Further administrative fine for failure to notify a personal data breach
The President of the Personal Data Protection Office has imposed an administrative fine of PLN 103,752 on Link4 Towarzystwo Ubezpieczeń S.A. (hereinafter: the insurance company), with its seat in Warsaw. The fine was imposed for failure to notify a personal data breach to the supervisory authority without undue delay and not later than 72 hours after having become aware of the breach.
The Personal Data Protection Office was informed that an unauthorised recipient had received, as an e-mail attachment, a document confirming the award of compensation. The attachment to the e-mail from the insurance company contained data such as first name, last name, mailing address, make, model and registration number of the car, as well as the policy number, the claim number and the value or amount of the compensation awarded. The unauthorised recipient informed the insurance company that they had received an e-mail with an attachment containing someone else's personal data, but did not receive any response.
The controller, in response to a question from the supervisory authority, indicated that it was aware of the incident and explained that the e-mail had been sent to the unauthorised recipient and to the claim adjuster "as a result of human error". The insurer also stated that it had carried out a risk analysis on the basis of "the ENISA methodology recommended on the supervisory authority's website" and a free risk calculator available on the Internet. The analysis indicated a low risk to the rights and freedoms of the data subject, and on that basis the company recorded the incident in its internal breach register but did not notify it to the supervisory authority. Because of the lack of such notification, the supervisory authority initiated ex officio administrative proceedings against the company.
In deciding to impose the administrative fine, the supervisory authority, on the basis of Article 83(2)(a) GDPR, took into account aggravating circumstances such as the long duration of the breach, its intentional nature, the finding of breaches of data protection regulations in other proceedings pending against the company, and the unsatisfactory level of cooperation with the supervisory authority. The authority also pointed out that the company is subject to the specific obligations imposed by Article 35(1) of the Act of 11 September 2015 on Insurance and Reinsurance Activities, under which the insurance company and its employees, as well as the persons and entities through which the insurance company performs insurance operations, are obliged to maintain secrecy regarding individual insurance contracts.
The supervisory authority emphasised that, when assessing the risk to the rights or freedoms of individuals, both the probability and the severity of the potential negative effects must be taken into account together. The authority also reminded that the controller's obligation to notify a personal data breach cannot be made conditional on a violation of the rights and freedoms of individuals actually having occurred. The mere risk of such a violation materialising is sufficient to justify notifying the breach to the supervisory authority.
When examining the case, the authority emphasised on several occasions that the assessment of the risk to the rights and freedoms of natural persons must be made from the perspective of the data subject, not from that of the controller's interests. A thorough analysis of the incident, including consideration of the likelihood of adverse effects and their severity, is intended first of all to protect the rights of the individuals affected by the breach, who will have to bear its consequences, which can sometimes be very serious. The personal data breach notification is also an important verification instrument: it helps the supervisory authority determine whether the controller has taken appropriate measures to remedy the breach and minimise its adverse effects, and whether it has taken appropriate measures to minimise the risk of its recurrence.