Seen at the European Data Protection Board, a decision from the Polish S.A.:
Background information
Date of final decision: 19 January 2022
Cross-border case or national case: National Case.
Controller: Fortum Marketing and Sales Polska S.A.
Legal Reference: Integrity and confidentiality (Art. 5(1)(f)), Responsibility of the controller (Art. 24(1)), Data protection by design and by default (Art. 25(1)), Processor (Art. 28(1), Art. 28(3)(c) and Art. 28 (3)(f))), Security of processing (Art. 32(1) and Art. 32(2)).
Decision: infringement of the GDPR, administrative fine.
Key words: responsibility of the controller, technical and organisational measures, record fine
Summary of the Decision
An administrative fine of approx. PLN 4.9 million (EUR 1,080,000) has been imposed on Fortum Marketing and Sales Polska S.A. for failing to implement appropriate technical and organisational measures to ensure personal data security and failing to verify the processor. In turn, an administrative fine has been imposed on the processor that received a fine of PLN 250,000.00 (EUR 55,000).
Origin of the case
The controller has specified in its contractual provisions with the processor the personal data security requirements to be applied, including pseudonymisation and encryption of personal data.
During the process of making changes to the system, actual personal data of the controller’s customers were used, and the effectiveness of the safeguards used were not verified before the new solution was handed over to Fortum. In addition, the security features were not tested during the work conducted for this purpose.
The changes were made by the processor with which the controller cooperated on the basis of agreements concluded, including the personal data processing entrustment agreement. During the changes, an additional Fortum customer database was created. However, this database was copied by unauthorized persons because the server on which it was deployed did not have properly configured security measures
Key Findings
The controller learned of the incident not from the processor, but from two independent Internet users who notified him that they had unauthorized access to the database.
The personal data breach involved the copying of the controller’s customer data by unauthorized persons. This occurred when a change was made to the ICT environment.
The breach resulted from the processor’s failure to comply with basic security principles involving the failure to protect personal data against unauthorized access and the controller learned of the incident not from the processor, but from two independent Internet users who notified him that they had unauthorized access to the database.
If the controller had verified the processor’s implementation of changes aimed at improving the operation of the personal data processing system, it would have significantly reduced the risk of unauthorized persons gaining access to the data processed in the system.
Decision
The Polish DPA found that the controller infringed the GDPR provisions i.e. Art. 5(1)(f), Art. 24(1), Art. 25(1), Art. 28(1), Art. 32(1)(2).
The processor was found to have infringed Art. 32(1) and Art. 32(2) and also Art. 32(1) and Art. 32(2) in relation to Art. 28(3)(c) and (f). An administrative fine of PLN 4,911,732 (EUR 1,080,000) has been imposed on Fortum Marketing and Sales Polska S.A and of PLN 250,135 (EUR 55,000) on the processor.
For further information: decision in national language (PL)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.