Organisational errors in the redevelopment of the website may result in data becoming public
The company Panek SA had not implemented adequate technical and organisational measures, based on a risk analysis, to ensure the security of data processing. The solutions it did implement were never tested. Panek SA did not assess their effectiveness, and therefore did not know that they were insufficient.
The President of the Personal Data Protection Office imposed a fine of PLN 1,527,855 on the company. He also imposed an administrative fine of PLN 20,037 on ITCenter, the company that supports Panek SA and processes the data on its behalf.
The amount of a fine imposed by the President of the Personal Data Protection Office depends, inter alia, on the scale of the mistakes made, but also on the annual turnover of the data controller. This is what the GDPR provides.
The data security breach occurred while the company's website was being rebuilt. As a result of a lack of proper communication between the controller and the processor, an employee of the subcontractor mistakenly placed data files from the old website on the new site. These files were indexed by Google and so became available to everyone. The exposed customer data included: first name, last name, email address, home address, and the encrypted password for the site's customer panel. Approximately 21,453 people, both customers and employees of the company, were affected by the breach.
The data controller (the company) reported the breach to the President of the Personal Data Protection Office, who conducted an investigation and obtained explanations both from the company and from the company that had built its website.
The website developer claimed that it had not received information from the controller about the functionality of the website (inter alia, that it implements the booking process and that the website is itself a personal data filing system). The data processing agreement did not mention the website at all.
The controller, for its part, emphasised that the incident would not have occurred had it not been for a server configuration error, for which the developer's IT services were responsible.
The President of the Personal Data Protection Office found that:
- The controller, although aware of how, according to common practice, the implementation of changes to the IT system should proceed, did not at any stage supervise whether it was proceeding in accordance with common standards and the personal data processing agreement.
- The controller assumed, on the basis of information from the company serving it, that the entirety of the tasks performed by the ‘specialist entity’ in the area of data security and confidentiality provided sufficient guarantees of protection for its clients.
The violation of GDPR provisions in this respect contributed significantly to the breach of confidentiality of personal data.
The controller was required to take measures to ensure an adequate level of data protection. It should have implemented appropriate technical and organisational measures, and it should have taken steps to optimally secure and configure the resources, tools and devices used (including computer hardware). This should have been done by regularly testing, measuring and evaluating the effectiveness of the technical and organisational measures meant to ensure the security of data processing.
The nature and type of these actions should result from the risk analysis carried out, which should identify the vulnerabilities relating to the resources used and the resulting risks, and then determine the appropriate security measures.
In this case, it should be emphasised that risk analysis and risk management are processes that require the cooperation of all stakeholders and, as such, primarily require the planning, organisation, direction and control of the resources used for processing, the execution of the processing activities themselves and the investigation and detection of possible vulnerabilities and gaps.
In particular, it is necessary to:
- analyse the impact of each change on the level of security of the data processed;
- before carrying out any actions, in particular those that consist, for example, in transferring a personal data filing system from one location to another, exercise the utmost caution: the controller and the processor should, before implementing the change itself, determine the principles of its implementation, in particular in the context of ensuring an adequate level of security of the processed data;
- check that the operation has been a complete success, not only in terms of the efficiency of the application or system, but also in terms of the fulfilment of the GDPR requirements.
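One concrete form of the post-migration check in the last step, written here as an added example and not part of the decision or of either company's tooling: compare the deployed web root against the release manifest and flag any file that was not part of the release and looks like a personal-data export (the manifest, directory layout and sample contents are constructed for the illustration).

```python
"""Post-deployment check: flag files under a web root that are not in the release
manifest and look like data exports (database dumps, CSV/XML exports, files full of
e-mail addresses). Files listed in the manifest are trusted as intended content."""
import os
import re
import tempfile

# Extensions typical of exported data rather than site content (assumption for the example).
DATA_EXTS = {".sql", ".csv", ".bak", ".xml", ".json", ".zip", ".tar", ".gz", ".xls", ".xlsx"}
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")

def looks_like_data_export(path, sample_bytes=65536):
    """Heuristic: a dump-style extension, or several e-mail addresses in the first chunk."""
    if os.path.splitext(path)[1].lower() in DATA_EXTS:
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
    except OSError:
        return False
    return len(EMAIL_RE.findall(head)) >= 3

def audit_webroot(root, manifest):
    """Return the sorted relative paths of files outside the manifest that look like data exports."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest and looks_like_data_export(full):
                findings.append(rel)
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample (not real data): a two-file release plus two stray files from an old site."""
    root = tempfile.mkdtemp()
    files = {
        "index.html": b"<html>new site</html>",
        "assets/app.js": b"console.log('ok');",
        "old/customers.sql": b"INSERT INTO users VALUES ('a@example.com', 'hash');",
        "old/export.txt": b"jan@example.com;anna@example.com;piotr@example.com;",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root, {"index.html", "assets/app.js"}

if __name__ == "__main__":
    root, manifest = build_sample_webroot()
    for rel in audit_webroot(root, manifest):
        print("not in release manifest and looks like a data export:", rel)
```

Run against the real web root with the build's artefact list as the manifest; a non-empty result should block the release until each flagged file is explained or removed.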
The fact that the website contained a database of personal data is crucial from a data protection point of view. It determines the need to implement specific (adequate) technical measures to ensure the security of the processing of personal data. The supervisory authority does not tell controllers which technical conditions they must meet in order to avoid personal data protection breaches and to act in accordance with the GDPR. It is the controller, being aware that it is processing personal data and knowing the nature and scope of the data, who decides, after a diligent risk analysis, which adequate organisational and technical measures to implement.
Entrusting the processing of personal data to a processor does not exempt the controller from its obligations under Article 32(1) and (2) GDPR.
The full legal reasoning is contained in the attached decision with reference DKN.5130.2415.2020