) and (2), in connection with the breach of the protection of personal data of the Company's employees, customers and patients (ref. letter [...]).  

In response to the notice of initiation of administrative proceedings, by letter dated [...] October 2020, the Company submitted explanations in which it indicated, inter alia, that:

The breach of the protection of personal data in the form of loss of their availability following the encryption of data in the Company's systems revealed risks whose probability of occurrence the Company assessed as negligible. The restriction of access to data caused by the malicious encryption software called "Devos" resulted in a re-analysis of the risk, taking into account additional threats, and security measures were taken to minimise the possibility of their occurrence in the future, as well as to minimise damage in the event of their occurrence. As a result of the incident, measures were taken to seal the IT system and make it immune to similar events in the future. The Company replaced the system software in use, e.g. Systems A and B were replaced with systems C and D, and system E with system F. Additional changes were made in the scope of [...]. Furthermore, changes were made to the access and backup procedures.
As an additional external audit to verify the measures taken to seal the infrastructure and minimise vulnerabilities, an audit of the infrastructure is planned by an independent external specialist company.
The process of recovering encrypted data has been outsourced to a specialised external company.
The Company has an agreement with the law firm selected in 2018 for the unification of security procedures and policies, which specifies the scope of work undertaken for this purpose. Among other things, this work also includes a risk analysis of organisational, physical and personal security, including the identification of areas of potential risk in data processing. The original analysis took into account the vulnerabilities and threats to these systems and their possible effects, so measures were taken to minimise the risk of their occurrence. These include ongoing software and hardware updates, as well as the separation of the guest WiFi network, the implementation of the G [...] solution to [...]. The analysis carried out included protection against computer viruses, but the risk of data encryption was not included in the analysis as an event with a high probability of occurrence.
In this state of affairs, having examined all the evidence collected in the case, the President of the Office for the Protection of Personal Data stated as follows:

Pursuant to Article 34 of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, item 1781), hereinafter referred to as the Act of 10 May 2018, the President of the DPA is the competent authority for data protection and the supervisory authority within the meaning of Regulation 2016/679. Pursuant to Article 57(1)(a) and (h) of Regulation 2016/679, without prejudice to its other tasks under that Regulation, each supervisory authority on its territory shall monitor and enforce the application of the Regulation and shall conduct proceedings for infringements of the Regulation, including on the basis of information received from another supervisory authority or another public authority.

Article 5 of Regulation 2016/679 formulates the principles relating to the processing of personal data that must be respected by all controllers, i.e. entities that alone or jointly with others determine the purposes and means of processing personal data. According to Article 5(1)(f) of Regulation 2016/679, personal data must be processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organisational means ("confidentiality and integrity"). This principle is concretised in further provisions of the Regulation. According to Article 24(1) of Regulation 2016/679, taking into account the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and seriousness, the controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with this Regulation and to be able to demonstrate it. These measures shall be reviewed and updated as necessary.

Pursuant to Article 25(1) of Regulation 2016/679, having regard to the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons with different degrees of probability and seriousness arising from the processing, the controller shall, both when determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, designed to implement effectively the principles of data protection, such as data minimisation, and to give the processing the necessary safeguards to meet the requirements of this Regulation and to protect the rights of the data subjects.

It follows from the wording of Article 32(1) of Regulation 2016/679 that the controller is obliged to apply technical and organisational measures appropriate to the risk of violation of the rights and freedoms of natural persons with different likelihood and gravity of occurrence. The provision specifies that when deciding on the technical and organisational measures, account should be taken of the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons of varying probability and seriousness. It follows from the cited provision that the determination of appropriate technical and organisational measures is a two-step process. First, it is important to determine the level of risk involved in the processing of personal data taking into account the criteria indicated in Article 32 of Regulation 2016/679, and then it is necessary to determine what technical and organisational measures will be appropriate to ensure a level of security corresponding to that risk. These arrangements, where applicable, in accordance with points (a), (b) and (d) of that Article, should include measures such as pseudonymisation and encryption of personal data, the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services, and regular testing, measuring and evaluating the effectiveness of technical and organisational measures to ensure the security of processing. Pursuant to Article 32(2) of Regulation 2016/679, when assessing whether the degree of security is adequate, the controller shall in particular take into account the risks involved in the processing, in particular arising from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed.

As indicated by Article 24(1) of Regulation 2016/679, the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and gravity are factors that the controller is obliged to take into account when building the data protection system, also in particular from the point of view of the other obligations indicated in Article 25(1), Article 32(1) or Article 32(2) of Regulation 2016/679.

Taking into consideration the scope of personal data processed by the Company, including among others special category data in the form of health-related data, as well as categories of persons whose data are processed (including patients), in order to properly fulfil the obligations imposed by the aforementioned provisions of the Regulation, the Company was required to take measures to ensure an adequate level of data protection by implementing appropriate technical and organisational measures, inter alia, by using for the processing of personal data software which has the current technical support of the producer, measures aimed at the optimum configuration of the operating systems used, and by regularly measuring and assessing the effectiveness of technical and organisational measures to ensure the security of processing in the form of security tests with regard to IT infrastructure and applications. The nature and type of these activities should result from the performed risk analysis, which should identify vulnerabilities related to the used resources and threats resulting from them, and then define adequate security measures. In this context, it should be pointed out that the lack of technical support from the manufacturer is a vulnerability in relation to the level of security of the software used, and thus poses a high risk in the form of reduced resistance of the system to, inter alia, malicious software. Incorrect estimation of the risk level makes it impossible to apply appropriate security measures for a given resource and increases the probability of its occurrence. As a result, the risk, which in the Company's opinion had a low degree of probability, materialized, i.e. the security of the Company's IT system used for processing personal data was broken and, subsequently, the data processed in it was encrypted.

The collected evidence indicates that the technical measures implemented by the Company failed to ensure an appropriate level of security of the data processed by means of its IT systems. As a result, an incident took place in which the safeguards used by the Company were broken and the data in the IT systems the Company uses to process personal data were encrypted. The "Devos" encryption malware deactivated the anti-virus protection, which in turn disabled the security mechanisms of the operating systems. The infection took place at night and the irregularities were only discovered in the morning hours, because the spa was not operating due to the pandemic and the IT department was also working with reduced staffing.

Explaining the security issues, the Company stated that it has always used and continues to use IT systems licensed and supported by the software manufacturer, indicating in a letter dated [...] July 2020 that "the replacement of workstations with the previous version of the E system to the current version supported by the manufacturer - [...] is in progress". On the basis of the list of changes carried out by the Company after the breach, aimed at appropriate protection of the processed data, in the scope of software replacement, it was found that the E operating system, for which, according to the information on the manufacturer's website, the technical support period ended [...] January 2020 (https:// [...]), and the database system B, for which technical support ended [...] July 2019 (https:// [...]), were in use. This means that from those dates, according to the information provided by the software manufacturer, no software updates, security updates or patches were issued for those systems. In the absence of other technical and organisational measures applied by the controller to minimise the risk of a breach of data security following the termination of manufacturer support for software the Company uses to process personal data, it must be concluded that the Company failed to ensure the appropriate security of the data processed with it.
Consequently, this establishes that the Company failed to implement appropriate technical and organisational measures at the time of processing personal data in order for the processing to be carried out in accordance with Regulation 2016/679 and to give the processing the necessary safeguards, which it was obliged to do pursuant to Articles 24(1) and 25(1) of Regulation 2016/679; failed to apply technical and organisational measures ensuring a degree of security appropriate to the risk by ensuring the ability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services, which the controller is obliged to do pursuant to Article 32(1)(b) of Regulation 2016/679; and failed to assess whether the degree of security is adequate, taking into account the risks involved in the processing of personal data, as required by Article 32(2) of Regulation 2016/679. Indeed, as indicated by the Provincial Administrative Court in Warsaw in its judgment of 26 August 2020, ref. II SA/Wa 2826/19, "(...) activities of a technical and organisational nature are the responsibility of the personal data controller, but they cannot be selected in a completely free and voluntary manner, without taking into account the degree of risk and the nature of the protected personal data."

In this context, it should be pointed out that using operating systems and IT systems to process personal data after the end of technical support by their manufacturer significantly reduces their security level. In particular, the lack of built-in, updated security features increases the risk of malware infections and of attacks exploiting newly discovered security vulnerabilities. Such systems become more vulnerable to cyber attacks such as ransomware, which blocks access to data and demands a ransom for its recovery.

In its letters to the President of the Office for Personal Data Protection, the Company explained that it conducted a periodic assessment of technical measures in the IT infrastructure. However, according to the Company's letter dated [...] July 2020, quote: "To date, all tests were performed only for internal purposes, so there was no need to create additional documentation of such tests. The tests mainly concerned the performance of components within the software in use and resistance to failure (power failure, disk failure, component failure). Software legality audits were also performed."

Moreover, as it results from the Company's letter of [...] October 2020, in accordance with the security policy adopted by the Company, the control is a continuous process and lasts from the moment of launching a computer station in the production environment and consists in verification of access rights and correctness of operation of system elements. Irregularities were corrected on an ongoing basis through security patches, updates of the software in use and replacement of components. In the case of the above activities, the Company did not create additional documentation, as these were standard activities related to the maintenance and service of a computer station.

It should be noted that the tests performed in the above-mentioned scope do not fully satisfy the controller's obligation set out in Article 32(1)(d) of Regulation 2016/679. The technical and organisational safeguards of the IT systems used for the processing of personal data were not fully tested. As a result, the controller was not able to demonstrate or conclude that the security measures in place were sufficient. For the testing, measuring and evaluation to implement the requirement arising from Article 32(1)(d) of Regulation 2016/679, it must be carried out on a regular basis, which means consciously planning, organising and documenting (in connection with the principle of accountability referred to in Article 5(2) of Regulation 2016/679) such activities at specific time intervals, irrespective of changes in the organisation and course of the data processing operations. The Company did not undertake such actions, which establishes the violation of this provision of Regulation 2016/679.

It must be emphasised that regular testing, measuring and assessing the effectiveness of technical and organisational measures to ensure the security of processing is a fundamental obligation of each controller and processor under Article 32(1)(d) of Regulation 2016/679. The controller is therefore obliged to verify both the selection and the level of effectiveness of the technical measures used at each stage of processing. The comprehensiveness of this verification should be assessed through the prism of adequacy to the risks and proportionality to the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. However, in the present state of affairs, the Company partially complied with this obligation by verifying and modifying the level of effectiveness of the implemented safeguards in situations where there was a suspicion of a vulnerability - then work was undertaken to protect against the vulnerability in question. However, such actions of the controller cannot be considered as the fulfilment of the obligation specified by the above-mentioned provision of Regulation 2016/679. As mentioned above, the tests concerning the verification of the security of IT systems used for the processing of personal data, covered by the personal data protection breach in question, were not carried out on a regular basis.

The effectiveness of these tests, which, according to the Company's explanations, were carried out with regard to "the efficiency of components within the software in use and resistance to failures", may also raise reservations. They did not result in replacing those IT systems that lost the producer's support, which, as indicated above, significantly reduced the level of security of the data processed by the Company.
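The two findings above, software left in use past the manufacturer's support and tests that were neither regular nor documented, can be turned into a repeatable, dated inventory review. The script below is an added example, not code from the decision or the Company's own tooling; the asset names, support-end dates, review date and risk thresholds are constructed placeholders, and the risk rules follow the decision's reasoning that unpatched software processing special-category data is a high risk unless other measures compensate.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Asset:
    """One system in the processing inventory (constructed fields, not the Company's)."""
    name: str
    role: str
    support_end: date | None                 # vendor end of technical support; None = not established
    personal_data: bool                      # used to process personal data
    special_category: bool = False           # e.g. health data
    compensating_controls: list[str] = field(default_factory=list)
    last_security_test: date | None = None   # date of the last documented test of its safeguards


def support_status(asset: Asset, today: date, warn_days: int = 180) -> str:
    """Classify vendor support as supported / expiring / unsupported / unknown."""
    if asset.support_end is None:
        return "unknown"
    if asset.support_end < today:
        return "unsupported"
    if asset.support_end - today <= timedelta(days=warn_days):
        return "expiring"
    return "supported"


def assess(asset: Asset, today: date, test_interval_days: int = 365) -> dict:
    """Rate one asset and list the findings a reviewer must act on or formally accept."""
    status = support_status(asset, today)
    findings: list[str] = []
    risk = "low"

    if status == "unsupported":
        findings.append(f"vendor support ended {asset.support_end.isoformat()}; "
                        "no security updates or patches have been issued since")
        # Unpatched software processing personal data is high risk unless other measures compensate.
        risk = "high" if asset.personal_data else "medium"
        if asset.compensating_controls:
            findings.append("compensating controls recorded: " + ", ".join(asset.compensating_controls))
            risk = "medium"
        else:
            findings.append("no compensating controls recorded; plan replacement or isolation")
    elif status == "expiring":
        findings.append(f"vendor support ends {asset.support_end.isoformat()}; schedule migration")
        risk = "medium"
    elif status == "unknown":
        findings.append("vendor support end date not established; verify with the vendor")
        risk = "medium"

    if asset.special_category and risk != "low":
        risk = "high"   # special-category data raises any residual risk to high

    # Article 32(1)(d): testing must be regular and documented, not ad hoc.
    if asset.last_security_test is None:
        test_overdue = True
        findings.append("no documented security test on record")
    else:
        age = today - asset.last_security_test
        test_overdue = age > timedelta(days=test_interval_days)
        if test_overdue:
            findings.append(f"last documented security test is {age.days} days old "
                            f"(review interval {test_interval_days} days)")

    return {"asset": asset.name, "role": asset.role, "support": status, "risk": risk,
            "test_overdue": test_overdue, "findings": findings}


def review_inventory(assets: list[Asset], today: date) -> dict:
    """Build a dated review record that can be retained as evidence of the review."""
    results = [assess(a, today) for a in assets]
    return {
        "review_date": today.isoformat(),
        "assets": results,
        "summary": {
            "high_risk": sorted(r["asset"] for r in results if r["risk"] == "high"),
            "unsupported": sorted(r["asset"] for r in results if r["support"] == "unsupported"),
            "tests_overdue": sorted(r["asset"] for r in results if r["test_overdue"]),
        },
    }


# Constructed inventory: names, dates and roles are placeholders, not the Company's systems.
SAMPLE_ASSETS = [
    Asset("workstation-os", "workstation operating system", date(2020, 1, 31),
          personal_data=True, special_category=True),
    Asset("patient-db", "database system", date(2019, 7, 31),
          personal_data=True, special_category=True, last_security_test=date(2018, 11, 5)),
    Asset("backup-server", "backup service", date(2024, 12, 31),
          personal_data=True, last_security_test=date(2020, 2, 10)),
]
REVIEW_DATE = date(2020, 4, 30)   # constructed review date


def sample_review() -> dict:
    return review_inventory(SAMPLE_ASSETS, REVIEW_DATE)
```

Retaining each review record with its date is what lets a controller show, under Article 5(2), that the testing was planned and regular rather than ad hoc.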

The findings do not provide a basis for concluding that the technical and organisational measures applied by the Company were adequate to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing; in the opinion of the President of the Office for Personal Data Protection, these measures were not properly reviewed and updated, which in consequence did not ensure effective implementation of the data protection principles.

As indicated by the Provincial Administrative Court in Warsaw in its judgment of 3 September 2020, ref. II SA/Wa 2559/19, "Regulation 2016/679 introduced an approach in which risk management is the cornerstone of personal data protection activities and has the nature of a continuous process. The entities processing personal data are obliged not only to ensure compliance with the guidelines of the aforementioned Regulation by implementing organisational and technical security measures on a one-off basis, but also to ensure continuous monitoring of the level of threats and ensure accountability regarding the level and adequacy of safeguards implemented. It means that it becomes necessary to be able to prove to the supervisory authority that the introduced solutions aimed at ensuring personal data security are adequate to the level of risk, as well as take into account the nature of a given organization and personal data processing mechanisms used. The controller is supposed to carry out on his own a detailed analysis of the performed data processing processes and make a risk assessment, and then apply such measures and procedures which are adequate to the assessed risk."

The consequence of this approach is the abandonment of lists of security requirements imposed by the legislator in favour of an independent selection of safeguards on the basis of threat analysis. No specific security measures and procedures are prescribed for controllers. The controller is obliged to carry out a detailed analysis of the data processing operations it conducts and a risk assessment, and then to apply measures and procedures adequate to the assessed risk. The analysis of the infringement shows that the internal testing methodology adopted by the Company could not deliver a reliable assessment of the security status of the IT systems, identifying all vulnerabilities and their resistance to attempted security breaches by unauthorised third parties and malicious software. In view of the above, the assessment of the state of security proved insufficient as regards the application of appropriate technical and organisational safeguards. It should be pointed out that earlier application of the security measures, which were implemented only after the breach, would have significantly reduced the risk of such a threat materialising.

In connection with the above findings, it should be concluded that the Company, by failing to apply technical and organisational measures to ensure the security of the processed data, resulting in a personal data protection breach notified to the President of the DPA on [...] May 2020, violated Article 5(1)(f) of Regulation 2016/679, reflected in the form of obligations set out in Article 24(1), Article 25(1), Article 32(1) and Article 32(2) of Regulation 2016/679.  

Acting on the basis of Article 58(2)(b) of Regulation 2016/679, according to which each supervisory authority has the power, within the scope of its proceedings, to issue a reprimand to a controller or processor whose processing operations have infringed the provisions of the Regulation, the President of the DPA considers it justified to issue a reprimand to the Company with regard to the identified breach of Article 5(1)(f) in connection with Article 24(1), Article 25(1) and Article 32(1) and (2) of Regulation 2016/679.

Recital 148 of Regulation 2016/679 provides that, in order to make the enforcement of the Regulation more effective, sanctions, including administrative fines, should be imposed for breaches of the Regulation, in addition to or instead of the corresponding measures imposed under the Regulation by the supervisory authority. In the case of a minor infringement, a reprimand may be issued instead of a fine. Due regard should however be paid to the nature, gravity and duration of the breach, whether the breach was intentional, the measures taken to minimise the damage, the degree of liability or any relevant previous breaches, the manner in which the supervisory authority became aware of the breach, compliance with the measures imposed on the controller or processor, adherence to codes of conduct and any other aggravating or mitigating factors.

Determining the nature of the infringement means establishing which provision of Regulation 2016/679 has been infringed and assigning the infringement to the relevant category of infringed provisions, i.e. those listed in Article 83(4) of Regulation 2016/679 and/or Article 83(5) and (6) of Regulation 2016/679. The gravity of the infringement (e.g. low, medium or significant) is indicated by its nature as well as by "the scope or purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by them". Connected with the purpose of the processing is the question of the extent to which the processing satisfies the two key elements of the purpose limitation principle, i.e. purpose specification and compatible use by the controller/processor. When choosing a corrective measure, the supervisory authority takes into account whether damage has been or is likely to be suffered as a result of the infringement of Regulation 2016/679, although the supervisory authority itself is not competent to award specific compensation for the damage suffered. Establishing the duration of the infringement makes it possible to determine whether it was remedied promptly, lasted a short time or lasted a long time, which in turn allows an assessment of, for example, the deliberateness or effectiveness of the controller's or processor's actions. The Article 29 Working Party, in its guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on 3 October 2017, stated with regard to the intentional or unintentional character of an infringement that, in general, "intent" includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas "unintentional" means that there was no intention to cause the infringement, even though the controller/processor breached the duty of care required by law. Intentional infringements are more serious than unintentional ones and, consequently, more often result in the imposition of an administrative fine.

The President of the UODO considered that, in the established circumstances of the case, a reprimand is a sufficient measure against the Company. The President of the UODO treated as a mitigating circumstance the fact that the Company undertook a number of remedial measures to minimise the risk of the breach recurring (replacement of hardware and software, changes to procedures, conducting a further risk analysis, conducting a security audit). Moreover, the Company itself notified the President of the UODO of the personal data breach. On the facts of the case there are also no grounds to believe that the data subjects suffered any damage as a result of the breach, given that the operation of health resorts had been suspended from [...] March 2020 under the Regulation of the Minister of Health of 13 March 2020; at the time the breach occurred, the Company was not providing any services to clients or patients.

The breach therefore concerns a one-off event, and so this is not a case of a systematic act or omission that would constitute a serious threat to the rights of the persons whose personal data are processed by the Company. The above circumstances justify issuing a reprimand to the Company for the identified infringement, which will also serve to prevent similar incidents in the future. Nevertheless, should a similar event occur again, any reprimand previously issued by the President of the UODO against the Company will be taken into account when assessing the conditions for the possible imposition of an administrative fine, in accordance with the principles set out in Article 83(2) of Regulation 2016/679.

In this factual and legal situation, the President of the UODO ruled as set out in the operative part.

The decision is final. Pursuant to Article 7(2) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781, as amended) in conjunction with Article 13 § 2, Article 53 § 1 and Article 54 § 1 of the Act of 30 August 2002 - Law on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325), a party has the right to lodge a complaint against this decision with the Voivodeship Administrative Court in Warsaw within 30 days of its delivery to the party. The complaint is lodged through the President of the UODO. The court fee for lodging the complaint is PLN 200. The party has the right to apply for legal aid, including exemption from court costs.