
Case Study: How ignoring GDPR principles can cost millions – an analysis of errors by PANEK SA and ITCenter

At the end of last year, the President of the Personal Data Protection Office (UODO) issued a decision that resonated widely across the business world. PANEK SA was fined PLN 1,527,855, while its technology partner, ITCenter, was fined PLN 20,037. The case is not only a warning to companies but also a valuable source of lessons on how to avoid costly mistakes in personal data management.

A GDPR incident that cost one and a half million

The whole story began on April 17, 2020, when a serious information security incident occurred during the modernization of the PANEK SA website. Due to an error by an ITCenter employee, files from the old site were copied into a new folder on the web server that was publicly accessible, and a search engine bot indexed its contents. The result? The data of 21,453 individuals, both clients and employees, was exposed.

What did the database contain? Historical client data, such as:

  • Full names,
  • Residential addresses,
  • Email addresses,
  • Encrypted passwords for the website panel,
  • Phone numbers.

The most concerning records, however, were those containing PESEL numbers (Polish national identification numbers), which significantly increased the severity of the incident. A detailed description can be found in the decision of the President of the Personal Data Protection Office (UODO), reference DKN.5130.2415.2020, which describes the entire GDPR incident.

Guilty or victims? Differing perspectives

The UODO decision indicates that responsibility for this incident was shared, but with a clear emphasis on the data controller: PANEK SA.

The Controller argued that ITCenter bore full responsibility for the breach. An employee of that firm allegedly copied the files, without consultation, into a new folder that should have been hidden from public access. PANEK SA emphasized that it was unaware of this action.

In turn, the Data Processor pointed out that:

  1. They had informed the controller of the need to update the outdated content management system (CMS).

  2. They did not have full knowledge of the contents of the database, including whether it held personal data.

  3. Their actions were limited by the scope of the contract, which did not include comprehensive website security management.

Key errors on both sides

Deficiencies appeared on both sides, which ultimately led to the creation of the vulnerability and the disclosure of data.

The Controller failed to conduct a risk analysis. PANEK SA did not assess the impact of the changes on the security of personal data, even though the website modernization involved client and employee data. Furthermore, it neglected its duty of supervision by outsourcing the website modernization to an external company without actively monitoring that company's actions. It failed to ensure that the data handled by the processor was properly secured and did not verify whether the location where the database was stored ensured adequate confidentiality.

The Data Processor, on the other hand, neglected communication. ITCenter did not check whether the files containing personal data required additional safeguards. A further failure of the processor was the lack of effective technical measures: the solutions used did not guarantee the confidentiality of the data.

Why did UODO impose a higher fine on the controller?

GDPR clearly states that the controller is responsible for personal data protection. In this case, PANEK SA not only failed to provide adequate security but also failed to supervise the processor's work. Although ITCenter made mistakes, their scale was marginal compared to the negligence of the controller.

How to avoid similar incidents?

  1. Risk analysis: Every change to an IT system should be preceded by an assessment of its impact on personal data security.
  2. Active supervision: Outsourcing services to an external company does not release the controller from responsibility. Regular audits and tests are fundamental.
  3. Effective communication: The processor and the controller must cooperate, sharing key information and implementing appropriate safeguards.
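The technical root cause in this case was a migration leftover: a folder of old-site files, including a client database, sitting under the publicly served document root. The "regular audits and tests" in point 2, and the controller's duty to verify where the database is stored (described above), can be turned into a concrete pre-release check. The script below is an added example written for this article, not tooling used by PANEK SA or ITCenter: it walks a web root, flags files whose names or locations look like backups or exports, and flags text files that contain a syntactically valid PESEL number. The sample web root it builds (index.html, old/clients.csv, old/site.bak) and the PESEL value 44051401359 are constructed test data, not data from the incident.

```python
"""Pre-release check for a web document root: flag files that should never be
publicly served (dumps, backups, exports) and text files that appear to contain
PESEL numbers. Added example, not PANEK SA's or ITCenter's own tooling; the
sample directory layout and sample data are constructed for this demonstration."""
import os
import re
import tempfile

# File extensions that usually mean "migration leftover", not web content.
SENSITIVE_EXT = re.compile(
    r"\.(sql|sqlite|db|bak|old|orig|csv|xls|xlsx|zip|tar|gz|log|env)$", re.I)
# Directory names that commonly hold copied-over old sites or database dumps.
SENSITIVE_DIR = {"old", "backup", "backups", "bak", "dump", "dumps", "tmp"}
# An 11-digit run not adjacent to other digits is a PESEL candidate.
PESEL_CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")
# Official PESEL check-digit weights for the first ten digits.
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)


def is_valid_pesel(value: str) -> bool:
    """Return True if the 11-digit string has a correct PESEL check digit."""
    if len(value) != 11 or not value.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(value[:10], PESEL_WEIGHTS))
    return (10 - total % 10) % 10 == int(value[10])


def contains_pesel(path: str, max_bytes: int = 64 * 1024) -> bool:
    """Scan the first max_bytes of a text file for a valid PESEL number."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return False
    if b"\x00" in data:  # binary file: skip rather than decode garbage
        return False
    text = data.decode("utf-8", errors="replace")
    return any(is_valid_pesel(m) for m in PESEL_CANDIDATE.findall(text))


def scan_webroot(root: str) -> dict:
    """Return {relative_path: [reasons]} for every file that should not be public."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = set() if rel_dir == "." else set(rel_dir.split(os.sep))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            reasons = []
            if SENSITIVE_EXT.search(name):
                reasons.append("sensitive file extension")
            if parts & SENSITIVE_DIR:
                reasons.append("lives in a backup/old directory")
            if contains_pesel(full):
                reasons.append("contains a valid PESEL number")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root resembling a botched migration and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "old"))
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Welcome</body></html>\n")
    with open(os.path.join(root, "css", "style.css"), "w", encoding="utf-8") as fh:
        fh.write("body { margin: 0; }\n")
    # Constructed sample record; 44051401359 is a synthetic, check-digit-valid PESEL.
    with open(os.path.join(root, "old", "clients.csv"), "w", encoding="utf-8") as fh:
        fh.write("Jan Kowalski,44051401359,jan.kowalski@example.com\n")
    with open(os.path.join(root, "old", "site.bak"), "w", encoding="utf-8") as fh:
        fh.write("old site configuration\n")
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{path}: {', '.join(why)}")
```

Run against a real document root (for example `scan_webroot("/var/www/html")`) as a step in the deployment pipeline; any non-empty result should block the release until the files are moved outside the served tree or deleted. The PESEL check uses the standard weighted check digit, so it filters out most random 11-digit numbers, but a clean scan does not prove the absence of personal data: it is a cheap guard against the specific failure mode seen here, not a substitute for the risk analysis in point 1.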

The case of PANEK SA and ITCenter serves as a warning to all companies. This GDPR incident shows that personal data protection is an obligation that cannot be delegated entirely to external providers. Every process in which data is processed requires close cooperation and oversight. Ignoring these principles can be costly, not only financially but also in terms of reputation.

Another case of a high fine for a controller, even though it appeared the processor neglected security issues, can be found here:

Case study: Disabled antivirus and a 350,000 fine for a GDPR violation.

Is your company ready for such challenges?
