Data leakage of more than two million users of the online store took place in December 2018. The incident involved the use of a method called phishing, aimed at the fraudulent attempt to obtain sensitive personal information. Data such as names, surnames, e-mail addresses and telephone numbers of online store users have fallen into the unauthorised hands. In the case of some persons the scope of the data was much wider - it also comprised the personal ID numbers (PESEL numbers), the series and the number of identity documents, educational background, registered address, correspondence address, source of income, amount of net income, the cost of maintaining a household, marital status, the amount of credit commitments or maintenance obligations.
The President of the Personal Data Protection Office, justifying the amount of this fine, pointed out that the store did not have the adequate protection against hacking attack. Moreover, he emphasized that the company, as the data controller, should have taken all necessary measures and due diligence when implementing technical and organisational measures in order to ensure security and confidentiality of the processed data.
The online store Morele.net has announced an appeal against this decision.
Financial penalties for GDPR infringements may even amount to EUR 20 million or they may constitute the amount of 4% of a company's total annual global turnover. In Poland the President of UODO when determining the amount of a fine considers 11 different factors. The factors include the purpose and scope of the data processed, the number of victims and the scope of the damage suffered, corrective actions, cooperation with the Office and the level of technical and procedural data protection.
The first penalty imposed since the adoption of the new regulations was a fine of PLN 943 thousand imposed this year in March to a private company for the breach of information obligation concerning the data of more than 6 million customers to whom the company sent E-correspondence. The President of UODO, justifying this decision, pointed out that the persons whose data were processed could not exercise their rights under the provisions of GDPR.
According to GDPR Today portal in Poland since 1 March 2019 the Personal Data Protection Office has received over 5.5 thousand complaints concerning GDPR infringements. From May 2018 to 13 August 2019 the Office conducted 113 controls in 28 private sector entities. Administrative proceedings on personal data protection breaches were initiated against 25% of audited entities.
Contact our expers