[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faDg4tj1I7hMv7HAbPw0V0pf8gpmv6rVJPzrmIfO02JM":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"ab1bd0c9-00f5-42a9-80b1-354f3ee0f136","UODO (Poland) - DKN.5131.7.2022","uodo-poland-dkn-5131-7-2022-18d2eb","Revision as of 08:56, 30 June 2026, Line 73. Older revision: The DPA fined a sub-processor €2,415 for failure to implement technical and organisational measures to guarantee the security of processing: former employees of the sub-processor still had access to customers’ personal data that was shared in an app. Latest revision: The DPA fined a sub-processor €2,415 for failure to implement technical and organisational measures to guarantee the security of processing: former employees of the sub-processor still had access to customers’ personal data that was shared on an app. == English Summary ==","Poland's Data Protection Authority (UODO) fined a sub-processor €2,415 for failing to implement adequate technical and organizational measures. Former employees retained access to customer personal data shared via an app, violating GDPR principles of integrity, confidentiality, and accountability. 
The controller also received a reprimand for insufficient oversight of its processors.","Poland's DPA fined a sub-processor €2,415 for data security violations.","UODO (Poland) - DKN.5131.7.2022: Difference between revisions (GDPRhub). Revision as of 12:44, 26 June 2026 by Av; latest revision as of 08:56, 30 June 2026 by Av. Line 73, older revision: The DPA fined a sub-processor €2,415 for failure to implement technical and organisational measures to guarantee the security of processing: former employees of the sub-processor still had access to customers’ personal data that was shared in an app. Line 73, latest revision: The DPA fined a sub-processor €2,415 for failure to implement technical and organisational measures to guarantee the security of processing: former employees of the sub-processor still had access to customers’ personal data that was shared on an app. 
== English Summary == Latest revision as of 08:56, 30 June 2026 UODO - DKN.5131.7.2022 Authority: UODO (Poland) Jurisdiction: Poland Relevant Law: Article 5(1)(f) GDPR Article 5(2) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 28(1) GDPR Article 28(4) GDPR Article 32(1) GDPR Article 32(2) GDPR Type: Investigation Outcome: Violation Found Started: 02.03.2022 Decided: 13.04.2026 Published: 25.06.2026 Fine: 2,415 EUR Parties: n\u002Fa National Case Number\u002FName: DKN.5131.7.2022 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Polish Original Source: UODO (in PL) Initial Contributor: av The DPA fined a sub-processor €2,415 for failure to implement technical and organisational measures to guarantee the security of processing: former employees of the sub-processor still had access to customers’ personal data that was shared on an app. English Summary Facts An electricity sales company (the controller) had outsourced some of its operations to two processors and one sub-processor. Employees of the sub-processor had used a smartphone application between July 2020 and March 2021 to send pictures of customer contracts containing the personal data of individuals residing at addresses visited during door-to-door sales (the data subjects). The controller had not authorised this practice, and former employees of the sub-processor could still access the personal data through the app. The controller identified the use of the app as a data breach and notified the supervisory authority about it in April 2021. The DPA initiated administrative proceedings in March 2022. Holding First, the DPA held that the controller had violated the principles of integrity and confidentiality enshrined in Article 5(1)(f) and the principle of accountability laid down in Article 5(2) GDPR. 
It had also violated Articles 24(1), 25(1), 28(1), 32(1) and 32(2) GDPR, which specify these principles. The DPA issued the controller a reprimand. The DPA found the controller had failed to implement appropriate technical and organisational measures itself and also failed to properly verify whether the (sub-)processors had provided sufficient guarantees that they had implemented such measures. The data protection agreements required in Article 28(1) GDPR were very general in nature, and none of the parties in the chain of contracts had conducted a risk analysis to select appropriate security measures. In addition, the controller had not continuously monitored the processing activities. Second, the DPA held that the two processors and the sub-processor had violated Articles 32(1) and 32(2) GDPR read in conjunction with Article 28(4) GDPR. They had all failed to implement appropriate technical and organisational measures to ensure the security of personal data processing. The sub-processor was largely held responsible for the data breach – it had started using the app to process customers’ personal data without authorisation from the controller or the processors. Furthermore, the DPA pointed out the sub-processor should have verified whether the application would allow access to the personal data through it even after the termination of the employment relationship. The DPA reprimanded the processors and fined the sub-processor €2,415. Comment Further Resources English Machine Translation of the Decision The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. [1] See: point 1 of the Company's explanations provided in a letter dated: August 14, 2023. [2] See: point 8 of the Company's explanations provided in a letter dated: June 7, 2021. [3] See: point 3 of the Sub-Agent's explanations provided in a letter dated: August 2, 2024. 
[4] See: points 1 and 3 of the Sub-Agent's explanations provided in a letter dated: July 3, 2024. [5] See: § 2 section 1 letter b) and § 2 section 4 of each of the above-mentioned agreements, as well as point 3 of the Company's explanations provided in a letter dated: November 21, 2022. [6] See: point 1 of Agent 1's explanations provided in a letter dated: November 17, 2021, and point 1 of the Sub-Agent's explanations provided in a letter dated: November 16, 2021. [7] See: point 3 of the Company's explanations provided in a letter dated: November 7, 2025. [8] See: point 4 of the Company's explanations provided in a letter dated: June 7, 2021, point 4 of the Company's explanations provided in a letter dated: November 7, 2025, and point 3 of the Company's explanations provided in a letter dated: November 21, 2022. [9] See: point 1 of the Company's explanations provided in a letter dated November 21, 2022, and the personal data breach notification form sent by the Company, and point 3 of the Company's explanations provided in a letter dated August 12, 2024. [10] See: screenshot sent as Appendix No. 1 to the aforementioned Company's explanations provided in a letter dated November 21, 2022. [11] See: point 2 of the Company's explanations provided in a letter dated August 14, 2023. [12] See: point 9 of the Company's explanations provided in a letter dated June 7, 2021. [13] See: among other things, the entry in box 3B of the personal data breach notification form sent by the Company. [14] See: point 1 of the Company's explanations provided in a letter dated August 12, 2024. [15] See: Item 2 of the Company's explanations provided in a letter dated: August 12, 2024. [16] See: Item 7 of the Company's explanations provided in a letter dated: June 7, 2021. [17] See: Item 1 of the Company's explanations provided in a letter dated: November 21, 2022. [18] See: Appendix No. 5 to the Company's explanations provided in a letter dated: June 7, 2021. [19] See: Appendix No. 
3 to the Company's explanations provided in a letter dated: June 7, 2021. [20] See: Appendix No. 6 to the Company's explanations provided in a letter dated: June 7, 2021. [21] See: Appendix to the Sub-Agent's explanations provided in a letter dated: August 9, 2021. [22] See: item 3 of the Company's explanations provided in a letter dated: August 12, 2024, and item 1 of the Company's explanations provided in a letter dated: August 14, 2023. [23] See: item 2 of the Company's explanations provided in a letter dated: August 10, 2021, and item 3 in fine of the Company's explanations provided in a letter dated: August 12, 2024. [24] See: item 6 of Agent 2's explanations provided in a letter dated: August 4, 2025. [25] See: item 5 of the Company's explanations provided in a letter dated: June 7, 2021. [26] See: Company's explanations provided in a letter dated: November 18, 2021. [27] See: point 5 of the Company's explanations provided in a letter dated June 7, 2021, and appendix no. 4 thereto. [28] See: point 1 of the Company's explanations provid","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=UODO_(Poland)_-_DKN.5131.7.2022&diff=52014&oldid=52004","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F7\u002F7b\u002FLogoPL.png","2026-06-30T08:56:25+00:00","2026-06-30T10:00:19.20701+00:00",7,[18],{"name":19,"type":20},"UODO","vendor","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":21,"icon":23,"name":24,"slug":25},null,"GDPR","gdpr",[27,32,34,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":33},{"id":21,"icon":23,"name":24,"slug":25},{"category":35},{"id":36,"icon":23,"name":37,"slug":38},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]