Record fine, more than PLN 4.9 million, imposed on a Polish data controller

Fortum Marketing and Sales Polska S.A. was fined more than PLN 4.9 million for failing to implement adequate technical and organisational measures to ensure the security of personal data and for failing to verify the entity processing personal data on its behalf. In turn, a fine of PLN 250,000 was imposed on the processor acting for the controller.
The breach consisted in the copying of the controller's customer data by unauthorised persons during changes to the IT environment. The processor was responsible for implementing those changes. In the course of the change, an additional customer database was created, and the server on which it was placed lacked an appropriate security configuration. The controller learned of the incident not from the processor but from two individuals who had gained unauthorised access to the database as a result of the processor's actions. Moreover, real customer personal data was used in the process instead of test data, and the effectiveness of the safeguards applied was not verified before the change went live. A copy of production data made for a migration or test is subject to the same protection as the original, which is exactly what was missing here.
The processor acted in breach of the ISO information-security standards and of its own security policy, which referred to those standards. The processor also failed to comply with the data processing agreement, in which it had undertaken to ensure an adequate level of data security.

The implementation of solutions intended to improve the efficiency of services should be preceded by an analysis weighing the expected benefits against the risks of the planned change. No such analysis was carried out. In the reasoning of the decision, the President of the Personal Data Protection Office (PDPO) indicated that the controller did not follow its own rules for introducing changes to the IT environment and did not examine the lawfulness of the actions taken by the processor.