I provvedimenti spiegati alle aziende
con guide, checklist, modelli; AI assisted
Osservatorio a cura del dott. V. Spataro 



   email 2024-03-16 ·  NEW:   Appunta · Stampa · Cita: 'Doc 98379' · pdf

Polonia: l'assicurazione manda un certificato ad un estraneo. Sanzione di 24.000 per una omissione.

abstract:



Polish SA: administrative fine of € 24.000 for failure to notify a personal data breach.

Omette di avvisare l'interessato, anche se poteva omettere di avvisare il Garante che comunque viene a sapere e indaga.

Fonte: EDPB
Link: https://www.edpb.europa.eu/news/national-news/2024




analisi:

L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni

.'....... ............ ... .... .' ..... ............ ..... .. ...... ... ....... .....

.. ............ ...... ...... ....'...... .'........

.'....... ..... ........ .. ....... ....., ...... ... ..... ......... .. ....... .'...... ....'..... ... ...../..... ....'.......... . ......

.. ...... .......... ...'............ . ... .'.. ...... ........ ......., .... .....

.. ......... .. .......... ..... ...... ....... .........:

".. .... .. ..... . ....... ........., .'........... .. ........ ... ............ ....... ... .... ...... ............... ......."

.. ......... ........ ....... ...... ...:

.) ....... ............. .... ....... ..., ... ........ .'..... ......... . ........... .... ...... ......, ... ........ .........

.) ... ....... ..... .. ..... .. .. .... ...... ....... ... ....... .'..... ........., ............ ... ..... ....... .. ..... ... ........

..... ......... ... .... ..... ....'.....

. .... .......... ..... ......... ......, ............ .. ... ......... . ..... .........., .. ...... ... .'... . .... .. ... ... ..... .........

.. ....... ... .. .......... ....... ......... ............ ........... .............

. ....:

.-.... .... ... ......... ....... ......... ........ .... .... ..

  • ..... ....,
  • .... ....,
  • ....... .......,
  • .....,
  • ..... ... ............ ...... .. ... ...,
  • .. .... .. ... ...... ......,
  • ...... ...... ...
  • ... ............ .. ... ..... .......



index:




testo:

14 March 2024 

Background information
  • Date of final decision: 18 October 2023
  • National case
  • Legal Reference(s): Article 35 (Data protection impact assessment), Article 83 (General conditions for imposing administrative fines)
  • Decision: Administrative fine
  • Key words: Administrative fine, Insurance, Data subject rights, Responsibility of the controller, Personal data breach

 

Summary of the Decision

 

Origin of the case  

The Polish Supervisory Authority (SA) was informed that unauthorised recipient had received a document confirming the award of compensation in an email attachment. The e-mail from the insurance company contained personal data such as first name, last name, mailing address, brand, model and registration number of the car, as well as the policy number, damage number and the  amount of the claim awarded. The unauthorised recipient informed the insurance company of the receipt of an e-mail with an attachment containing someone else's personal data, but did not receive any response.
The controller, in response to a question from the Polish SA, indicated that it was aware of the incident and explained that the e-mail was sent to unauthorised recipient as a result of human error”. The insurer also informed that it made a risk analysis based on "the ENISA methodology” recommended by the Polish SA. The analysis showed low risk to the rights and freedom of the data subject, and on that basis, the company noted this incident in the controller’s internal register, but did not notify it to the supervisory authority. Due to the lack of notification, the Polish SA initiated ex officio administrative proceedings against the company.


Key Findings 

The Polish SA decided to impose an administrative fine, on the basis of on  Article 83 (2) (a) GDPR, taking into account aggravating circumstances such as: long duration of the breach, intentionality of the finding of a breach of data protection regulations in other proceedings pending against the company, unsatisfactory level of cooperation with the supervisory authority. 
The Polish SA also pointed out that this company is subject of specific obligations imposed by Article 35 (1) of the Act of September 11, 2015 on Insurance and Reinsurance Activities, according to which the  insurance company and its employees, as well as persons and entities by means of which the insurance company performs insurance operations are obliged to maintain the secrecy pertaining to individual insurance contract.


Decision 

The President of the Polish SA has imposed the administrative fine in the amount of  € 24.000 (PLN 103.752) on the insurance company. The reason for imposing the administrative fine was a failure to notify the personal data breach to the supervisory authority.
 

For further information: national decision (Polish)


Link: https://www.edpb.europa.eu/news/national-news/2024

Testo del 2024-03-16 Fonte: EDPB




Commenta



i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.


Ricevi gli aggiornamenti su Polonia: l'assicurazione manda un certificato ad un estraneo. Sanzione di 24.000 per una omissione. e gli altri post del sito:

Email: (gratis Info privacy)






Nota: il dizionario è aggiornato frequentemente con correzioni e giurisprudenza