Are you a controller? You need to quickly identify data breaches

by Aneta Siwek

17 June 2021 ​

In its decision of 22 April 2021 (file no. DKN.5130.3114.2020), the President of the (Polish) Personal Data Protection Office (PDPO) imposed an administrative fine of PLN 1,136,975 on the data controller – Cyfrowy Polsat S.A.

Cyfrowy Polsat S.A. failed to ensure adequate mechanisms allowing quick identification of personal data protection breaches as part of collaboration with an entity providing courier services to the company. The controller was accused of violating Article 24(1) and Article 32(1) and (2) of the General Data Protection Regulation (GDPR).

What the company was fined for

The President of the PDPO accused the controller of being too slow in identifying data protection breaches. It pointed out that a fair amount of time had passed between the event causing the data protection breach and the controller finally identifying it. Consequently, it took even several months to report the breach and to notify of the incident the persons whose rights and freedoms were affected.

In the opinion of the President of the PDPO, the company failed to properly evaluate the effectiveness of technical and organisational measures taken to ensure the security of the processing of personal data contained in documents delivered to the company's customers by courier service.

The President of the PDPO also pointed to the failure to meet the requirement set out in Article 34(2) read together with Article 33(3)(c) GDPR – the controller failed to notify data subjects of possible consequences of a personal data breach.

No proper risk assessment

In the opinion of the President of the PDPO, the company failed to properly assess the risk and therefore it was underestimated. The assessment carried out by the company turned out to be incomplete as it omitted certain situations where the risk of data breach was high. The company also failed to sufficiently document that breaches were assessed on a case-by-case basis.

The decision shows that notifying the supervisory authority of a personal data breach within the time limit set out in Article 33 GDPR or within the time limit set out in special regulations applicable to the controller does not exempt the controller from the obligation to take actions aimed at efficient and quick identification of personal data breaches.

In order to carry out an appropriate risk assessment, both the controller and the processor are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk related to the processing. They should also make sure that the implemented measures allow for immediate identification of a breach and for immediate notification of the breach to the supervisory authority and the data subject. Even if the processor does not respond to a breach quickly, the controller remains liable for identifying a personal data breach.

Delayed notification of breaches

According to Article 34(1) GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Prevention and immediate response to breaches are key elements of any data security policy. Following the Article 29 Working Party guidelines on personal data breach notification, referred to by the President of the PDPO, individuals should be notified of a breach “without undue delay”, i.e. as soon as possible.

The lack of effective mechanisms to quickly identify personal data breaches, and to minimise their scale eventually caused that Cyfrowy Polsat S.A. was fined for breaching its obligations under Articles 24(1) and 32(1) and (2) GDPR. The mechanisms implemented after administrative proceedings had been initiated and after the President of the PDPO had presented its own analyses did not protect the company from the consequences of breaches and from the fine.

In the opinion of the President of the PDPO, it was possible for the Company to take effective measures to minimise the scale of breaches and to faster identify breaches related to courier services, also during the pandemic.

Despite the fact that the controller has formally implemented data protection policies and procedures regarding notification of breaches and has signed a personal data processing agreement, it failed to develop in practice appropriate mechanisms to control the processor's fulfilment of its obligations. Thus, it did not identify on an ongoing basis personal data protection breaches related to the shipment of documents containing personal data. As a result, data subjects were notified of the breach only after a considerable time lag.

As indicated in recital 85 GDPR, a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as:

• loss of control over their personal data;
• limitation of their rights, discrimination, identity theft or fraud;
• financial loss;
• unauthorised reversal of pseudonymisation;
• damage to reputation;
• loss of confidentiality of personal data protected by professional secrecy;
• any other significant economic or social disadvantage.

Summary

The above case proves how important it is for the controller not only to formally develop and implement appropriate procedures for personal data protection across the organisation. The same applies to the relations between the controller and entities commissioned to provide certain services related to data processing. What is most important is to actually respect the obligations resulting from these procedures and to use risk-adjusted measures that allow for their actual use and ongoing updating, if necessary.