In January 2022, the President of the Personal Data Protection Office (“DPDO”) of Poland fined both a data controller and a data processor for failing to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the data controller failed to exercise its GDPR right to audit and inspect the data processor, which led to a significant breach of the controller’s customer personal data. This is the DPDO’s most significant fine to date imposed on a controller.
We set out the key details of this case further down in this article. But more importantly, we have set out below some key recommendations to help controllers avoid making these same mistakes.
1. Contractual protection
The case demonstrates that merely putting Article 28 compliant data processing terms in place with processors is unlikely to be enough to demonstrate compliance: the terms must also be acted on.
Nevertheless, the first step remains ensuring that the contractual safeguards in place with processors document the parties’ ongoing obligations, robustly protect personal data and mitigate risk.
During negotiations, controllers should consider seeking some of the following provisions:
- obligations on processors to update/review their technical and organisational security measures;
- the right to vet, and to object to, the appointment of proposed sub-processors;
- the right to control the audit procedure (and, where appropriate, to perform audits themselves on site or through a trusted external party, rather than relying on reports provided by the processor). Audits should preferably take place at regular intervals, and the parties’ liability for audit costs should be documented;
- obligations on processors on request (and not just at termination) to delete, destroy or put personal data beyond use;
- obligations on processors to notify the controller of personal data breaches within a specified timescale (e.g. 24 hours) and in any event “without undue delay”, and to cooperate in investigating and containing the breach and in the controller’s reporting of it to the supervisory authority (which, under Article 33, must take place within 72 hours of the controller becoming aware of the breach, whether or not the breach has been resolved); and
- inclusion of indemnity protection for the controller in respect of the processor’s breach of data protection laws.
2. Practical ways to verify your data processors and maintain data security
Supervisory authorities will now undoubtedly push data controllers to demonstrate that they have taken active steps to check and monitor the effectiveness of their processors’ security measures. Consequently, the contractual rights described above should actually be exercised in practice, and the exercise of those rights should be documented.
The practical measures needed to ensure security measures are up to scratch will vary depending on the type of business, industry sector and the data involved etc. However, some general recommended practices that data controllers may consider implementing in their business operations are:
- Due diligence questionnaires – If your processor is also your supplier/vendor, these questionnaires may be helpful at the outset of the relationship as well as throughout it. They should contain specific technical questions relating to the processor’s IT and data security environment and its confidentiality arrangements. This should help the controller understand the processor’s:
- technical security measures;
- underpinning documentation such as records of processing, data protection policies and data protection impact assessments etc.;
- data protection officer (if applicable) or relevant contact person and personnel involved in the proposed processing activities (subject to confidentiality); and
- history of breaches or security incidents (if any).
In addition, the processors’ answers to the other, more general questionnaire topics such as financial, CSR and commercial should also help controllers paint a better picture of the organisation who will be potentially processing their personal data. It is common for these questionnaires to be completed on an annual basis.
- IT security certifications and policies – certifications such as ISO 27001 help organisations demonstrate that they have formally satisfied stringent IT security requirements against an external standard. ISO 27001 certification runs on a three-year cycle with annual surveillance audits and full recertification at the end of the cycle, which should push organisations to maintain high IT security standards and risk mitigation practices on an ongoing basis. Controllers should prefer processors who hold such certifications, but should check the certificate’s scope statement: a certification covers only the locations, systems and services named in it, so confirm that the services actually processing the controller’s personal data fall within that scope.
- Auditing – Controllers should actively conduct audits and inspections of their processors throughout the entire lifecycle of their business arrangement. The agreed procedure for this (such as the frequency, access, documentation, personnel involved etc.) should be clearly documented in the Article 28 data processing terms – as set out in the above section. Therefore, it is important for controllers to choose processors who are willing to cooperate in respect of auditing.
- Regular contract reviews and updates – The contract(s) in place with processors (including the Article 28 compliant data processing terms and any underpinning commercial contracts) should be reviewed and updated regularly if necessary. This will be important because the nature, flow and use of the data processed by the parties may change over time. Therefore, regularly reviewing and updating these agreements will, among other things, ensure the parties:
- pick up any new legislative/regulatory changes or wider legal trends which may affect the parties’ data processing and security obligations; and
- reflect and document any commercial/operational changes on either side which may affect their data processing and security obligations, such as proposed service level changes, new internal systems, new overseas facilities or new sub-processors to which the personal data may need to be transferred or from which it may be accessed.
What are the potential consequences of failing to follow the above recommendations? The case facts below provide an answer to this.
Forum Marketing and Sales SA (“Forum”), a B2B and B2C electricity and gas supplier, had a contractual agreement in place with a service provider (“PIKA”) which provided archive management services (such as digital archiving) to Forum. This contract was entered into in February 2016 (with a number of subsequent annexes), and the parties entered into a separate data processing agreement in May 2018.
In April 2020, Forum (as data controller) reported to the DPDO that it had suffered a data breach. Forum reported that a significant amount of its customers’ personal data had been copied by external parties without authorisation as a result of software changes made to its IT system by PIKA (the processor). The changes were intended to improve efficiency and shorten document search times, and were implemented after Forum notified PIKA that the system was running slowly. To implement them, PIKA created a new database containing the personal data of Forum’s customers. It was reported that the personal data of 137,314 customers had been affected, including names, addresses, telephone numbers, email addresses, personal civil identification numbers (PESEL), types and numbers of identification documents and contract details (such as date, reference number, fuel type and meter numbers). Forum also failed, at the time, to notify the affected data subjects that their personal data had been breached.
It was reported that PIKA did not consult Forum on the software changes, so Forum neither verified nor supervised the modifications before they went live. This highlighted Forum’s more general failure, throughout the parties’ relationship, to exercise its contractual right to audit and inspect PIKA’s processing activities and security measures pursuant to Article 28(3)(h) of the GDPR. Before entering into the data processing agreement in May 2018, Forum had not carried out any verification of PIKA because PIKA was regarded as a market leader and the parties had worked together for several years without any security incident. The only verification action Forum could point to was a due diligence questionnaire sent to PIKA in May 2020, after the breach had already been discovered.
Because Forum never audited or verified PIKA’s technical and organisational measures, the inadequately secured software changes were implemented by PIKA without any check or restriction, and this directly resulted in the personal data breach. It was found that PIKA had not implemented the changes in accordance with general ISO standards or with its own security policies, and that it had failed to comply with its obligations under the data processing agreement, which required it, among other things, to pseudonymise the personal data. Had Forum actively performed its controller obligations to audit and verify those measures, it might have discovered these defects sooner, and the breach might have been prevented or been far less extensive.
In short, the DPDO ruled that:
- Forum was in breach of Articles 5(1)(f), 24(1), 25(1), 28(1) and 32(1) and (2) of the GDPR.
- Forum failed to (1) implement appropriate technical and organisational measures ensuring the security of personal data resulting in a breach of confidentiality, (2) verify the processor on whether it provided sufficient guarantees when implementing appropriate technical and organisational measures, and (3) protect the rights of data subjects.
- Forum was fined PLN 4,911,732 (equivalent to just over 1 million EUR).
- PIKA was in breach of Articles 32(1) and (2) of the GDPR, both on their own and in conjunction with Article 28(3)(c) and (f).
- PIKA failed to implement appropriate technical and organisational measures ensuring the security of personal data resulting in a breach of confidentiality.
- PIKA was fined PLN 250,135 (equivalent to just over 50,000 EUR).
A UK perspective
Although the above case concerned the DPDO in Poland, it is also worth noting that similar trends have arisen in the UK recently in respect of controllers failing to take active steps to check and monitor the effectiveness of security measures in accordance with Article 32 of the GDPR.
The ICO fined British Airways (“BA”) £20 million in 2020 for failing to protect the personal data of more than 400,000 of its customers. It was found that BA had been processing a significant amount of personal data without adequate security measures in place. BA was subsequently the subject of a cyber-attack in 2018 which, because of those inadequate measures, it failed to detect for more than two months.
Should you need any advice in relation to exercising your rights under data processing agreements or data security incidents in general, please do contact a member of our Data Privacy, Cybersecurity and Digital Assets team, who will be more than happy to assist.