Poland: UODO fines PIKA PLN 250,135 for failure to implement technical and organisational security measures
The Polish data protection authority ('UODO') published, on 28 February 2022, its decision in DKN.5130.2215.2020, issued on 19 January 2022, in which it fined PIKA Sp. z o. o. PLN 250,135 (approx. €52,500) for a violation of Articles 32(1) and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation into a data breach notified to the UODO by Fortum Marketing and Sales Polska S.A.
Background to the decision
The UODO commenced its investigation following notification of a data breach from Fortum, the data controller, which concerned the copying of a customer database by unauthorised third parties. The UODO noted that the data breach occurred when PIKA introduced changes in the ICT environment: the server on which the database was deployed lacked the configuration needed to secure data transmission from the new server to the other ICT elements of the Fortum environment used to process personal data.
Findings of the UODO
The UODO found that PIKA did not take all measures required under Article 32 of the GDPR to ensure the security of data processing and did not help Fortum to fulfil its obligation under this provision, which, in turn, resulted in the data breach. Additionally, the UODO found that PIKA had neither encrypted nor pseudonymised the data stored in the database and had, therefore, acted inconsistently with ISO standards, as well as against its own security policy, which referred to these standards.
Outcomes
As such, the UODO imposed a fine of PLN 250,135 (approx. €52,500) on PIKA.
You can read the press release here and the decision here, both only available in Polish.