On 17 December 2020, the Polish Personal Data Protection Office imposed a fine of PLN1m (around €250,000) on ID Finance Poland. The company was the victim of a cyber attack but the data protection authority (DPA) concluded that the way the company dealt with the incident did not comply with the EU General Data Protection Regulation (GDPR).
The decision is remarkable because it shows how the victim can quickly turn into the offender from a GDPR enforcement perspective. To mitigate enforcement risk in these situations, it is crucial that companies not only try to fix the issues from an IT perspective but also implement a legal defence strategy to avoid fines, other corrective measures imposed by DPAs and potentially follow-on (mass) claims by affected individuals.
What happened?
Data held by the company was compromised in a sophisticated cyber attack. The attacker copied the data, deleted it from the company's servers and then demanded a ransom payment. After receiving the demand, the company began to analyse the security measures on its servers, informed its customers and reported the data breach to the Polish DPA.
However, the DPA said the company should have identified the threat much sooner. This rather stringent approach is in line with recent guidance from the European Data Protection Board (EDPB). (For more on the EDPB guidance, see our blog post.)
Furthermore, the Polish DPA concluded that the company had failed to implement, effectively and promptly, the appropriate technical and organisational measures (TOMs) to remediate the vulnerability that led to the breach, as required under Articles 5, 25 and 32 of the GDPR.
No tolerance for late implementation of necessary TOMs
Noting that the breach could have been avoided had the organisation acted immediately after being informed of the security vulnerability, the Polish DPA found that the company had violated the GDPR requirements on data security and decided to impose a fine.
What organisations should do
This decision is in line with a trend across Europe: DPAs focus heavily on the timely and effective implementation of TOMs. Accordingly, as soon as an organisation learns of a security vulnerability or a data breach, it is crucial that it takes appropriate remediation measures (eg to protect affected individuals) without delay.
Conscious of the difficulties organisations face when assessing the adequacy of security measures, many DPAs and cybersecurity agencies have published guidance and best practice on the implementation of TOMs, including the EU Agency for Cybersecurity, Germany's Federal Office for Information Security, Germany's Bavarian DPA, the French National Cybersecurity Agency, the French DPA and the UK DPA. However, this guidance is very abstract, so it remains up to each company to determine which TOMs are adequate for protecting the personal data it processes.
Companies should also remember that the accountability principle under Article 5(2) of the GDPR requires comprehensive documentation of how TOMs were implemented. Organisations therefore need to record their decision-making around specific TOMs (eg in policies or data protection impact assessments) in a way that allows DPAs to understand why particular measures were or were not implemented. Otherwise companies face the risk that, even if all their TOMs were appropriate to the perceived risk, they will be sanctioned for insufficient documentation, as happened recently in Finland.