Background information
- Date of final decision: 16 November 2022
- National case
- Controller: P4 Sp. z o.o. (the legal successor of Virgin Mobile Polska Sp. z o.o.)
- Legal Reference: Integrity and confidentiality Article 5(1)(f), Accountability Article 5(2), Data protection by design and by default Article 25(1), Security of processing Article 32(1),(2)
- Decision: Administrative Fine
- Key words: electronic communications, re-examination
Summary of the Decision
Origin of the case
The Polish SA received a personal data breach notification in December 2019, in which the controller notified a breach of subscribers' personal data, consisting in an unauthorised person gaining access to the data and obtaining registration confirmations containing personal data.
As a result of an administrative proceedings, on 3 December 2020 the supervisory authority issued a decision, imposing an administrative fine of 439 510,59 EUR on Virgin Mobile Polska Sp. z o.o. The controller, however, challenged the decision requesting that it be revoked. In a judgment of 21 October 2021, the Voivodship Administrative Court revoked the appealed decision, stating that the complaint lodged by the Virgin Mobile was justified, although not all charges raised in it could be considered legitimate
Key Findings
The Court found the Polish SA’s assessment to be accurate. According to that assessment the procedures adopted by the company could have been effective if they had also included regulations on systematic testing, measuring and assessing the effectiveness of the technical and organisational measures adopted to ensure the security of data processing and which would have been observed by Virgin Mobile. The lack of regulations in place contributed to the personal data breach. However, the court pointed out that the supervisory authority had not sufficiently considered the circumstances in the form of the measures taken by Virgin Mobile to mitigate the damage suffered by individuals when determining the amount of the fine.
The Polish SA re-examined the evidence and again issued an administrative decision imposing a fine. The authority noted that Article 5 of the GDPR indicates the principles concerning the processing of personal data that must be respected by all controllers.
Decision
In the opinion of the Polish SA, Virgin Mobile infringed the principle of confidentiality, the proper implementation of which ensures that data is not made available to unauthorised persons, in the event of a personal data breach.
The subscribers' personal data breach occurred as a result of the exploitation of a vulnerability in the IT system. It is worth noting at this point that the measures adopted by Virgin Mobile could have been effective if, as part of the procedures implemented, they had also included regulations on systematic testing, assessing and evaluating the effectiveness of the technical and organisational measures adopted to ensure the security of personal data processing. Thus, in practice, the controller did not take such measures at all.
The Polish SA, finding a violation of the GDPR, decided to impose an administrative fine of 340 717,27 EUR on P4 Sp. z o.o., based in Warsaw, the legal successor of Virgin Mobile Polska Sp. z o.o.
For further information: decision in national language (PL)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.