Res-Gastro M. Gaweł Sp. k. – €54,819 Fine (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is a company which operates restaurants. On 26 July 2023, the controller notified the DPA about a data breach that had occurred on 19 July 2023: an employee had lost a flash drive containing unencrypted data about another employee, such as their address, date of birth, passport, picture and salary data. In addition, some financial data were stored on the drive in encrypted form. On 26 September 2023 the DPA initiated an ex officio proceeding. The controller stated that it had instructed all employees to encrypt their files when storing them on an external flash drive, and that the loss had occurred on the workplace premises. Firstly, the DPA recalled that, according to Article 5(1)(f) GDPR, personal data must be processed in a manner that ensures adequate security of the personal data by means of appropriate technical or organisational measures. According to the DPA, this principle is given concrete form by Article 24(1) GDPR, which obliges the controller to implement appropriate technical and organisational measures so that processing is carried out in accordance with the GDPR. Moreover, the DPA pointed out that the controller must also comply with the obligation set by Article 32 GDPR. It noted that this article obliges the controller to carry out a two-step analysis: firstly, it must determine the risks involved in the processing of personal data and, secondly, determine what technical and organisational measures are appropriate to ensure a level of security corresponding to that risk. The DPA observed that the risk assessment conducted by the controller did include the possibility of a flash drive being stolen, but not of one being lost. Therefore, the DPA held that the controller had failed to take into account all possible risks associated with the use of external data carriers by employees. Moreover, the DPA focused on the fact that, even if the controller had considered this risk, it did not implement sufficient security measures. The DPA acknowledged that the controller had ins
GDPR Articles Cited
Related Enforcement Actions (1)
Other enforcement actions involving Res-Gastro M. Gaweł Sp. k. in PL
Details
Fine Date: 29 April 2024
Authority: Urząd Ochrony Danych Osobowych
Fine Amount: €54,819 (238,345 PLN)
GDPRhub ID: gdprhub-8050
Cite as: Cookie Fines. Res-Gastro M. Gaweł Sp. k. - Poland (2024). Retrieved from cookiefines.eu