The controller should carry out a fair risk analysis

The Personal Data Protection Office (UODO) has imposed an administrative fine on Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. in the amount of almost PLN 160 000 (EUR 35 000) for failing to notify a personal data protection breach. In addition, the company was fined for failing to communicate the breach to the data subject, which the supervisory authority also required it to do.

The UODO was informed of the situation by the insurance intermediary company. In the process of data processing, it played a dual role. On the one hand, it was a data controller, and on the other hand, a processor acting for insurance companies. The breach consisted in the sending by email by the financial intermediary worker to the wrong recipient an analysis of insurance needs and an insurance offer containing data such as a name, surname, PESEL number (Personal Identification Number), city, postal code or information about the subject of insurance. The entity, being a data controller in the form of name and surname, decided to notify a data breach to the UODO in relation to the disclosed personal data contained in the attachments. It considered that the combination of these data in conjunction with the data contained in the attached documents could result in a breach with a risk to the rights or freedoms of a natural person. In the wrongly sent correspondence there were personal data contained in offers and calculations from several insurance companies. The entity that committed the breach acted at the same time as the processor of the insurance companies and therefore notified them of the breach. The verification carried out by the UODO showed that in connection with this incident several insurance companies, as data controllers, had notified the data breach. No such notification was received from Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A.

The UODO asked the company for explanations. The company confirmed that the personal data breach had indeed occurred, however, based on the performed assessment in terms of the risk to the rights and freedoms of natural persons, it was concluded that no breach occurred that would require notifying the President of the UODO and notifying the data subject. It should be noted that the assessment was made using a form developed by the Company.  Moreover, the risk analysis carried out by the Company raised doubts of the supervisory authority and was not carried out in a correct manner. Errors, as well as irregularities in the assessment carried out, consisting in particular in the underestimation of results in particular criteria, the lack of consideration of significant factors for particular criteria, or taking into account factors, which should not be applied, indicate that the analysis was carried out in an arbitrary manner and was not used as a tool to help the Company assess whether it should notify the breach to the supervisory authority and communicate the breach to the data subject, but rather to demonstrate the absence of such obligations.

In addition, the company provided a statement made by an unauthorised recipient of the message indicating that he was not in possession of the documents sent and that he was not aware of the content of the documents attached to the message, as he had not read them before deleting the message. However, such a statement does not exclude the assumption that there has been a high risk to the rights or freedoms of the data subject, nor does it exclude the possibility of adverse effects in the future.

In the opinion of the UODO, a security breach occurred in this case because the personal data was made available to an unauthorised recipient, who cannot be considered a "trusted recipient", and the scope of the data determines that there was a high risk to the rights or freedoms of natural persons. This gives rise to an obligation on the part of the company to notify the personal data breach to the supervisory authority.

In the opinion of the UODO, the fine will be effective and will fulfil its function.

The full content of the decision is available (in Polish) at:

2021-07-01 Metadane artykułu