Long cooperation between controller and processor does not guarantee data security

The Personal Data Protection Office (hereinafter: SA) imposed an administrative fine of more than PLN 33,000 on the controller who lost the confidentiality of personal data. In addition, the supervisory authority ordered the controller to stop entrusting data processing to the entity with which it cooperated on the basis of the contract with deficiencies. As the proceedings showed, both the controller and the processor infringed the GDPR, because they did not implement appropriate technical and organisational measures to ensure data security.

The SA received a personal data breach notification consisting in the loss of data confidentiality. In the notification, the controller also provided the details of the processor providing comprehensive IT services. Notwithstanding the above, the SA also obtained information from media reports about the breach of personal data, contained, among other things, in insurance policies confirming the conclusion of insurance contracts with various insurance companies in the period from May 2015 to November 2020, which were publicly available in IT resources belonging to the controller. The controller confirmed that the personal data breach notification submitted to the SA relates to the same incident as described by the media.

As established, the breach occurred when a shared working resource containing a file repository was separated and made available to employees on the local network and remotely.

Obligations of the controller - risk analysis

Personal data must be processed in a manner that ensures adequate security of such data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures ("integrity and confidentiality"). The controller, taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures.

Importantly, these measures shall be reviewed and updated as necessary. The aforementioned obligations are not only incumbent on controllers, but also on processors.

Technical and organisational measures

Determining appropriate technical and organisational measures is a two-phase process. In the first phase, it is necessary to determine the level of risk involved in the processing and in the second phase it is necessary to determine what technical and organisational measures will be appropriate to ensure a level of security corresponding to that risk.

In the case at hand, it was necessary to examine whether the entities had performed a risk analysis, and whether, based on that analysis, they had identified and applied technical and organisational measures to ensure the level of security of personal data corresponding to that risk. In the opinion of the SA, however, such a targeted analysis was not carried out, and the entities contented themselves only with general assumptions. Explanations from both the controller and the processor indicated that these entities only applied the controller's internal regulations, among other things, acting on the basis of the personal data protection policy. The lack of a risk analysis resulted in the selection of inappropriate measures.

In addition to risk analysis, implementation of organisational and technical measures, it is important to verify them

Just as important as the correct selection of technical and organisational measures, taking into account possible risks, is verifying them and determining whether the changes made are correct. Such action by the obliged entities would prevent the personal data breach. The obligations of entities involved in the processing of personal data should not, in the opinion of the SA, be limited to conducting a risk analysis and applying appropriate technical and organisational measures to ensure the security of processing.

The lack of such verification, in view of the failure to implement appropriate technical and organisational measures, resulted in the personal data breach. Certain verification activities were carried out after the personal data breach occurred.

The processor should provide guarantees

A controller using processors’ services should make sure that the processors provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.

In this case, the verification of the competence of the processor was not formalised, as it consisted of an interview, and the services provided by the entity did not raise any objections from the controller. According to the SA, positively assessed cooperation can only be a starting point when verifying whether the processor provides sufficient guarantees for the implementation of appropriate technical and organisational measures. The mere signing of a data processing agreement without a proper evaluation of the processor cannot be considered the fulfilment of the obligation to conduct a processor verification procedure. The determinant for such an assessment cannot only be the long-standing cooperation and use of the services of a given processor.

In the case in question, changes to the information system were not made on the basis of specific procedures, and the correctness of the changes was not verified after they were made. Due to the failure to implement appropriate technical and organisational measures to ensure the security of personal data, an administrative fine was also imposed on the processor. The controller failed to verify the processor's implementation of changes to the IT system in which personal data was processed. According to the SA, such an action would have significantly reduced the risk of unauthorised persons gaining access to the data processed in the system, thereby mitigating the risk to the rights and freedoms of natural persons.

Full text of the decision (in Polish)