Failure to notify a personal data breach without undue delay as a reason for imposing a fine
Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. (WARTA S.A. Insurance and Reinsurance Company) infringed the provisions of the General Data Protection Regulation, because it did not notify a personal data breach to the President of the Personal Data Protection Office. The supervisory authority therefore imposed a fine on the company in the amount of PLN 85 588.
In May 2020, the Personal Data Protection Office (UODO) received information from a third party about a personal data breach: an insurance agent, acting as a processor for the WARTA S.A. Insurance and Reinsurance Company, had sent an insurance policy by e-mail to an unauthorised addressee.
The attached document contained personal data including, among others, names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of the insurance (a passenger car). Importantly, the supervisory authority was informed of the breach by the unauthorised addressee, who had come into possession of documents not intended for him or her; the confidentiality of the data of the persons concerned had therefore been breached.
The supervisory authority therefore asked the Company to clarify whether, in connection with the sending of electronic correspondence to an unauthorised recipient, it had analysed the risk to the rights and freedoms of natural persons, an analysis needed to assess whether the breach required notification of the UODO and of the persons affected. In the same letter, the supervisory authority indicated to the company how it could notify the breach and called for explanations.
The Company confirmed that an incident involving a personal data breach had occurred and that an assessment of the risk to the rights and freedoms of natural persons had been carried out. On the basis of that assessment the company concluded that the breach did not require notification of the UODO. The company took the view that the breach had been caused by sending the insurance policy document to a wrong e-mail address that the customer had indicated himself or herself. In addition, the unauthorised recipient had contacted the company with a request, and the company had asked for permanent deletion of the message, requesting confirmation that it had been deleted.
Despite the letter from the UODO requesting clarification, the company still did not notify the personal data breach and did not communicate the incident to the persons affected. The supervisory authority therefore initiated administrative proceedings. Only after the proceedings had been initiated did the company notify the personal data breach and inform the two persons affected by it.
This conduct prolonged the breach, which must be regarded as an aggravating circumstance, all the more so because five months had elapsed between the company learning of the personal data breach and its notification to the supervisory authority.
In the course of the proceedings, the UODO held that the fact that the breach resulted from a customer's mistake in providing the wrong e-mail address does not mean that the event is not a personal data breach. When allowing e-mail to be used for communication with customers, the controller should be aware of the associated risks, such as an incorrect e-mail address provided by the customer. To minimise those risks, the controller should take appropriate organisational and technical measures, such as verifying the address provided or encrypting the documents sent in this way.
Likewise, asking the wrong recipient to permanently delete the correspondence received does not establish that the risk to the rights and freedoms of the data subjects is not high. The controller cannot be sure that the unauthorised addressee has not, for example, made a copy of the documents or otherwise recorded them.
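As an added illustration of the first measure the regulator names, verifying the address the customer provided before any document containing personal data is sent to it, the following Python code implements a confirmation gate. It is example code written for this page, not WARTA's, the agent's or the UODO's system; the HMAC token format, the 24-hour expiry, the in-memory verified-address set and the sample customer, addresses and document are all assumptions constructed here.

```python
"""Added example: a recipient-address verification gate.  Illustrative code
written for this page (not the controller's or regulator's system); the token
format, the 24-hour expiry and the in-memory stores are assumptions."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed: confirmation links expire after a day


class RecipientVerifier:
    """Issues a confirmation token for an address the customer typed and marks
    the address as verified only when that token comes back from the mailbox.
    The token is an HMAC over (customer, address, issue time), so it cannot be
    forged or replayed for a different address and needs no server-side state
    until it is confirmed."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable for deterministic tests
        self._verified = set()       # (customer_id, lowercased address)

    def _mac(self, customer_id: str, address: str, issued: int) -> str:
        msg = f"{customer_id}|{address.lower()}|{issued}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_challenge(self, customer_id: str, address: str) -> str:
        """Token to embed in the confirmation e-mail.  That e-mail carries no
        policy data, so a typo in the address leaks nothing personal."""
        issued = int(self._clock())
        return f"{issued}.{self._mac(customer_id, address, issued)}"

    def confirm(self, customer_id: str, address: str, token: str) -> bool:
        """Called when the link is clicked.  Rejects malformed, expired or
        forged tokens; on success records the address as verified."""
        try:
            issued_str, mac = token.split(".", 1)
            issued = int(issued_str)
        except ValueError:
            return False
        if self._clock() - issued > TOKEN_TTL_SECONDS:
            return False
        if not hmac.compare_digest(mac, self._mac(customer_id, address, issued)):
            return False
        self._verified.add((customer_id, address.lower()))
        return True

    def is_verified(self, customer_id: str, address: str) -> bool:
        return (customer_id, address.lower()) in self._verified


def send_policy(verifier, customer_id, address, document, outbox) -> bool:
    """Release gate: a document with personal data (names, PESEL numbers, ...)
    leaves the system only for an address the customer has confirmed."""
    if not verifier.is_verified(customer_id, address):
        return False
    outbox.append((address, document))
    return True


def demo() -> dict:
    """Constructed scenario: the customer first types the address with a typo;
    nobody confirms it, so the policy is withheld.  The corrected address is
    confirmed and the policy goes out."""
    verifier = RecipientVerifier(secrets.token_bytes(32),
                                 clock=lambda: 1_700_000_000.0)
    outbox = []
    policy = "POLICY-DOC (constructed placeholder, no real data)"
    typo = "jan.kowalski@exmaple.com"        # constructed sample addresses
    correct = "jan.kowalski@example.com"
    verifier.issue_challenge("C-001", typo)  # link lands in a stranger's mailbox, never clicked
    withheld = send_policy(verifier, "C-001", typo, policy, outbox)
    token = verifier.issue_challenge("C-001", correct)
    confirmed = verifier.confirm("C-001", correct, token)
    sent = send_policy(verifier, "C-001", correct, policy, outbox)
    return {"sent_to_typo": withheld, "confirmed": confirmed,
            "sent_to_verified": sent, "outbox": outbox}


if __name__ == "__main__":
    print(demo())
```

The gate only proves that someone with access to the mailbox clicked the link; it does not protect the document once it has left the system, which is why the regulator's second measure, encrypting the attachment with a key delivered over a separate channel, complements it rather than replaces it.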
When imposing the administrative fine, the President of the UODO also took mitigating circumstances into account: the breach concerned the personal data of only two persons, and the company asked the wrong recipient to permanently delete the correspondence received. It is worth noting, however, that a request to delete data does not guarantee that the data is actually erased by the unauthorised person and does not rule out negative consequences from its use.
The full decision in Polish is available at: https://uodo.gov.pl/decyzje/DKN.5131.5.2020.