Personal data breach resulting from data subjects' mistakes have to be notified!

On 29 December 2020, the Polish Data Protection Authority (President of the Personal Data Protection Office, hereinafter: the PUODO) published a new administrative sanction imposed on WARTA S.A. Insurance and Reinsurance Company (Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A.) in the amount of approx. € 20.000,00. WARTA S.A. had failed to notify a personal data breach without undue delay to the supervisory authority and data subjects affected by the breach. In the result, the President of the Personal Data Protection Office found that the company violated art. 33(1) and art 34(1) GDPR.

The personal data breach about which WARTA S.A. should have notified the PUODO consisted in sending an insurance policy via an e-mail to an unauthorised recipient by an insurance agent who operated on behalf of the company as its processor. The misaddressed document contained personal data of two persons including the subject of the insured matter, the scope of the insurance, payments, addresses of residence, their PESEL numbers (personal identification numbers), names and surnames. The PUODO was informed about the personal data breach by the very unauthorised recipient who came into possession of the aforementioned personal data. The Polish Data Protection Authority requested clarification from WARTA S.A.

Responding to the PUODO's inquiry, WARTA S.A. confirmed that the personal data breach occurred and that an assessment had been conducted in terms of the risk to natural persons' rights and freedoms. The company explained that it had not notified the supervisory authority about the incident since:

1. it was the data subject who provided the company with an incorrect e-mail address to which the insurance policy was sent;
2. the unauthorised recipient contacted the company of their own accord, so one can assume that they were aware of the importance of the received information and the relevant regulations.

Under these circumstances, WARTA S.A. assumed a little likelihood of negative consequences for data subjects resulting from the breach. Hence, it only asked the unauthorised recipient to permanently delete the misaddressed e-mail and subsequently provide the company with the confirmation of the e-mail's removal. Even after the PUODO's inquiry, the company still neither notified a personal data breach nor provided the data subjects affected by the breach with relevant information about the incident. The PUODO disagreed with the company's argumentation and commenced administrative proceedings in October 2020, which prompted WARTA to notify a personal data breach finally and to communicate the incident to the data subjects affected by the breach.

The Polish Data Protection Authority emphasised that the personal data breach in the case in question caused a high risk of infringement of natural persons' rights or freedoms because of the data whose confidentiality was violated. The PUODO deemed that the WARTA's request to the unauthorised recipient to permanently delete the wrongly received correspondence was irrelevant for personal data breach severity assessment. The supervisory authority noted that there was namely no certainty that, before doing so, the person in question had not preserved the personal data contained in the misaddressed document. In the PUODO's opinion, there was no sufficient guarantee that the unauthorised recipient's intentions would remain the same in the course of the time, and the possible consequences of using such categories of data may be significant for the affected data subjects. There was no basis for the unauthorised recipient to be considered and treated as a "trusted one". In the decision, it was also noted that the company could not verify any possible declaration from the unauthorised recipient about the deletion of the misaddressed e-mail.

Furthermore, the PUODO also referred in its decision to the fact that the breach resulted from the data subject's mistake while providing the e-mail address to which their insurance policy was sent. In the Polish Data Protection Authority's opinion, controllers that allow their customers to communicate with them via e-mail should envisage possible related risks and take appropriate organisational and technical measures, such as, e.g. verification of the e-mail address provided by data subjects. WARTA S.A should have also informed the data subjects affected by the personal data breach without undue delay about the incident in order to enable them to prevent potential damages.

Thus, the PUODO found that WARTA S.A. infringed art. 33(1) and art 34(1) GDPR. In its decision, the Polish Data Protection Authority emphasised that the company made a conscious decision not to notify it and the data subjects initially since it notified similar data breaches to the PUODO in the past and therefore should have been aware that this obligation should have been fulfilled this time as well. The company's wrong personal data breach severity assessment also deprived the data subjects of a chance to take preventive measures against damages that may have resulted from their personal data's disclosure.

Commentary

The PUODO's decision is final under Polish law and can only be contested in an administrative court. However, at this point, from its analysis, a few conclusions can be inferred that may provide the needed guidance regarding the supervisory authority's future practice:

• requesting an unauthorised recipient to delete the permanently received misaddressed electronic correspondence cannot always be considered as a factor that mitigates the risks for data subject's freedoms and rights resulting from a personal data breach;
• controllers that allow natural persons to communicate with them via electronic means of communication should implement appropriate technical and organisational measures to ensure contact details' accuracy, e.g. by encrypting the attachments or introducing means to verify the e-mail address.
• disclosure of data subjects' personal identification numbers in connection with their names, residential addresses, telephone numbers and e-mail addresses, represents a high risk of violation of the rights or freedoms of individuals and should always be notified to the competent supervisory authority;
• even seemingly trivial personal data breaches should be carefully analysed and notified to the competent supervisory authority and if it is necessary to the affected data subjects;
• a personal data breach that was caused by the data subject's conduct should also be notified toa the competent supervisory authority;

In our opinion, the PUODO's position regarding data breach notification presented in the decision may induce controllers to inform affected data subjects about  even the most trivial incidents to be on the safe side. Furthermore, it remains unclear what kind of appropriate technical and organisational measures should be implemented by controllers to verify e-mail addresses provided by data subjects. Mere sending a confirmation link to such an address does not namely seem to be a sufficient guarantee since an unauthorised recipient may as well click on such a link. After all, as the PUODO noted itself, an unauthorised recipient should not always be trusted.

Article provided by: Xawery Konarski and Mateusz Kupiec (Traple Konarski Podrecki & Partners, Poland)

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)