On May 25, 2021, 3 years will pass since the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) started to apply. During these three years, the supervisory authorities were active, and their decisions allow us to learn about real-life examples in which the data controller reacted badly to the initiated proceedings, which in turn led to serious consequences for him. The situations described below can be a good lesson for anyone who processes personal data on how to prevent things go really wrong when we are already facing an investigation by the supervisory authority. In addition to the description of actual proceedings, practical tips are provided below on how to respond to the actions taken against us by the supervisory authority and communicate with the supervisory authority properly in order to minimize the potential damage.
Failure to notify, even despite clear instructions from the authority
The President of The Personal Data Protection Office – the Polish Data Protection Authority (DPA) received information about a breach of personal data protection coming from a person who became an unauthorized recipient of personal data. The breach consisted in sending an e-mail with an unencrypted, not password-protected attachment containing the personal data of the addressee and several hundred other persons. The sender of the e-mail was a co-worker of the punished company (ENEA S.A.).
The Personal Data Protection Office asked the company to clarify the circumstances of the incident, provide an analysis of the incident and assess whether there is a need to notify the supervisory body about the breach and the persons concerned in connection with the situation.
The punished entity indicated that an assessment was made in terms of the risk of violating the rights and freedoms of natural persons, on the basis of which the company concluded that there was no breach resulting in the need to notify the Personal Data Protection Office. In addition, the company considered that due to prompt action, such as a declaration by an unauthorized addressee that he had permanently destroyed an attachment he was not authorized to receive, the possibility of future negative consequences of this event for data subjects was eliminated.
Due to the lack of notification of the breach of personal data protection, the supervisory authority initiated proceedings against the company, which still has not reported the breach to the supervisory authority.
The DPA found that there was a security breach leading to an accidental disclosure of personal data to an unauthorized person, and thus a breach of data confidentiality. Due to the fact that the company still failed to comply with its obligation to notify the breach, nor did it explain the reasons for exceeding the 72-hour deadline for reporting, a fine (over 136 thousand PLN) was imposed.
In a quite similar case the DPA carried out proceedings regarding TUiR WARTA S.A. as a result of a notification from a third party – an unauthorized recipient of an email sent to an incorrect address. The e-mail was sent by an agent acting as a processor of WARTA and contained a policy with the data of another person.
DPA first asked the Company to clarify whether an analysis had been made in terms of the risk of violating the rights and freedoms of natural persons, necessary to assess whether there was a breach of data protection resulting in the need to notify DPA and the persons affected by the violation. In the letter, the supervisory authority indicated to the company how it may report the breach and requested explanations. The company, despite such clear instructions, stated that there was an incident related to personal data protection, but the risk assessment performed was the basis for recognizing that the breach does not require notification to DPA, because the wrong address was indicated by the company’s client himself, and moreover, the unauthorized recipient turned to the company and was asked for the permanent deletion of the message and to provide feedback confirming its deletion.
The company has still not reported the violation and has not notified the affected persons about the incident. Therefore, the supervisory authority initiated administrative proceedings, during which the company notified the infringement and notified two persons affected by the infringement. DPA found that such an action by the company resulted in a long duration of the infringement, and the notification was delayed (five months).
According to DPA, the fact that the breach occurred as a result of a client’s error (not even the data controller himself, or his processor!), may not have the effect of not classifying the event as a personal data breach. The data controller, allowing the possibility of using e-mail for communication with the client, should be aware of the risks related to, for example, incorrect provision of the e-mail address by the client. Therefore, in order to minimize these risks, the data controller should implement appropriate organizational and technical measures, such as verification of the address provided or encryption of documents sent in this way.
In the opinion of DPA, also the fact of asking the wrong recipient to permanently delete the correspondence received cannot mean that the risk to the rights and freedoms of data subjects is not high. The data controller cannot be sure that the unauthorized addressee did not make e.g. photocopies of documents or did not record them.
When imposing an administrative fine, the DPA also took into account the mitigating circumstances, such as the fact that the breach concerned only two persons’ personal data and that the company asked the wrong recipient to permanently delete the correspondence received.
What can we learn from the examples above:
– the activities of DPA are taken at various stages: first, explanatory actions may be taken, then a formal investigation may be initiated, which turns into an administrative proceedings. DPA’s decision to move to the next stage gives a clear indication that more attention should be paid to the case being investigated by DPA,
– in the course of the proceedings, the DPA can give us clear signals about what position it potentially wants to take. It is worth paying attention to what the authority is asking about and what steps it takes as a result of the answers given to it. If it asks further questions or moves to the next steps of the proceedings, it may be a sign that there is something wrong with our communication and that the proceedings are going in the wrong direction,
– in the event of a delay in fulfilling a specific obligation, always remember to provide information about the reason for the delay,
– remember not to send personal data directly in the body of an e-mail – consider adding an encrypted attachment instead and send the password to the file using a different channel of communication,
– even accidental disclosure of personal data (or such disclosure to which the data subject himself or herself is responsible) may constitute a data breach,
– in the event of a breach, steps must be taken to remove or reduce its consequences. Contacting an unauthorized recipient is often one of the few actions that the data controller can take to minimize the risk, however, even obtaining confirmation of deletion of an incorrectly delivered e-mail does not eliminate the entire risk and the obligation to notify the DPA,
– it is worth providing DPA with evidence that we have implemented measures to prevent the risk, and if it materializes, we have taken appropriate corrective actions.
Failure to cooperate during an inspection
A company named Smart Cities was fined for not cooperating with DPA – by not responding to his letters and not providing access to personal data and other information necessary for the performance of its tasks.
DPA received a complaint about irregularities in the processing of the complainant’s personal data by the Company. DPA asked the Company to respond to the content of the complaint and to answer specific questions regarding the case, including whether the Company concluded a data processing agreement with its contractor. In response, the Company submitted incomplete explanations, so DPA asked for them to be supplemented, and also called for the submission of contracts with a specific, named entity. The Company did not reply to this letter at all.
Due to the above, DPA decided to initiate the procedure and sent a letter informing the Company about it and requesting it to provide further information (e.g. necessary to calculate the administrative fine), but the Company did not collect it.
DPA considered such behavior to obstruct or even prevent access to information requested from the Company, which is undoubtedly in its possession, and as a gross disregard of its obligations regarding cooperation with the supervisory authority in the performance of its tasks. As a result, an administrative fine was imposed on the Company in the amount of over PLN 12 thousand PLN.
In another case, DPA decided to carry out an inspection of the processing of the personal data of land and building owners by the Chief Surveyor of the Country (GGK) on its internet portal. DPA informed GGK about the inspection in a letter in which it indicated the scope of the inspection and the date of its conduct. In order to carry out inspection activities, inspectors authorized by DPA presented their official ID cards and submitted personal authorizations containing information on the scope of the inspection. GGK did not allow the inspection to be carried out to the full extent, claiming that according to its assessment of the scope indicated in the authorizations, it follows that the inspection is to concern the numbers of land and mortgage registers kept for real estate, which, according to it, do not constitute personal data within the meaning of the provisions of law.
Ultimately, GGK agreed to carry out some (incomplete) control activities. As a result, due to the lack of access to the IT systems used by GGK, it was not established during the inspection whether GGK implemented appropriate technical measures to ensure data security. DPA was only able to determine what organizational measures to secure data were applied by GGK and whether a data protection officer was appointed.
Due to the lack of consent of GGK to carry out the inspection to the full extent and the expressed lack of will to cooperate, the inspectors could not establish all the circumstances relevant to the case. This resulted in the imposition of an administrative fine in the amount of PLN 100,000.
In addition, a separate proceeding was conducted before DPA regarding a breach consisting in the processing of personal data without a legal basis, which also resulted in the imposition of an administrative fine on GGK in the amount of PLN 100,000.
What can we learn from the examples above:
– not collecting official correspondence from DPA is never a good idea and will not protect us from possible consequences,
– DPA has its control powers resulting from the provisions of law, and failure to comply with DPA’s orders issued under these powers may be treated as a violation of said provisions and result in the imposition of an administrative penalty,
– it is worth verifying whether we have strong grounds to question the orders issued by DPA, and even how we have them – execute the orders to the extent not questioned by us, and refrain only from those orders for which we have a well-established belief that there are no grounds for issuing them,
– it is worth being pro-active and even if it goes beyond the questions asked, present your own assessment of the situation. Our position should be given with justification and, if possible, with evidence confirming this position,
– imposing an administrative fine for the lack of cooperation during the inspection does not close the case – DPA may still conduct the proceedings on the merits, even despite the lack of cooperation on the part of the inspected party. As a result, a second administrative fine may be imposed.
Failure to fulfill the obligation imposed by the decision of the authority
An entrepreneur running a business in the field of health care received a penalty for failure to comply with an order imposed on him in an administrative decision.
DPA ordered the entrepreneur to notify his patients about the breach of their personal data and to provide them with recommendations to minimize the potential negative effects of the incident. The data controller did not do it.
As a consequence, the persons concerned did not know anything about it, and did not know the possible consequences of such an event and did not know what actions they could take to minimize its possible negative effects.
Since the data controller ignored the order covered by the administrative decision, DPA decided to initiate ex officio proceedings on the imposition of an administrative fine. DPA also during this stage of the procedure provided the entrepreneur with detailed instructions, including how to draft the notifications properly and on the form of their transmission to patients, as well as the method of documenting these activities, which could help the entrepreneur avoid punishment, but was not adequately responded by the entrepreneur. As a result, DPA assessed the entrepreneur’s behaviour as a long-term and deliberate violation, demonstrating a gross disregard by the entrepreneur of obligations related to the protection of personal data. This resulted in the imposition of a fine of over PLN 85,000 PLN.
What can we learn from the example above:
– PUODO has a wide range of powers, including ordering a specific action. Failure to comply with such obligations imposed by PUODO may result in the imposition of a financial penalty,
– not only the violation itself, but also the way of reacting to the actions taken by DPA is important. Failure to react may be considered a deliberate or even gross disregard of duties and will not be without impact on the penalty.