Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Poland: UODO fines Fortum Marketing over PLN 4.9M for failure to implement technical and organisational security measures

The Polish data protection authority ('UODO') published, on 28 February 2022, its decision in DKN.5130.2215.2020, as issued, on 19 January 2022, in which it fined Fortum Marketing and Sales Polska S.A. PLN 4,911,732 (approx.€1,026,708), for violations of Articles 5(1)(f), 24(1), 25(1), 28(1), 32(1), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation into a data breach.

Background to the decision

In particular, the UODO commenced its investigation, following notification of a data breach from Fortum, which concerned the copying of a customer database by unauthorised third parties. The UODO noted that the data breach happened when changes were introduced in the ICT environment by PIKA Sp. z o. o., Fortum's data processor, as the server on which the database was deployed lacked appropriate configuration to ensure the security of data transmission from the new server to other ICT elements of the Fortum environment used to process personal data.

Findings of the UODO

The UODO found that Fortum did not carry out audits, including inspections, to verify that PIKA correctly fulfilled its obligations under the GDPR, thereby violating Article 25(1) of the GDPR. Additionally, the UODO found that the technical and organisational measures applied by Fortum, met the requirements specified in Article 32 of the GDPR, to a very limited extent only, due to the fact that, Fortum did not, among other things, adhere to its own practice of implementing changes in the IT environment based on internal regulations and did not perform the requisite verification of the processor in the scope of activities aimed at improving the operation of the service.


As such, the UODO imposed a fine of PLN 4,911,732 (approx.€1,026,708) on Fortum.

You can read the press release here and the decision here, both only available in Polish.

UPDATE (18 March 2022)

EDPB publishes English summary of UODO's decision

The European Data Protection Board ('EDPB') published, on 17 March 2022, an English summary of the UODO's decision to impose a fine of PLN 4,911,732 (approx.€1,026,710) on Fortum.

You can read the English summary here.