10.05.2023

Another controller with the fine for failing to notify the personal data breach

The President of the Personal Data Protection Office has imposed an administrative fine of PLN 20,000 on the District Prosecutor's Office for failing to notify the personal data breach to the supervisory authority and failing to communicate it to the data subjects. The President of the Polish supervisory authority has ordered the controller to communicate the breach to the data subjects.

The Personal Data Protection Office received information indicating a possible data protection breach at the District Public Prosecutor's Office. The incident consisted in a local journalist being provided with non-anonymised documentation from concluded proceedings in response to a request made under the Access to Public Information Act[1]. After receiving a copy of the documents, the journalist published them on a local website, anonymising the personal data beforehand.

In view of the controller's failure to notify the personal data breach to the supervisory authority and the failure to communicate it to the data subjects, the supervisory authority initiated ex officio proceedings.

Reaction time is important

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

Notification of a data protection breach to the supervisory authority by controllers is an effective tool that contributes to real improvements in the security of the processing of personal data. Such notifications allow the supervisory authority to react appropriately, which may reduce the impact of the breach. By notifying a breach to the supervisory authority, controllers also inform it whether, in their assessment, there is a high risk to the rights and freedoms of natural persons and, if such a risk exists, whether they have provided the relevant information to the individuals affected by the breach. It should be emphasised that where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is obliged to communicate the breach to the data subjects without undue delay.

Thus, the supervisory authority verifies the assessment made by the controller and may, if the controller has not notified the data subjects, require the controller to do so.

Communicating the personal data breach to the individuals

In the present case, the controller failed to communicate the breach to the data subjects. Failure to inform an individual of a breach where there is a high risk to their rights or freedoms deprives that individual not only of the opportunity to respond appropriately to the breach, but also of the opportunity to make an independent assessment of an event which, after all, concerns their personal data and may have serious consequences for them.

Taking into account the wide range of data disclosed, it must be concluded that there was a high risk to the rights or freedoms of individuals as a result of the incident. An additional risk to the rights or freedoms of individuals relates to the disclosure of data on the health of a child.

Risk assessment

The controller should make an assessment of the risk of a breach of a natural person's rights or freedoms, which should be carried out primarily through the lens of the person at risk. The primary objective of the GDPR is to protect the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data. Should there be any doubt, for example, about the performance of the controllers' responsibilities - not only when a personal data breach has occurred, but also when developing technical and organisational security measures to prevent it - these fundamental values should be taken into account in the first place.

In the course of the proceedings, the controller did not provide any analysis in this regard and thus did not document that it had carried out an assessment of the high risk to the rights and freedoms of the natural persons affected by the personal data breach in question. The authority therefore considered that the controller had simply not carried out such an assessment. The incident resulted in a breach of the confidentiality of individuals' data due to the release of improperly anonymised documents.

At this point, it should be emphasised that the supervisory authority does not question the act of making the documentation available under the access to public information procedure; it only points out that the principles of personal data protection must be observed when doing so. The disclosure of the non-anonymised documentation resulted in the personal data contained in it being disclosed to a person who was not entitled to receive it, and consequently a personal data breach occurred. In turn, the controller, by deciding neither to notify the personal data breach to the supervisory authority nor to communicate it to the data subjects, in practice deprived the data subjects of reliable information about the breach and of guidance on how to counteract the potential damage.

Full decision

[1] Act of 6 September 2001 on Access to Public Information, Journal of Laws 2022, item 902