Poland: Expected Enforcement Actions in 2020 and Beyond. Who Should Beware?
The reorganization of the Personal Data Protection Office (UODO), which took place in December 2019, warrants an assumption that 2020 will see increased activity from the supervisory authority. The UODO’s creation of three new departments indicates that the officers intend to specialize further to boost the efficiency of personal data protection inspections, in particular data breaches. Therefore, it is worth analyzing the definition of a breach, based on the decisions issued by the President of UODO in 2019.
In 2019, the President of UODO issued 94 decisions, five of which resulted in the administrative fines being imposed by the regulator for the infringement of personal data protection laws. Both private and public institutions, including a town hall, were among the entities fined. The financial penalties ranged from PLN 40,000 (ca. €8,700) to PLN 2,830,410 (ca. €618,000). The highest, imposed on online store Morele.net, related to a hacker attack that leaked a large amount of personal data.
It is expected that the President of UODO will act with higher intensity in 2020, considering its recent reorganization and the creation of three new departments – the Department of Complaints, the Department of Inspections and Breaches and the Department of Rulings and Legislation, the latter being responsible, in particular, for addressing the Data Protection Officer’s (DPO) queries. Pursuant to the information provided by UODO, in 2020, the President will scrutinize the following:
Banking (in terms of photocopying identity documents)
Entities utilizing the water meter remote reading system
Authorities processing personal data within the Schengen Information System (SIS) and the Visa Information System (VIS) (i.e., consular services)
Apart from the aforementioned sectors and entities, the President of UODO will also audit any other entities that are reported thereto in connection with the infringement of personal data protection laws.
Decisions Issued by the President of UODO – Pointers for the Future
Decisions issued by the President of UODO gives us an insight, in particular, into how the UODO defines a breach. Before we analyze the relevant decisions, let us recall the relevant elements of a data breach, as defined under the GDPR.
Data Breach Under the GDPR
Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In practice, three types of breaches are distinguished:
Loss of confidentiality – That is, the disclosure of personal data to an unauthorized individual. For example:
Sharing personal data with unauthorized individuals when sending emails (e.g., sending an email to an unconcerned party or disclosing a recipient list in CC rather than in BCC)
Theft of unsecured (i.e., not cyphered) electronic devices containing personal data (e.g., smartphones, external drives, laptops or USB keys); a recent example includes the theft of a laptop belonging to an employee of the Warsaw University of Life Sciences, which could have resulted in the disclosure of personal data of both current and former students and candidates
Sending documents (e.g., a telecommunications services agreement) to a wrong email address
Sharing medical documentation with an unauthorized individual (e.g., with a person calling a hospital without verifying their identity as a patient’s family member)
An unauthorized individual accessing personal data using malware or through a phishing attack
Loss of accessibility – That is, the temporary or permanent loss or destruction of personal data. For example:
Blocking access to personal data (e.g., a DDoS attack or a blackout preventing access to personal data)
An unauthorized individual purposefully deleting data from a dataset
In the case of securely cyphered data, misplacing the deciphering key
Loss of integrity – That is, the unauthorized alteration of personal data (e.g., an employee, as a prank, changing clients’ surnames by adding a letter).
Insights from UODO’s Decisions
In March 2019, the President of UODO imposed the first financial penalty of PLN 943,000 (circa €225,000) on Bisnode Polska Sp. z o.o., for its failure to meet the notification obligation toward the individuals whose data it had been processing. The company obtained the data from publicly available sources (e.g., from the Central Registration and Information on Business [CEiDG]) and processed it for financial gain. Most of the affected individuals (nearly 6 million) were unaware that the company was processing their personal data, thus being unable to exercise their rights as data subjects under the GDPR (e.g., the right to object to further processing or the right to request correction or deletion). In the regulator’s assessment, the breach had been of a grave nature because it concerned the data subjects’ basic rights and freedoms, as well as one of the fundamental issues (i.e., being notified that their data was being processed). The company met the notification obligation toward only 90,000 individuals (of which 12,000 exercised the right to object to the processing of their personal data), quoting the excessive costs it would have incurred had it notified all the data subjects. Ultimately, the company resorted to merely posting a notification on its website. The President of UODO deemed this insufficient and, in the statement of grounds to the decision, indicated that the company, having been in possession of the contact information, ought to have notified (by mail or phone) the data subjects of its processing of their personal data, where such data originated, what the purpose and duration of the processing had been and what rights the data subjects enjoyed under the GDPR.
Lower Silesian Soccer Association
In April 2019, the President of UODO imposed a financial penalty of nearly PLN 56,000 (circa €13,000) on the Lower Silesian Soccer Association, which had breached the personal data protection laws by failing to ensure the security and confidentiality of the processed personal data of referees licensed in 2015 by posting an overly broad scope of such data online. Apart from names and surnames, the association posted the referees’ Polish Resident Identification Number (PESEL) and residence addresses. In the regulator’s assessment, there were no legal grounds for disclosing such a broad scope of personal data and, in so doing, the controller had potentially risked the data being unlawfully used by unauthorized individuals (e.g., for identity theft or assuming financial obligations). The supervisory authority noted also that the association had taken inadequate measures to rectify the breach, which ultimately proved to be inefficient (i.e. the association had hired an external company to rectify the breach yet failed to verify the actions taken by it; in consequence, the data continued to be accessible).
In September 2019, the President of UODO imposed the highest financial penalty to date, nearly PLN 2.8 million (PLN 2,830,410/circa €673,000), on Morele.net Sp. z o.o., for breaching the personal data protection laws while processing personal data, which consequently led to unauthorized access and to unauthorized third parties obtaining the data of all the clients in the company’s database (nearly 2.2 million data subjects). During the audit, the President of UODO ascertained that the irregularities consisted of:
(1) The company breaching the confidentiality rules by failing to ensure the security and confidentiality of the processed personal data, which allowed unauthorized individuals to access the company’s clients’ personal data (the company had used an inefficient data access validation measure, not accounting for the risk of unauthorized accessed, and it had inefficiently monitored potential threats, while any additional technical security measures were implemented only after the clients’ data had already leaked).
(2) Violation of the legality, accuracy and accountability rule by failing to demonstrate, that the personal data contained in the consumer credit applications filed by Morele.net’s customers had been processed in compliance with the law (i.e., based on data subject’s consent).
In October 2019, the President of UODO issued the decision that ClickQuickNow Sp. z o.o. had violated the personal data protection laws, and imposed a financial penalty of nearly PLN 202,000 (circa €48,000). During the administrative procedure, it was ascertained that the company had been at fault in that:
(1) It failed to provide the data subjects with an easy way of exercising their right to withdraw their consent to their personal data being processed.
(2) It violated the transparency and accuracy rules in the process of withdrawing consent, by providing the data subjects with contradictory information, owing to which the individuals wishing to withdraw their consent had been misled and were unable to do so.
(3) It violated the right to have the data deleted (the right to be forgotten) by introducing a consent withdrawal process rendering it difficult to successfully do so.
(4) It unlawfully processed the personal data of individuals who were not the company’s clients.
(5) It failed to implement appropriate technical and organizational measures to enable data subjects to exercise their rights.
Mayor of Aleksandrów Kujawski
Also in October 2019, the President of UODO imposed the first financial penalty (of PLN 40,000/circa €9,500) on a state entity, i.e., the mayor of Aleksandrów Kujawski, for a number of personal data protection breaches that transpired following an ex officio investigation. The President of UODO ascertained, among others, that the irregularities consisted of:
(1) Failure to execute a personal data processing agreement with the company on whose servers the contents of the Aleksandrów Kujawski Town Hall Public Information Bulletin (BIP) were stored (moreover, no such agreement had been executed with the external company that provided the software for drafting the BIP and handled maintenance services in that regard), which constituted a breach of Article 28(3) GDPR.
(2) Failure to implement internal procedures concerning browsing BIP contents in terms of ensuring data processing in accordance with the limited retention principle, due to which the Aleksandrów Kujawski Town Hall BIP website featured documents, including personal data for longer than the statutory retention periods.
(3) Failure to implement appropriate technical and organizational measures to protect individuals’ rights and freedoms with regard to storing the recordings of the Aleksandrów Kujawski Town Council deliberations solely on YouTube servers, without storing a copy of such recordings within the office’s own resources.
(4) Failure to conduct a risk analysis with regard to the mayor of Aleksandrów Kujawski using a YouTube channel to meet the legal obligation arising from Article 8(2) of the Act of September 6, 2001 on Access to Public Information.
(5) Failure to disclose in the personal data processing activities register, maintained for activities related to publishing information on the Aleksandrów Kujawski Town Hall BIP, all the data recipients and failure to disclose, with regard to these processing activities, the anticipated date of deleting such data in accordance with the limited retention principle.
As it has recently transpired, UODO is getting ready to step up its enforcement initiatives. Considering its increased resources and staff, it is likely that it will react to data protection infringements more promptly and it remains to be seen whether also more severely than in the past. Therefore, all companies established in Poland (not only those listed in the UODO’s 2020 audit plan) should prepare accordingly and ensure their processing activities are in line with the applicable data protection laws.