One decision and two financial penalties
On February 11, 2022, information about a record penalty imposed on an administrator (controller) for a data protection violation appeared on the website of the Polish data protection supervisory authority, the President of the Personal Data Protection Office. On January 19, 2022, the President of PDPO imposed penalties on two entities in decision number DKN.5130.2215.2020.
Link to the source of information and link to the content of the decision
This is quite an unusual decision, in which two entities were fined in a single ruling: both the controller and the processor. There were many errors throughout the process of processing data and providing services by the processor to the controller. Here are a few of them:
(-) the processor operated inconsistently with the commonly known ISO standards, which it referred to in its own policies,
(-) the processor did not comply with the provisions of its own “Security Policy”,
(-) the processor also failed to comply with the provisions of the contract for entrusting the processing of personal data, in which it undertook, inter alia, to implement pseudonymization of data, which was to be treated as a mechanism guaranteeing an appropriate level of data security,
(-) the processor in the test system used real personal data,
(-) the controller did not require the processor to provide the risk assessment documentation,
(-) the controller, despite having implemented procedures and knowing how, in line with commonly used practices, changes to IT systems should be introduced, at no stage of the implementation supervised whether it was actually carried out in line with generally applicable standards.
As a result of this series of errors and omissions, a breach occurred, and this was the reason for imposing the administrative financial penalties. These findings of the Personal Data Protection Office are not in themselves new; what is a new quality in this decision is the conclusion that follows from analysing its content. Namely, that the right to audit the processor provided for in Art. 28(3)(h) GDPR, read together with Art. 32(1)(d) GDPR, is not a "right" but an "obligation". In effect, this amounts to mandatory auditing of the processing operations that have been entrusted to processors.
It is difficult to disagree with this approach, since audits are widely recognized as an organizational measure for ensuring the security of personal data processing. If this approach of the Polish authority becomes established, it will mean more work and closer cooperation between controllers and processors.
May 29, 2022
Tomek