Panek SA has faced significant consequences for violating GDPR regulations, resulting in a financial penalty imposed by the President of the Personal Data Protection Office (PUODO). The incident highlighted major organizational shortcomings and failures in implementing the technical and organizational measures necessary to ensure data processing security.
How the Violation Occurred
The problem arose during the company’s website redesign process. Due to a lack of proper communication between the data controller (the company) and the data processor (the IT company), a server configuration error occurred. An employee of the subcontractor inadvertently uploaded files containing personal data of clients and employees from the old website onto the new site. These files were indexed by Google, making them publicly accessible.
The leaked data included:
- Names and surnames
- Email addresses
- Home addresses
- Encrypted passwords for the customer portal.
The incident affected a total of 21,453 individuals, including the company’s clients and employees.
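An added example, not code from the article or from either company involved: a pre-go-live scan of a staged web root that flags files likely to hold the kind of data listed above (several e-mail addresses per file, hashed portal passwords, spreadsheet or database exports), so a migration mistake like this one is caught before the files are served and indexed. The suffix list, thresholds, file names and sample contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Export/dump/backup formats that rarely belong in a public web root (assumed list).
SUSPECT_SUFFIXES = {".csv", ".sql", ".xls", ".xlsx", ".bak", ".zip", ".old"}
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")
# Modular-crypt-format prefixes of common password hashes (bcrypt, sha-crypt, argon2, phpass).
HASH_RE = re.compile(rb"\$(?:2[aby]|5|6|argon2id?|P)\$")

def scan_file(path: Path, sample_bytes: int = 65536) -> list[str]:
    """Return the reasons a file looks like a stray personal-data export (empty if none)."""
    reasons = []
    if path.suffix.lower() in SUSPECT_SUFFIXES:
        reasons.append(f"suffix {path.suffix.lower()}")
    data = path.read_bytes()[:sample_bytes]
    # One contact address on a page is normal; several distinct ones suggest a record export.
    emails = len(set(EMAIL_RE.findall(data)))
    if emails >= 3:
        reasons.append(f"{emails} distinct e-mail addresses")
    if HASH_RE.search(data):
        reasons.append("password-hash-like strings")
    return reasons

def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a staged web root and map each suspect file (relative POSIX path) to its findings."""
    root_path = Path(root)
    findings: dict[str, list[str]] = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            reasons = scan_file(p)
            if reasons:
                findings[p.relative_to(root_path).as_posix()] = reasons
    return findings

def make_constructed_sample() -> str:
    """Build a throwaway web root with constructed data: one ordinary page, one leftover export."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_bytes(b"<p>Contact: info@example.com</p>")
    (root / "old").mkdir()
    (root / "old" / "clients.csv").write_bytes(
        b"name,email,address,password_hash\n"
        b"Anna,anna@example.com,Warsaw,$2b$12$constructedhashvalue\n"
        b"Bartek,bartek@example.com,Krakow,$2b$12$constructedhashvalue\n"
        b"Celina,celina@example.com,Lodz,$2b$12$constructedhashvalue\n"
    )
    return str(root)
```

Running `scan_webroot(make_constructed_sample())` reports only `old/clients.csv`; the contact page with a single address is left alone.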
Financial Penalties and Liability
As a result of PUODO’s investigation, Panek SA was fined PLN 1,527,855, while the IT company managing the website was hit with an administrative fine of PLN 20,037. The fines were based on:
- The scale of the violation
- The number of individuals whose data was exposed
- The annual turnover of the data controller, in accordance with GDPR regulations.
Organizational Errors and Lack of Supervision
An analysis of the incident revealed significant shortcomings in both the company’s and the subcontractor’s actions:
- Lack of risk analysis – The data controller failed to identify potential risks associated with data migration.
- Insufficient protective measures – The technical and organizational measures implemented were neither tested nor evaluated for effectiveness.
- Lack of supervision – The company did not monitor the website redesign process, assuming that the IT company would ensure an adequate level of protection.
- Unclear data processing agreement – The agreement did not account for the specific requirements regarding the website as a collection of personal data.
The incident underscores the critical importance of properly managing the security of personal data. PUODO emphasizes that the data controller is responsible for ensuring the proper level of protection, even when data processing is outsourced to another entity.
Source: managerplus.pl