Background information
- Date of final decision: 18 October 2023
- National case
- Legal Reference(s): Article 35 (Data protection impact assessment), Article 83 (General conditions for imposing administrative fines)
- Decision: Administrative fine
- Key words: Administrative fine, Insurance, Data subject rights, Responsibility of the controller, Personal data breach
Summary of the Decision
Origin of the case
The Polish Supervisory Authority (SA) was informed that an unauthorised recipient had received, as an e-mail attachment, a document confirming the award of compensation. The e-mail from the insurance company contained personal data such as first name, last name, mailing address, make, model and registration number of the car, as well as the policy number, the claim number and the amount of compensation awarded. The unauthorised recipient informed the insurance company that they had received an e-mail with an attachment containing someone else's personal data, but did not receive any response.
The controller, in response to a question from the Polish SA, indicated that it was aware of the incident and explained that the e-mail had been sent to the unauthorised recipient as a result of "human error". The insurer also stated that it had carried out a risk analysis based on "the ENISA methodology" recommended by the Polish SA. According to the insurer, the analysis showed a low risk to the rights and freedoms of the data subject; on that basis the company recorded the incident in its internal breach register but did not notify it to the supervisory authority. Because of the missing notification, the Polish SA initiated administrative proceedings against the company ex officio.
Key Findings
The Polish SA did not share the controller's assessment that the breach posed a low risk and held that it should have been notified. It decided to impose an administrative fine on the basis of Article 83(2)(a) GDPR, taking into account the following aggravating circumstances: the long duration of the breach, its intentional nature, a breach of data protection rules already found in other proceedings pending against the company, and an unsatisfactory level of cooperation with the supervisory authority.
The Polish SA also pointed out that the company is subject to specific obligations under Article 35(1) of the Act of 11 September 2015 on Insurance and Reinsurance Activities, according to which the insurance company and its employees, as well as the persons and entities through which the insurance company carries out insurance operations, are obliged to maintain secrecy regarding individual insurance contracts.
Decision
The President of the Polish SA imposed an administrative fine of EUR 24,000 (PLN 103,752) on the insurance company. The reason for the fine was the failure to notify the personal data breach to the supervisory authority, as required by Article 33 GDPR.
For further information: national decision (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.