Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. – €18,930 Fine (Poland, 2020)

The Polish DPA (UODO) fined Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. EUR 18,930 for a breach of Art. 33 (1) GDPR and Art. 34 (1) GDPR. In May 2020, the DPA received a notification from a third party about a personal data breach involving an insurance agent acting as a processing agent for Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. who sent an insurance policy to an unauthorized addressee by email. The document contained personal data concerning, among others, surnames, first names, residential addresses and information on the subject of the insurance policy. As a result, the supervisory authority asked the controller to clarify whether, regarding the sending of the electronic correspondence to an unauthorized addressee, a risk analysis on the data security of natural persons had been carried out, which is necessary to evaluate whether a data breach had occurred. Such a breach requires notification to the DPA and the individuals affected by the breach. In the letter, the supervisory authority advised the controller how to notify the breach and asked for explanations. Despite the letter requesting explanations, the controller did not report the data breach nor did it inform the data subjects about the incident. The DPA therefore initiated administrative proceedings. Only as a result of the initiation of the procedure did the controller report the personal data breach and inform two individuals affected by the breach.