Poland

PIKA Sp. z o.o.

53,000 €

GDPR enforcement action by Polish National Personal Data Protection Office (UODO) on 2022-01-19.

Rank · Sector
#100
of 595 in Industry and Commerce
Rank · Poland
#22
of 110
Rank · All fines
#676
of 3,042

Case details

Authority
Polish National Personal Data Protection Office (UODO)
Date
2022-01-19
Controller / Processor
PIKA Sp. z o.o.
Sector
Industry and Commerce
Quoted Articles
Art. 28 (3) c), f) GDPR, Art. 32 (1), (2) GDPR
Type of violation
Insufficient technical and organisational measures to ensure information security

Summary

The Polish DPA has fined PIKA Sp. z o.o. in the amount of EUR 53,000.

The fine is related to a fine imposed on Fortum Marketing and Sales Polska S.A. PIKA was acting as a processor for Fortum. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company's IT environment by PIKA. As part of this change, an additional Fortum customer database was created. However, the server on which the database was stored did not have sufficient security measures, which is why the unauthorized persons were able to access the data.
The DPA also found that PIKA had failed to pseudonymize and encrypt the data. In addition, PIKA had used real customer data rather than test data to test the system changes.

For this reason, the DPA concluded that PIKA had failed to take appropriate technical and organizational measures to ensure the protection of personal data.
