Record-breaking GDPR fines

Over 1 billion zlotys - within two days the British Information Commissioner Office imposed a fine of this amount on two companies.

Krzysztof Grabowski

British Airways and the Marriott hotel chain are to pay £183 million and £99 million, respectively. In both cases, fines were imposed for leakage of personal data. Almost 4% of the world's population's personal data have been stolen from the databases of both companies. The largest amount of data was leaked from the Marriott database - the incident affects 339 million customers.  

Both companies have the possibility to appeal against the ICO decision and negotiate the amount of fines proposed.

What to do in case of detecting a data breach?

If a personal data breach already occurs, it is crucial to detect it as soon as possible and inform the data protection supervisory authority within 72 hours of its detection.
In the case of both companies punished by the ICO, the reaction to the incident was not immediate. Marriott waited 4 years to inform the public and the victims of the data leak about the incident. British Airways detected a breach more than 3 months after it occurred, which may indicate that the process was not sufficiently secure. In the case of loss of sensitive data, the time is decisive. In both cases, unauthorised persons received, among other things, credit card numbers of customers and, in the case of Marriott, also passport numbers.

In the event of a personal data breach, the safety of the injured party must be ensured as soon as possible. Communication, aimed at notifying about an incident and warning about potential risks, is crucial in this process.

Cases of data breach in Poland

In 2018, since the introduction of RODO, over 3,000 complaints have been filed with the Office for the Protection of Personal Data. In a dozen or so cases, the data leakage was of a very large scale. In December, the case of mass leakage of data from customers of the online store was famous on the Polish market.  The stolen data included names, surnames, PESEL number and the financial situation of 2.5 million customers of the company. Five months after the leak was reported to the affected persons, passwords and logins of customers were published on the Internet.  Currently, the case is being clarified by UODO.

For violation of RODO requirements, companies face penalties of up to €20 million or up to 4% of the company's annual global turnover.



Krzysztof Grabowski

Krzysztof Grabowski
Inspektor Ochrony Danych Osobowych
Crowe Advartis

[email protected]