The controller and the processor are responsible for the processing of personal data
Following the acceptance of the cassation appeal filed by the President of the Personal Data Protection Office, the Supreme Administrative Court set aside the challenged judgment of the Voivodeship Administrative Court in Warsaw in the case concerning violations of personal data protection regulations by Fortum Marketing and Sales S.A. and Pika Sp. z o.o. Earlier, the Voivodeship Administrative Court had annulled the decision of the President of the Personal Data Protection Office imposing administrative fines on Fortum, as the controller of personal data, and on Pika, as the processor. The case concerned the liability of the controller and the processor for violations of the provisions of the GDPR.
The case dates back to April 2020, when Fortum Marketing and Sales S.A. notified a personal data breach to the supervisory authority. The breach was related to the introduction of changes in the ICT environment serving as a digital archive. In response to performance issues in the system reported by Fortum, the processor — Pika Sp. z o.o. — undertook modernization measures consisting of creating an additional database and populating it with the controller’s customer data. However, the newly created database was made available in an improper manner, which enabled unauthorised persons to access the customers’ data and copy them.
The broad scope of the disclosed data included, among other things, first and last names, residential addresses, personal identification numbers, identity document details, contact information, and information regarding concluded contracts. Ultimately, it was determined that the personal data breach concerned the data of more than 95,000 natural persons. Initially, the controller concluded that there was no high risk to the rights or freedoms of the data subjects and therefore did not notify them about the incident. Only later, following the intervention of the President of the Personal Data Protection Office, were the affected individuals notified that their data had been disclosed and provided with recommendations aimed at limiting the potential consequences of the breach.
The notification of the personal data breach in question prompted the supervisory authority to assess whether the controller and the processor had fulfilled their obligations under the provisions of Regulation (EU) 2016/679 concerning the proper protection of data and the organisation of the personal data protection system. During the administrative proceedings, the President of the Personal Data Protection Office determined that both the controller and the processor had failed to implement appropriate technical and organisational measures required by the GDPR. The supervisory authority indicated that Fortum Marketing and Sales S.A., prior to concluding the data processing agreement, had not verified whether Pika Sp. z o.o. provided sufficient guarantees of security. It also failed to exercise its right of audit (arising from Article 28(3)(h) of the GDPR) and did not exercise effective supervision over the process of implementing changes in the system. On the other hand, with regard to Pika, the President of the Personal Data Protection Office found that security measures had not been tested at the development stage, real personal data had been used for testing purposes without prior pseudonymisation, and technical safeguards had not been fully configured, including such basic measures as a firewall.
The supervisory authority also referred to applicable security norms and standards, in particular ISO/IEC 27001 and ISO/IEC 27002, emphasising that when working on systems that process personal data, the use of real data in test environments should be avoided or such data should be protected with the same safeguards as in production environments.
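As an illustration of the control referred to above (an added example, not part of the decision or of either company's systems): a minimal keyed pseudonymisation of the data categories named in the case, applied to a customer record before it is copied into a test database, together with a pre-export check that no identifying value survives in clear. The record, field names and key are constructed for the example.

```python
import copy
import hashlib
import hmac

# Constructed sample record covering the data categories named in the case
SAMPLE_CUSTOMER = {
    "customer_id": 1001,
    "first_name": "Jan",
    "last_name": "Kowalski",
    "address": "ul. Przykladowa 1, 00-001 Warszawa",
    "pesel": "90010112345",          # national identification number (constructed)
    "id_document": "ABC123456",      # identity document number (constructed)
    "email": "jan.kowalski@example.com",
    "phone": "+48 600 000 000",
    "contract_type": "electricity",  # contract data kept as-is: needed for realistic tests
    "contract_start": "2019-05-01",
}

# Fields that identify a natural person and must not reach a test environment in clear
IDENTIFYING_FIELDS = (
    "first_name", "last_name", "address", "pesel", "id_document", "email", "phone",
)

def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym: the same input always yields the same token,
    so joins and lookups in the test database still work, while the keyed MAC
    prevents reversing the token by guessing candidate values without the key."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return f"{field}_{mac.hexdigest()[:16]}"

def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record that is safe to load into a non-production database."""
    out = copy.deepcopy(record)
    for field in IDENTIFYING_FIELDS:
        if out.get(field) is not None:
            out[field] = pseudonymise_value(key, field, str(out[field]))
    return out

def leaks_original(record: dict, pseudonymised: dict) -> bool:
    """Pre-export check: does any identifying value from the source still appear in clear?"""
    return any(
        str(record[f]) in str(pseudonymised.get(f, "")) for f in IDENTIFYING_FIELDS
    )
```

The key must be held in the production environment only; a test environment that holds it can re-derive tokens for known values, which defeats the purpose of the separation.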
In the opinion of the President of the Personal Data Protection Office, there had been a breach of the principle of data confidentiality and a failure to fulfil the obligation to ensure the security of processing, which justified the imposition of administrative fines. As a result of finding infringements of the provisions of the Regulation (EU) 2016/679, the President of the Personal Data Protection Office exercised the power to impose an administrative fine on the data controller — Fortum Marketing and Sales S.A. — in the amount of nearly PLN 5 million (for violations of Articles 5(1)(f), 25(1), 28(1), and 32(1) and (2) of the GDPR), and on the processor — Pika Sp. z o.o. — in the amount of over PLN 250,000 (for violations of Articles 32(1) and (2) in conjunction with Article 28(3)(c) and (f) of the GDPR).
The Voivodeship Administrative Court in Warsaw set aside the decision of the President of the Personal Data Protection Office, finding that the supervisory authority had not demonstrated the established facts in a sufficiently clear and convincing manner. Instead, it merely cited the conflicting positions of the parties and failed to conduct a comprehensive assessment of the evidence. The court also pointed to the need to supplement the evidentiary proceedings with findings concerning technical standards and market practices, and to consider whether additional audits could have prevented the incident in question.
However, the Supreme Administrative Court did not share this assessment. Upholding the cassation appeal filed by the President of the Personal Data Protection Office, it found that the supervisory authority had clarified all circumstances relevant to the subject matter of the proceedings and had subjected the extensive body of evidence gathered in the case to a comprehensive assessment consistent with the law, providing a coherent justification for its decision. According to the Supreme Administrative Court, the Voivodeship Administrative Court in Warsaw had incorrectly applied procedural provisions by questioning the completeness of the factual findings and the validity of the assessment of evidence carried out by the supervisory authority. The Supreme Administrative Court also held that the issue of the controller’s supervision over the activities undertaken by the processor — both before the occurrence of the breach and during the implementation of IT system changes — had been described and analysed by the supervisory authority in detail and exhaustively in the reasoning of the contested decision. Furthermore, the Supreme Administrative Court considered it entirely incomprehensible that the Voivodeship Administrative Court in Warsaw had stated that it was necessary to determine whether, in the case at hand, there had been a “data leakage” or merely a “short-term possibility for unauthorized persons to gain access to personal data.” In this respect as well, the Supreme Administrative Court found that the issue of loss of confidentiality — which determined the scope of the case — had been clearly established by the President of the Personal Data Protection Office.
As a result of upholding the cassation appeal, the Supreme Administrative Court of Poland annulled the judgment of the Voivodeship Administrative Court and remitted the case for reconsideration, indicating that, upon reconsideration, the Voivodeship Administrative Court in Warsaw should recognise the completeness of the factual findings established by the supervisory authority, as reflected in the evidence gathered in the case.