Poland: UODO fines Res-Gastro PLN 238,345 for data security failures

On May 17, 2024, the Polish data protection authority (UODO) announced that it published its decision DKN.5131.29.2023, in which it imposed an administrative fine of PLN 238,345 (approx. $60,880) on Res-Gastro M. Gaweł Sp. k. (Res-Gastro) for violation of Articles 5(1)(f), 5(2), 24(1), 25(1), 32(1) and 32(2) of the General Data Protection Regulation (GDPR) for failure to adopt appropriate technical and organizational measures to ensure the security of data processing.

Background

The UODO stated that an employee of Res-Gastro lost a pen drive that contained unencrypted files with the personal data of another employee, including their name, address, citizenship, gender, date of birth, PESEL number, passport series and number, telephone number, e-mail address, photos, and salary data. The pen drive also contained encrypted files with financial data.

Furthermore, the UODO found that Res-Gastro was able to demonstrate that it held documents such as a risk register and confirmation that its GDPR procedures were monitored. However, its guidelines on the use of external data carriers, including their encryption, were deficient. Specifically, Res-Gastro only provided employees with an instructional video on encrypting files, leaving it to each employee to decide how data was processed.

Findings of the UODO

In particular, the UODO found that Res-Gastro failed to, among other things:

  • implement appropriate technical and organizational measures ensuring a level of security corresponding to the risk of data processing using external data carriers, including protection against accidental loss, destruction, or damage and disclosure to unauthorized persons, thereby violating Articles 24(1), 25(1), 32(1), and 32(2) of the GDPR; and
  • implement appropriate technical and organizational measures to ensure regular testing, measurement, and assessment of the effectiveness of the above-mentioned measures, resulting in a violation of Articles 5(1)(f) and 5(2) of the GDPR, which set out the principles of integrity and confidentiality and the principle of accountability.

Outcomes

In light of the above, the UODO imposed a fine of PLN 238,345 (approx. $60,880) on Res-Gastro. The UODO also ordered Res-Gastro, within three months of the decision, to bring its processing operations into line with the GDPR by implementing appropriate technical and organizational measures to ensure regular testing, measurement, and assessment of the effectiveness of the technical and organizational measures that secure its processing.

You can read the press release here and the decision here, both only available in Polish.