Polish DPA imposed  EUR 20,000 fine on the insurance company WARTA S.A. for not notifying a personal data breach and infringing the provision of the General Data Protection Regulation.

Polish DPA received information about an e-mail which includes insurance policy has been send from an insurance agent to an unauthorised addressee. The attached document contained names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of insurance (passenger car).

Polish DPA has been informed of the personal data breach by an unauthorised addressee who has taken possession of documents not intended for him or her, and the confidentiality of the persons concerned has been breached. The company did not notify a personal data breach and did not communicate the incident to the persons affected by the breach.

In the course of the proceedings, the Polish DPA considered that the fact that the breach occurred as a result of a mistake of a customer who provided the wrong e-mail address cannot cause the lack of qualification of the event as a personal data breach. According to Polish DPA, when allowing the possibility to use e-mail for communication with the customer, the controller should be aware of the risks associated with, for example, incorrect e-mail address provided by the customer. Therefore, in order to minimise these risks, the controller should take appropriate organisational and technical measures, such as verification of the address provided or encrypting the documents sent in this way.

Also, the fact of requesting the wrong recipient to permanently delete the correspondence received cannot determine that a risk to the rights and freedoms of the data subjects is not high. Because the controller cannot be sure whether the unauthorised addressee has not made, for example, a copy of the documents or has not recorded them.

You can read the EU Commission’s announcement here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law