Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Poland: UODO fines Fortum Marketing over PLN 4.9M for failure to implement technical and organisational security measures
The Polish data protection authority ('UODO') published, on 28 February 2022, its decision in DKN.5130.2215.2020, as issued, on 19 January 2022, in which it fined Fortum Marketing and Sales Polska S.A. PLN 4,911,732 (approx.€1,026,708), for violations of Articles 5(1)(f), 24(1), 25(1), 28(1), 32(1), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation into a data breach.
Background to the decision
In particular, the UODO commenced its investigation, following notification of a data breach from Fortum, which concerned the copying of a customer database by unauthorised third parties. The UODO noted that the data breach happened when changes were introduced in the ICT environment by PIKA Sp. z o. o., Fortum's data processor, as the server on which the database was deployed lacked appropriate configuration to ensure the security of data transmission from the new server to other ICT elements of the Fortum environment used to process personal data.
Findings of the UODO
The UODO found that Fortum did not carry out audits, including inspections, to verify that PIKA correctly fulfilled its obligations under the GDPR, thereby violating Article 25(1) of the GDPR. Additionally, the UODO found that the technical and organisational measures applied by Fortum, met the requirements specified in Article 32 of the GDPR, to a very limited extent only, due to the fact that, Fortum did not, among other things, adhere to its own practice of implementing changes in the IT environment based on internal regulations and did not perform the requisite verification of the processor in the scope of activities aimed at improving the operation of the service.
Outcomes
As such, the UODO imposed a fine of PLN 4,911,732 (approx.€1,026,708) on Fortum.
You can read the press release here and the decision here, both only available in Polish.
UPDATE (18 March 2022)
EDPB publishes English summary of UODO's decision
The European Data Protection Board ('EDPB') published, on 17 March 2022, an English summary of the UODO's decision to impose a fine of PLN 4,911,732 (approx.€1,026,710) on Fortum.
You can read the English summary here.
