P4 company with a PLN 100,000 fine
The President of the Personal Data Protection Office has imposed an administrative fine of PLN 100,000 on P4 company for failing to notify the supervisory authority within 24 hours after having detected a personal data breach.
The reason for the administrative fine is that the company breached the provisions of the telecommunications law and the Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications. Under the provisions of the telecommunications law, a telecommunication undertaking - the data controller - not only has to protect the personal data of its customers, but also, in the event that a breach of the security of personal data is detected, it is obliged to notify the data protection authority, as well as the subscriber or the end user whose data has been breached. In addition, under these provisions, the data controller is required to notify the supervisory authority of the personal data breach within 24 hours.
This decision addresses irregularities with respect to the October 2020 data breach notification and with respect to the four December 2020 data breach notifications that were sent as a single mail to the Personal Data Protection Office (UODO). Thus, a total of five data breaches, notified more than 24 hours after their detection, are covered by the proceedings.
The company explained in the proceedings that the notifications of personal data breach made after the lapse of 24 hours were related to an unintentional mistake of the company’s employees responsible for sending correspondence. The error consisted, inter alia, in the failure to enter the correspondence into the logbook, which resulted in its return by the postal operator.
However, it is important to note that the breach of the deadline for notifying personal data security incidents is not a one-time event. These notifications were not the first ones that the company submitted to the supervisory authority more than 24 hours after detection. The UODO had also repeatedly sent letters to the company requesting explanations regarding the notification of breaches after the deadline.
The UODO has informed the company several times that the personal data breach notification can be made in two ways: electronically and by post; and has indicated that the fastest way is to send the notification via the business.gov.pl platform or the ePUAP platform, which ensures compliance with the deadline set out in the Regulation 611/2013.
The company did not draw any conclusions and, in particular, did not change the way it organised the dispatch of correspondence concerning notifications of personal data breaches addressed to the UODO, continuing to send it through the postal operator, which required the involvement in the process of, inter alia, the company's employees responsible for its dispatch. In particular, the errors of these employees resulted in the company's failure to meet the aforementioned deadline. The supervision of employees is the responsibility of each employer, that is, the data controller. Therefore, it can be concluded that the process of sending breach notifications was improperly organised in the company. Repeated personal data breach notifications exceeding the 24-hour deadline testify to the failure to apply appropriate measures to eliminate similar incidents in the future.
It is noted that the company changed its practice of notifying the supervisory authority in February this year. From then on, breaches have been submitted by the company via the ePUAP platform.
The deadline of 24 hours for notification of a data breach arising from Regulation 611/2013 is not accidental. It is important that the UODO reacts to breaches in a timely manner, as this may prevent or at least limit possible adverse effects for data subjects. This refers, for example, to situations where the breach may lead to identity theft, financial loss or breach of legally protected secrets. Such situations may occur when the scope of disclosed data includes, for example, information appearing in identity cards, thus not only name and surname, but also a PESEL number (personal identification number), document number and an address.
The purpose of notifying breaches to the UODO is primarily to protect the rights or freedoms of natural persons, but also to enable the supervisory authority to assess whether the controller has correctly fulfilled its obligation to communicate the breach to the data subjects, and whether it has also taken appropriate measures to minimise the risk of a similar breach occurring in the future.
The fine imposed is, in the opinion of the UODO, proportionate to the established breach of the provisions.
The full content of the decision is available (in Polish) at: https://www.uodo.gov.pl/decyzje/DKN.5131.10.2020