Poland’s Supreme Administrative Court Revives GDPR Fines Against Fortum & Pika Over 95,000-Record Breach
Key Takeaways
- Supreme Court Reinstates Regulator’s Findings: Poland’s Supreme Administrative Court overturned a lower court ruling and revived the data protection authority’s decision imposing fines on Fortum and Pika.
- Controller and Processor Both Accountable: The regulator found failures on both sides, reinforcing that GDPR accountability extends beyond contractual language to real-world oversight and security controls.
- Nearly $1.35 Million Fine for Controller: Fortum faces a fine of approximately $1.35 million (PLN 5 million), while Pika was fined roughly $67,000 (PLN 250,000).
- 95,000 Individuals Affected: The breach stemmed from IT system changes that resulted in unauthorized access to a database containing sensitive customer data.
- Testing Environments Under Scrutiny: The decision highlights regulatory expectations around security testing, pseudonymization, firewall configuration, and adherence to standards such as ISO/IEC 27001 and 27002.
Deep Dive
Poland’s highest administrative court has revived a GDPR enforcement case against Fortum Marketing and Sales and its IT provider Pika, siding with the country’s data protection authority and reopening the path for multimillion-złoty fines tied to a 2020 data breach affecting more than 95,000 people.
The Supreme Administrative Court of Poland upheld a cassation appeal filed by the President of the Personal Data Protection Office, overturning an earlier ruling from the Provincial Administrative Court in Warsaw that had thrown out the regulator’s decision. The story begins in April 2020, when Fortum reported a personal data breach to the supervisory authority. The incident stemmed from changes in an IT environment used as a digital archive.
After performance issues were flagged, Pika undertook modernization work. As part of that effort, it created an additional database and populated it with Fortum’s customer data. But access to the new database was configured incorrectly, allowing unauthorized individuals to reach and copy personal data.
The scope was significant. Names, addresses, identity document details, contact information, and contract data were exposed. Ultimately, authorities determined that more than 95,000 individuals were affected.
Fortum initially concluded the breach did not pose a high risk to the rights or freedoms of affected individuals and did not notify them. Only after intervention by the President of the Personal Data Protection Office were data subjects informed and given recommendations to mitigate potential harm.
Regulator Finds Failures on Both Sides
In its administrative decision, the regulator concluded that both controller and processor failed to implement appropriate technical and organizational measures required under the GDPR.
For Fortum, the authority found that the company:
- Failed to verify, before entering into the processing agreement, whether Pika provided sufficient security guarantees
- Did not exercise its right of control under Article 28(3)(h) GDPR
- Failed to effectively oversee the implementation of IT changes
For Pika, the regulator identified:
- A lack of security testing during development
- The use of real personal data in a test environment without prior pseudonymization
- Incomplete configuration of technical safeguards, including the absence of a properly configured firewall
The authority referenced ISO/IEC 27001 and 27002 standards, emphasizing that real personal data should not be used in testing environments unless equivalent production-level safeguards are applied.
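The regulator’s point about test environments is a concrete engineering practice: production records should be pseudonymized before they are loaded anywhere that lacks production-grade safeguards, and the copy should be checked before release. The following is an added example, not code from the article, Fortum or Pika. It assumes a constructed customer schema matching the data categories the article lists (names, addresses, identity document details, contact information, contract data); field names, the HMAC key and the sample records are all invented for illustration.

```python
import hashlib
import hmac
from typing import Any, Dict, Iterable, List, Tuple

# Field names are constructed for this example; they are not the real schema.
# Direct identifiers are replaced with keyed tokens before data leaves production.
DIRECT_IDENTIFIERS = ("name", "address", "document_number", "email", "phone")
# Join keys are tokenized too, but consistently, so tables still join in the test copy.
JOIN_KEYS = ("customer_id",)

# Constructed sample production data (fictitious people and contracts).
CUSTOMERS = [
    {"customer_id": 1001, "name": "Jan Kowalski", "address": "ul. Przykladowa 1, Warszawa",
     "document_number": "ABC123456", "email": "jan@example.com", "phone": "+48 600 000 001"},
    {"customer_id": 1002, "name": "Anna Nowak", "address": "ul. Testowa 2, Krakow",
     "document_number": "XYZ987654", "email": "anna@example.com", "phone": "+48 600 000 002"},
]
CONTRACTS = [
    {"contract_id": "C-1", "customer_id": 1001, "tariff": "G11", "monthly_kwh": 250},
    {"contract_id": "C-2", "customer_id": 1002, "tariff": "G12", "monthly_kwh": 310},
]


def pseudonym(key: bytes, field: str, value: Any) -> str:
    """Keyed, per-field HMAC-SHA256 token.

    The key stays in production only, so a leaked test database cannot be
    reversed to real identities without it. Including the field name in the
    message keeps tokens for different columns unlinkable even for equal values.
    """
    msg = field.encode("utf-8") + b"\x00" + str(value).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{field}-{digest[:16]}"


def pseudonymize_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a copy of one row with identifiers and join keys tokenized."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS + JOIN_KEYS:
        if out.get(field) is not None:
            out[field] = pseudonym(key, field, out[field])
    return out


def pseudonymize_table(rows: Iterable[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    return [pseudonymize_record(row, key) for row in rows]


def leaked_values(original_rows: Iterable[Dict[str, Any]],
                  test_rows: Iterable[Dict[str, Any]]) -> List[str]:
    """Release gate: list every production identifier value that still appears
    anywhere in the test copy. An empty list means the copy may be shipped."""
    originals = {str(r[f]) for r in original_rows
                 for f in DIRECT_IDENTIFIERS if r.get(f) is not None}
    found = {str(v) for row in test_rows for v in row.values() if str(v) in originals}
    return sorted(found)


def build_test_dataset(key: bytes) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Produce the customers and contracts tables for a test environment,
    refusing to return anything if the leak check fails."""
    customers = pseudonymize_table(CUSTOMERS, key)
    contracts = pseudonymize_table(CONTRACTS, key)
    leaks = leaked_values(CUSTOMERS, customers + contracts)
    if leaks:
        raise RuntimeError(f"refusing to export test data, identifiers present: {leaks}")
    return customers, contracts


if __name__ == "__main__":
    demo_key = b"constructed-production-only-key"  # constructed; never hard-code a real key
    test_customers, test_contracts = build_test_dataset(demo_key)
    for row in test_customers + test_contracts:
        print(row)
```

The check in `build_test_dataset` is the part that maps to the regulator’s finding: it is the step that would have stopped an archive full of real names and document numbers from reaching an environment without production-level controls. Tokenizing `customer_id` consistently across both tables keeps the test data usable for the performance work the article describes, without any row being attributable to a real person.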
Concluding that there had been a breach of the principle of confidentiality and a failure to ensure the security of processing, the regulator imposed administrative fines of nearly $1.35 million (PLN 5 million) on Fortum and more than $67,000 (PLN 250,000) on Pika.
Supreme Court Reinstates the Regulator’s Findings
The Provincial Administrative Court in Warsaw initially overturned the regulator’s decision, finding that the authority had not sufficiently demonstrated the established facts and had not comprehensively assessed the evidence. It suggested that further analysis of technical standards, market practices, and the potential preventive effect of additional audits was required.
The Supreme Administrative Court disagreed.
In granting the cassation appeal, it held that the supervisory authority had clarified all relevant circumstances, comprehensively assessed extensive evidence, and consistently justified its conclusions. It found that the lower court had incorrectly applied procedural provisions when questioning the completeness of the factual findings.
The Supreme Administrative Court also rejected the provincial court’s suggestion that it was unclear whether a data “leak” had occurred or whether there had merely been a short-term opportunity for unauthorized access. The loss of confidentiality, it said, had been clearly established.
The lower court’s judgment was repealed, and the case was remitted for reconsideration. When reviewing the matter again, the Provincial Administrative Court in Warsaw is expected to acknowledge the completeness of the regulator’s factual findings as reflected in the collected evidence.
Contractual allocation of responsibilities does not dilute accountability. Oversight must be real, testing environments must be treated as risk surfaces, and confidentiality failures, even those born of system upgrades, will be scrutinized closely under the GDPR.