» GDPR: PLN 85,000 fine for an email sent to the wrong recipient as a result of... a client's error - Niebezpiecznik.pl

The insurance company received this fine from UODO (the Polish Personal Data Protection Office). At first glance it looks very harsh, but the full circumstances of the case mattered, and in particular, according to UODO, the company's incorrect assessment of the severity of the incident. This fine is interesting for one more reason. Every day, hundreds of people receive letters, forms and other clients' data from various companies, because someone (usually the client whose data ends up with a random person) made a mistake in an e-mail address.

The mail went where it shouldn't have

The latest "GDPR" fine amounts to exactly PLN 85,588 and was imposed on Towarzystwo Ubezpieczeń i Reasekuracji Warta S.A. The circumstances of the case were not complicated at first glance. An agent sent an insurance policy by e-mail to the wrong addressee. As a result, an unauthorized person received other persons' data: first names and surnames, residence or correspondence addresses, PESEL numbers, telephone numbers, e-mail addresses and information about the insured object (a passenger car), the scope of insurance, payments, assignments, as well as additional entries arising from the insurance contract.

The following circumstances were important in this matter:

  1. the report reached UODO from the recipient of the correspondence, not from the insurance company;
  2. the client himself provided an incorrect e-mail address, and that was the cause of the incident.

It was the client's mistake. Does that not matter?

If the customer made a mistake, can the insurance company be accused of anything? Following that logic, any customer could deliberately and maliciously set up a company he dislikes "for a fine": he simply provides wrong data on purpose (e.g. a colleague's address) and then waits for the colleague to report the case to UODO. It must be made clear here that the cause of the breach does not change the fact that it occurred. The data went to an unauthorized person, so under the regulations there was a breach. That is not negotiable.

However, the matter does not end with the breach itself. After the incident, it should be assessed whether it affected the rights and freedoms of the data subjects. This in turn determines whether the case must be notified to UODO (if the risk to natural persons was not negligible) and whether the data subjects must be notified (if the risk was high).


The company assumed there was no high probability of negative consequences because... it sent the unauthorized recipient a request to permanently delete the message, along with a request for a reply confirming the deletion. Warta also assumed that since the unauthorized recipient himself contacted the company to report the event, he was aware of the seriousness of the matter and was unlikely to do anything wrong.

UODO, however, took a closer look at this unauthorized recipient.

Was it a "trusted recipient"?

In its decision, UODO itself admitted that the risk associated with such an event may be assessed differently depending on whether the recipient is considered "trusted". The Article 29 Working Party guidelines speak of this. The thing is, according to the guidelines, a trusted recipient may be, for example, another department of the same organization or a supplier whose services the controller uses on a regular basis. Such a "trusted" recipient is someone whose history and procedures the controller knows to some degree. In this case, according to UODO, the recipient was not "trusted". So one could joke that if we don't know who the recipient is, by default we should picture him as a man in a balaclava.

Remember! This is what any recipient of a misaddressed e-mail may look like

More seriously, according to UODO there was no "trusted" recipient in this case, and the company should have behaved as it always should when such a set of data (surnames, PESEL numbers, vehicles, etc.) is disclosed to an unauthorized person. The risk should have been assessed as high, the case should have been reported to UODO, and the data subjects should have been notified. UODO, however, learned about the case from the unauthorized addressee (oops!), and the data subjects were notified only after the administrative proceedings had been launched (the second oops!). The office therefore decided to impose a fine, probably counting on sending a signal to other companies, among which - judging by the e-mails that reach our editorial inbox - it encounters the same situations every day. The reason for imposing the fine is the failure to meet the obligations to notify UODO of the incident and to inform the data subjects.

If you are interested in the details, see UODO decision DKN.5131.5.2020.

Impact on other companies

Warta will pay this fine, but many data controllers can draw a very valuable lesson from it. It is better to report everything. In the decision cited above, UODO recalled the Article 29 Working Party guidelines, which state that

Data from UODO shows that usually the first thing controllers do is explain that the leak was not so bad. Sometimes the excuses are quite a stretch. In our editorial practice we have come across an interesting case in this category.

A certain hospital had poorly pseudo-protected data. The server logs showed that two people had gained access to the data: the person who informed us, and someone else (probably a Niebezpiecznik editor, but that was not certain). The hospital learned about the incident from us. We then received from the hospital a request to submit a statement that we were "that other person" and that what we did could be considered a harmless security test. It was bizarre. We did not provide the statement and advised the hospital not to take the risk of assuming it was us looking at the data (and whether it really was us... who knows?).

The Freshmail case was similar: the company also assumed that it was us who accessed the data, so it wasn't so bad. It must be admitted, however, that Freshmail did notify UODO of the case.

We are also tempted to recall the Ochnik case, where the company was supposed to inform about the leak, but sort of didn't. That company also tried to oblige customers to keep information about the leak confidential, which is never a good idea.

Finally, dear controllers of personal data, let us know in the comments (anonymously) how many fines you would get if UODO learned how many breaches you did not report. And remember: it looks like it is better to report more than less.
