Data controllers have to verify processors under GDPR – some remarks on Fortum case
Case description
In April 2020, the controller, Fortum Marketing and Sales SA, notified the President of the PDPO of a data breach, reporting that data of the controller’s customers had been copied in the course of changes to the ICT environment of a digital document filing system. Fortum used the services of the processor, PIKA sp. z o.o., for this system.
In April 2020, Fortum reported the data breach to the President of the PDPO, stating that Fortum customer data had been copied. The incident was connected with a modification of the ICT environment for the service described above, intended to streamline the entire document filing system. The breach concerned a new database containing Fortum customer information such as first name, surname, residential address, personal civil identification number (PESEL), identification document type and number, e-mail address, telephone number, number and address of the place of supply, and agreement details (such as agreement date and number, type of fuel and meter number). It was stated that 137 314 people were affected by the breach.
In April, the President of the PDPO launched an investigation into Fortum ex officio. In response to a notice, Fortum explained that PIKA had not consulted Fortum on the changes made or on the manner in which they were made. Fortum’s relationship with PIKA was based on an agreement for storage (document archiving) and associated services, concluded in 2016, and on a data processing agreement of May 2018. In a response of June 2018 to questions posed by the regulator, the controller explained that, prior to concluding the agreement engaging the processor, it had not taken additional steps to verify the processor, because Fortum had been doing business with PIKA for many years and PIKA was the market leader in archiving and digitization services. No security incidents had occurred up until that time. Fortum acknowledged that it had not exercised its right of inspection with regard to PIKA as provided for in article 28(3)(h) of the GDPR[1]. In May 2020, and thus after the breach had been discovered, the controller sent a questionnaire to the processor, which was the first step of the verification process.
Fortum stated in June 2020 that, when making the change, PIKA had not followed the established procedures and had not submitted a conceptual plan for the changes, or functional or technical plans, to the controller.
Fortum also reported that the software had not been working properly; PIKA found the cause and began remedial measures without consulting Fortum.
Next, in July 2020, the President of the PDPO sent PIKA a notice stating that it had been classified as a party to the ongoing administrative proceedings. In its explanations, PIKA confirmed that it had not consulted the controller on the changes made to the software.
President of the PDPO ruling and arguments
The President of the PDPO made the following findings in a decision of 19 January 2022:
- Fortum was in breach of article 5(1)(f), article 24(1), article 25(1), article 28(1) and article 32(1) and (2) of the GDPR, due to failure to implement the appropriate technical and organizational measures to protect personal data, resulting in a data breach, and due to failure to verify the processor, including failure to determine whether the processor sufficiently ensured that appropriate technical and organizational measures were taken to render processing compliant with the GDPR and protect the rights of data subjects. An administrative fine of PLN 4 911 732 was imposed for the breach;
- PIKA was in breach of article 32(1) and (2) of the GDPR, and of article 32(1) and (2) in conjunction with article 28(3)(c) and (f) of the GDPR, due to failure to implement the appropriate technical and organizational measures to protect personal data and to prevent a data breach. An administrative fine of PLN 250 135 was imposed on PIKA.
The regulator determined the following:
- Insufficient safeguards were in place to protect a database in which personal data were processed, leading to unauthorized disclosure (such safeguards are a standard element of protection under the ISO 27001:2017-06 standard);
- There was no pseudonymization of personal data in the newly created database, and this, combined with a failure to ensure other effective safeguards, led to a data breach;
- PIKA’s policies did not contain specific provisions on the procedure for making changes to ICT systems used to process personal data;
- PIKA’s method of keeping records of work for customers in its in-house system did not sufficiently protect personal data because the individual stages of the work were not adequately documented;
- PIKA was in breach of the agreement with Fortum on engaging a processor, due to a failure to implement pseudonymization;
- PIKA did not exercise due diligence when placing real personal data into the newly created database;
- Fortum did not monitor how the changes made as part of the service were in fact being implemented;
- As the controller, Fortum was not exempt from personal data protection requirements due to engaging a processor;
- Fortum failed to conduct audits, including inspections, of the processor under article 28(3)(h) of the GDPR; this is one of the most important security measures, and is a right connected with a controller’s obligation under article 28(1) of the GDPR to select a processor ensuring sufficient guarantees.
The President of the PDPO found that both the controller and the processor failed to implement appropriate technical and organizational measures to protect processed personal data, and thus were in breach of article 32 of the GDPR.
The President of the PDPO also found that a long-term business relationship in which audits or inspections are not conducted periodically and systematically does not guarantee that the processor duly performs the duties required by law and by the agreement on engaging a processor. An existing business relationship can only be a starting point for verifying a processor. Concluding an agreement on engaging a processor without proper verification does not satisfy a controller’s obligations under article 28(1) of the GDPR.
Commentary
This was the first time that the President of the PDPO fined both a controller and a processor in the same case. The decision sets a precedent by demonstrating the importance of controller compliance with article 28(1) of the GDPR, i.e. verifying a processor before entering into an agreement engaging that processor.
The regulator also found that the processor’s obligation under article 28(3)(h) of the GDPR to make available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR, and to allow audits, including inspections, conducted by the controller or by an auditor mandated by the controller, must be matched by the controller actually conducting such audits. In other words, outsourcing does not release a controller from the obligation to monitor the processor, and this includes checks on whether the processor complies with the agreement on engaging a processor. In practice, this means that any controller that outsources must establish whether it verified the processor prior to concluding the agreement, according to the procedure provided for in article 28(3) of the GDPR, and must plan processor audits in line with article 28(3)(h) of the GDPR.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).