22.03.2023

Several infringements of the GDPR lead to administrative fine for housing community

The Personal Data Protection Office imposed an administrative fine of just over PLN 1,500 on a housing community. As part of its proceedings, the SA took into account several infringements in the activities of the controller, including the lack of notification of a personal data breach, the failure to communicate the breach to the data subjects, and that the processing of the data of the members of this community was entrusted without a written agreement.

As the Personal Data Protection Office (hereinafter: SA) found, in response to an anonymous notification of a possible personal data protection breach affecting housing community members, the breach occurred as a result of the theft of documents, including a copy of a notarial deed, held by the administrator of the housing community.

When the rights and freedoms of natural persons are at risk as a result of a breach, the breach must be notified to the SA

In the case in question, one of the controller’s infringements was the failure to notify the personal data breach to the supervisory authority.

The very fact of occurrence of a personal data breach obliges the controller to take appropriate actions. There is no doubt that in the situation of a security incident identified as a personal data breach, the controller is obliged to notify it to the supervisory authority no later than within 72 hours after having become aware of it. However, this obligation is not absolute. The controller, on the basis of an analysis of the possible risks to the rights and freedoms of natural persons, may exempt itself from this obligation if, in accordance with the principle of accountability, it demonstrates that the risk to the rights and freedoms of natural persons is unlikely. It is then important, in accordance with the principle of accountability, to show a balancing exercise of the possible material and non-material damage that the breach may cause to the data subjects. In the case at hand, the risk of negative consequences for housing community members was more than unlikely and therefore the controller was obliged to notify the personal data breach to the supervisory authority.

If a person knows that his/her personal data has been breached, he/she can counteract its effects

The second reason for imposing an administrative fine on the housing community was the failure to communicate the breach to data subjects.

In this case, the community not only failed to notify the supervisory authority of the personal data breach affecting all its members, but also failed to inform two persons whose data were processed on the stolen photocopy of the notarial deed relating to their property. Thus, in practice, it deprived these persons of the opportunity to counteract the potential damage that could arise. In the authority's view, there was a high risk to the rights and freedoms of these persons in connection with the personal data breach that occurred, which means that they had to be informed of it. It should be noted that the administrator of the housing community verbally informed only one of the persons whose data was processed in the stolen documentation about the incident. This tenant, on his own initiative, decided to report the matter to the law enforcement authorities and applied for a new ID card. However, the action of the affected person does not exempt the community from issuing an individualised written communication to that person, nor does it exempt the community from addressing an individualised notice to the other person.

The supervisory authority constantly reminds controllers that where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is obliged not only to notify this fact to the supervisory authority, but also to communicate it to the data subject without undue delay.

At the same time, it should be noted that a high risk to the rights and freedoms does not actually have to materialise. What is important is the mere risk of material or non-material damage to the data subjects.

Since the case at hand concerns a breach that gives rise to such a high risk, the supervisory authority, in addition to imposing an administrative fine, ordered the controller to communicate the breach to the data subjects within 3 days of the issuing of the decision.

No data processing agreement, no verification of the processor

The supervisory authority also found failings on the part of the housing community in the form of entrusting the processing of the personal data of its members without concluding a written data processing agreement and without verifying the processor.

The housing community and its administrator cooperated on the basis of a civil law agreement describing mutual rights and obligations only in relation to the management of the joint property. This agreement did not refer to legally protected values, which undoubtedly include the sphere of privacy of individuals. It also did not meet the requirements set out in the provisions of the GDPR, so it was considered that no data processing agreement had been concluded between the personal data controller and the data processor.

When using processors, the controller should be satisfied that they will provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing of personal data complies with the GDPR and ensures the security of the processing of personal data as one of the fundamental rights. It is the controller that is obliged to assess whether these guarantees are sufficient.

Only this thorough examination of the competence of the selected processor can be the starting point for the controller to conclude an appropriate data processing agreement.

The proceedings showed that the administrator who processed the personal data of the community members conducted its processing in an unorganised manner. Without any agreement with the controller and outside its control, the administrator processed personal data at its place of residence, without implementing appropriate technical and organisational measures.
