Almost PLN 240 thousand fine for a company whose employee lost a flash drive with personal data
An employee of the catering company Res-Gastro M. Gaweł Sp. k. from Kolbuszowa in the Podkarpacie region, lost a flash drive with personal data. The President of the Personal Data Protection Office determined that the manner of processing personal data in this company was inconsistent with the applicable provisions of the GDPR, due to an incorrectly conducted risk analysis, which did not foresee the risk of losing the data carrier. As a result, appropriate organisational and technical measures have not been taken to ensure secure data processing.
The company itself informed about the incident, and during the proceedings it cooperated with the President of the Personal Data Protection Office, which had a significant impact on the final fine. If it were not for this, the fine would be much higher. The amount of the fine is also inter alia the result of the company's high turnover.
An employee of this company lost a flash drive containing unencrypted files containing personal data of another employee, namely name and surname, address, citizenship, gender, date of birth, personal identification number (PESEL numbe)r, passport series and number, telephone number, e-mail address, photos and data on the amount of earnings. The flash drive also contained encrypted files with financial data.
In the course of the proceedings, the company demonstrated that it had documents such as a risk register or confirmations of monitoring of GDPR procedures. However, the rules for using external data carriers, including their encryption, turned out to be a problem. The company informed employees on how to encrypt files in an instructional video. And this, as the Personal Data Protection Office noted, shifted the responsibility for the way data is processed onto them.
What was the problem?
- The President of the Personal Data Protection Office found that the company misjudged the risk to the data. It was assumed that data carriers could be stolen or destroyed – but it was not taken into account that the medium could simply be lost without bad intentions.
- In addition, despite the assumption of various events, cryptographic solutions for the protection of personal data on external media have not been implemented. An instructional video "how to encrypt files on a flash drive and what program to use for this purpose" is not enough in view of the scope of data processed on such media.
- Another problem was that the company had failed to regularly measure, test and evaluate the effectiveness of the security measures in place.
The President of the Personal Data Protection Office imposed a fine of PLN 238,345 on Res-Gastro. The full text of the President's decision can be found at the following link: