Poland

ID Finance Poland Sp. z o.o.

235,300 €

GDPR enforcement action by Polish National Personal Data Protection Office (UODO) on 2020-12-17.

Rank · Sector

#56

of 322 in Finance, Insurance and Consulting

Rank · Poland

#15

of 111

Rank · All fines

#330

of 3,050

Case details

Authority: Polish National Personal Data Protection Office (UODO)
Date: 2020-12-17
Controller / Processor: ID Finance Poland Sp. z o.o.
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Polish DPA (UODO) imposed a fine of EUR 235,300 on ID Finance Poland Sp. z o.o. Due to an error while restarting a server, the settings of the software responsible for the server's security were reset, making the personal data of 140 699 customers publicly available. These data contained, for example, information about the first and last name, address, nationality or even marital status of the data subjects. The database located on this server was downloaded and deleted by an unspecified third party, who demanded a fee from the company for the return of the database. The DPA noted that the controller had taken insufficient technical and organizational measures to ensure the protection of the processing, even though there was a high risk for the data subjects due to the nature of the data processed.

Open original source Links to the regulator's original publication or another source.