[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdu5A53tquxtv4BmTv_D1ayZhBj5iKndQ9bgW_EizUqg":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"76df9230-7e90-4ea0-9216-2cfd1a138f4a","UODO (Poland) - DKN.5131.7.2022","uodo-poland-dkn-5131-7-2022-1fd9b1","=== Holding ===
First, the DPA held that the controller had violated the principles of integrity and confidentiality enshrined in Article 5(1)(f) and the principle of accountability laid down in [[Article 5 GDPR#2|Article 5(2) GDPR]]. It had also violated Articles [[Article 24 GDPR|24(1)]], [[Article 25 GDPR|25(1)]], [[Article 28 GDPR|28(1)]], [[Article 32 GDPR|32(1)]] and [[Article 32 GDPR|32(2) GDPR]], which specify these principles. The DPA issued the controller a reprimand.
The DPA found that the controller had failed to implement appropriate technical and organisational measures itself and had also failed to properly verify whether the (sub-)processors had provided sufficient guarantees that they had implemented such measures. The data processing agreements required by [[Article 28 GDPR#1|Article 28(1) GDPR]] were very general in nature, and none of the parties in the chain of contracts had conducted a risk analysis to select appropriate security measures. In addition, the controller had not continuously monitored the processing activities.
Second, the DPA held that the two processors and the sub-processor had violated Articles [[Article 32 GDPR|32(1)]] and [[Article 32 GDPR|32(2) GDPR]] read in conjunction with [[Article 28 GDPR#4|Article 28(4) GDPR]]. They had all failed to implement appropriate technical and organisational measures to ensure the security of personal data processing. The sub-processor was held largely responsible for the data breach: it had started using the app to process customers’ personal data without authorisation from the controller or the processors. Furthermore, the DPA pointed out that the sub-processor should have verified whether the application would still allow a former employee to access the personal data after the employment relationship had ended. The DPA reprimanded the processors and fined the sub-processor €2,415.","Poland's Data Protection Authority (UODO) has issued a reprimand to a data controller for violating the GDPR principles of integrity, confidentiality and accountability. The controller failed to implement adequate technical and organisational measures itself and failed to properly vet its processors and sub-processor. Two processors were also reprimanded, and a sub-processor was fined €2,415, for failing to implement appropriate security measures. The sub-processor was held largely responsible for the data breach: it had used a smartphone app to process customers' personal data without authorisation and had not verified that former employees lost access to that data when their employment ended.","Poland's UODO reprimands controller and processors, fines sub-processor €2,415 for GDPR violations.","UODO (Poland) - DKN.5131.7.2022: Difference between revisions (GDPRhub). Revision as of 12:37, 26 June 2026 and latest revision as of 12:44, 26 June 2026, both by Av. The later revision only adds wikilinks to the GDPR articles cited in the Holding section; the text of the latest revision follows.
UODO - DKN.5131.7.2022
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 24(1) GDPR, Article 25(1) GDPR, Article 28(1) GDPR, Article 28(4) GDPR, Article 32(1) GDPR, Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 02.03.2022
Decided: 13.04.2026
Published: 25.06.2026
Fine: 2,415 EUR
Parties: n\u002Fa
National Case Number\u002FName: DKN.5131.7.2022
European Case Law Identifier: n\u002Fa
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: av
The DPA fined a sub-processor €2,415 for failure to implement technical and organisational measures to guarantee the security of processing: former employees of the sub-processor still had access to customers’ personal data that had been shared in an app.
English Summary
Facts
An electricity sales company (the controller) had outsourced some of its operations to two processors and one sub-processor. Between July 2020 and March 2021, employees of the sub-processor had used a smartphone application to send pictures of customer contracts containing the personal data of individuals residing at addresses visited during door-to-door sales (the data subjects). The controller had not authorised this practice, and former employees of the sub-processor could still access the personal data through the app. The controller identified the use of the app as a data breach and notified the supervisory authority in April 2021. The DPA initiated administrative proceedings in March 2022.
Holding
First, the DPA held that the controller had violated the principles of integrity and confidentiality enshrined in Article 5(1)(f) and the principle of accountability laid down in Article 5(2) GDPR. It had also violated Articles 24(1), 25(1), 28(1), 32(1) and 32(2) GDPR, which specify these principles. The DPA issued the controller a reprimand.
The DPA found that the controller had failed to implement appropriate technical and organisational measures itself and had also failed to properly verify whether the (sub-)processors had provided sufficient guarantees that they had implemented such measures. The data processing agreements required by Article 28(1) GDPR were very general in nature, and none of the parties in the chain of contracts had conducted a risk analysis to select appropriate security measures. In addition, the controller had not continuously monitored the processing activities.
Second, the DPA held that the two processors and the sub-processor had violated Articles 32(1) and 32(2) GDPR read in conjunction with Article 28(4) GDPR. They had all failed to implement appropriate technical and organisational measures to ensure the security of personal data processing. The sub-processor was held largely responsible for the data breach: it had started using the app to process customers’ personal data without authorisation from the controller or the processors. Furthermore, the DPA pointed out that the sub-processor should have verified whether the application would still allow a former employee to access the personal data after the employment relationship had ended. The DPA reprimanded the processors and fined the sub-processor €2,415.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
[1] See: point 1 of the Company's explanations provided in a letter dated: August 14, 2023.
[2] See: point 8 of the Company's explanations provided in a letter dated: June 7, 2021.
[3] See: point 3 of the Sub-Agent's explanations provided i","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=UODO_(Poland)_-_DKN.5131.7.2022&diff=52004&oldid=52003","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F7\u002F7b\u002FLogoPL.png","2026-06-26T12:44:38+00:00","2026-06-26T14:00:33.36423+00:00",7,[18],{"name":19,"type":20},"UODO","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,34,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":21,"icon":23,"name":24,"slug":25},{"category":35},{"id":36,"icon":23,"name":37,"slug":38},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]