The Polish Data Protection Authority (Urząd Ochrony Danych Osobowych; the “UODO”) has imposed another fine for a failure to implement sufficient technical and organisational security measures, a failure that resulted in a personal data breach. This time the penalty, imposed on Fortum Marketing and Sales Polska S.A. (the “Controller”), an energy and heat provider, is a record high of PLN 4.9 million (approx. EUR 1 million). In the same decision, dated 19 January 2022, the UODO fined not only the Controller but also its data processor, PIKA sp. z o.o. (the “Processor”), a provider of digital archive services, in the amount of PLN 250,000 (approx. EUR 53,000). Although the fine imposed on the Controller is the highest ever imposed in Poland, it amounts to only 0.18% of the Controller's annual turnover. The fine imposed on the Processor is proportionally much more severe, as it constitutes 1.19% of the Processor's annual turnover.
Summary of the case
The breach involved unauthorised access to, and copying of, personal data from a newly created database containing information on the Controller's customers, including residential addresses, PESEL numbers (Polish national identification numbers), ID document details, e-mail addresses, phone numbers and other data. The Controller, wanting to improve the efficiency of its services, had entrusted the Processor with implementing changes to its IT system, including setting up an additional server and a database for digital archive purposes. The data leaked because the server on which the new database was deployed did not have properly configured security features.
The Controller learned of the vulnerability that allowed unauthorised access to the database when two independent Internet users reported that they had been able to reach it. The Controller then notified the UODO of a personal data breach, which initiated proceedings by the authority. The affected data subjects were not notified.
The decision is the first in which the UODO examines in detail how security should be ensured in IT implementation projects. Its main findings, which have practical relevance well beyond this case, are the following:
1. Data security needs to be ensured by implementing, in particular, pseudonymisation of data
The main misconduct of the Processor was that it neither secured nor tested the newly created database before loading it with actual customer data. Disregarding these rules, which are quite basic in IT projects, led to a breach of the confidentiality of the personal data of over 95,000 customers. In addition, before handing the new database over to the Controller, the Processor did not verify the security of the changes it had introduced.
According to the UODO, protecting personal data against unauthorised access is one of the key obligations of data controllers. Any changes to IT systems should be made in compliance with the applicable laws (in particular the GDPR) and with current security standards, such as the ISO standards. In particular, the UODO stressed that:
no data containing personally identifying information or other sensitive data should be used for testing purposes;
if personally identifying data are nevertheless used for testing, they must be protected by pseudonymising or otherwise modifying them.
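What point 1 looks like in practice, as an added illustration and not code from the UODO decision or from either company: a pseudonymisation step that turns a production-like customer extract into a dataset fit for a test server, followed by a check that no real identifier survived. The field set mirrors the categories listed above, the sample records are constructed, the key and the helper names (`pseudonymise_record`, `find_leaked_identifiers`) are this example's own choices, and the PESEL check-digit routine follows the public PESEL algorithm.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Hypothetical key for this example only. In practice: os.urandom(32), held by the
# production-side pseudonymisation job and never copied into the test environment.
PSEUDONYMISATION_KEY = b"example-key-not-for-real-use"

# Constructed sample of the kind of fields the breached database held (no real customers).
SAMPLE_CUSTOMERS: List[Dict[str, str]] = [
    {"customer_id": "C-1001", "pesel": "44051401359", "email": "jan.k@example.com",
     "phone": "+48601234567", "address": "ul. Długa 12/3, 80-831 Gdańsk", "tariff": "G11"},
    {"customer_id": "C-1002", "pesel": "02070803628", "email": "a.nowak@example.org",
     "phone": "+48509876543", "address": "ul. Krótka 1, 31-001 Kraków", "tariff": "G12"},
    # Same household as C-1001: shares phone and address, so the pseudonyms must match too.
    {"customer_id": "C-1003", "pesel": "70010112341", "email": "m.k@example.com",
     "phone": "+48601234567", "address": "ul. Długa 12/3, 80-831 Gdańsk", "tariff": "G11"},
]

IDENTIFIER_FIELDS = ("pesel", "email", "phone", "address")
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)


def pesel_check_digit(first_ten: str) -> int:
    """Check digit of a PESEL number (public algorithm: weighted sum mod 10)."""
    total = sum(int(d) * w for d, w in zip(first_ten, PESEL_WEIGHTS))
    return (10 - total % 10) % 10


def is_valid_pesel(pesel: str) -> bool:
    return (len(pesel) == 11 and pesel.isdigit()
            and int(pesel[10]) == pesel_check_digit(pesel[:10]))


def _prf(value: str, domain: str, key: bytes = PSEUDONYMISATION_KEY) -> int:
    """Keyed, deterministic mapping (HMAC-SHA256) with domain separation per field.
    Same input -> same output, so joins between tables still work in the test system;
    without the key the original value cannot be recovered from the pseudonym."""
    mac = hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def pseudonymise_pesel(pesel: str) -> str:
    n = _prf(pesel, "pesel")
    # Synthetic but plausible date part (YYMMDD, 1900-1999, day <= 28) so that test-system
    # validators which parse the date, not just the checksum, still accept the value.
    yy, n = n % 100, n // 100
    mm, n = n % 12 + 1, n // 12
    dd, n = n % 28 + 1, n // 28
    first_ten = f"{yy:02d}{mm:02d}{dd:02d}{n % 10_000:04d}"
    return first_ten + str(pesel_check_digit(first_ten))


def pseudonymise_email(email: str) -> str:
    # Reserved TLD (RFC 2606), so test mail can never reach a real mailbox.
    return f"user{_prf(email, 'email') % 10**8:08d}@example.invalid"


def pseudonymise_phone(phone: str) -> str:
    return "+48" + f"{_prf(phone, 'phone') % 10**9:09d}"


def pseudonymise_address(address: str) -> str:
    # Hypothetical placeholder street; only a consistent token is needed for testing.
    return f"ul. Testowa {_prf(address, 'address') % 200 + 1}, 00-001 Warszawa"


def pseudonymise_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Replace every direct identifier; keep non-identifying business fields as they are."""
    return {
        "customer_id": rec["customer_id"],
        "pesel": pseudonymise_pesel(rec["pesel"]),
        "email": pseudonymise_email(rec["email"]),
        "phone": pseudonymise_phone(rec["phone"]),
        "address": pseudonymise_address(rec["address"]),
        "tariff": rec["tariff"],
    }


def pseudonymise_dataset(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [pseudonymise_record(r) for r in records]


def find_leaked_identifiers(original: List[Dict[str, str]],
                            pseudonymised: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pre-handover check: (customer_id, field) pairs where a real identifier from the
    source extract still appears anywhere in the test dataset. Expected result: []."""
    real_values = {r[f] for r in original for f in IDENTIFIER_FIELDS}
    return [(rec["customer_id"], field)
            for rec in pseudonymised
            for field, value in rec.items()
            if any(real in value for real in real_values)]


if __name__ == "__main__":
    test_data = pseudonymise_dataset(SAMPLE_CUSTOMERS)
    print("leaks:", find_leaked_identifiers(SAMPLE_CUSTOMERS, test_data))
    for row in test_data:
        print(row)
```

Two caveats a practitioner should keep in mind. First, the keyed mapping is what keeps the test data usable (the same customer gets the same pseudonym in every table), but it also means the key is the link back to the real person; it has to stay on the production side, and as long as it exists the pseudonymised records remain personal data under the GDPR, so the test server still needs proper access controls. Second, a check such as `find_leaked_identifiers`, run before the database is handed over, is exactly the kind of verification of the introduced changes that the decision found to be missing.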
2. The data controller must supervise the data processor
To verify whether the data processor complies with data protection and security standards, including the binding agreements, the data controller should exercise ongoing supervision over it. In the case analysed, however, at no stage of the IT project did the Controller supervise, despite having the relevant procedures and the necessary knowledge, whether the implementation was carried out in accordance with the binding laws, the applicable standards and the data processing agreement. In particular, as the UODO found, the Controller did not require the Processor to submit any concept for the IT changes, or any functional or technical designs, so that their correctness and compliance with the applicable requirements could be verified.
Moreover, the Controller did not verify the Processor in any way before concluding the data processing agreement, and did not exercise the right of audit provided for in Article 28(3)(h) of the GDPR. It was only after the breach had been identified that the Controller sent a verification questionnaire to the Processor. In this context, the UODO highlighted that even long-term cooperation between the parties, if not supported by systematic, periodic audits or inspections, does not guarantee that the data processor will perform its tasks correctly. As the UODO put it, “the performance of audits by the data controller of the data processor, including inspections, should be treated as one of the most important security measures to be applied by the data controller in order to properly fulfil its obligations under Article 32(1) of the GDPR”.
Put simply, the Controller should know how the entity to which it has entrusted the processing of personal data (the Processor) meets the requirements set out in the GDPR and the applicable standards. According to the UODO, the most effective way to obtain this knowledge is to perform audits and inspections. The UODO pointed out that had the Controller required a work plan and controlled the implementation of the IT changes in accordance with its adopted procedure, it would have significantly reduced the risk of unauthorised access to the personal data being processed.
Thus, the two main conclusions of the decision in this respect are: (1) verification of the processor is needed both at the pre-contractual stage and during ongoing projects; and (2) audit rights must be exercised effectively.
3. Internal procedures and other organisational measures are of prime importance when implementing IT solutions
The UODO’s decision also clearly shows how important organisational measures (including the relevant internal procedures) are for ensuring data security, as well as their actual observance and, above all, their regular testing, measurement and evaluation. According to the UODO, had the Controller verified, in accordance with its adopted procedure, how the Processor was implementing the IT changes, the risk of unauthorised persons gaining access to the data would have been significantly reduced.
The breach occurred as a result of an error in the configuration of the server's security features, which could easily have been detected had the Processor followed its own internal procedure and had the Controller exercised proper supervision over the Processor. As the UODO also stressed, the implementation of organisational (and technical) measures by a data controller is not a one-off action but an ongoing process in which the controller reviews and, where necessary, updates the measures and safeguards previously adopted.