A company in Poland received a fine for failing to report personal data breaches in a timely manner. The company stated that this was due to human error. In this case, the company had to report the breach within 24 hours of discovering the incident, but it submitted the notification to the data protection authority later than that.
You may wonder why the deadline is so short. It is so that the data protection authority can act quickly, for example in cases where the personal data breach can lead to identity theft, fraud or similar harm.
A company had to pay a fine due to failure to report personal data breaches in a timely manner to the national data protection authority
In this case, the company breached the provisions of the telecommunications law and Commission Regulation No 611/2013. According to this regulation, some personal data breaches must be reported within 24 hours. More than one personal data breach was not reported in time; there were a total of five incidents. The Polish data protection authority took this into account in its decision in the case.
The company had also reported to the Polish data protection authority in an incorrect manner. It had sent the notifications via a postal operator, a process that required more involvement from the authority's employees. It did this even though the Polish data protection authority had recommended that the company submit the notifications electronically. The data protection authority pointed out that the quickest way to submit a notification is through the authority’s website or the ePUAP platform.
The company had to pay a fine for, among other things, not notifying personal data breaches in time
The consequence for the company that did not notify the Polish data protection authority of the personal data breach in time was a fine of 100 000 Polish złoty.
GDPR rules for reporting personal data breaches to the national data protection authority
The General Data Protection Regulation (EU) 2016/679 (GDPR) also has strict rules regarding notifications of personal data breaches. According to the GDPR, companies must report certain types of personal data breaches to the relevant data protection authority. Pursuant to Article 33 of the GDPR, a company must make the report within 72 hours of the discovery.
However, in some exceptional cases, a company may report it after 72 hours. In such cases, the company must be able to justify the delay, for example if there are many personal data breaches at the same time that have different causes. Please note that the company may supplement its report afterwards.
The maximum fine a company can receive according to the GDPR is EUR 20 million or 4% of the total annual turnover, whichever is higher. In other words, a fine can have devastating financial consequences for a company.
Penalty fee because, among other things, the company had not set a retention period
A company in Finland received a fine from the data protection authority because it had not set a retention period for the personal data it processed. The company stored the personal data for as long as the customer kept their user account. Thus, the company had placed the responsibility on the customer, who had to delete their user account in order for the personal data to be deleted. It is important to know that companies must delete personal data regularly.
In addition, customers had to create a user account in order to shop on the website. The Finnish Data Protection Authority considered this to also be in breach of the GDPR.