The incident must be notified to the supervisory authority and the data subjects
Mediation Promotion and Legal Education Lex Nostra Foundation was punished with an administrative fine of over 13 000 PLN (3 000 EUR) for failing to notify the personal data breach to the supervisory authority without undue delay, and for failing to communicate the incident to the data subjects.
Additionally, the Polish Data Protection Authority ordered the Foundation to communicate the infringement to data subjects within 3 days from the delivery of the decision.
In the autumn of 2020, the Polish DPA received a notice of a suspected breach of the personal data protection provisions by the Mediation Promotion and Legal Education Lex Nostra Foundation consisting in the loss of personal data of many persons, which took place in early 2020, as a result of the theft of files containing personal data of beneficiaries. Therefore, there was a concern as to whether the Foundation properly secured the documents against loss and administered the personal data contained therein in accordance with the requirements under the GDPR.
The Polish DPA asked the Foundation to indicate whether, due to the loss of personal data of many persons as a result of the theft of files containing personal data of beneficiaries, the breach was notified to the supervisory authority. In response to the letter, the Polish DPA received a reply stating that the Foundation did not notify the incident and that the Foundation's analysis of the breach gave an assessment of its severity at a low level. On this basis, the Foundation concluded that there was no need to notify the supervisory authority. In the course of further steps it was found that the breach concerned 96 persons and that the lost documentation included the following categories of data: name, surname, correspondence address, telephone number. What is important, in the case of 3-4 people, probably also the PESEL Number (Polish acronym for „Universal Electronic System for Registration of the Population”) was lost. However, it should be noted that special categories of personal data were not processed.
Due to failing to notify of the personal data protection breach to the Polish DPA and failing to communicate to the data subjects, the supervisory authority initiated administrative proceedings against the Foundation.
Pursuant to the GDPR, in case of a personal data breach, the controller shall notify the personal data breach to the supervisory authority without undue delay ‒ if possible, no later than 72 hours after the breach is identified. And in case of a high risk for the rights or freedoms of natural persons resulting from the breach, the controller must notify the data subject of the incident.
It should be emphasized that a risk to the rights or freedoms of natural persons occurs when the violation may result in physical, material or non-material damage to natural persons. The possible consequences do not have to materialize; the mere potential risk to the rights and freedoms should prompt the personal data controller to notify the breach and communicate the data subject about the incident. It is without significance that the Foundation is not able to precisely indicate the categories of personal data contained in the lost documentation, which may have contributed to Foundation’s incorrect assessment of the risk of the breach. The punished entity also did not try to verify the actual scope of personal data that had been subject to the breach.
The Foundation, by deciding not to communicate the breach to the supervisory authority as well as to the data subjects, has in practice deprived these persons of the possibility to counteract the potential damage. By communicating the data subject without undue delay, the controller enables the data subject to take the necessary preventive measures to protect the rights or freedoms against the negative consequences of the breach. In the course of the proceedings it was found that the lost documentation cannot be restored. Therefore, if the Foundation does not have copies of the stolen documents, is unable to reproduce them or does not process these data using the IT system, and thus is not able to communicate the data subjects, it should notify them in a general way, e.g. by issuing a public announcement.
In the opinion of the Polish DPA, the applied administrative fine fulfils its functions, and therefore ‒ in this individual case ‒ is effective, proportionate and dissuasive.
The original press release is available in Polish here.
The full text of the decision is available in Polish here.
For further information, please contact the Polish DPA: firstname.lastname@example.org