Record fine imposed on controller for personal data breach

An administrative fine of over PLN 4.9 million has been imposed on Fortum Marketing and Sales Polska S.A. for failing to implement appropriate technical and organisational measures to ensure the security of personal data and for failing to verify its processor. The processor, in turn, received a fine of PLN 250,000.00.

After analysing the notification of personal data breach from Fortum Marketing and Sales Polska S.A., the supervisory authority initiated ex officio administrative proceedings on the infringement of personal data protection regulations by the above-mentioned company.

The personal data breach involved the copying of the controller's customer data by unauthorized persons. This occurred when a change was made to the ICT environment.

The changes were made by the processor with which the controller cooperates under concluded agreements, including a personal data processing entrustment agreement. During the changes, an additional Fortum customer database was created. This database was then copied by unauthorised persons, because the server on which it was deployed did not have properly configured security measures.

The controller learned of the incident not from the processor, but from two independent Internet users who notified it that they had gained unauthorised access to the database.

In the course of its proceedings, the Polish DPA found that the company, in its contractual provisions with the processor, specified the personal data security requirements to be applied, including pseudonymisation and encryption of personal data.

During the process of making changes to the system, actual personal data of the controller’s customers were used, and the effectiveness of the safeguards used was not verified before the new solution was handed over to Fortum. In addition, the security features were not tested during the work conducted for this purpose.

The processor acted contrary to generally known ISO standards, and at the same time contrary to the provisions of its own "Security Policy", which refers to those standards. It also failed to comply with the provisions of the personal data processing entrustment agreement, in which it undertook, among other things, to implement data pseudonymisation, which was to serve as a mechanism guaranteeing an adequate level of data security. Had an unauthorised person come into possession of pseudonymised data at that time, e.g. as a result of a personal data breach, he or she would not have been able to attribute it to a specific person without additional information about that person.
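The passage above describes what pseudonymisation is meant to achieve: a copy of the customer database that, on its own, cannot be attributed to identifiable people. The following is an added example, not code from the decision, from Fortum or from the processor, showing one common way to do this before a production dataset is reused in a test or migration environment, together with the verification step the text says was missing. It assumes the direct identifiers are the columns listed in `DIRECT_IDENTIFIERS`, that the HMAC key is held in a secret store separate from the pseudonymised copy, and the customer records are constructed sample data.

```python
"""Pseudonymise a customer dataset before it is reused outside production.

Added example (not from the decision, Fortum or the processor). Assumptions:
- the columns in DIRECT_IDENTIFIERS are the direct identifiers to protect;
- the HMAC key is kept in a separate secret store, never beside the copy;
- SAMPLE_CUSTOMERS is constructed sample data, not real customers.
"""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("customer_id", "full_name", "email", "phone")

SAMPLE_CUSTOMERS = [  # constructed sample data
    {"customer_id": "C-1001", "full_name": "Jan Kowalski",
     "email": "jan.kowalski@example.com", "phone": "+48 600 000 001",
     "tariff": "G11", "city": "Gdansk"},
    {"customer_id": "C-1002", "full_name": "Anna Nowak",
     "email": "anna.nowak@example.com", "phone": "+48 600 000 002",
     "tariff": "G12", "city": "Wroclaw"},
]


def pseudonymise_value(key: bytes, column: str, value: str) -> str:
    """Keyed hash of one identifier value.

    The same input always yields the same token, so joins between tables
    still work in the test environment; without the key the token cannot be
    reversed, and the column name is mixed in so equal values in different
    columns do not produce linkable tokens.
    """
    mac = hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymise_records(key: bytes, records, columns=DIRECT_IDENTIFIERS):
    """Return (pseudonymised_copy, mapping).

    The mapping from token back to the original value is the 'additional
    information' the text refers to; it stays in production and never ships
    with the pseudonymised copy.
    """
    out, mapping = [], {}
    for rec in records:
        copy = dict(rec)
        for col in columns:
            if copy.get(col) is not None:
                token = pseudonymise_value(key, col, str(copy[col]))
                mapping[(col, token)] = copy[col]
                copy[col] = token
        out.append(copy)
    return out, mapping


def leaks_direct_identifiers(original, pseudonymised, columns=DIRECT_IDENTIFIERS):
    """Verification step: return every (column, value) in the pseudonymised
    copy that still equals a direct-identifier value from the original.

    An empty list means no raw identifier survived in any column; running
    this before handing the copy over is the check the text says was skipped.
    """
    raw_values = {str(r[c]) for r in original for c in columns
                  if r.get(c) is not None}
    return [(col, val) for rec in pseudonymised for col, val in rec.items()
            if val is not None and str(val) in raw_values]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: fetched from the secret store
    copy, mapping = pseudonymise_records(key, SAMPLE_CUSTOMERS)
    leaks = leaks_direct_identifiers(SAMPLE_CUSTOMERS, copy)
    print("pseudonymised record:", copy[0])
    print("raw identifiers leaked:", leaks)
    # Re-identification requires the mapping held back in production:
    print("re-identified:", mapping[("email", copy[0]["email"])])
```

A keyed hash rather than a plain SHA-256 is the point of the design: an unkeyed hash of an email address or phone number can be re-computed by anyone who can guess the input, which defeats the purpose when the copy leaks. The `leaks_direct_identifiers` check is deliberately blunt (it scans every column, not only the declared identifiers), so that an identifier accidentally duplicated into a free-text or notes column is caught as well.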

The breach resulted from the processor's failure to comply with basic security principles, in that it failed to protect personal data against unauthorised access. The processor is therefore directly responsible for the breach of the personal data of the controller's customers, and such gross negligence in the processing of personal data by a professional entity constitutes an aggravating circumstance, reflected in the administrative fine imposed on it.

In the course of the proceedings, the controller explained that the processor's application of a specific solution aimed at improving the performance of the service should have been preceded by an analysis taking into account both the benefits and the potential risks of the planned solution. However, the controller did not receive the results of such a risk analysis from the processor, nor did it receive a concept of the functional and technical design changes or of alternative solutions. It was determined in the proceedings, however, that the controller had not required the processor to provide the above-mentioned documentation when making the changes. The controller reported the need to improve the system's operation and, having been informed that a new solution had been introduced, proceeded to work on and test it.

Equally important in this case is the fact that the controller, despite having implemented procedures and knowing how changes to IT systems are introduced according to common practice, did not supervise at any stage whether the implementation was actually carried out in compliance with common standards. Fortum did not enforce its agreements with the processor, did not follow its own practice of implementing changes into the IT environment based on internal regulations, and did not verify the processor with regard to the activities carried out to improve the functioning of the service. Yet, according to the GDPR, it is the controller that must implement appropriate technical and organisational measures to ensure that processing is carried out in compliance with the regulation. Implementing technical and organisational measures does not consist merely in a one-time application by the controller of relevant regulations and rules for processing personal data in a given organisation, but also in a regular review of these measures and, where necessary, in updating previously adopted solutions.

Furthermore, the controller is also obliged to regularly test, measure and evaluate the effectiveness of the technical and organisational measures that ensure the security of processing. Neither the implementation of appropriate security measures nor their testing is a one-time activity. It should take the form of a continuous process in which the controller reviews and, where necessary, updates the safeguards adopted previously.

Had the controller verified the processor's implementation of the changes aimed at improving the operation of the personal data processing system, and had it required a work plan and an implementation in accordance with the procedure adopted by Fortum, it would have significantly reduced the risk of unauthorised persons gaining access to the data processed in the system, and thereby minimised the risk to the rights and freedoms of data subjects.

Considering the established circumstances, the supervisory authority concluded that there were premises justifying the imposition of administrative fines on the controller and the processor.

Full text of the decision (in Polish)