On July 19, 2023, the Polish data protection authority (UODO) announced its decision in Case No. DKN.5131.8.2021, as issued on May 31, 2023, in which it fined an unnamed company PLN 47,000 (approx. $10,000) for violations of the General Data Protection Regulation (GDPR), following the anonymous notification of a personal data breach to the UODO.

Background to the decision

In particular, the UODO stated that it received a notification of a data breach, caused by a ransomware attack, that led to the loss of the personal data of employees and contractors of the company.

Findings of the UODO

At the end of its investigation, the UODO determined that the company had violated Article 5(1)(f) of the GDPR by failing to implement adequate technical and organizational measures to ensure the security of personal data. Additionally, the UODO stated that by failing to test and evaluate the effectiveness of said measures, the company had violated Articles 5(2), 32(1), 32(2) of the GDPR.

The UODO found that the company failed to conduct a risk assessment of its data processing activities to inform its data security measures contrary to Articles 24(1) and 25(1) of the GDPR. Additionally, the UODO faulted the company for failing to report the breach to the UODO within 72 hours of becoming aware of the breach and failing to notify the data subjects affected by the breach in violation of Articles 33(1), 34(1), 34(2) of the GDPR.

Further, the UODO held that the company did not cooperate effectively with the UODO during its investigation. In particular, the UODO noted that communication from the company was often inconsistent.

Outcomes

In light of the above, the UODO fined the company PLN 47,000 (approx. $10,000) for the abovementioned violations.

You can read the press release here and the decision here, both only available in Polish.