“Control” is the highest form of trust – why is it worth auditing your processors?

01 Mar 2022
Jakub Wietrzyński

Record-breaking GDPR penalty. February 28 this year. Another information about an administrative fine has appeared on the UODO website.

The President of UODO imposed an administrative fine on Fortum Marketing and Sales Polska. Its amount is almost PLN 5 million (exactly PLN 4,911,732). The reason for the imposition of the penalty was the lack of implementation of appropriate technical and organizational measures ensuring the security of personal data and the lack of verification of the processor.

We can read this information from the general announcement published on the UODO website. As always, however, I encourage you to follow the decision of the President of the Personal Data Protection Office in more detail ( https://www.uodo.gov.pl/decyzje/DKN.5130.2215.2020 ). In that decision, the reasons for the infringement were presented very precisely. they are described from two points of view: the Administrator and the Processor (PIKA Sp. z oo). It is worth noting here that the processor was also fined with an administrative fine (PLN 250,000).

The most important information related to the Decision DKN.5130.2215.2020:

  • the penalty is a result of a breach of personal data protection, consisting in copying data of about 95,000 Fortum Marketing and Sales customers by unauthorized persons;
  • the scope of the data concerned by the violation is very wide and includes, among others: name and surname, address, PESEL number, type, series and number of the identity document;
  • the data was copied as a result of the work of a processor (IT service provider), which did not properly secure the test environment;
  • The company has concluded a personal data processing agreement with a service provider, in which it has established security requirements, but has not verified whether they are actually implemented;
  • work on changes to the system was performed on a copy of production data, and the security of the test environment was not analogous to the production environment;
  • The company has not examined whether the product supplied by the supplier is safe (no verification of the effectiveness of technical and organizational measures).

What can be inferred from this?

  • the processing entrustment agreement itself, even with the most stringent provisions, does not protect the administrator against penalty if he does not control his processor (processor audit),
  • the administrator should be able to provide evidence of conducting vulnerability tests / penetration tests of the implemented IT solutions – actual verification of the effectiveness of technical and organizational measures,
  • in the opinion of the Personal Data Protection Office, unauthorized disclosure of such a category of data as a PESEL number and surname may have a real and negative impact on the protection of the rights or freedoms of natural persons – such a breach requires notification to both the supervisory authority and data subjects,
  • production data, in particular those containing personal data, should not be used in the test environment ,
  • in fact, the processor received a more severe penalty than the administrator (PLN 4.9 million is only 0.18% of Fortum Marketing and Sales’s turnover in 2020, PLN 50 thousand is as much as 1.19% of the turnover achieved by PIKA in 2020) ,

Do we manage processors?

Who of you actually audits your processors as part of the supervision over their processors? I am not talking about the “GDPR survey” sent to the processor, because this, speaking colloquially, is worth a button. Who among you developed and presented to your IT service providers a change management procedure? Who of you regularly conducts vulnerability testing and penetration testing of your IT systems?

In most organizations, the GDPR is associated only with information clauses, clean desk principles and entrustment agreements. In my opinion, this is the result of the lack of proper competences. Not without significance is the lack of experience of people responsible for the implementation of GDPR in organizations. It is a bit easier to write an information clause than to perform a penetration test 😊.

The world shows that the actual security of personal data is a key aspect in ensuring compliance with the provisions of the GDPR. Therefore, I encourage you to turn to external entities for help. Those that specialize in issues related to personal data protection and information security, such as Blue Energy.


Do you want to ensure the security of your personal data, do not wait:

Do you need more information: biuro@grupablue.pl


See also

19 Apr
As an Administrator, can you choose the appropriate technical and organizational security measures necessary to ensure compliance with the GDPR?

The President of the Personal Data Protection Office imposed an administrative fine on the President of the District Court in Zgierz. The fine is not spectacular in terms of amount (PLN 10,000) and was imposed last year, but it is still worth paying attention to.

Read more arrow
21 Feb

From 21:00 on February 21 to 23:59 on March 4, the CHARLIE - CRP alert level applies throughout the country.

Read more arrow
Did not find what you are looking for?
Write to us arrow