Polish DPA: Identifying breaches too late puts customers at risk

22 April 2021

Cyfrowy Polsat S.A. did not implement appropriate technical and organizational measures in its cooperation with the courier company. This resulted in numerous breaches being identified only after a long delay. Because of this negligence, the Polish Data Protection Authority imposed a fine of over PLN 1.1 million on the company.

Lost correspondence containing personal data, or delivery of such mail to the wrong recipient: these are the breaches that the company frequently reported to the Polish DPA. In addition, the Polish DPA's analysis of these breaches showed that the controller reported them to the supervisory authority, and notified the affected persons, two or even three months after they had occurred.

In the course of the proceedings, it emerged that the controller reported the breaches as soon as it received information about them from the courier company with which it had concluded an agreement. However, in the Polish DPA's opinion, it is the controller who must take effective measures that, first, minimise the scale of the breaches and, second, allow such incidents to be identified more quickly, so that the affected persons and the supervisory authority can be notified sooner.

Because no adequate organizational and technical measures had been implemented to allow breaches to be identified quickly, data subjects remained unaware for a long time of the risk that their data could be used by unauthorized persons, e.g. for identity theft, and could not take any action to mitigate that risk during that period. Meanwhile, the scope of personal data in the correspondence that was lost or delivered to the wrong recipient was wide. The mail also contained other data, such as contract IDs, contract numbers and invoice numbers.

Although the breaches stemmed from irregularities on the part of the courier company, it was the fined data controller that failed to properly supervise compliance with the contractual provisions, which resulted in the late identification of the breaches. Moreover, it was possible for the controller to introduce and enforce new solutions that would both reduce the number of breaches and enable their faster identification. However, it was only in the course of the proceedings that the company implemented mechanisms that significantly reduced the cases of correspondence being handed to an unauthorised person. It also implemented solutions allowing mail to be tracked, which enabled it to identify and report the loss of correspondence containing personal data more quickly. As a result, the company's process for identifying personal data breaches has been significantly shortened. Faster identification of breaches, and consequently faster notification of data subjects that their personal data have been breached, enables them to take appropriate action to minimise the adverse effects of those breaches.

The Polish DPA decided to impose a fine on the company for the GDPR breaches, as the application of other remedies would not have been proportionate to the irregularities identified. Nor would other remedies have guaranteed that this controller would not commit similar negligence in the future.

The full text of the decision is available in Polish here.

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl


The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.