
A Polish catering company was fined €54,600 for a data breach after an employee lost a flash drive with sensitive data.

A Polish catering company was fined €54,600 for failing to protect personal data after an employee lost a flash drive containing sensitive information, revealing vulnerabilities in the company’s data security.

The Polish Data Protection Authority (UODO) recently fined Res-Gastro M. Gaweł Sp. k., a catering company in Kolbuszowa, Poland, €54,600 for failing to implement adequate technical and organizational measures to protect personal data. The decision, finalized on April 29, 2024, stemmed from a data breach caused by an employee losing a flash drive containing sensitive personal information, including names, addresses, citizenship details, gender, dates of birth, PESEL numbers, passport information, contact details, photos, and salary information. While some files were encrypted, the unencrypted data revealed some critical vulnerabilities in the company’s data security practices.


Res-Gastro violated the GDPR by neglecting encryption protocols, data security testing, and risk analysis for data loss, and shifting the responsibility for encryption to employees through instructional videos.

The investigation found that Res-Gastro violated several GDPR provisions, including Articles 5, 24, 25, and 32, which set out the principles and responsibilities for protecting personal data. Article 5 outlines key principles such as lawfulness, fairness, transparency, data minimization, accuracy, and security. Article 24 makes data controllers responsible for implementing measures that ensure compliance. Article 25 requires data protection to be built into systems by design and by default, with a focus on data minimization. Article 32 mandates robust security measures, including encryption, pseudonymization, and regular testing, to safeguard data integrity and confidentiality. The authority found that the company’s risk analysis overlooked the possibility of losing a data carrier, considering only theft or destruction. Additionally, Res-Gastro did not enforce encryption of external devices; instead, it provided employees with instructional videos on encrypting files, effectively shifting the responsibility to staff. Regular testing and evaluation of data security measures were also neglected, further exposing the organization to risk.


Res-Gastro was fined for the data breach despite self-reporting and cooperating, and was ordered to implement corrective measures.

Although Res-Gastro self-reported the incident and cooperated with the investigation, which mitigated the severity of the fine, the UODO stressed that these efforts did not absolve the company of responsibility. The authority emphasized the significance of the company’s high turnover in determining the penalty. Alongside the fine, the UODO ordered the implementation of appropriate organizational and technical measures to ensure secure data processing.


This sanction highlights the need for proper data protection measures, prioritizing data security to prevent financial and reputational harm.

This case underlines the importance of adequate data protection practices for businesses. Organizations must conduct comprehensive risk assessments, enforce strict encryption standards, regularly test security controls, and take a proactive approach to GDPR compliance. Neglecting these responsibilities can lead to severe financial and reputational damage. Res-Gastro’s experience serves as a cautionary tale about the need to prioritize data security in order to avoid similar penalties and safeguard sensitive information.

Elevate your data protection standards with Aphaia. Schedule a consultation, and embark on a journey toward strengthening security, GDPR compliance, and the peace of mind that comes with knowing your data protection is in expert hands. Contact Aphaia today.
