Background information
- Date of final decision: 24 April 2024
- National case
- Legal Reference(s): Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing), Article 33 (Notification of a personal data breach to the supervisory authority), Article 34 (Communication of a personal data breach to the data subject)
- Decision: Administrative fine, Order to communicate the personal data breach to the data subjects
- Key words: Administrative fine, Data subject rights, Personal data breach, Accountability, Data security, Sensitive data
Summary of the Decision
Origin of the case
The President of the Personal Data Protection Office has imposed a fine on the "Stop LGBT" Legislative Initiative Committee for the way it conducted the collection of signatures. The lists of signatures supporting the draft law banning assemblies on LGBT rights had been left lying unsecured in a church.
According to information received by the DPA, the “Stop LGBT” Legislative Initiative Committee, which collected signatures, did so in such a way that the lists of support were not protected.
The controller confirmed that the described situation took place, but in its opinion there was no breach of the GDPR. However, the proceeding conducted by the President of the DPA revealed breaches of a number of GDPR provisions, including those relating to personal data security.
Key Findings
In the case of the "Stop LGBT" Legislative Initiative Committee, a risk analysis had been conducted, but it was undated. The analysis also identified only three situations whose occurrence could give rise to a risk of breach of the rights and freedoms of natural persons:
- unauthorised access to the data room,
- unauthorised copying of signature cards,
- and unauthorised transfer of information containing personal data.
The risk for each of the listed vulnerabilities was assessed as ‘negligible’. The risks of someone copying or photographing the list, which contained addresses and PESEL numbers, or of other signatories seeing which of their neighbours had already signed, were ignored, as was the risk of bystanders viewing those data.
The controller assumed that, at low risk, it would be sufficient for the signature cards to be constantly under the supervision of ‘signature collectors’.
As the controller did not recognise the risks to the data subjects, it did not provide for any risk mitigation measures, such as shielding the already collected signatures from the view of further signatories or bystanders.
Decision
The President of the Personal Data Protection Office has imposed a fine of 2 500 € for infringement of Articles 24, 25, 32, 33 and 34 of the GDPR.
In the decision, the President of the Personal Data Protection Office indicates how to act correctly in such a situation. The GDPR does not contain a list of technical recommendations for such cases, but it does set out what must be taken into account in order to properly protect the entrusted data, especially sensitive data.
Signature collectors must ensure that the data are properly secured. The data already collected must be constantly supervised and protected from subsequent signatories by covering the part of the list already filled with personal data. Leaving such lists unattended is unacceptable.
The incorrect risk analysis also led the controller to act wrongly by failing to notify the breach to the supervisory authority. A controller need not notify only where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. That was not the case here: a list containing a large amount of personal data had been left unattended.
The occurrence of a high risk to the rights or freedoms of individuals requires the data controller to communicate the incident to data subjects.
For further information:
- Decision in national language (Polish)