Fortum Marketing and Sales Polska S.A. – €1,129,698 Fine (Poland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Fortum Marketing and Sales Polska was fined for not properly informing customers about a data breach. The breach exposed sensitive customer information, but the company didn't think it was risky enough to notify everyone. This case shows the importance of assessing and communicating risks accurately.
What happened
Fortum failed to notify all affected customers about a data breach that exposed their personal information.
Who was affected
Fortum's customers, whose personal and contract details were exposed in the breach, were affected.
What the authority found
The Polish DPA fined Fortum for not notifying customers about the breach, as it posed a high risk to their personal data.
Why this matters
This case highlights the critical need for companies to evaluate data breaches accurately and communicate with affected individuals. It underscores the importance of transparency and accountability in data protection practices.
GDPR Articles Cited
National Law Articles
Entities Involved
The controller, Fortum Marketing and Sales Polska S.A. ("Fortum"), trades in electricity and gas fuel, including the sale of electricity and gas to end customers, both in the business sector and to households. Within the scope of its business activity, Fortum cooperates with the processor PIKA Spółka z o.o. ("PIKA"). PIKA provides Fortum with archive services, including digital archives. The parties are bound by a Data Processing Entrustment Agreement from 2018 and a Storage (Document Archive) Agreement with associated services from 2016.
Fortum notified the Polish DPA of a personal data protection breach. According to them, the data of 137,314 customers had been copied. The breach of confidentiality concerned a newly created database containing information on Fortum's customers as follows: name and surname, residential or residence address, PESEL number, type, series and number of an identity document, e-mail address, telephone number, number and address of access point and contract data (e.g. date and number of contract, type of fuel, meter number).
Fortum did not notify the data subjects of a data breach because, in its assessment, there was no high risk of a breach of the rights or freedoms of natural persons. Fortum presented the analysis results that finally established the number of persons to be notified of a personal data breach due to a high risk of infringement of rights or freedoms of natural persons. The explanations indicated that the data of 120,428 persons had been exposed, of which 95,711 persons should have been notified of the breach. The remaining numbers were business customers and deceased persons.
Findings made in the course of the proceedings indicated that PIKA, as a processor to which Fortum had entrusted the processing of personal data of the persons affected by the breach, was also involved in the data breach. PIKA explained that, in case of changes to the systems, the individual departments of its IT division are required to record any
Details
Fine Date
19 January 2022
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€1,129,698
4,911,732 PLN
GDPRhub ID
gdprhub-4765
Cite as: Cookie Fines. Fortum Marketing and Sales Polska S.A. - Poland (2022). Retrieved from cookiefines.eu