A fine of 20 000 euros for an insurance company in Poland
The National Center for Personal Data Protection (NCPDP) reports, for information and application purposes, on the administrative fine equivalent to 20 000 euros imposed on the Polish insurance company Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. The sanction was applied for violating the provisions of the General Data Protection Regulation.
In May 2020, the Personal Data Protection Office of Poland (UODO) received information from a third party about a personal data breach: an insurance agent, acting as a processor for the WARTA S.A. Insurance and Reinsurance Company, had sent an insurance policy by e-mail to an unauthorized addressee.
The attached document contained personal data such as names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of insurance (passenger car).
At the request of the supervisory authority, the insurance company confirmed that there had been an incident related to a personal data breach, yet the fined company considered that the breach did not require notification to the UODO.
When imposing an administrative fine, the President of the UODO also took into account that the company asked the wrong recipient to permanently delete the correspondence received. However, it is worth mentioning that a request for deletion of data is not tantamount to guaranteeing that the data is actually erased by an unauthorized person and does not preclude possible negative consequences of their use.
The NCPDP, as the national authority for the supervision of personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.