Third fine for the Surveyor General of Poland – for failure to notify the personal data breach
The Polish DPA has imposed another administrative fine of PLN 60,000.00 on the Surveyor General of Poland (GGK). The reason for this sanction was the failure to notify the personal data breach to the supervisory authority and to communicate it to the individuals whose personal data had been disclosed. The decision also orders the GGK to communicate the personal data breach to the affected persons.
At the beginning of April 2022, land and mortgage register numbers were visible for more than 48 hours in the service maintained by the Surveyor General of Poland, i.e. www.geoportal.gov.pl. With a land and mortgage register number, it is easy to determine a range of property owners' data, including, inter alia, their personal identification numbers (PESEL numbers), first and last names, parents' names, and property address. However, the Polish DPA learned of the personal data breach not from the controller, who should have notified it to the supervisory authority, but from the media. Therefore, in a letter dated April 7, 2022, the Polish DPA informed the Surveyor General of Poland about the obligation to notify personal data breaches to the supervisory authority, and about the need to communicate them to the persons affected by such an incident when it is likely to result in a high risk to the rights and freedoms of natural persons, i.e. when it may lead, for example, to so-called identity theft.
As there was still no notification of a personal data breach from the GGK, the supervisory authority initiated administrative proceedings. During these proceedings, the GGK maintained that land and mortgage register numbers do not constitute personal data. In addition, the GGK maintained that land and mortgage register numbers are also visible in other services, and that the brief appearance of the numbers on www.geoportal.gov.pl did not result in any risk to the rights and freedoms of natural persons.
Land and mortgage register numbers constitute personal data
In its administrative decision, the Polish DPA recalled the definition of personal data set forth in Article 4(1) of the GDPR, according to which personal data is any information relating to a natural person who is identified or identifiable, directly or indirectly. The supervisory authority also cited the judgment of the Voivodeship Administrative Court in Warsaw (ref. II Sa/Wa 2222/20), in which the court confirmed the position of the DPA that land and mortgage register numbers constitute personal data. That judgment dismissed the GGK's complaint against the decision of the Polish DPA imposing a PLN 100,000 fine for, among other things, the unjustified disclosure of data in the form of land and mortgage register numbers on the Geoportal website.
Failure to communicate a personal data breach to the data subject may result in negative consequences for that person
Responding to the GGK's allegation that there are services where land and mortgage register numbers are disclosed, the DPA noted that the controller cannot justify its unlawful action by the fact that there are private entities operating websites that provide access to the contents of land and mortgage registers. In addition, the assessment of the risk of infringement of natural persons' rights or freedoms should be made from the point of view of the interests of the affected person, not the interests of the controller. Once informed, such a person can assess for himself or herself whether, in his or her opinion, the security incident is likely to cause negative consequences for him or her and take appropriate remedial action. In contrast, the lack of such a notification of a data breach not only takes away that opportunity, but may itself cause negative consequences for such a person.
The DPA noted the possibility of a number of negative consequences for a natural person. In doing so, it emphasized the key role of the PESEL number, which should be particularly protected.
In the opinion of the DPA, the failure to notify a data breach to the supervisory authority prevents it from responding appropriately to such incidents, as well as from verifying the actions taken by the controller after such an incident.
The GGK's argument that, despite making land and mortgage register numbers visible, there were no negative consequences for those whose data were visible, was not shared by the DPA. The DPA stressed that the obligation to communicate a personal data breach to a natural person does not depend on the materialization of negative consequences for such a person, but on the mere possibility of a high risk to the rights or freedoms of natural persons.
In issuing the decision imposing the administrative fine, the DPA took into account, among other things, that in its view the personal data breach was of a high gravity and serious nature, and that the failure to notify the incident to the DPA, as well as the failure to communicate it to the individuals, was intentional. Also relevant for determining the fine was the fact that the Polish DPA learned about the personal data breach from the media, and not from the controller itself.