Less than a year after the General Data Protection Regulation (hereinafter – GDPR) entered into force, the State Data Protection Inspectorate (hereinafter – Inspectorate) imposed its first significant fine for non-compliance with the GDPR.
The fine was imposed on a company providing a payment initiation service for infringements of Articles 5, 32 and 33 of the GDPR:
– Excessive processing of personal data (Article 5) – it was determined that the company processed more data than was necessary to provide the payment initiation service, and retained data for longer than the retention period it had itself established and longer than necessary;
– Disclosure of personal data (Article 32) – it was determined that the company had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk. It was also pointed out that security management and the management, deployment and maintenance of the company's entire IT infrastructure (hardware and software) were carried out by a single employee, which meant that the potential for unauthorized or unintentional modifications was not minimized and no appropriate personal data protection policy was implemented;
– Failure to notify a personal data breach (Article 33) – it was determined that the company did not fulfil its obligation, in the case of a personal data breach, to notify the Inspectorate without undue delay and, where feasible, not later than 72 hours after having become aware of it.
The imposition of fines by the Inspectorate under the GDPR is a clear signal to other companies to implement the GDPR requirements properly.
This case clearly shows that companies must have a well-structured and documented procedure for investigating personal data breaches, as well as a designated person responsible for managing and investigating each breach. Employees must be trained in how to act in the event of a breach and must be fully familiar with the company's procedures. Because the 72-hour period runs from the moment the company becomes aware of a breach, the procedure must also cover how breaches are detected and escalated internally, so that the deadline is not missed simply because nobody was watching the affected systems.
It is important to pay attention to the requirements for reporting a personal data breach (Art. 33 and Art. 34 of the GDPR):
– In the case of a personal data breach, the company shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the breach to the Inspectorate, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; where the notification is not made within 72 hours, it must be accompanied by reasons for the delay;
– When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company shall also communicate the breach to the affected data subjects without undue delay.
It is also important to note that the Inspectorate stated in its report that, in order to minimize and distribute the risk of a personal data breach, a single person cannot be made responsible both for performing the security function and for managing and maintaining the IT infrastructure of the entire company. In practice this means separating the security role from day-to-day IT administration, so that no single individual can make changes to the systems processing personal data without independent oversight.
If you have any further questions, we will be happy to answer them.