WSA Warsaw (Poland) - II SA/Wa 2559/19

From GDPRhub
WSA Warsaw (Poland) - II SA/Wa 2559/19
Courts logo1.png
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 32(1)(d) GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 58(2) GDPR
Article 83 GDPR
Decided: 03.09.2020
Published:
Parties: Morele.net
National Case Number/Name: II SA/Wa 2559/19
European Case Law Identifier:
Appeal from: UODO (Poland)
UODO - ZSPR.421.2.2019
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Provincial Administrative Court in Warsaw (WSA Warsaw) upheld the €660000 fine imposed on the company Morele.net by the Polish DPA (UODO). Morele.net had violated the principle of data confidentiality and had failed to ensure the security of personal data processed.

English Summary

Facts

In November 2018, the company reported to the supervisory authority two violations related to obtaining by an unauthorised person access to the database, and consequently - to personal data of customers of the company's online shops. After the inspection, the DPA concluded that the company had breached the rules on personal data protection. The deficiencies consisted in the violation by the company of the principle of data confidentiality, consisting in the failure to ensure the security and confidentiality of the processed personal data, which resulted in unauthorised persons gaining access to the personal data of the company's customers, and in the violation of the principle of legality, reliability and accountability by not showing that personal data from instalment applications collected before 25 May 2018 were processed by Morele.net Sp. z o.o. on the basis of the consent of the person to whom the data referred.

In September 2019 UODO imposed a fine on the shop Morele.net in the amount of 2,830,410 PLN (660,000 EUR).

The company appealed against this decision to the Provincial Administrative Court in Warsaw.


Dispute

Did the technical and organisational measures applied by the company comply with the standards of security measures in the business activity of entrepreneurs in the area of e-commerce of a scale and nature similar to the scale and nature of the company's activity in 2018? Were the technical and organisational measures applied by the company appropriate taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and objectives of the processing, as well as the risk of infringement of the rights or freedoms of natural persons of different probability and seriousness of the threat?

Holding

The Provincial Administrative Court in Warsaw dismissed the appeal. The Court agreed with UODO and found that the fine imposed was justified.

Comment

Although it has to be concluded that the company has indeed breached the rules of the processing of personal data, the DPA's decision was questionable. The reason for these reservations was, among other things, the failure to carry out the proof provided by the penalised company, i.e. the request for expert opinion. In particular, the UODO arbitrarily considered that the company should have used two-factor authentication and that it ineffectively monitored potential threats to the rights and freedoms of persons whose data were processed by the company, which contributed to the event of gaining unauthorised access to client data from the company's database system. The supervisory authority referred to the recommendations of various organisations dealing with data security. However, the refusal to accept the request for expert opinion evidence was doubtful. The company wanted the expert opinion for: a) establishing the technical and organisational standards of security measures in the business activity of entrepreneurs in the area of e-commerce of a scale and nature similar to the scale and nature of the company's activity in 2018; b) assessing whether the technical and organisational measures applied by the company complied with the standards of security measures in the business activity of entrepreneurs in the area of e-commerce of a scale and nature similar to the scale and nature of the company's activity in 2018; c) assessing whether the technical and organisational measures applied by the company were appropriate taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and objectives of the processing, as well as the risk of infringement of the rights or freedoms of natural persons of different probability and seriousness of the threat.

The Court was expected to address this issue in detail. Unfortunately, the Court only briefly stated that, since the authority had sufficient evidence in the case, it was not necessary to carry out any other evidence in the light of the findings. This approach by the Court deserves to be criticised, and the grounds for the judgment do not, in my opinion, meet the requirements for the grounds for judgments by administrative courts. The Court practically only stated that the supervisory authority was right and did not address the disputed issues in this case.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Sentence</div><P> Provincial Administrative Court in Warsaw composed of the following composition: Chairman Judge of the Provincial Administrative Court Agnieszka Góra-Błaszczykowska, Judge of the Provincial Administrative Court Joanna Kube (spokesman), Judge of the Provincial Administrative Court Sławomir Antoniuk, Reporter for senior sec. court. Agnieszka Wiechowicz, after examining at the hearing on August 20, 2020 the case from the complaint of [...] Sp. z o. o. with its seat in [...] against the decision of the President of the Personal Data Protection Office of [...] September 2019 No. [...] on the imposition of a financial penalty in connection with the processing of personal data, dismisses the complaint </td></tr><tr class="niezaznaczona"><td class="info-list-label-uzasadnienie" colspan="2"><div class="lista-label"> Substantiation</div><P> President of the Personal Data Protection Office, hereinafter: "President of the Office", "supervisory authority", "authority" by decision of [...] September 2019 No. [...], pursuant to Art. 104 § 1 of the Act of June 14, 1960 - Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended), hereinafter: "kpa" and art. 7 sec. 1 and 2, art. 60, art. 101, art. 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, as amended), hereinafter: "uodo", in connection with art. 5 sec. 1 lit. f, art. 5 sec. 2, art. 6 sec. 1, art. 7 sec. 1, art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b and art. 32 sec. 2, art. 58 sec. 2 lit. i and art. 83 sec. 3, art. 83 sec. 4 lit. a, art. 83 sec. 5 lit. a Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation) ( Dz. Urz. UE L 119 of 04/05/2016, page 1 and Dz. Urz. EU L 127 of 23/05/2018, page 2), hereinafter: "GDPR", "Regulation 2016/679", after conducting administrative proceedings on the processing of personal data by M. Sp. z o. o. with its seat in K., ul. F. [...], hereinafter: "Company", "M." found a breach by M. of the provisions of Art. 5 sec. 1 lit. a and lit. f, art. 5 sec. 2, art. 6 sec. 1, art. 7 sec. 1, art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b and lit d, art. 32 sec. 2 GDPR and imposed on M. a fine in the amount of PLN 2,830,410 (equivalent to EUR 660,000), according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28, 2019.</P><P> On [...] November 2018, M. reported to the President of the Office two breaches of personal data protection, which related to the unauthorized access to the database of customers of online stores [...], [...], [.. .], [...], [...], [...], [...], [...], [...], [...], [...] and obtaining by an unauthorized person access to the account of the Company's employee, and, consequently, obtaining personal data of customers making purchases in the above-mentioned online stores.</P><P> Then, on [...] December 2018, the Company reported to the President of the Office another violation consisting in obtaining unauthorized access to the account of the Company's employee.</P><P> From [..] to [...] January 2019, authorized employees of the Office carried out an inspection at M., in order to verify the compliance of the processing of personal data by the Company with the provisions of the GDPR and the Personal Data Protection Act. [...], [...], [...], [...], [...], [...], [...], [...], [. ..], [...], [...], administered by the Company.</P><P> The President of the Office, in a letter of [...] June 2019, initiated ex officio administrative proceedings regarding the deficiencies identified during the audit.</P><P> In the notice of initiation, it was stated that the Company had committed:</P><P> 1. breach of the principle of confidentiality of data expressed in Art. 5 section 1 lit. f GDPR reflected in the form of obligations set out in Art. 24 paragraph 1, art. 25 sec. 1 and art. 32 sec. 1 lit. bid, art. 32 sec. 2 GDPR, as it has only partially fulfilled the obligation to provide appropriate technical security measures for the processed data. Failure to fulfill the obligation under Art. 32 sec. 2 of Regulation 2016/679 consisted in the selection of ineffective technical and organizational measures at the level of access control and authentication, monitoring of network traffic in the production environment, failure to assess the ability to continuously ensure confidentiality, failure to assess the risk of gaining access to the Company's employee panel and the risk of violating rights or freedoms persons whose data is processed by the Company. The company did not take sufficient steps to assess the selection of technical and organizational measures from the angle of risk adequacy. These irregularities could lead to violations of personal data protection and, as a consequence, exposure of the Company's clients to property damage;</P><P> 2. breach of the principle of legality expressed in art. 5 section 1 lit. a GDPR, accountability rules under Art. 5 sec. 2 GDPR, detailed in art. 7 sec. 1 and art. 6 sec. 1 point a of this regulation. The company is not able to precisely indicate the date of launching the functionality of saving data from installment applications (probably in 2016) and does not have a documented analysis of the data processing process in this regard. Around [...] December 2018, at the verbal order of the Vice President of RS, the Company removed the database containing customer data from "installment applications". No specific analysis has been carried out in this respect and no data deletion has been documented. As the content of the consents collected by the Company was not presented during the inspection, it was assumed that the administrator did not demonstrate that he obtained consent from data subjects for the processing of data from installment applications, and thus the Company processed personal data in this respect without a legal basis.</P><P> The President of the Office, justifying the decision of [...] September 2019, indicated that:</P><P> 1. In the facts of the case the principle of confidentiality, expressed in Art. 5 sec. 1 lit. fa, specified in art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit bid and art. 32 sec. 2 of the GDPR as a result of accessing the Company's employee panel twice and gaining access to the database of all the Company's customers by unauthorized persons. Gaining access to the panel of the Company's employees and to the data of all clients from the Company's database system resulted in the materialization of the risk of violating the rights</P><P> and freedom of natural persons whose data is processed by the Company, in the form of the use of a method called phishing, aimed at phishing data, including credentials to a bank account by impersonating the Company</P><P> in SMS messages and the use of the fact of placing the order by the customer.</P><P> In the opinion of the President of the Office, it was the ineffective authentication measure that contributed to the event of obtaining unauthorized access to the employee's panel. Due to the access of many people to the panel, which contains the data of the current purchase transactions of individual customers, including employees (attachments [...] and [...] to the inspection protocol), also taking into account the risks related to obtaining unauthorized access to data, the use of an authentication measure solely in the form of a login and password was insufficient.</P><P> The ability to ensure continuous confidentiality was not sufficiently assessed and the risk of obtaining unauthorized access to the employee panel was not taken into account.</P><P> The supervisory authority noted that work on introducing additional technical security measures, including in the form of two-step authentication of access to the employee's panel, the Company undertook immediately after finding a violation consisting in gaining access to the employee's panel by an unauthorized person.</P><P> It argued that access control and authentication are basic security measures to protect against unauthorized access to the IT system used to process personal data. Providing access to authorized users and preventing unauthorized access to systems and services is one of the standard security elements, which is indicated, among others, by PN-EN ISO / IEC 27001: 2017-06 standard.</P><P> With art. 32 sec. 1 of Regulation 2016/679, one of the factors that should be taken into account when selecting the appropriate technical and organizational measures is the state of technical knowledge, which should be assessed taking into account market conditions, in particular the availability and market acceptability of a given technical solution. Indications specifying in this matter are provided by the applicable standards and norms, in particular ISO standards, which are also subject to constant reviews and changes conditioned by technological progress.</P><P> The European Network and Information Security Agency (ENISA) in its Guidelines for SMEs on the security of personal data processing - https://www.enisa.europa.eu/publications/ guidelines-for-smes-on-the-security-of-personal-data-processing), taking into account the above-mentioned standards (in version</P><P> of 2013) and the provisions of Regulation 2016/679, as part of access control</P><P> and authentication, recommends the use of a two-factor authentication mechanism for systems involving access to personal data.</P><P> In line with the risk-based approach resulting, inter alia, from with art. 25 sec. 1 of Regulation 2016/679, the selection of an appropriate authentication measure should be based on the risk assessment of the transaction or service carried out with it. The PN-ISO / IEC 29115: 2017-07 standard ("Information technology - Security techniques - Framework for the reasonable assurance of authentication levels"), similarly to recitals 75 or 85 of Regulation 2016/679, indicates the possible consequences and effects of authentication failure depending on the level of authentication used. incl. unauthorized disclosure of confidential information or financial loss.</P><P> The legitimacy of applying properly selected technical means in the field of access control and authentication is also indicated by other organizations dealing with information security.</P><P> The O. Foundation, an international non-profit organization that aims to develop and disseminate best practices for software developers, in the document "[...], lists the greatest threats to web applications along with methods to prevent them. One of them is to break through. authentication measure (usually single-step) As a preventive measure, it is recommended to use multi-step authentication as a way to significantly minimize the risk of security breaches.</P><P> Both this document and the standard cited above refer to the development of the US federal agency - the National Institute of Standards and Technology (NIST) document - "NIST 800-63B: Digital Identity Guidelines: Authentication and application lifecycle management "(Digital Identity Guidelines: Authentication and Lifecycle Management) (https://nvlpubs.nist.gOv/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf.)</P><P> Both the PN-ISO / IEC 29115: 2017 07 standard, the NIST 800-63B document and the studies of the OWASP organization indicate that the selection of the appropriate authentication agent should be preceded by a risk analysis and should be constantly reviewed.</P><P> In the opinion of the President of the Office, the ineffective monitoring of potential threats to the rights and freedoms of persons whose data is processed by the Company contributed to the event of obtaining unauthorized access to customer data from the Company's database system.</P><P> Pursuant to Art. 32 sec. 2 and recital 83 of Regulation 2016/679, the controller, when assessing whether the level of security is appropriate, takes into account in particular the risk associated with the processing (in particular resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed) and which may, in particular, lead to physical, material or non-material damage.</P><P> The President of the Office stated that the Company processing personal data over</P><P> 2,200,000 users, which is the processing of personal data on a large scale, and taking into account the scope of the data and the context of the processing, was required to more effectively assess and monitor potential threats to the rights and freedoms of the data subjects.</P><P> Regularly testing, measuring and evaluating the effectiveness of technical measures</P><P> and organizational measures to ensure the security of processing is the responsibility of each administrator and processor under Art. 32 section 1 lit. d of Regulation 2016/679. The administrator is therefore obliged to verify both the selection and the level of effectiveness of the technical measures used. The comprehensiveness of this verification should be assessed through the prism of adequacy to risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing.</P><P> In the opinion of the authority, in the actual state of the case, the Company was partially fulfilling this obligation, verifying only the level of effectiveness of the implemented security measures in terms of known vulnerabilities in the implemented software - as evidenced by security audits of IT systems already operating for processing the data of the Company's clients.</P><P> In the opinion of the President of the Office, the Company thus did not undertake any actions aimed at assessing the selection of technical and organizational measures through the prism of risk adequacy. Technical measures applied by the Company</P><P> and organizational, contributed to a limited extent to meeting the requirements</P><P> with art. 32 of Regulation 2016/679, as foreseeable risks have not been adequately minimized and limited during the processing.</P><P> Performing reviews and updating of implemented solutions are also a requirement formulated directly in Art. 24 sec. 1 sentence 2 of Regulation 2016/679,</P><P> and also resulting from art. 25 sec. 1 of Regulation 2016/679, creating an obligation to ensure privacy in the design phase (privacy by design) and imposing on the controller an obligation to implement appropriate technical measures both in the phase of determining the processing methods and in the phase of the processing itself. Taking into account the nature, scope, context and purpose of data processing and the resulting risks for the rights and freedoms of natural persons, the controller is obliged to implement appropriate technical and organizational measures.</P><P> The authority submitted that the earlier application of implemented [...] December</P><P> 2018, two-factor authentication (which the Company has been working on since [...] November 2018) as well as the implemented response procedure and proper configuration of alert levels (adequate to risks) in the network traffic monitoring system would significantly reduce the risk of unauthorized access by an unauthorized person and thus would minimize the risk of violating the rights or freedoms of natural persons whose data is processed by the Company, i.e. disclosure of data to unauthorized recipients.</P><P> 2. In addition, the authority indicated that the Company breached the principle of compliance with the law, reliability (Article 5 (1) (a) of the GDPR) and accountability (Article 5 (2) of the GDPR) when processing data from installment applications. Requirement</P><P> with art. 5 sec. 1 lit. a imposes on the controller an obligation to process data in accordance with the law, fairly and transparently for the data subject. Ensuring the lawfulness of data processing operations means, inter alia, the need to meet at least one of the conditions for the legality of data processing, as specified in art. 6 of Regulation 2016/679 and the need to ensure compliance with other provisions on the protection of personal data.</P><P> According to Art. 6 sec. 1 lit. and Regulation 2016/679, the processing is lawful if the data subject has consented to the processing of his personal data for one or more specific purposes. According to Art. 4 point 11 of Regulation 2016/679, the consent of the data subject means a voluntary, specific, informed and unambiguous demonstration of the will to which the data subject, in the form of a statement or a clear affirmative action, allows the processing of personal data concerning him.</P><P> However, from the content of Art. 7 sec. 1 of Regulation 2016/679, if the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his personal data. The administrator should implement organizational or technical measures to prove the consent of the data subject,</P><P> in particular, in a way that allows the fact of receiving consent to be preserved.</P><P> To be correct for the purposes of evidence, related to the administrator in accordance with art. 7 sec. 1 of Regulation 2016/679, the burden of proof is the collection and recording of information on who gave consent and what its content was, when it was given, what information was received by the data subject when submitting the declaration of consent, what information was provided on the manner of consent, and whether consent has been withdrawn and if so, when. The administrator has the above-mentioned information on the consent expressed by the data subject is a detail of the general principle of accountability formulated in Art. 5 sec. 2 of Regulation 2016/679. If the controller is not able to demonstrate that and what consent to the processing of data has been expressed by the data subject, this consent may be questioned.</P><P> During the inspection, it was found that the Company obtained data from installment applications, which was to make it easier for customers to submit subsequent applications for installment purchases (auto-completion of the installment form).</P><P> The company is not able to precisely indicate the date of launching the functionality of saving data from installment applications (probably in 2016) and does not have a documented analysis of the data processing process in this regard.</P><P> During the inspection, the company did not present declarations of consent to such processing, nor any clauses or templates of consents used before the application of Regulation 2016/679, therefore it was found that the administrator did not demonstrate that it had obtained appropriate consent from persons whose data was collected in the period from 2016 (as indicated in the explanations - the period from which the Company started obtaining data from installment applications) to May 2018 for the processing of data from installment applications.</P><P> In the printout, the so-called of the ticket system there is only an indication that only in connection with the amendment to the provisions on the protection of personal data ("in connection with</P><P> z RODO "), two consents should be added on the https // [...] / website.</P><P> Around [...] December 2018, the Company, at the verbal order of the Vice President of RS, removed the database containing customer data from the so-called "installment applications". No detailed analysis has been carried out in this respect and no data deletion has been documented.</P><P> Due to the fact that consents were obtained after the entry into force of Regulation 2016/679, and the process itself lasted from 2016 (explanations by the Company), it was assumed that the deleted database contained data collected without a legal basis.</P><P> Moreover, the President of the Office indicated that the contract was in force at that time</P><P> z [...] Bank SA with its seat in W., at ul. S. [...] prohibited the Company from collecting data from installment application forms. As it results from the agreement of [...] November 2017, concluded between the Company and the bank, the Company was not entitled to use the data obtained for the purposes of implementing the provisions of the agreement, to create its own personal data files for which it would be the administrator.</P><P> In the opinion of the authority, the mere fact of completing the data processing process, in the absence of other evidence, is not enough to conclude that the processing was carried out in accordance with the law, including on the basis of a properly formulated premise of consent.</P><P> On the basis of the principle of legality and fairness indicated in Art. 5 section 1 lit. and Regulation 2016/679, it follows that the controller must always be able to demonstrate that the personal data are processed lawfully. On the other hand, the principle of accountability (Article 5 (2) of Regulation 2016/67) requires the controller to be able to demonstrate that it complies with its obligations under the provisions on the protection of personal data. These requirements apply to all stages of data processing.</P><P> The President of the Office, pursuant to Art. 58 sec. 2 lit. and Regulation 2016/679 found that in the case under consideration there were premises justifying the imposition of an administrative fine on the Company provided for in Art. 83 of the Regulation 2016/679. He indicated that when deciding to impose an administrative fine on the Company, pursuant to Art. 83 sec. 2 lit. ak of Regulation 2016/679, took into account the following circumstances of the case, aggravating and affecting the size of the imposed financial penalty:</P><P> a) The Company failed to comply with the obligation to apply appropriate technical and organizational measures to ensure a level of security corresponding to the risk of unauthorized access to the personal data of its clients, which resulted in the access to the Company's employee panel by an unauthorized person or persons twice, and consequently also access to the database all customers of the Company in the total number of approximately 2,200,000 (approximately two million two hundred thousand) people;</P><P> b) the violation of Art. 5 sec. 1 lit. fw conj. with art. 32 sec. 1 lit. bidw with art. 32 sec. 2 of Regulation 2016/679, consisting in obtaining unauthorized access to the Company's employee panel by an unauthorized person or persons, and consequently also access to the Company's customer database, is of considerable importance and serious nature, as it creates a high risk of negative legal consequences for approximately 2,200. 000 (approximately two million two hundred thousand) people to whose data the person or unauthorized persons had access; Importantly, due to the double breach of the confidentiality of the Company's IT system, the risk is proportionally higher than 600 (six hundred) people;</P><P> c) violation of Art. 5 sec. 1 lit. f, art. 32 sec. 1 lit. bid and art. 32 sec. 2 of Regulation 2016/679, arose as a result of failure to exercise due diligence by the Company and was undoubtedly unintentional, nevertheless, the Company as the controller is liable for any irregularities found in the data processing process; the fact that the Company, despite the declaration of monitoring the network system, deserves a particularly reprehensible assessment</P><P> and responding in the 24/7 system (twenty-four hours, seven days a week), it did not find in real time, i.e. on [...]. 10.2018 - [..]. 10.2018, increased traffic on the gateway server and did not take any remedial actions during this time to prevent access to the data of approximately 2,200,000 (approximately two million two hundred thousand) natural persons who are the Company's clients. In this state of affairs, the oversight of the Company was considered by the supervisory authority to be gross;</P><P> d) the breach consisting in failure to ensure the security and confidentiality of data lasted at least from [...] November 2018 (when the Company's customers informed about receiving SMS messages calling for an additional fee</P><P> in the amount of PLN 1, in order to complete the order, along with a link to the fake electronic payment gateway D. by [...] December 2018 (i.e. introduction of additional technical security measures by the Company). In the opinion of the authority, the relatively short period of this breach may not have a mitigating effect on the resolution, as the breach concerned a large number of natural persons and should be assessed strictly due to the nature, importance and scope, as well as possible long-term consequences for data subjects.</P><P> When determining the amount of the administrative fine, the President of the Office also took into account the mitigating circumstances affecting the final penalty, i.e .:</P><P> a) taking all possible actions by the Company to remove the violation. Successively in relation to the reported violations, introduced</P><P> in the Company, among others two-step authentication of access to the employee's panel, updated the traffic tracking tool in the Panel system, reset of passwords to external websites and developer databases;</P><P> b) good cooperation on the part of the Company in order to remove the infringement and mitigate its possible negative effects. Within the prescribed period, the Company sent explanations and replied to the request of the President of the Office, therefore the degree of this cooperation was assessed as full;</P><P> c) there is no evidence that the data subjects have suffered material damage, but the very breach of confidentiality of data constitutes non-pecuniary damage (harm); this is because natural persons whose data has been accessed without authorization may, at the very least, fear losing control of their personal data, identity theft or fraud, and finally financial loss;</P><P> d) it has not been found that the Company has previously infringed the provisions of Regulation 2016/679, which would be relevant to the present proceedings.</P><P> On the other hand, the following circumstances had no influence on the imposition and the amount of the administrative fine itself:</P><P> a) The Company does not apply the approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of Regulation 2016/679,</P><P> b) no measures were previously applied to the Company in the same case,</P><P> referred to in Art. 58 sec. 2 of Regulation 2016/679,</P><P> c) there is no evidence that the Company obtained financial benefits and avoids losses due to the breach.</P><P> Taking into account the above, the President of the Office decided that the imposition of an administrative fine on the Company is necessary and justified by the weight, nature and scope of the alleged infringements. It stated that applying to the Company any other remedy provided for in Art. 58 sec. 2 of Regulation 2016/679, and in particular stopping at an admonition (Article 58 (2) (b)), would not be proportionate to the identified irregularities in the processing of personal data and would not guarantee that the Company</P><P> in the future, he will not commit a similar negligence as in the present case.</P><P> Regarding the amount of the administrative fine imposed on the Company, the President of the Office decided that in the established circumstances of the case - ie in the event of a breach of the principle of confidentiality of data, expressed in Art. 5 sec. 1 lit. f of Regulation 2016/679 (and reflected in the form of obligations set out in Article 24 (1), Article 25 (1) and Article 32 (1) (b) and (b), Article 32 (2) of Regulation 2016/679), and moreover, violations of the principles of legality, reliability and transparency, as expressed in Art. 5 sec. 1 lit. a Regulation 2016/679 and the principle of accountability, expressed in art. 5 sec. 2 (detailed in Articles 6 and 7 of Regulation 2016/679) - Art. 83 sec. 5 lit. and Regulation 2016/679, according to which the violation of the basic principles of processing, including the terms of consent, of which these principles</P><P> and terms of speech, among others in art. 5, art. 6, art. 7 of this regulation are subject to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover from the previous financial year, with the higher amount being applicable.</P><P> The authority considered the violation of the confidentiality principle stipulated in Art. 5 sec. 1 lit. f of the Regulation 2016/679, which is supported by the serious nature of the infringement and the group of people affected by it (approximately 2,200,000 - approximately two million two hundred thousand users of online stores administered by the Company). Importantly, in relation to the above-mentioned number of people, there is still a high risk of unlawful use of their personal data, because the purpose for which an unauthorized person took steps to gain access to this information is unknown.</P><P> The breach by the Company of the principle of legality and reliability expressed in art. 5 sec. 1 lit. a and the principles of accountability under Art. 5 sec. 2 of Regulation 2016/679, the supervisory authority found it a minor breach. In the case of the second of the identified infringements, the group of people affected by it is much smaller (approx. 35,000 - thirty-five thousand - users submitting installment applications).</P><P> Bearing in mind the above, the President of the Office, pursuant to Art. 83 sec. 3 and art. 83 sec. 5 lit. and Regulation 2016/679, in connection with art. 103 of the Personal Data Protection Act, for the violations described in the operative part of this decision, imposed an administrative fine on the Company in the amount of PLN 2,830,410 (which is equivalent to EUR 660,000).</P><P> In the opinion of the supervisory authority, the applied fine meets, in the established circumstances of this case, the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it will be effective, proportionate and dissuasive in this individual case.</P><P> The penalty imposed on the Company will be effective as it will lead to</P><P> in which the Company will apply such technical and organizational measures that will provide the data processed with a degree of security corresponding to the risk of violating the rights and freedoms of data subjects and the importance of threats accompanying the processing of such personal data.</P><P> The applied fine is also proportional to the breach found, in particular its severity, the group of natural persons affected and the risk they incur in connection with the breach, as well as proportionate to its financial situation and will not constitute an excessive burden for it.</P><P> Moreover, the imposed administrative fine will fulfill a repressive function in these specific circumstances, as it will be a response to the Company's breach of the provisions of Regulation 2016/679, but also preventive, as the Company itself and other administrators will be effectively discouraged from violating the provisions on protection personal data in the future.</P><P> In a complaint to the Provincial Administrative Court in Warsaw of October 16, 2019, M. requested that the Court</P><P> with a request to the Court of Justice of the European Union for a ruling</P><P> in the preliminary ruling procedure whether administrative courts in Poland provide effective legal protection against a legally binding decision of a supervisory authority, i.e. exercise full jurisdiction to determine the factual and legal circumstances relevant to the resolution of the case referred to in Art. 78 sec. 1 of the GDPR and in recital (143) of the GDPR preamble, in a situation where the proceedings before the President of the Office are single-instance and there is no authority or court that will substantively assess the decision of the President of the Office or has the competence to make factual findings, while Art. 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and Art. 47 of the Charter of Fundamental Rights guarantees the injured party the right to have the case decided by a court having full jurisdiction over the case.</P><P> The appellant applied for the revocation of the decision of the President of the Office of [...] September 2019 and for awarding the costs of the proceedings, including the costs of legal representation according to the prescribed standards.</P><P> The complainant asked for admission and taking evidence from the documents attached to the complaint (Annexes 3-5; Annex 3: analysis of the risk of violating the rights and freedoms of data subjects, Annex 4: firewall screens, Annex 5: screens and letters regarding the amendment of the message www.) in order to prove the facts indicated in the substantiation of the complaint.</P><P> The contested decision was accused of violation:</P><P> procedural regulations that may have a significant impact on the outcome of the case, i.e .:</P><P> 1.Art. 78 sec. 1 GDPR in connection with with art. 6 sec. 1 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and Art. 13 of the ECHR by preventing an effective judicial remedy;</P><P> 2.Art. 47 of the Charter of Fundamental Rights by preventing M. from considering the case by a court with full jurisdiction in the case, i.e. one that may at least establish the facts and modify the decision, which violates the Company's right to a fair trial;</P><P> 3.Art. 107 § 1 point 5 of the Administrative Procedure Code, due to the defectiveness of the formulation of the decision of the contested decision, consisting in the failure to specify by the President of the Office which actions or omissions of M., determined in the course of administrative proceedings, the authority considered to be a breach of the provisions of the law mentioned</P><P> in the operative part of the decision, for which finding an infringement, the authority imposed a fine, which in turn makes it impossible to see the result of the application of the norm of substantive law by the authority in a specific case in the context of specific facts and evidence, and thus excludes the instance control of the decision in the scope of a specific and individually marked offense and specification of the subject matter of the matter covered by the seriousness of the settled case;</P><P> 4.Art. 61 § 4 of the Code of Administrative Procedure in connection with with art. 47 of the Charter of Fundamental Rights and Art. 6 sec. 3 lit. a) of the Convention for the Protection of Human Rights and Fundamental Freedoms through lack of information in the content of the notification of the President of the Office of [...] June 2019.</P><P> to initiate proceedings regarding the alleged acts (specific actions or omissions of the Company in violation of the provisions of the GDPR), while the proceedings concluded with a decision should be treated as proceedings</P><P> on the violation of the provisions on the protection of personal data within the meaning of art. 60 of the PDPA, which consequently led to a restriction of M's rights of defense, preventing the applicant from responding to specific allegations and presenting exhaustive evidence to counter specific allegations;</P><P> 5.Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure, art. 80 of the Code of Administrative Procedure in the context of the complainant's compliance with the requirements specified in Art. 32 sec. 1 of the GDPR, due to the lack of a comprehensive and substantive assessment of the collected evidence, i.e. the security measures applied by the Company, the comprehensive assessment of which should lead the authority to establish that the complainant had implemented technical measures to protect the processed personal data, which led to incomplete determination of the facts of the case , in particular as regards the circumstances affecting the applicant's compliance with the condition</P><P> with art. 24 sec. 1 GDPR and art. 32 sec. 1 GDPR, which in accordance with art. 83 sec. 2 GDPR affects the imposition and amount of the administrative penalty;</P><P> 6.Art. 78 § 1 of the Code of Administrative Procedure in connection with with art. 84 § 1 of the Code of Administrative Procedure in connection with with art. 7 of the Code of Administrative Procedure and Art. 77 § 1 of the Code of Administrative Procedure</P><P> in the context of Art. 24 sec. 1 GDPR and Art. 32 sec. 1 GDPR, by the President of the Office dismissing the request for evidence to be taken by M.</P><P> from an expert opinion, on the circumstance:</P><P> - establishing technical and organizational standards for security measures</P><P> in the economic activity of entrepreneurs in the area of e-commerce on a scale</P><P> and a nature similar to the scale and nature of M.'s activity in 2018;</P><P> - assessment of whether the technical and organizational measures used by M. corresponded to the standards of security measures in the economic activities of entrepreneurs in the area of e-commerce, with a scale and nature similar to the scale and nature of M.'s activity in 2018;</P><P> - assessing whether the technical and organizational measures used by M. were appropriate, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons with different probability and severity of the threat, which could impact on the outcome of the case. The President of the Office independently made findings which, in fact, were statements of the authority not supported by any evidence (e.g. risk analysis performed by experts) - requiring the knowledge of a special team of experts, to which the complainant could not comment at the stage of administrative proceedings, which</P><P> as a result, it led to the recognition by the President of the Office that under the conditions specified in Art. 32 GDPR, "an appropriate technical and organizational measure" for M. was the introduction of double authentication, while only an expert opinion - as one of the means of evidence - may constitute the basis for such a categorical determination of the authority, which led to the authority making erroneous factual findings;</P><P> 7.Art. 83 § 3 of the Code of Administrative Procedure in connection with with art. 86 sec. 3 updp, by collecting testimonies from witnesses LW, JF, SK, JK, WP, BM without first instructing these people about the right to refuse to testify and answer questions and about responsibility for false testimony during the control proceedings, which could have a significant impact on the outcome of the case, while the testimonies of properly instructed witnesses could lead to findings other than those of the authority;</P><P> 8.Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure in connection with with art. 77 § 4 of the Code of Administrative Procedure, art. 80 kpa, art. 81 of the Code of Administrative Procedure, art. 84 § 1 of the Code of Administrative Procedure in connection with with art. 8 § 1 of the Code of Administrative Procedure and Art. 10 § 1 of the Code of Administrative Procedure, by the authority making factual findings and assessments based on:</P><P> 1) PN-EN ISO / IEC 27001: 2071-06 (p. 15 of the decision),</P><P> 2) 2016 guidelines of the European Network and Information Security Agency.</P><P> (p. 16 of the decision),</P><P> 3) OWASP Top 10 - 201T document (p. 16 of the decision),</P><P> 4) NIST 800: 63B (p. 16 of decisions),</P><P> 5) CERT Polska annual reports for 2016, 2017 and 2018 (p. 17 of the decision),</P><P> in a situation where there is no source material (evidence) in the files of the administrative proceedings that would allow (i) to make the findings binding on the complainant contained in pages 15 to 17 of the rationale of the decision, (ii) to assess the source material and the correctness of the authority's findings by the complainant and even (iii) commenting on this source material</P><P> pursuant to art. 10 § 1 of the Code of Administrative Procedure, which consequently led to the authority making findings from the evidence collected outside the administrative proceedings;</P><P> 9) art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure, art. 80 of the Code of Administrative Procedure, due to the lack of a comprehensive assessment and drawing logical and consistent conclusions from the evidence collected by the administrative authority in which the complainant participated, i.e. the ENISA guidelines on the security of personal data processing issued in 2016 (p. 16 of the decision). on the acceptance by the authority that ENISA recommends the use of the two-factor authentication mechanism for systems involving access to personal data, while ENISA in these guidelines recommends the use of two-factor authentication only</P><P> in the case of high risk, and the authority has not carried out such a risk assessment or questioned the content of the assessment made by the Company;</P><P> 10.Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure, art. 80 of the Code of Administrative Procedure due to the lack of a comprehensive assessment of the logical and consistent conclusions drawn from the evidence and collected by the authority outside the administrative proceedings in which the complainant participated, i.e .:</P><P> - PN-EN ISO / IEC 27001: 2071-06 standards (p. 15 of the decision),</P><P> - "OWASP Top 10 - 2017 document" (p. 16 of the decision),</P><P> - NIST 800: 63B (p. 16 of the decisions),</P><P> consisting in assuming that these guidelines recommend the use of multi-step authentication, suggesting that multi-step authentication should also be used by the Company, while these documents only provide general recommendations regarding examples of technical measures that may be used, and the choice of appropriate measures</P><P> depending on the specific case of a risk assessment which the authority has not carried out;</P><P> 11.Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure, art. 80 of the Code of Administrative Procedure, through any evaluation of the evidence, inconsistent with the logic and principles of life experience, consisting in the statement that the Company has insufficiently assessed the ability to continuously ensure confidentiality and did not take into account the risk of obtaining unauthorized access to the employee's panel, while the correct assessment of the material evidence collected in the case should lead to a finding that the Company did not infringe in this respect;</P><P> 12.Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure, art. 80 of the Code of Administrative Procedure, through any assessment of the evidence that is inconsistent with the logic and principles of life experience, consisting in the authority stating in the content of the decision that the Company did not undertake any actions aimed at assessing the selection of technical and organizational measures through the prism of adequacy to risks, while in the course of the proceedings the authority did not conduct an evidence investigation in this regard and did not make any factual findings as to the risk of violating the rights and freedoms of natural persons;</P><P> 13. Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure, art. 80 of the Code of Administrative Procedure, due to the lack of a comprehensive assessment of the evidence and drawing logical and consistent conclusions from the evidence collected by the authority, consisting in the acceptance by the authority that:</P><P> - "The infringement concerned approximately 2,200,000 (approximately two million two hundred thousand) users" - p. 5,</P><P> - "Obtaining access to the database of all clients of the Company by unauthorized persons. Gaining access to the panel of the Company's employees and to the data of all clients from the database system of the Company resulted in the materialization of the risk of violating the rights and freedoms of natural persons whose data is processed by the company" - p. 14,</P><P> - "it poses a high risk of negative legal consequences for about 2,200,000 people to whose data the person or unauthorized persons had access" - p. 23,</P><P> - "data leakage of 2,200,000 (about two million two hundred thousand) people" - p. 24,</P><P> while the collected evidence leads to a different conclusion, i.e. no breach, no leakage of 2,200,000 users (persons) and criminal copying of only a fragment of the applicant's customer database - 600 people, as the authority correctly established (point 20 factual findings), that "there was no case of data export from the database server with the use of modules for exporting a specific table", i.e. downloading the full database of the complainant in the amount of about 2,200,000 people, which consequently translated into an incorrect determination of the facts of the case with regard to the circumstances affecting the determination and the amount of the administrative penalty;</P><P> 14.Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure, art. 80 of the Code of Administrative Procedure, due to the lack of a comprehensive evaluation of the evidence and the drawing of logical conclusions, in line with the principles of life experience, from the collected evidence, consisting in the acceptance by the authority that the complainant "despite the declaration of monitoring the network system and reacting in the 24/7 system, did not find</P><P> in real time, i.e. on [...]. 10.2018 - [...]. 10.2018 increased traffic on the server's gateway and did not take any remedial actions during this time ", when the authority also established (point 19 of the facts) that the increase in data traffic was the integration of M. with A., and therefore there were no grounds to suspect a criminal interference in the applicant's IT systems and no other circumstances that would justify such a criminal interference, which consequently led to erroneous finding by the complainant a breach of Article 5 (1) (f), Article 32 (1) (b) and Article 32 (2) of the GDPR recognized by the authority as gross negligence (point c) p. 24);</P><P> 15.Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure and Art. 80 of the Administrative Procedure Code and Art. 81a § 1 of the Code of Administrative Procedure by assuming that the Company processed personal data collected in installment applications before [...] May 2018, while the correct assessment of the evidence should lead to the conclusion that this circumstance was not proven in the course of administrative proceedings, and insurmountable doubts as to the facts should be resolved in favor of the party, while the unjustified assumption of the authority as to the factual status consequently led to the incorrect assumption that the Company violated the principles of legality and fairness expressed in Art. 5 sec. 1 lit. 1 GDPR and the principle of accountability under Art. 7 sec. 2 GDPR and imposing an administrative penalty on the Company;</P><P> 16. Art. 7 of the Code of Administrative Procedure, art. 77 § 1 of the Code of Administrative Procedure and Art. 107 § 1 point 6 of the Code of Administrative Procedure by accepting that the Company did not properly collect consents for data processing before [...] May</P><P> 2018, while the correct assessment of the evidence should lead to the conclusion that this circumstance was not proven in the course of the administrative procedure, and the authority did not take the steps necessary to thoroughly clarify the facts, including during the control procedure and later in the administrative procedure The President of the Office did not ask the Company for explanations in this respect, in particular, he did not ask the Company to present the content of the collected consents for the processing of personal data, which consequently led to incorrect recognition that the Company violated the principles of legality and fairness expressed in Art. 5 sec. 1 lit. 1 GDPR and the principle of accountability under Art. 7 sec. 2 GDPR and imposing an administrative penalty on the Company;</P><P> 17. Art. 107 § 1 point 6 of the Administrative Procedure Code and Art. 107 § 3 of the Code of Administrative Procedure, by drawing up a justification in an incomprehensible manner, inconsistent with the obligations imposed on the authority with regard to the preparation of a justification, consisting in:</P><P> - the lack of an exhaustive indication of the facts which the authority considered proved, the evidence on which it relied, and the reasons for which other evidence was denied credibility and probative force, and assumptions were made that were not supported by evidence or logical justification or documents that did not constitute evidence gathered in the case or not being a source of law, including:</P><P> (a) an unsubstantiated and reasoned assessment that M's precautionary measures were inadequate to the risks and non-compliant;</P><P> b) the assessment that was unsupported by evidence and arguments that the application by the company of an authentication measure solely in the form of a login and password was insufficient (p. 15),</P><P> c) an unsupported and reasoned assessment that the ability to continuously ensure confidentiality has not been sufficiently assessed and that the risk related to obtaining unauthorized access to the Employee Panel has not been taken into account (page 15),</P><P> d) an unsubstantiated assessment that the Company did not undertake activities aimed at assessing the selection of technical and organizational measures from the angle of risk adequacy (page 19);</P><P> (e) an unsubstantiated and reasoned assessment that early implementation</P><P> and the introduction of additional measures, including two-factor authentication would significantly minimize the risk of violating the rights and freedoms of natural persons;</P><P> f) assuming by the authority, not justified by arguments and evidence, that since "consents were obtained after the date of application of Regulation 2016/679,</P><P> and the process itself started in 2016 (explanations by the Company), it should be assumed that the deleted database contained data collected without a legal basis "(p. 21 of the decision);</P><P> - no indication by the authority of the calculation of such and not another amount of the administrative penalty, and the indication by the authority of only those not supported</P><P> in the collected evidence,</P><P> - internal contradictions in the justification, including in point 20 of the factual findings, the authority found that "there was no case of data being exported from the database server using table-specific export modules", while already in d) on p. 24 of the decision, the authority stated that there had been "data leakage of 2,200,000 people";</P><P> which in consequence prevents real substantive control of the decision;</P><P> 18. Art. 107 § 1 point 6 of the Code of Administrative Procedure in connection with with art. 72 uodo and art. 83 sec. 1 and 2 GDPR, due to the lack of justification by the authority for the amount of the administrative penalty imposed in the scope, inter alia, calculating and quantifying the impact of the circumstances which, in the opinion of the authority, mitigated or exacerbated M.'s liability, which in the opinion of the authority made it impossible to actually control the content of the decision.</P><P> Moreover, the contested decision alleged infringement of substantive law, which had an impact on the outcome of the case:</P><P> 1.Art. 32 sec. 1 and 2 of the GDPR based on the assumption that pursuant to art. 32 sec. 1 and 2 of the GDPR results in the obligation to apply effective technical measures</P><P> and organizational (p. 14), while the obligation under Art. 32 sec. 1 and 2 of the GDPR applies to the application (implementation) of appropriate measures to ensure a degree of security corresponding to this risk;</P><P> 2.Art. 24 sec. 1 GDPR and 32 par. 1 and 2 of the GDPR, by their improper application, i.e. formulating assessments regarding technical suitability / inadequacy</P><P> and organizational safety measures without prior risk assessment,</P><P> in particular by assuming that the technical ones used by the Company</P><P> and organizational security measures were inadequate (i.e. in the opinion of the authority insufficient), and the security measure indicated by the authority in the form of double authentication would be appropriate (taking into account the state of technical knowledge, the cost of implementation and the nature, context and purpose of processing as well as the risk of violating the rights and freedoms of natural persons) ), while the authority (i) did not substantially question the risk assessment made by the complainant, (ii) formulated risk assessments in an arbitrary manner, in particular without the participation of experts, without specifying the risk assessment method and without basing the formulated assessments in the evidence, (iii ) failed to conduct the administrative procedure in terms of the risk assessment made by the complainant and the assessment of its correctness;</P><P> 3. infringement of Art. 5 sec. 2 GDPR in connection with with art. 7 sec. 1 and in connection with with art. 11 sec. 1 of the GDPR by misinterpreting them and assuming that the Company is required to demonstrate the legality of the processing of personal data, despite the fact that the processing of personal data has been completed, while the provisions of the GDPR require to demonstrate accountability, including showing the legal basis and correctness of the collected consents, only with regard to the data currently processing processes processed by the administrator;</P><P> 4.Art. 72 of the Personal Data Protection Act with art. 83 sec. 2 lit. g and g of GDPR, by not applying them, in a situation where the authority has established such circumstances as: the nature of the category of data to which the breach was found and the authority's receipt of information</P><P> about the breach by the complainant (self denunciation), i.e. the circumstances which, in the light of Art. 83 sec. 2 GDPR provide the basis for mitigating the imposed administrative penalty;</P><P> 5.Art. 83 sec. 2 GDPR:</P><P> - lit. a) due to the fact that the authority does not take into account the data leakage in the established facts in connection with the crime of breaking into the Company's IT systems as a mitigating circumstance,</P><P> - lit. a) due to the failure of the authority to take into account the short duration of the infringement as a mitigating circumstance in the established facts, in a situation where the complainant's quick reaction to the suspected violation should be positively assessed by the authority in the course of determining the amount of the administrative penalty imposed,</P><P> - lit. a) by its incorrect application and assuming that the nature, gravity and duration of the infringement justify the application of the measure referred to in Art. 58 sec. 2 lit. and GDPR, while the nature of the violation, its gravity and duration do not justify the imposition of a fine, because according to the evidence collected</P><P> in the case, the infringement concerned about 600 records (out of over 2,200,000 records in the M database), it was short-lived (lasted no more than 10 days), and for 600 people it concerned only ordinary data related to</P><P> with the functioning of the account in the online store and the implementation of the sales contract,</P><P> - lit. b) by misinterpreting it and assuming that the unintentional nature of the infringement aggravates the justification for the imposition of a fine and its amount, while the above-mentioned the provision distinguishes between the intentional or unintentional nature of the violation of the provisions of the GDPR and assigns milder sanctions to the former situation,</P><P> - lit. d) by wrongly applying it and assuming that the degree of the Company's liability justifies the imposition of a penalty, while the circumstances being the subject of this case, in particular:</P><P> a) the level of implementation of the GDPR in the Company, including the use of the procedure,</P><P> b) organizational and technical security measures applied, including IT security,</P><P> c) appointment of the Data Protection Officer,</P><P> d) full cooperation with the supervisory authority and the Police,</P><P> e) being a victim of a crime,</P><P> indicate that access to customer data by unauthorized persons was an extraordinary circumstance,</P><P> - lit. f) by its incorrect application and failure to indicate, by how much (in amount or</P><P> in percent), the penalty was reduced due to the good and full cooperation of the Company</P><P> with the President of the Office,</P><P> - lit. k) by its improper application and by establishing that the lack of evidence indicating that the Company obtained financial benefits or avoided a loss is a circumstance not affecting the imposition and size of an administrative fine, while (i) the Company incurred high financial and marketing losses in in connection with the situation, (ii) the Company informed the data subjects of the situation despite the failure to fulfill the obligation to inform data subjects referred to in Art. 34 sec. 1 GDPR, (iii) the company cooperated</P><P> with law enforcement authorities (Police), (iv) the Company agreed to carry out an inspection by the President of the Office in January 2019, despite the existence of premises justifying the impossibility of conducting an inspection in connection with another inspection carried out in the Company, which violation directly affects the disproportionality of the penalty imposed administrative.</P><P> In response to the complaint, the President of the Office requested that it be dismissed, maintaining his existing factual and legal arguments.</P><P> Referring to the allegations of the complaint, he stated that the standards cited in the decision</P><P> and international standards (PN-EN ISO / IEC 27001: 2071-06) or the standards of the American National Institute of Standards and Technology NIST (NIST 800: 63B) are standards commonly known and used in the field of information security and, as such, they had to be , how</P><P> and supervisory authority, evaluation criteria and source of common and up-to-date knowledge</P><P> on the manner of performance of the obligations specified in the provisions of Regulation 2016/679. They are based on internationally recognized core values, i.e. confidentiality, integrity and availability, which the EU legislator also refers to in Art. 32 sec. 1 lit. b GDPR. On the organizational level, these types of norms are commonly known and accepted standards.</P><P> The President of the Office refused to consider the Company's application for admission</P><P> and taking evidence from an expert opinion in the scope indicated in the application, because it concerned the conduct of an expert opinion on the circumstances and facts unquestionably established during the inspection and the conducted proceedings. The degree of complexity of the case, including the assessment of the evidence gathered in the case, did not exceed the scope of information, which is the responsibility of the authority.</P><P> The President of the Office found the allegation unjustified with regard to the collection of testimonies from witnesses without their prior instruction on the right to refuse testimony and answer questions, and on liability for false testimonies in the course of the control proceedings, i.e. violation of Art. 83 § 3 of the Code of Administrative Procedure in connection with Art. 86 § 3 uodo It indicated that pursuant to Art. 84 sec. 1 point 4 of the PDPA, the inspecting body has the right to request written or oral explanations and to hear the person as a witness</P><P> to the extent necessary to establish the facts. This provision distinguishes collecting information in the course of an inspection by collecting explanations from employees or representatives of the inspected entity, and interviewing employees or representatives of the inspected entity as witnesses. During the inspection activities, the inspectors obtained oral explanations from: LW, JF, SK, JK, WP, BM, as evidenced by the "Records of oral explanations" in the case files. Thus, since during the control of the above-mentioned persons were not questioned as witnesses, the inspectors acted correctly by not instructing them about the right to refuse to testify and answer questions, and</P><P> on liability for false testimony. Such an instruction would be incorrect as it is not required by law.</P><P> In addition, in the procedural letter of [...] March 2020, in addition to the response to the complaint, the President of the Office emphasized that in the contested decision it was reasonably assumed that a third party had obtained the personal data of about 2,200,000 data subjects in an unauthorized manner . He pointed out that pursuant to Art. 4 point 12 of the GDPR, breach of personal data protection means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.</P><P> The fact of unlawful disclosure or unauthorized access,</P><P> referred to in art. 4 point 12 of Regulation 2016/679, to personal data processed by the Company results both from the material collected during the inspection and from the explanations provided by the Company both before and during the proceedings.</P><P> In the notification of a personal data breach of [...] November 2018, the Company indicated that the reported personal data breach affected approximately 2,200,000 (two million two hundred thousand) users. also</P><P> in this notification, the Company indicated that it has information from an unauthorized person, that it is in possession of a database covering the following categories of data: name, surname, e-mail address, telephone number, encoded password, information about the status of the person (natural person or company), shipping address identifier, whether the user is active, Account Manager id, account creation date, account modification date, information whether the user has verified his e-mail address. On [...] December 2018, the "extortionist" sent an e-mail correspondence to the Company, in which he provided a sample of his database containing 106 records. The company sent the notification e-mail to approximately 2,200,000 customers</P><P> on unauthorized access to the customer database, thus concluding that the data of so many people were affected by the infringement.</P><P> During the inspection, it was found that the database sample sent to the Company by the "extortionist" contained data categories identical to those indicated in the infringement notification sent to the President of the Office of [...] November 2018.</P><P> Comparing the columns of the table from the sample provided with the table of shop users allowed the President of the Office to assume that an unauthorized person had access to the entire user database, as he had full knowledge of the scope of personal data processed by the Company.</P><P> The Provincial Administrative Court in Warsaw considered the following:</P><P> The court found no grounds to refer a question to the CJEU contained in the complaint, as it had no doubts as to the possibility of ensuring effective legal protection when examining the complaint in the case at hand.</P><P> Since, as a rule, decisions imposing pecuniary sanctions are subject to appeal to an administrative court, like all administrative decisions, it cannot be assumed that the application of this rule in the present case violates the right to a fair trial.</P><P> The provision of art. 184 of the Polish Constitution introduces a presumption that in</P><P> in the field of public administration, the right to a court will be exercised by the administrative judiciary (see the judgment of the Constitutional Tribunal of June 14, 1999, file no. K 11/98, OTK ZU No. 5/1999, item 97), that is, in justified cases, justice in this area may be entrusted to common courts (see the decisions of the Constitutional Tribunal of: May 9, 2000, reference number SK 15/98, OTK ZU no. 4/2000, item 113; November 14, 2007, reference number SK 53) / 06, OTK ZU No. 10 / A / 2007, item 139).</P><P> According to Art. 2 of the Act of August 30, 2002 - Law on proceedings before administrative courts (i.e. Journal of Laws of 2019, item 2325, as amended), hereinafter: "ppsa", administrative courts are appointed to hear administrative court cases . In turn, in the provision of art. 3 § 2 point 1 of the PPSA, it was indicated that the control of public administration activities by administrative courts includes adjudicating on complaints against administrative decisions.</P><P> The decision issued by the President of the Office is included in the catalog of decisions subject to judicial and administrative review, as it is an administrative decision.</P><P> There is no doubt that in the light of the constitutional model of judicial review of the activities of public administration, the administrative court, as a rule, does not have the competence to make findings of fact in the administrative case under examination. This task rests with the public administration body. This cognition is limited, because granting administrative courts the competence to consider an administrative case substantively (e.g. to impose an administrative fine) would lead to the judicature of the public administration (the executive) in the performance of the tasks and competences entrusted to it (see the judgment of the Constitutional Tribunal of November 13 2007, ref. SK 40/06, OTK ZU No. 10 / A / 2007, item 137).</P><P> The very empowerment of administrative bodies to impose administrative fines falls within the constitutional order and cannot be perceived as the administration's encroachment on the competences of the judiciary (Article 10 of the Constitution). Administrative pecuniary penalties cannot be equated with a fine or other criminal law institutions. Financial penalties do not have to be imposed only in criminal proceedings (cf. the judgment of the Constitutional Tribunal of 29 April 1998, file reference number K 17/97; publ. OTK 1998/3/30).</P><P> The court dismissed the evidence motions contained in the complaint, from the documents attached to the complaint, as attachments 3 to 5. Since the case files contain the documents indicated in attachments 4 and 5, respectively: firewall screens and a letter regarding the change of the www message, then it was unnecessary to take supplementary evidence from these documents, pursuant to Art. 106 § 3 of the PPSA According to art. 133 ppsa, the administrative court decides on the basis of the case files. Therefore, the basis for adjudication by this court is the evidence gathered by public administration bodies throughout the proceedings.</P><P> On the other hand, the evidence attached to the complaint, as Annex 3, called the analysis of the risk of violation of the rights and freedoms of data subjects, and constituting a document of [...] December 2018, entitled "Assessment of the seriousness of the violation of personal data protection</P><P> w M. sp. z oo "does not remain, according to the Court, in connection with the assessment of the legality of the contested act.</P><P> The complaint cannot be considered, because the Court, when reviewing the legality of the contested administrative decision, pursuant to Art. 1 § 1 and § 2 ppsa, did not find that the President of the Office, by issuing the decision of [...] September 2019, violated the provisions of substantive law to a degree that had an impact on the outcome of the case, or the provisions of administrative proceedings to a degree that could significantly impact on the outcome of the case.</P><P> The contested decision meets the conditions set out in Art. 107 § 1 point 5 of the Administrative Procedure Code, i.e. it contains the designation of the administrative body, date of issue, designation of the party, reference to the legal basis, decision, factual and legal justification, instruction, signature with name and position. The matrix of the decision, i.e. the decision, is formulated clearly and precisely, it is understandable. The sentence shall decide on the imposition of an administrative penalty in connection with the violation of the provisions of applicable law indicated therein. In justification of the decision, the authority explained the legal grounds for the decision.</P><P> In the notice of initiation of the administrative procedure of [...] June 2019, the authority indicated which violations found during the inspection caused by the notification of violations of personal data protection of shop customers [...], [...], [... ], [...], [...], [...], [...], [...], [...], [...]. [...], whose administrator is the Company, are the subject of the proceedings, describing them and stating their legal qualification.</P><P> The decision of the President of the Office of [...] September 2019 indicates for what the supervisory authority imposed an administrative fine on the complaining Company and, contrary to the allegations of the complaint, provides the reasons for its imposition. The operative part of the decision indicates the provisions of Regulation 2016/679, the violation of which was found in the course of the proceedings. On the other hand, its justification contains a description of these infringements and their legal qualification.</P><P> The fact of unlawful disclosure or unauthorized access,</P><P> referred to in art. 4 point 12 of Regulation 2016/679, to personal data processed by the Company, it results clearly from the material collected</P><P> on the subject matter.</P><P> The opinion of the authority should be shared that the most serious breach determining the penalty imposed was the breach of the expressed confidentiality principle</P><P> in art. 5 sec. 1 lit. fw conj. with art. 32 sec. 1 lit. bidw with art. 32 sec. 2 GDPR.</P><P> The provision of art. 5 GDPR lays down rules regarding the processing of personal data that must be respected by all administrators, i.e. entities that independently or jointly with others determine the purposes and methods of personal data processing. According to Art. 5 sec. 1 lit. f GDPR, personal data must be processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures ("integrity</P><P> and confidentiality ").</P><P> According to the content of Art. 32 sec. 1 lit. b GDPR, taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons with different probabilities and severity, the controller and the processor implement appropriate technical and organizational measures to ensure a level of security corresponding to this risk, including, but not limited to, the ability to ensure confidentiality, integrity, and availability at all times</P><P> and resilience of processing systems and services. And with art. 32 sec. 1 lit. d of Regulation 2016/679 there is an obligation to regularly test and measure</P><P> and assessing the effectiveness of technical and organizational measures to ensure the security of processing.</P><P> Pursuant to Art. 32 sec. 2 GDPR, the controller, when assessing whether the level of security is adequate, takes into account in particular the risk related to the processing, in particular resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise way processed.</P><P> The provision of art. 32 of the GDPR also constitutes a specification as indicated in art. 5 sec. 1 lit. f GDPR, the principles of integrity and confidentiality, according to which personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, and accidental loss, destruction or damage, by appropriate technical or organizational measures .</P><P> As correctly established by the authority, the breach of the confidentiality principle occurred through unauthorized access to the employee's panel and obtaining the data of all clients of the Company's database system. This resulted in the materialization of the risk of violating the rights and freedoms of natural persons whose personal data M. processed. The risk was the use of phishing in order to obtain data.</P><P> In the Court's opinion, the authority had grounds to assume that the reason for obtaining unauthorized access to the employee's panel was an ineffective means of authentication, which was only the login and password. M. insufficiently assessed the ability to ensure continuous confidentiality and did not take into account the risk of gaining unauthorized access to the employee panel.</P><P> Performing reviews and updating of implemented solutions is also a requirement formulated directly in Art. 24 sec. 1 sentence 2 of Regulation 2016/679,</P><P> and also resulting from art. 25 sec. 1, which imposes an obligation on the controller to implement appropriate technical measures both in the phase of determining the methods of processing and in the phase of the processing itself. Taking into account the nature, scope, context and purpose of data processing and the resulting risks for the rights and freedoms of natural persons, the controller is obliged to implement technical and organizational measures appropriate to these circumstances.</P><P> and aspects of personal data processing.</P><P> As correctly established by the supervisory authority, the ineffective monitoring of potential threats to the rights and freedoms of persons whose data was processed by the Company contributed to unauthorized access to customer data</P><P> from the Company's database system.</P><P> M., whereas it processes the personal data of over 2,200,000 users, as well as the scope and context of their processing, it should more effectively assess and monitor potential threats to the rights and freedoms of data subjects.</P><P> It is the data controller who is obliged to verify both the selection and the</P><P> and the level of effectiveness of the technical and organizational measures used. The comprehensiveness of this verification should be assessed through the prism of adequacy to risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing.</P><P> The authority had grounds to assume that the Company was only partially fulfilling this obligation, as it only verified the level of effectiveness of the implemented security measures in terms of known vulnerabilities in the implemented software - as evidenced by security audits of the already functioning IT systems used to process the data of the Company's clients. However, it did not take appropriate steps to evaluate appropriate technical measures</P><P> and organizational through the prism of adequacy to risks, to which it was required by Art. 32 sec. 1 sentence 1 of the Regulation 2016/679, as well as art. 25 sec. 1 of this regulation. On the other hand, the lack of effective monitoring measures made it possible for the incidents to occur.</P><P> Thus, the assumption that the Company applied technical and organizational measures that did not fully meet the requirements of Art. 32 of Regulation 2016/679 was justified as the foreseeable risk was not adequately minimized and limited during the processing.</P><P> The GDPR has introduced an approach in which risk management is the cornerstone of personal data protection activities and is an ongoing process. Entities processing personal data are obliged not only to ensure compliance with the guidelines of the above-mentioned of the regulation through a one-off implementation of organizational and technical security measures, but also to ensure the continuity of monitoring the level of threats and ensuring accountability in terms of the level and adequacy of the introduced security. This means that it becomes necessary to prove to the supervisory authority that the implemented solutions aimed at ensuring the security of personal data are adequate to the level of risk, as well as taking into account the nature of the organization and the personal data processing mechanisms used.</P><P> The consequence of such an orientation is the resignation from the lists of safety requirements imposed by the legislator, in favor of the independent selection of security measures based on the analysis of threats. Administrators are not directed to specific security measures and procedures. The administrator is to independently conduct a detailed analysis of the data processing processes carried out and perform a risk assessment, and then apply such measures</P><P> and procedures that will be adequate to the assessed risk.</P><P> As another allegation, the authority indicated a violation of Art. 5 sec. 1 lit. a and art. 5 sec. 2 GDPR, i.e. the principles of legality and reliability as well as the principles of accountability in the processing of personal data from installment applications. The authority assumed that the violation was less serious when the penalty was imposed.</P><P> In the opinion of the Court, also in this respect the findings and assessment of the supervisory authority turned out to be correct.</P><P> The position of the President of the Office should be shared that the explanations of the Company regarding the completed process of data processing from installment applications, in the absence of other evidence, are not sufficient to conclude that the processing itself was carried out in accordance with the law, including on the basis of a properly formulated premise of consent. The fact that the legislator, in Art. 4 point 2 of the GDPR also includes the deletion of personal data as part of the processing, as a result of the fact that the process of deleting the personal data held by the administrator must also comply with the provisions of art. 5 of Regulation 2016/679 to the rules on the processing of personal data.</P><P> The process of removing the database from installment applications carried out by the Company was not preceded by any analysis documented by the Company and was not carried out on the basis of the procedures applicable in the Company specifying the rules and periods for deleting personal data resulting from legal provisions or the administrator's goals. The company was not able to demonstrate that from 2016 to May 2018, it obtained customer data from installment applications in order to facilitate the completion of future loan applications, based on a correctly formulated premise of consent.</P><P> In the opinion of the Court, the administrative fine applied by the President of the Office performs the functions referred to in Art. 83 sec. 1 GDPR, i.e. it is effective, proportionate and dissuasive in this individual case.</P><P> The authority justified the imposition of an administrative financial penalty, indicating the grounds on which it relied, taking into account the nature, gravity and duration of the violation and the circumstances both aggravating and mitigating the penalty.</P><P> Referring to the complainant's allegation that the supervisory authority failed to justify the failure to apply another remedy to M. from the catalog listed in Art. 58 sec. 2 lit. ah and lit. j GDPR, instead of an administrative fine, it should be indicated that pursuant to Art. 58 sec. 2 lit. and GDPR, each supervisory authority has the right to apply, in addition to or instead of other remedies provided for in Art. 58 sec. 2 GDPR, an administrative fine pursuant to Art. 83 of the Regulation, depending on the circumstances of a particular case. Therefore, the authority is not required to justify why it has not applied a different remedy. On the other hand, it is obliged to justify the imposition of an administrative financial penalty, which it did in the contested decision, indicating the grounds on which it relied and taking into account the nature, gravity and duration of the infringement, as well as the circumstances mitigating the penalty. In the case at hand, the authority found that the nature, gravity and duration of the infringement qualify for the imposition of the financial penalty in question.</P><P> In the justification of the contested decision, the President of the Office indicated, pursuant to Art. 83 sec. 2 lit. a-k GDPR, what circumstances did he consider as those that contribute to the aggravation of the penalty and those that support the leniency of the penalty, and spoke about the inadvertent penalty (paragraph 3). Therefore, the adjudicating body in the case cannot be effectively accused of the arbitrariness of the decision made.</P><P> The allegation in the complaint that the authority did not specify how it determined the amount of the administrative fine, e.g. by indicating the starting amount of the fine, is unfounded. The conditions for imposing an administrative fine are defined in Art. 83 GDPR. The amount of the imposed fine is the result of the conditions specified in Art. 83 sec. 2 and 3 GDPR.</P><P> As for the allegation that the expert evidence requested in the course of administrative proceedings was not carried out, it should be pointed out that since the authority had sufficient evidence in the case, it was unnecessary to conduct any other evidence, in the light of the findings.</P><P> The allegation of infringement of Art. 83 § 3 of the Code of Administrative Procedure in connection with</P><P> with art. 86 sec. 3 updp In this respect, the Court agrees with the position taken by the authority in this matter in response to the complaint.</P><P> The Court also found all the other pleas in the complaint to be unfounded.</P><P> Therefore, since all the allegations raised by the applicant Company, both concerning the infringement of substantive and procedural law, turned out to be ineffective and there are no grounds to conclude that the authority committed other infringements of law that could constitute the annulment or revocation of the contested decision, the Provincial Court Administrative in Warsaw, pursuant to art. 151 ppsa, ruled as in the sentence. </td></tr></table></div><!-- Stopka -------------------------------------------------------------------------><div class="dolne-linki"> <a
			href="/cbo/find?p=1"><span
			class="navl">Back to the list</span></a></div><div class="disclaimer"></div><BR><hr style="margin-bottom:1"/><div id="sp"> Powered by SoftProdukt</div></div></div></div><script type="text/javascript">
function logExtHref(doc, href)
{var callback={success: function(o){},failure: function(o){},argument:{}};
 var d= new Date();
 var url= "/cbo/servlet/logExtHref?doc="+doc+"&href="+href+"&d="+d.getTime();
 YAHOO.util.Connect.asyncRequest('GET', url, callback);
}
</script><script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-1768873-2', 'nsa.gov.pl');
  ga('send', 'pageview');

</script></BODY><script type="text/javascript" src="/yui/yahoo/yahoo-min.js"></script><script type="text/javascript" src="/yui/connection/connection-min.js"></script></html>