A data breach must be notified to the supervisory authority
The President of the UODO imposed an administrative fine of over PLN 136 000 on the company ENEA S.A. for failing to notify a personal data breach.
The Personal Data Protection Office (UODO) received information about the personal data breach from a person who had become an unauthorized recipient of personal data. The breach involved sending an email with an unencrypted, non-password-protected attachment containing the personal data of several hundred people. The sender of the email was a co-worker at the fined company.
The UODO asked the company to clarify the circumstances of the event and to provide its analysis and assessment of the incident, including whether, in the situation that occurred, the breach needed to be notified to the supervisory authority and to the persons affected.
The fined entity indicated that it had carried out an assessment of the risk to the rights and freedoms of natural persons, on the basis of which the company found that there was no breach requiring notification to the UODO. Moreover, the company considered that, due to the prompt actions taken, such as obtaining the unauthorized addressee's statement that he had permanently destroyed the attachment he was not authorized to receive, the possibility of adverse effects of this event for the data subjects in the future had been eliminated.
Due to the failure to notify the data breach, the supervisory authority initiated administrative proceedings against the company, which, in the course of the proceedings, maintained the position it had presented in correspondence with the Office since June 2020 and still did not notify the breach to the supervisory authority.
In the case in question, an e-mail was sent to an unauthorized recipient along with an attachment in the form of an unencrypted file containing the personal data of the addressee of the e-mail and of other persons. This means that there was a breach of security leading to the accidental disclosure of personal data to a person unauthorized to receive such data, and thus to a breach of the confidentiality of those persons' data, which means that a personal data breach occurred.
As of the date of issue of this decision, the company had not complied with the obligation under Article 33 of the GDPR. When determining the amount of the administrative fine, the Office also took into account mitigating circumstances affecting the final amount of the fine, i.e. the actions taken by the controller to mitigate the damage suffered by the data subjects.
The UODO reminds that, pursuant to Article 33(1) and (3) of the GDPR, in the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The full content of the decision is available (in Polish) at: https://www.uodo.gov.pl/decyzje/DKN.5131.7.2020