The President of the Personal Data Protection Office imposed a fine of more than PLN 33,000 on a controller who lost the confidentiality of personal data. In addition, the authority ordered him to stop entrusting data to a processor with whom he had cooperated on the basis of an entrustment agreement containing gaps.
The breach of the GDPR arose from a failure to implement adequate technical and organisational measures to ensure data security. The controller also failed to analyse the risks involved in entrusting personal data to an external provider.
The President of the PDPO draws attention to the obligation to conduct a risk analysis and implement and verify security measures. It should be remembered that even a long-standing cooperation between the controller and the processor does not provide adequate guarantees of data security.