In April 2020, the controller, Fortum Marketing and Sales SA, notified the President of the PDPO of a data breach, reporting that data of the controller’s customers had been copied in the course of changes to the ICT environment of a digital document filing system. Fortum used the services of the processor, PIKA sp. z o.o., with regard to this system.
In April 2020, Fortum reported the data breach to the President of the PDPO, stating that Fortum customer data had been copied. This incident was connected with modification of an ICT environment for the service described above to streamline the entire document filing system. The breach concerned a new database containing Fortum customer information such as first name, surname, residential address, personal civil identification number (PESEL), identification document type and number, e-mail address, telephone number, number and address of place of supply and agreement details (such as agreement date and number, type of fuel, meter number). It was stated that 137 314 people were affected by the breach.
At first, in April, the President of the PDPO launched an investigation regarding Fortum ex officio. In response to a notice, Fortum explained that PIKA had not consulted Fortum on the changes made or on the manner in which they were made. Fortum’s relationship with PIKA was based on an agreement for storage (document archiving) and associated services, concluded in 2016, and on a data processing agreement of May 2018. In a response of June 2018 to questions posed by the regulator, the controller explained that, prior to concluding the agreement engaging a processor, it had not taken additional steps to verify the processor, because Fortum had been doing business with PIKA for many years and PIKA was the market leader in archiving and digitization services. No security incidents had occurred up until that time. Fortum acknowledged that it had not exercised its right of inspection with regard to PIKA, as provided for in article 28(3)(h) of the GDPR. In May 2020, and thus only after the breach had been discovered, the controller sent a questionnaire to the processor, which was the first step of the verification process.
Fortum stated in June 2020 that when making the change, PIKA did not follow the established procedures and did not submit a conceptual plan for the changes, or functional or technical plans, to the controller.
Fortum reported that the software had not been working properly; PIKA found the cause and commenced measures to solve the problem without consulting Fortum.
Next, in July 2020, the President of the PDPO sent a notice to PIKA stating that it had been classified as a party to the ongoing administrative proceedings. In its explanations, PIKA stated that it had not consulted the controller on the changes made to the software.
The President of the PDPO made the following findings in a decision of 19 January 2022:
The President of the PDPO found that both the controller and the processor failed to implement appropriate technical and organizational measures to protect processed personal data, and thus were in breach of article 32 of the GDPR.
The President of the PDPO also found that where parties do business long-term without audits or inspections being conducted periodically and systematically, this does not guarantee that the processor duly performs the duties required by law and under an agreement on engaging a processor. An existing business relationship can only be a starting point for verifying a processor. Concluding an agreement on engaging a processor without proper verification does not sufficiently comply with a controller’s obligations under article 28(1) of the GDPR.
This was the first time that the President of the PDPO fined a controller and a processor simultaneously in a single case. The decision sets a precedent by demonstrating the importance of controller compliance with article 28(1) of the GDPR, i.e. verifying a processor before entering into an agreement engaging that processor.
The regulator also found that the processor’s obligation under article 28(3)(h) of the GDPR, to make available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR and to allow audits, including inspections, conducted by the controller or by an auditor mandated by the controller, must be matched by the controller actually conducting audits of that kind. In other words, outsourcing does not release a controller from the obligation to monitor the processor, including checks to determine whether it complies with the agreement on engaging a processor. In practice, this means that any controller who outsources is required to establish whether it verified the processor prior to the conclusion of the agreement, in accordance with the procedure provided for in article 28(3) of the GDPR, and to plan processor audits in accordance with article 28(3)(h) of the GDPR.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).