Background
In Poland, the Social Insurance Institution (Zakład Ubezpieczeń Społecznych, “ZUS”) is responsible, amongst other things, for collecting social security contributions and distributing them in accordance with the laws of Poland. It is administered using an online Electronic Services Platform (“PUE”; together, the “ZUS PUE Platform”). Similar to the United Kingdom’s Government Gateway, the ZUS PUE Platform is accessible to individuals and employers.
During February 2021, Santander Bank Polska S.A. (the “Bank”), a controller within the meaning of Article 4 GDPR, notified the Data Protection Authority in Poland (the “UODO”) of a personal data breach. Despite their employment at the Bank having ended, a former employee was able to log into the ZUS PUE Platform using the Bank’s credentials and gain unauthorised access to, and browse, records belonging to 10,500 data subjects. The Bank’s former employee logged onto the ZUS PUE Platform five times between June 2020 and February 2021, inclusive. The Bank, having referred the matter to ZUS, was unable to ascertain which records the former employee had viewed on each occasion, or which data subjects those records related to.
The records contained personal data belonging to each data subject, namely: first name, last name, address, and national identification number. The records also contained special category data, namely: information relating to sickness leave, constituting data concerning health.
The UODO wrote to the Bank during March 2021 setting out its rationale as to why the Bank should notify data subjects within the meaning of Article 34 GDPR – i.e. the UODO determined that the nature of the data the former employee had access to was “high risk” data.
The Bank disagreed and concluded that a personal data breach within the meaning of Article 4(12) GDPR had not occurred. In support of its analysis, the Bank relied upon the fact that, whilst the former employee had access to the 10,500 records held within the ZUS PUE Platform, ZUS refused to produce evidence setting out how many data subjects were actually impacted and what personal data was actually accessed. The Bank stated that its notification to the UODO had been made purely out of prudence.
Instead, the Bank published a general notification on its internal messaging platform to those who were current employees at the time. It did not refer specifically to the above-mentioned incident and is said to relate only to a hypothetical situation in which a personal data breach might occur.
The Decision
The UODO commenced administrative proceedings against the Bank in July 2021 (DKN.5131.33.2021).
The UODO decided that due to the fact the Bank’s former employee had unauthorised access to the ZUS PUE Platform, it was possible that the former employee viewed personal data and special category data belonging to data subjects (as set out above) and, as a consequence, that this posed a high risk of violating the rights and freedoms of natural persons (as per Article 34(1) GDPR).
The UODO relied upon guidance issued by the Article 29 Data Protection Working Party (WP29), namely: “[t]his risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation” (our emphasis added).
Due to the scope of data involved, and the specific facts of the case, the UODO concluded that there had been a personal data breach within the meaning of Article 4(12) GDPR and that the Bank was in breach of Article 34(1). The Bank did not notify data subjects of the personal data breach without undue delay.
The UODO: (1) imposed a fine of EUR 120,000 (which is calculated as 0.011% of the total annual global turnover of the Bank from the previous financial year); and (2) ordered the Bank to notify data subjects who were employed by the Bank during the time the former employee had unauthorised access to the ZUS PUE Platform pursuant to Article 34(2) GDPR.
In its decision, the UODO noted that the Bank’s cooperation was unsatisfactory during the investigation and during the administrative proceedings. However, the decision does not go as far as to say that the Bank had breached its obligation to cooperate with the UODO under Article 31 GDPR.
Conclusion
During the administrative proceedings, the Bank revealed that an internal policy existed to prevent leavers from gaining unauthorised access to the ZUS PUE Platform after termination of their employment with the Bank. Nevertheless, at least two other former employees (referred to as Ms B and Ms C) did not have their access to the ZUS PUE Platform revoked on termination of their employment, although neither of them went on to access the platform.
This decision is a reminder that organisations should ensure that their leaver processes and procedures are fit for purpose and that regular audits are carried out to confirm that access is in fact revoked. This is in line with the ICO’s recent guidance on ransomware and data protection compliance (see the article in this month’s newsletter).