Back

The Polish DPA fines both the controller and the processor for the first time

In January 2022, the Polish DPA issued a decision in which it imposed an administrative fine on both a controller (Fortum Marketing and Sales SA) and a processor (Pika sp. z o.o.). The controller was fined over PLN 4,900,000 (around EUR 1,050,000) – the highest fine imposed by the Polish DPA yet – and the processor was fined over PLN 250,000 (around EUR 53,000). This decision is important for both controllers and processors.

The DPA initiated administrative proceedings following a personal data breach notification by the controller. Personal data of the controller’s customers had been copied by unauthorized persons when the processor was making changes in the IT system. The DPA established that the changes to the IT system and the copying of the personal data were undertaken by the processor without informing the controller.

The DPA’s findings included:

  • violation by the controller of article 5(1)(f), article 24(1) and article 32(1) GDPR by failing to implement appropriate technical and organizational measures to ensure the security of personal data, which resulted in a data breach,
  • violation by the controller of article 28(1) GDPR by not vetting the processor as to whether it provided sufficient guarantees to implement appropriate measures so that processing met the GDPR requirements,
  • violation by the processor of article 32(1) GDPR by failing to implement appropriate technical and organizational measures to ensure the security of personal data, including data confidentiality,
  • that the controller is not released from the obligations related to ensuring the security of personal data if it engages a processor,
  • that the controller did not carry out audits of the processor under article 28(3)(h) GDPR, while this is one of the most important security measures and it is related to the obligation of vetting the processor under article 28(1) GDPR.

Our comment

This decision is very important as it shows how crucial it is for the controller to fulfil the obligation under article 28(1) of the GDPR, i.e. verifying whether the processor provides sufficient guarantees to implement appropriate technical and organizational measures so that processing meets the requirements of the GDPR. The DPA also underlined the importance of auditing processors.