UODO fines a media organization for serious data security breaches under the GDPR (GDPR security sanction).
The fine imposed by UODO (the Polish Data Protection Authority) on a media organization reveals serious data security breaches and raises crucial questions about how organizations should manage the protection of personal data in line with the GDPR.
This decision, handed down on March 6, 2025, illustrates the vigilance of supervisory authorities in their mission to guarantee the security and integrity of data under Articles 24(1) and 32 of the GDPR, which set out the controller's obligation to ensure that processing takes place under secure conditions. Beyond the fine of PLN 56,824, the case belongs to a broader context in which an accurate risk assessment and up-to-date security policies are essential. The stakes are all the higher for practitioners, since the case shows the importance of a robust, regularly reviewed data security strategy in the face of evolving regulatory expectations.
In this article, we look at the breaches found by UODO, how the security failings were established, and what the decision implies for other data controllers.
If you are looking for a personal data lawyer, contact me!
What were the breaches found by UODO under the GDPR?
The investigation carried out by UODO (the Polish Data Protection Authority) revealed significant data security breaches and critical shortcomings in the personal data management practices of a news organization. This ex officio investigation showed that the controller had failed to comply with several GDPR obligations that are essential to protecting individuals' data. The main breaches identified were as follows:
- No risk analysis had been carried out for the processing of personal data, in direct violation of Article 24(1) of the GDPR.
- The controller's data protection and IT security policies had not been reviewed or updated, leaving its systems inadequately secured.
- The devices used were not encrypted, contrary to the requirements of the controller's own IT security policy.
- There were no internal policies to ensure that personal data was published in compliance with Polish legislation.
These shortcomings led to a clear conclusion: the controller did not ensure secure processing of personal data and thereby violated Article 32(1) and (2) of the GDPR. It is also worth noting that the media organization was in liquidation at the time of the investigation and submitted no explanations in its defense, which only added to the seriousness of the situation. This raises essential questions about companies' responsibility for data protection and its management in crisis situations, including during a wind-down.
In sum, the breaches found by UODO underline how crucial a documented risk analysis and the regular review of security policies are, both to avoid financial penalties and to preserve users' confidence. It is essential for data controllers to maintain high standards in their data security and data protection practices.
How was non-compliance with data security obligations determined?
UODO's analysis of the shortcomings showed a clear failure to comply with the data security obligations laid down by the GDPR and national legislation. The shortcomings came to light through a series of checks and assessments that revealed the following issues:
- A marked absence of security measures adapted to the risks associated with the processing of personal data, contrary to Article 32 of the GDPR, which requires appropriate technical and organizational measures.
- The security measures in place were not in line with industry best practice, jeopardizing the confidentiality and integrity of the data.
- Access to personal data was not adequately controlled and supervised, leaving weaknesses that third parties could have exploited.
These breaches point to a culture of non-compliance within the company, in which data protection appeared to be a secondary concern. The way personal data was handled also revealed gaps in staff training on privacy policies and data management, a lesson that applies to other organizations as well. The company likewise lacked an incident management policy for responding to a personal data breach, even though the 72-hour notification duty under Article 33 of the GDPR presupposes a procedure for detecting, assessing and reporting breaches promptly.
This underlines once again that data protection cannot be treated as a secondary element of an organization's overall strategy. The case highlights the need for every company, whatever its sector, to implement adequate security measures and to cultivate a shared awareness of data protection. Given the rapidly changing regulatory landscape, organizations must regularly reassess their data security policies to ensure they meet supervisory authorities' expectations. Achieving an adequate level of security is all the more pressing as data breaches multiply, making GDPR compliance not only a legal imperative but also a matter of trust between companies and consumers.
What are the implications for other data controllers?
The consequences of this UODO decision reach well beyond the media organization concerned. The case highlights crucial questions about the responsibility of controllers for implementing the obligations laid down by the GDPR. The implications for other companies include:
- Increased vigilance: Other controllers should heighten their vigilance in data protection, drawing on the lessons of this case. A rigorous risk analysis and the regular updating of security policies are paramount to avoiding real sanctions.
- Ongoing training: Companies should set up ongoing training programs for their staff on data security policies and personal data protection obligations, consistent with Articles 24 and 32 of the GDPR.
- Documentation and compliance: Controllers must carefully document their security and data handling processes, including assessing and recording the associated risks and implementing appropriate security measures, so that they are able to demonstrate compliance as Article 24(1) requires.
- Proactive approach: Companies must adopt a proactive approach to data security, not only reacting to existing threats but anticipating them and implementing preventive measures to limit the risk of breaches.
UODO made it clear that even controllers engaged in journalistic activities, as was the case here, cannot evade the obligation to guarantee data security. Article 85 of the GDPR allows Member States to provide derogations for journalistic purposes, but those derogations, as implemented in Polish law, do not cover Articles 24 and 32, which confirms that every controller must comply with the security requirements for data processing.
Other organizations should recognize that integrating security requirements into day-to-day operations is not merely an act of compliance but an investment in the trust of their customers and users. This case is a reminder that data protection should never be treated as a formality, but as a key element of corporate strategy.