Your data cannot be well protected without proper safeguards

Failure to implement appropriate technical and organisational measures to ensure the security of personal data processing and failure to regularly test, measure and evaluate the effectiveness of the measures used were among the reasons for the administrative fine of over PLN 47,000 imposed by the Polish supervisory authority.

The Personal Data Protection Office received information from a third party indicating the loss of documentation kept in electronic form by the controller. This documentation contained, inter alia, personal data of the controller's employees and of persons who were parties to civil law contracts. In response to this information, the supervisory authority sent the controller further letters requesting an explanation. The controller admitted that a ransomware attack had resulted in the blocking of access to the personal data of the company's employees. It could not decipher the data, so it assumed that it would be most beneficial to refrain from interfering with the system.

The controller did not notify the supervisory authority of the personal data breach. In the opinion of the controller, the incident did not have the characteristics of a data breach within the meaning of the GDPR.

Failure to implement adequate measures

In the opinion of the Polish supervisory authority, taking into account the scope of personal data processed, as well as the categories of persons, the controller was obliged to implement appropriate technical and organisational measures that would ensure an adequate level of data protection. The selection of appropriate measures should result from the conducted risk analysis; unfortunately, in the proceedings in question, there was nothing to indicate that the controller had conducted it properly for the electronically processed data.

The GDPR gives a lot of flexibility to the controller by not imposing specific requirements for the selection of safeguards. It is up to the controller to analyse the data processing itself, assess the risks and then apply the appropriate measures and procedures.

Notwithstanding the circumstances surrounding the risk analysis, in the present case, the controller also failed to apply adequate security measures, resulting in a breach of the IT system's safeguards and encryption of personal data. This action was not stopped by the security mechanisms adopted by the entity. The entity did not take immediate steps to ensure that access to personal data was quickly and effectively restored.

The Personal Data Protection Office has consistently reminded controllers that, when implementing security measures, they cannot limit themselves to developing those measures once. It is also necessary to test them and verify whether they remain adequate to the existing risks. The controller was also unable to demonstrate that the technical and organisational measures it had applied were sufficient.

The controller, despite the supervisory authority's suggestion to conduct an in-depth analysis of the incident, still did not see in it the signs of a personal data breach. Nor did it regard the incident as a risk to the rights and freedoms of data subjects.

Unsatisfactory cooperation

In the present case, the controller's unsatisfactory cooperation was also relevant to the assessment. The controller replied to the supervisory authority's letters in a very laconic, often incoherent manner. The letters often did not bear the signatures of persons authorised to represent the entity, and on one occasion the reply to the supervisory authority was sent by a completely different company.

Full text of the decision