PIKA Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
Ngày ra quyết định
19 tháng 1, 2022
Thẩm quyền
Polish National Personal Data Protection Office (UODO)
PL
Ngành
Industry and Commerce
Quốc gia
PL
Luật
GDPRTrạng thái
FINALMô tả
The Polish DPA has fined PIKA Sp. z o.o. in the amount of EUR 53,000. The fine is related to a fine imposed on Fortum Marketing and Sales Polska S.A.. PIKA was acting as a processor for Fortum. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data.The data breach occurred at the time of the introduction of a change in the company's IT environment by PIKA. As part of this change, an additional Fortum customer database was created. However, the server on which the database was stored did not have sufficient security measures, which is why the unauthorized persons were able to access the data. The DPA also found that PIKA had failed to pseudonymize and encrypt the data. In addition, PIKA had used real customer data rather than test data to test the system changes. For this reason, the DPA concluded that PIKA had failed to take appropriate technical and organizational measures to ensure the protection of personal data.