Poland

TUiR Warta S.A.

18,850 €

GDPR enforcement action by Polish National Personal Data Protection Office (UODO) on 2020-12-09.

Rank · Sector

#172

of 322 in Finance, Insurance and Consulting

Rank · Poland

#37

of 110

Rank · All fines

#1,111

of 3,042

Case details

Authority: Polish National Personal Data Protection Office (UODO)
Date: 2020-12-09
Controller / Processor: TUiR Warta S.A.
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR
Type of violation: Insufficient fulfilment of data breach notification obligations

Summary

An insurance agent hired by the controller had sent an email to unauthorized third parties in regard to insurance policies that contained personal data of two of the company's customers after they had mistakenly provided false email addresses. The leaked data included data such as the names, email adresses and postal addresses of the data subjects. The controller had not informed either the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours. The controller believed that there was no breach requiring notification because the data subjects themselves had mistakenly provided incorrect e-mail addresses. The Polish DPA states that this circumstance does not release the controller from its obligation to report this data breach in a timely manner.

Open original source Links to the regulator's original publication or another source.