Another fine for telecom operator for failure to notify the personal data breach
The Polish SA, finding a violation of the Telecommunications Law, consisting in the failure to notify the personal data breach to the supervisory authority within 24 hours after having become aware of it and the failure to communicate the personal data breach to the subscriber without undue delay, imposed a fine of PLN 250,000 on P4 Sp. z o.o.
The Polish SA received an email from a third party that indicated that person was an unauthorised recipient of a set of documents relating to the conclusion of a telecommunications contract. Accordingly, the Polish SA requested the company to provide information on the personal data breach which involved allowing an unauthorised third party to consult the indicated documents, and to provide an assessment in terms of the obligation to notify the personal data breach to the supervisory authority and communicate such a breach to the data subject.
Incorrect e-mail address
The company responded, stating that in addition to the data necessary to conclude the contract, the customer had indicated a phone number and e-mail address for contact. During the contracting process, an email containing a copy of the contract and its attachments was generated and sent to the address specified by the customer. The controller also stated that the customer subsequently returned with the information that the e-mail address indicated in the contract was incorrect and asked the controller to delete it.
The company acknowledged that it is possible not to carry out the sending of documents via e-mail by marking a special field in the sales system, which, however, the controller's employee did not do, and therefore the e-mail with copies of documents was sent.
In the company's opinion, there were no grounds for treating the incident in question as a personal data breach, and therefore the company did not notify the aforementioned breach to the Polish SA and did not communicate it to the customer (subscriber).
Response time is important
After the company received a notice from the Polish SA on initiating administrative proceedings, the controller sent a notification of a personal data breach to the supervisory authority, along with the letter communication to the subscriber on the personal data breach.
Pursuant to the Telecommunications Law, a provider of publicly available telecommunications services shall notify a personal data breach to the Polish SA no later than 24 hours after having become aware of it.
In addition, where a personal data breach is likely to adversely affect the rights of a subscriber or end-user who is an individual, the provider of publicly available telecommunications services shall also immediately communicate such a breach to the subscriber or end-user (such notification shall be made without undue delay after having become aware of the personal data breach).
For both the obligation to notify the supervisory authority and the obligation to communicate a data breach to the subscriber, the timing of the detection of the breach is important. A data breach is considered to have been detected when the provider has obtained sufficient knowledge of the occurrence of the security incident that led to the data breach to provide notification as required by the relevant regulations.
In the case in question, the controller obtained twice the information that would allow it to become aware of the personal data breach. The first time was when the customer himself or herself approached the controller with the information that the e-mail address he or she had indicated was incorrect and asked for its removal, which was noted by the company in the relevant notification. And the second time, when the controller received a letter from the Polish SA with a request to provide information on the personal data breach which involved allowing an unauthorised third party to consult a set of documents (a contract).
In the opinion of the Polish SA, already obtaining the first of the above-mentioned information (along with knowledge of the applicable procedure for sending documents in electronic form) was sufficient to become aware of the personal data breach. Meanwhile, the company notified the personal data breach to the supervisory authority and communicated it the subscriber only after the administrative proceedings in the case had been initiated and after reviewing the case file.
In the case at hand, there was a personal data breach involving the company's making the subscriber data contained in the contract available for a third party via email. In addition, this breach is likely to have an adverse effect on the subscriber's rights, in particular, it may result in the unauthorised use of personal data, property damage, or violation of personal rights.
Not only did the controller fail to notify the data breach to the Polish SA within the statutory timeframe, but it also failed to comply without undue delay with its obligation to communicate the personal breach to the customer. This is particularly important to enable the subscriber or end-user to take the necessary preventive measures to protect rights or freedoms from the negative consequences of the breach.
In the opinion of the Polish SA, the scope of the breach, its duration and its consequences justify the need to impose a fine on the company.
It should also be noted that the notification to the supervisory authority of a personal data breach no later than 24 hours after having become aware of it, considered within the framework of this administrative proceedings, was not the first such case in the controller's activities to date, which had an impact on the administrative fine imposed.