Enea S.A.: Insufficient fulfilment of data breach notification obligations

The Polish DPA (UODO) fined Enea S.A. EUR 30,000 for the controller's failure to report a personal data breach, in violation of Art. 33 (1) GDPR. The DPA received information about a personal data breach from a person who had become an unauthorized recipient of personal data. The breach consisted of sending an email with an unencrypted, non-password protected attachment that contained personal data of several hundred individuals. The sender of the email was an employee of the sanctioned controller.

GDPR Articles: Art. 33 (1) GDPR
Industry: Transportation and Energy