High fine imposed by the Polish Data Protection Authority for an infringement of the GDPR

Poland
Available languages: PL

Recently, the Polish Data Protection Authority (UODO) imposed a fine of EUR 660,000 (PLN 2,830,410) on Morele.net Sp. z o.o., a company operating in the e-commerce sector. This is the third fine imposed by the UODO for an infringement of the GDPR[1].

Background

  • The company, which administers a network of Internet shops, notified the UODO about two breaches of personal data protection which involved unauthorised access to a database comprising the data of approximately 2 million customers.
  • This data included information contained in approximately 35,000 credit applications, including information on alimony obligations.
  • The company learnt about the first breach from its customers, who had fallen victim to spear-phishing: text messages asking them to make an additional payment in order to complete an order. After this incident, the company implemented additional technical security measures, which did not, however, prevent a second, though smaller, breach a month later. The company informed its customers about each of the breaches.
  • After the breaches had been reported, the UODO carried out an audit in the company.

UODO’s charges

  • The most serious charge concerned an infringement of the rules of data confidentiality and security resulting from the company’s failure to apply appropriate technical and organisational measures.
  • The second charge concerned collecting data from installment credit applications without the data subjects’ consent (dating back to before the GDPR entered into force) and insufficient documentation of data processing. The authority, however, deemed this infringement to be less serious.

What the UODO took into account

  • In the UODO’s view, the company did not take into account the risk of unauthorised access to data and the use of phishing. The UODO referred to the standards PN-EN ISO/IEC 27001:2017-06 and PN-ISO/IEC 29115:2017-07, the guidelines of the European Agency for Network and Information Security (ENISA), the document “OWASP Top 10 – 2017” prepared by the OWASP Foundation, and the document “NIST 800-63B” of the US federal agency National Institute of Standards and Technology. The authority pointed out that access control and authorisation are the fundamental security measures protecting against unauthorised access. The choice of these measures should be preceded by a risk assessment and be subject to regular reviews. The authority also pointed out that the risk assessment should be appropriately documented, which the UODO believes was not done in this case.
  • Interestingly, although the company pointed out that the GDPR obliges data controllers to choose appropriate, i.e. adequate, security measures, the UODO decided that the data controller is obliged to verify both the choice and the effectiveness of the technical measures used. The fact that the company did not “eliminate the risk” of damage occurring was deemed by the UODO to be an aggravating circumstance, which had an impact on the amount of the fine imposed.
  • Another aggravating circumstance was the significant scale of the infringement, i.e. the situation brought about a high risk of negative legal implications for over 2 million people. In the UODO’s view, this supported the conclusion that the infringement was of a substantial gravity and serious nature.
  • The UODO also decided that the company processes data in a “professional” manner and is therefore subject to stricter requirements regarding data processing security, which also contributed to the amount of the fine.
  • Another interesting thing is the authority’s approach to the duration of the infringement. Though the UODO admitted that the infringement lasted for a relatively short time, given the significant number of people affected by it, the authority did not consider this fact as a mitigating circumstance.
  • Some of the most noteworthy mitigating circumstances taken into account by the UODO include the fact that the company took steps to eliminate the infringement and engaged in good co-operation with the authority during both the audit itself and the proceedings.
  • With regard to the second charge, the UODO pointed to the high importance of the processing documentation, such as collecting consents and carrying out risk assessment, which in its view the company did not do.

Conclusions

  • Before selecting and implementing technical and organisational security measures in an organisation, and in the course of applying them, one should carry out a risk assessment, which should make it possible to select appropriate (and, as the UODO understands it, also effective) security measures and apply them in practice.
  • All data processing operations conducted in an organisation should be documented.
  • Good co-operation with the authority at the audit stage and making efforts to eliminate the infringement will reduce the amount of any fine imposed by the UODO.

[1] Read here about the first fine imposed by the UODO.