Identifying breaches too late puts customers at risk
Cyfrowy Polsat S.A. did not implement appropriate technical and organizational measures in its cooperation with the courier company. This resulted in numerous breaches identified with a long delay. Because of this negligence the President of the UODO (the Personal Data Protection Office) imposed a fine on the company in the amount of over PLN 1.1 million.
Lost correspondence containing personal data, or delivery of such mail to the wrong recipient - these are the breaches that the company frequently reported to the UODO. In addition, the UODO's analysis of these breaches showed that the controller notified the supervisory authority, and the affected persons, of an incident two or even three months after it occurred.
In the course of the proceedings, it turned out that the controller notified the breaches as soon as it received information about them from the courier company with which it had concluded an agreement. However, in the UODO's opinion, it is the controller who should undertake effective activities that would, firstly, minimise the scale of the breaches and, secondly, allow faster identification of such incidents, and consequently faster notification of the affected persons and the supervisory authority.
The lack of adequate organizational and technical measures allowing for quick identification of breaches meant that, for a long time, data subjects were unaware of the risk of their data being used by unauthorized persons, e.g. for so-called identity theft. Nor could they have taken action to mitigate such a risk during that time. Meanwhile, the scope of personal data in the correspondence that was lost or delivered to the wrong recipient was wide. Moreover, the mail contained other data, such as contract IDs, contract numbers and invoice numbers.
Despite the fact that the breaches were related to irregularities on the part of the courier company, it was the fined data controller who failed to properly supervise the enforcement of the contractual provisions, which resulted in the late identification of breaches. Moreover, it was possible for the controller to introduce and enforce new solutions that would both limit the number of breaches and enable their faster identification. However, it was only in the course of the proceedings that the company implemented mechanisms which made it possible to significantly limit the cases of correspondence being handed to an unauthorised person. It also implemented solutions allowing mail to be tracked, which enabled it to identify and report the loss of correspondence containing personal information more quickly. As a result, the company's process of identifying data protection breaches has been significantly shortened. Faster identification of breaches, and consequently faster notification of data subjects about the breach of their personal data, enables them to take appropriate actions to minimize the adverse effects of those breaches.
The President of the UODO decided to impose a fine on the company for the GDPR breaches, as the application of other remedies would not be proportionate to the irregularities identified. Nor would it guarantee that this controller would not commit similar negligence in the future.
The full content of the decision is available (in Polish) at: https://www.uodo.gov.pl/decyzje/DKN.5130.3114.2020