Privacy from the companies' side
with simple, practical explanations, AI assisted
Observatory edited by Dr. V. Spataro



2024-03-16 · Doc 98379

Poland: the insurer sends a certificate to a stranger. Fine of 24.000 for an omission.

abstract:



Polish SA: administrative fine of € 24.000 for failure to notify a personal data breach.

It fails to notify the data subject, even though it could have omitted notifying the supervisory authority, which in any case finds out and investigates.

Source: EDPB
Link: https://www.edpb.europa.eu/news/national-news/2024




text:

14 March 2024 

Background information
  • Date of final decision: 18 October 2023
  • National case
  • Legal Reference(s): Article 35 (Data protection impact assessment), Article 83 (General conditions for imposing administrative fines)
  • Decision: Administrative fine
  • Key words: Administrative fine, Insurance, Data subject rights, Responsibility of the controller, Personal data breach

 

Summary of the Decision

 

Origin of the case  

The Polish Supervisory Authority (SA) was informed that an unauthorised recipient had received a document confirming the award of compensation in an email attachment. The e-mail from the insurance company contained personal data such as first name, last name, mailing address, brand, model and registration number of the car, as well as the policy number, damage number and the amount of the claim awarded. The unauthorised recipient informed the insurance company of the receipt of an e-mail with an attachment containing someone else's personal data, but did not receive any response.
The controller, in response to a question from the Polish SA, indicated that it was aware of the incident and explained that the e-mail was sent to an unauthorised recipient as a result of "human error". The insurer also stated that it had made a risk analysis based on "the ENISA methodology" recommended by the Polish SA. The analysis showed low risk to the rights and freedoms of the data subject, and on that basis, the company noted this incident in the controller's internal register, but did not notify it to the supervisory authority. Due to the lack of notification, the Polish SA initiated ex officio administrative proceedings against the company.


Key Findings 

The Polish SA decided to impose an administrative fine, on the basis of Article 83 (2) (a) GDPR, taking into account aggravating circumstances such as: long duration of the breach, intentionality of the finding of a breach of data protection regulations in other proceedings pending against the company, unsatisfactory level of cooperation with the supervisory authority.
The Polish SA also pointed out that this company is subject to specific obligations imposed by Article 35 (1) of the Act of September 11, 2015 on Insurance and Reinsurance Activities, according to which the insurance company and its employees, as well as persons and entities by means of which the insurance company performs insurance operations, are obliged to maintain the secrecy pertaining to individual insurance contracts.


Decision 

The President of the Polish SA has imposed the administrative fine in the amount of € 24.000 (PLN 103.752) on the insurance company. The reason for imposing the administrative fine was a failure to notify the personal data breach to the supervisory authority.
 

For further information: national decision (Polish)


Link: https://www.edpb.europa.eu/news/national-news/2024

Text of 2024-03-16. Source: EDPB



