Fortum Marketing and Sales Polska S.A. – €1,000,000 Fine (Poland, 2022)

The Polish DPA has imposed a fine of EUR 1 million on Fortum Marketing and Sales Polska S.A.. The company had reported a data breach to the DPA in accordance with Art. 33 GDPR. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company's IT environment. The change was made by a processing agent. As part of the change, an additional Fortum customer database was created. However, the server on which the database was stored did not have sufficient security measures, which is why the unauthorized persons succeeded in accessing the data. The DPA also found that the processor failed to pseudonymize and encrypt the data. In addition, the processing agent had been using real customer data, rather than test data, to test the changes to the system. For this reason, the DPA concluded that the controller failed to take appropriate technical and organizational measures to ensure the protection of personal data. In addition, the DPA found that the controller would have been required to monitor the work of the processor to ensure that the protection of personal data is continuously guaranteed.