European Data Protection Board

National News

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.
26 January 2021

The Italian SA (Garante per la protezione dei dati personali) imposed an immediate limitation on the processing performed by TikTok with regard to the data of users whose age could not be established with certainty.

The SA decided to take urgent measures (GDPR, Article 58(2)(f) and Article 66(1)) following the dismay caused by the death of a 10-year-old girl from Palermo.

In December, the Garante had already notified several infringements to TikTok including poor attention to the protection of minors, the easy dodging of the registration ban the company applies to children under 13 years, non-transparent and unclear information provided to users, and default settings falling short of privacy requirements.

Pending the response requested via that notification, the Garante nonetheless decided to step in now in order to afford immediate protection to the minors in Italy who have joined the social platform.

This is why the Italian SA banned TikTok from further processing the data relating to any user ‘whose age could not be established with full certainty so as to ensure compliance with the age-related requirements’.

The ban will apply provisionally until 15 February as the Garante plans to conclude its further assessment by that date.

The limitation order will be brought to the attention of the Irish SA, since TikTok recently communicated that it had set its main EU establishment in Ireland. 

To read the decision in Italian, click here.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
26 January 2021

The State Commissioner for Data Protection in Lower Saxony has imposed a fine of 10.4 million euros against notebooksbilliger.de AG. The company had been using video surveillance to monitor its employees for at least two years with no legal justification. Some of the areas recorded by the illegal cameras included workspaces, sales floors, warehouses and staff rooms.

The company claimed the video cameras had been installed to prevent and investigate criminal offences and to track the flow of goods in warehouses. In order to prevent theft, however, a company must first implement less severe means (e.g. random bag checks when leaving the business premises). Furthermore, video surveillance may only be used to investigate crimes if specific individuals are reasonably suspected of committing such offences. If this is the case, the company may be allowed to monitor the individuals with cameras for a limited period. However, notebooksbilliger.de had not limited its video surveillance to specific employees or a specific period. In addition, many of the recordings were saved for 60 days, which is much longer than necessary.

General suspicion is not enough

“This is a serious case of workplace surveillance”, says the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel. “Companies have to understand that such intensive video surveillance is a major violation of their employees’ rights”. While businesses often argue that video surveillance can be effectively used to deter criminals, this does not justify the permanent and unjustified interference with the personal rights of their employees. “If that were the case, companies would be able to extend their surveillance without limit. Employees do not have to sacrifice their personal rights just because their employer puts them under general suspicion”, explains Thiel. “Video surveillance is a particularly invasive encroachment on a person’s rights, because their entire behaviour can theoretically be observed and analysed. According to the case law of the Federal Labour Court, this can put staff under pressure to act as inconspicuously as possible to avoid being criticised or sanctioned for their behaviour”.

The customers of notebooksbilliger.de were also affected by the illegal video surveillance, because some cameras were directed at seating on the sales floor. In areas where people typically spend more time (e.g. to try out devices), data subjects have high legitimate interests. This is especially true for seating areas, where customers are clearly invited to take their time. Therefore, the video surveillance used by notebooksbilliger.de was not justified.

The fine of 10.4 million euros is the highest penalty that has ever been imposed by the State Commissioner for Data Protection in Lower Saxony under the General Data Protection Regulation (GDPR). The GDPR enables supervisory authorities to impose fines of up to 20 million euros – or up to 4% of a company’s total annual turnover worldwide – whichever is higher. The fine imposed against notebooksbilliger.de is not yet legally binding. The company has since arranged its video surveillance in accordance with the law and proved this to the State Commissioner for Data Protection in Lower Saxony.

The State Commissioner for Data Protection in Lower Saxony provides more information on video surveillance here.

For more information please contact the Lower Saxony DPA here: poststelle@lfd.niedersachsen.de

26 January 2021

The Dutch Data Protection Authority (DPA) has issued a formal warning to a supermarket for its use of facial recognition technology. Although the facial recognition technology has been disabled since December 2019, the supermarket wished to turn it back on.

The supermarket claims that it used facial recognition technology to protect its customers and staff and to prevent shoplifting. The technology was connected to cameras at the store’s entrance.

The technology scanned the face of everyone who entered the store and compared it to a database of people who had been banned from entering stores. The faces of people who had not been banned were deleted after several seconds.

Following reports in the media, on 6 December 2019 the DPA requested information from the owner of the supermarket. On 8 December 2019, the supermarket disabled the facial recognition technology. The owner indicated in documents provided to the DPA, however, that he wished to turn it back on.

Ban on facial recognition technology

‘It’s unacceptable for this supermarket – or any other store in the Netherlands – to just start using facial recognition technology,’ says Monique Verdier, deputy chairperson of the DPA. ‘Use of such technology outside of the home is banned in nearly all cases. And that’s for good reason.’

Walking bar codes

‘Facial recognition makes us all walking bar codes,’ explains Verdier. ‘Your face is scanned every time you enter a store, a stadium or an arena that uses this technology. And it’s done without your consent. By putting your face through a search engine, there is a possibility that your face could be linked to your name and other personal data. This could be done by cross-checking your face with your social media profile, for example.’ 

‘The technology can then decide what to do with the information: Are you suspected of something? Are you of interest as a customer? Is there value in monitoring your purchasing behaviour and creating a profile for you? If we have cameras with facial recognition technology everywhere, everything and all of us can be continuously monitored.’

Two exceptions

Facial recognition technology uses biometric data to identify people. The use of facial recognition for security is prohibited in all but two situations.

The first is if the people have given explicit consent for their data to be processed. Here, although the owner of the supermarket claims customers had been warned that the store used facial recognition technology, the customers did not give explicit consent for this.

‘The presumption that silence equals approval does not work here,’ says Verdier. ‘Simply entering the supermarket doesn’t count as giving consent.’

The other exception is if facial recognition technology is necessary for authentication or security purposes, but only in so far as substantial public interest is concerned. The supermarket claims that this is the case. The DPA considers that it is not.

‘The only example that the law gives is for the security of a nuclear power plant,’ explains Verdier. ‘The bar is therefore very high. Preventing shoplifting is of a completely different magnitude than preventing a nuclear disaster.’

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

26 January 2021

Following an investigation, the Dutch Data Protection Authority (DPA) found that the way health insurer CZ handled applications for prior approval of treatment was in breach of the General Data Protection Regulation (GDPR). According to the DPA’s investigation, in a number of cases CZ processed more medical data than was necessary for the assessment of applications for the reimbursement of costs for rehabilitation care. The applications in question were from insured persons who required specialised medical rehabilitation, following a complex fracture or due to a motor disorder for example. For this breach of privacy legislation, the DPA has imposed an order subject to penalty on CZ.

To cover specialised medical rehabilitation, health insurer CZ requires insured persons to apply for prior approval (authorisation requirement). CZ can set additional conditions for such approval.

Twelve insured persons requested that the DPA take enforcement action against CZ. They argued that CZ had processed too much personal data – including sensitive personal data – when assessing their applications for rehabilitation care.

In breach of privacy legislation (GDPR)

The DPA found that, when assessing the applications of four insured persons, CZ processed more medical data than was necessary and was therefore in breach of the GDPR. According to the DPA’s investigation, CZ’s policy led to more personal data being provided than was necessary for such an assessment.

CZ appealed against the DPA’s decision. The DPA and CZ have, however, also already made a number of agreements, and CZ has taken several measures as a result, such as deleting from its systems the data in question of the twelve insured persons and removing the policy document on applications for prior approval from its website.

When assessing applications for prior approval for specialised outpatient medical rehabilitation, CZ will determine on a case-by-case basis whether additional data is necessary. This will be based on the information that is required according to professional frameworks and the position of the National Health Care Institute.

CZ and the DPA will continue to discuss possible adjustments to the way applications for prior approval are handled, to ensure it is in compliance with the GDPR.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

26 January 2021

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 25 000 (over EUR 5 850) on the Medical University of Silesia for failing to notify a personal data breach at the university, which the controller should have notified not only to the supervisory authority but also to the persons affected by the incident.

Besides the imposed fine, the supervisory authority also ordered the university to notify the persons affected by the breach that occurred in connection with the examinations conducted in the form of videoconference on the special e-learning platform.

Signals that a data protection breach had occurred at the Medical University of Silesia reached the UODO in early June 2020. The information and the description in the complaint indicated that students had been identified during examinations held at the end of May 2020 in the form of a video conference. After the examination ended, the recordings were available not only to the examined students but also to others who had access to the system. Moreover, anyone with the direct link could access the examination recordings and the personal data the students had presented during identification.

Because the information indicated that a high risk to the rights and freedoms of the persons who took the examination could have arisen, the UODO asked the controller to clarify the situation. In reply, the controller argued that it had not been necessary to notify the Office of the breach, as in its opinion the risk to the rights or freedoms of the persons affected was low. It added that, after the incident, the system had been modified so that files with recordings of examinations could not be shared by mistake, and that it had identified the persons who downloaded the examination file and notified them of their responsibility for using the data.

However, the university still did not notify the data breach and did not inform the persons affected by the incident. It failed to do so despite a further letter from the UODO setting out the situations in which a data breach must be notified to the supervisory authority and the affected persons must also be informed. Administrative proceedings were therefore instituted. In their course, it was established that the breach occurred because one of the employees, after the examination on the e-learning platform had finished, did not close access to the virtual room in which the test was held. As a result, the examination recordings could be downloaded. Since the students had been identified before the examination on the basis of their identity cards or student IDs, a range of their personal data was captured in the recordings. The scope of data differed between individuals depending on the type of identity card or student ID used, but in some cases it included an image, a PESEL number (personal identification number), an identity document number or student record (album) number, a name and surname, and an address of residence. Due to the breach, unauthorised persons could also view other data such as the year of study, group, field of study, the subject being examined, or the answers given during the examination.

The Office found that a data breach had occurred and that the controller had failed to comply with its obligations to notify both the supervisory authority and the persons affected by the breach. Those obligations arise when the breach creates a high risk to the rights or freedoms of the persons affected (e.g. the risk that liabilities are incurred in someone's name using their data). The controller had therefore assessed the risk incorrectly.
In its decision, the UODO also indicated that it is irrelevant, as the controller argued, that the file with the recording of the examination was downloaded by only 26 persons, since there is no certainty that it will not be passed on further to unauthorised persons.

In the Office's opinion, the responsibility for these data lies with the controller, and not with the persons who downloaded the file with the course of the examination after it had finished. It was due to the controller's negligence that a breach occurred, resulting in a high risk for students' rights and freedoms.
The supervisory authority welcomed the changes implemented on the e-learning platform, which prevent students from downloading examination files and should prevent similar situations in the future.

When imposing the fine for failing to notify the supervisory authority and to inform the persons concerned, the President of the Office took into account, among other things, the duration of the breach (several months passed between the breach and the issuing of the decision), the intentional conduct of the controller, which decided not to notify the breach and not to inform the students, and the controller's unsatisfactory cooperation with the authority (it did not notify the breach despite the letters sent and the proceedings initiated).

The fine is intended to fulfil not only a repressive but also a preventive function, showing that the obligations arising in connection with a personal data breach cannot be neglected, especially since an inappropriate approach to the obligations imposed by the GDPR may have adverse effects for the persons affected by such breaches.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

26 January 2021

The Norwegian Data Protection Authority has notified Grindr LLC (Grindr) that we intend to issue an administrative fine of NOK 100 000 000 for not complying with the GDPR rules on consent. 

- Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Grindr is a location-based social networking app for gay, bi, trans, and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr. 

Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.

- The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Invalid consents

The Norwegian Data Protection Authority considers that as a general rule, consent is required for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering. The same applies where a commercial app wishes to share data concerning users’ sexual orientation.

Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties. Furthermore, the information about the sharing of personal data was not properly communicated to users. We consider that this was contrary to the GDPR requirements for valid consent. 

- Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away, Thon added.

Could result in highest Norwegian DPA fine to date

An administrative fine should be effective, proportionate and dissuasive. 

- We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR. Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it “consents”. It is imperative that such practices cease, Thon emphasised.

We have based our calculations on a conservative estimate of Grindr’s worldwide annual turnover, according to which the turnover approaches € 100 000 000. This means that our proposed fine will constitute approximately 10 % of the company’s turnover.

Applicability of the GDPR

Although Grindr does not have any establishments within the EEA, the company is subject to the GDPR by virtue of its Article 3(2). Pursuant to this provision, the GDPR applies to controllers that offer goods or services to, or that monitor the behaviour of, people in the EEA.

Our investigation has focused on the consent mechanism in place from the date the GDPR became applicable until April 2020, when Grindr changed how the app asks for consent. We have not to date assessed whether the subsequent changes comply with the GDPR.

Not a final decision

The document we have issued to Grindr is a draft decision. Grindr has been given the opportunity to comment on our findings by 15 February 2021. We will make our final decision once we have assessed any remarks the company may have.

Our draft decision concerns the free version of the Grindr app.

The Norwegian Consumer Council also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly known as AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are ongoing.

You can read the press release on the Norwegian DPA's website here.

For more information, please contact the Norwegian DPA: International@datatilsynet.no

13 January 2021

The failure to identify and remove a threat quickly led ID Finance Poland to a loss of data. The President of the Personal Data Protection Office (UODO) therefore found that the company had not implemented appropriate technical and organisational measures, which resulted in a breach of the confidentiality of personal data, and imposed an administrative fine of over PLN 1 million (EUR 250,000) on the company.

The fined company (owner of the lending platform MoneyMan.pl) did not respond adequately to a warning about gaps in its security. It did not check quickly enough the information that its customers' data was accessible on one of its servers. The warning was not treated seriously, so a few days after the company received it, an unauthorised person copied the data and then deleted it from the server, demanding a ransom for its return. Only then did the company start analysing the security of its servers, notifying the data breach to the supervisory authority at the same time.
In the proceedings, the UODO established that the breach followed a failure to restore the appropriate security configuration after one of the servers operated by the processor (a hosting company) was restarted. The controller was notified of this by a cybersecurity specialist who had detected the vulnerability and pointed to sample records that were publicly accessible. Instead of diligently checking the report and monitoring whether the processor dealt properly with the security check, the controller wondered whether the report was an attempt to extract further data, as it indicated in its correspondence with the processor. As a result, the identified vulnerability was not checked immediately, and a few days later the data was stolen from the server.

This breach would not have occurred if the controller had immediately reacted appropriately to the information that the data on his server was unsecured. In the opinion of the Personal Data Protection Office, the controller should maintain the ability to quickly and effectively identify any breaches in order to be able to take appropriate action. Moreover, the controller should be able to quickly investigate the incident in terms of whether there has been a data breach and take appropriate remedial action.

The supervisory authority also found that the processor's failure to respond quickly enough to the report of a system vulnerability does not exclude the controller's responsibility for the data breach. The controller must be able to detect, address and notify a data breach; this is a critical element of its technical and organisational measures.

In the opinion of the UODO, the company, despite promptly providing the processor with information about a potential vulnerability in the server's security, did not take sufficient action. The proceedings showed that the controller briefly analysed the signal received, did not take it seriously and did not oblige the processor to deal with the case properly. 

When imposing a fine for the loss of confidentiality of personal data caused by a series of failings by the controller, the UODO took into account the scale of the breach and the scope of the stolen data. In addition, because unencrypted passwords were also leaked, the data can be used to log in to customers' accounts on other websites where they used the same login (e.g. e-mail address) and password. In setting the amount of the fine, the authority also took into account the controller's delay in taking preventive measures.
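The credential-stuffing point above is why passwords are stored as salted, deliberately slow hashes rather than in plaintext: a leaked hash is not a password an attacker can type into another site. The following Python is an illustration added here; it is not code from ID Finance Poland or from the UODO decision, and the page does not describe how the company stored credentials. The sample records, field names and the PBKDF2 iteration count are assumptions. It shows a constructed customer table in plaintext form, its migration to PBKDF2-HMAC-SHA256 records, and which records would still hand an attacker a directly reusable credential.

```python
import hashlib
import hmac
import secrets

# Constructed sample of what a leaked customer table looks like when the password
# column is stored in plaintext (not data from the case).
PLAINTEXT_RECORDS = [
    {"email": "alice@example.com", "password": "Summer2020!"},
    {"email": "bob@example.com", "password": "hunter2"},
]

# Assumption: PBKDF2-HMAC-SHA256 work factor per current OWASP guidance; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest' (hex fields).

    A fresh random salt per user means two customers with the same password get
    different records, so a leaked table cannot be attacked with one lookup table."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate(records: list) -> list:
    """Replace the plaintext column with hashed records (the one-off migration step)."""
    return [{"email": r["email"], "password_hash": hash_password(r["password"])} for r in records]


def reusable_credentials(records: list) -> list:
    """Accounts whose leaked record hands an attacker a password that can be tried
    directly against other services (the credential-stuffing exposure the UODO cites)."""
    return [r["email"] for r in records if "password" in r]
```

Hashing is damage limitation, not a substitute for the obligations the decision describes: after a leak of hashed records, weak passwords can still be recovered offline, so the breach still has to be assessed and notified, and affected customers still need a forced password reset.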

The fine should fulfil both a repressive and a preventive function. In the authority's opinion, it should prevent similar breaches in the future, both at the fined company and at other controllers.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

13 January 2021

Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. (WARTA S.A. Insurance and Reinsurance Company) infringed the provisions of the General Data Protection Regulation, because it did not notify a personal data breach to the President of the Personal Data Protection Office. The supervisory authority therefore imposed a fine on the company in the amount of PLN 85 588 (EUR 20,000).

In May 2020, the Personal Data Protection Office (UODO) received information from a third party about a personal data breach: an insurance agent, acting as a processor for WARTA S.A. Insurance and Reinsurance Company, had e-mailed an insurance policy to an unauthorised addressee.

The attached document contained personal data in the scope of, among others, names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of insurance (passenger car). Important in this case is the fact that the supervisory authority has been informed of the personal data breach by an unauthorised addressee who has taken possession of documents not intended for him or her, and the confidentiality of the persons concerned has been breached. 

Therefore, the supervisory authority requested the Company to clarify whether, in connection with sending of electronic correspondence to an unauthorised recipient, an analysis was carried out in terms of the risk to the rights and freedoms of natural persons necessary to assess whether there was a data protection breach resulting in the need to notify the UODO and the persons affected by the breach. In the letter, the supervisory authority indicated to the company how it could notify the breach and called for explanations. 

The company confirmed that an incident involving a personal data breach had occurred and that an assessment of the risk to the rights and freedoms of natural persons had been carried out. On the basis of that assessment, the fined company concluded that the breach did not require notification to the UODO. The company took the view that the breach was caused by the insurance policy document being sent to a wrong e-mail address indicated by the customer himself or herself. In addition, after the unauthorised recipient contacted the company, the company asked him or her to permanently delete the message and to confirm its deletion.

Despite the letter from the UODO requesting clarification, the company still did not notify the personal data breach and did not communicate the incident to the persons affected by it. The supervisory authority therefore initiated administrative proceedings. It was only as a result of the initiation of the proceedings that the company notified the personal data breach and informed the two persons affected by it.

Such conduct by the company resulted in a long duration of the breach, which must be regarded as an aggravating circumstance. All the more so, since five months had elapsed between the company being informed of the personal data breach and its notification of the breach to the supervisory authority.

In the course of the proceedings, the UODO considered that the fact that the breach occurred as a result of a mistake by a customer who provided the wrong e-mail address does not mean that the event ceases to qualify as a personal data breach. When allowing e-mail to be used for communication with the customer, the controller should be aware of the associated risks, for example an incorrect e-mail address being provided by the customer. Therefore, in order to minimise these risks, the controller should take appropriate organisational and technical measures, such as verifying the address provided or encrypting the documents sent in this way.

Also, the fact that the wrong recipient was asked to permanently delete the correspondence received cannot establish that the risk to the rights and freedoms of the data subjects is not high. The controller cannot be sure that the unauthorised addressee has not, for example, made a copy of the documents or otherwise recorded them.

When imposing an administrative fine, the President of the UODO also took into account mitigating circumstances, such as the fact that the breach concerned the personal data of two persons and that the company asked the wrong recipient to permanently delete the correspondence received. However, it is worth mentioning that a request for deletion of data is not tantamount to a guarantee that the data is actually erased by the unauthorised person, and does not preclude possible negative consequences of its use.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
13 January 2021
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 1.9 million (EUR 460,000) on Virgin Mobile Polska for failing to implement appropriate technical and organisational measures to ensure the security of the processed data.

UODO stated that the company infringed the principles of data confidentiality and accountability specified in the GDPR. Virgin Mobile did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when a vulnerability was suspected or in connection with organisational changes. Moreover, no tests were carried out to verify the safeguards related to the transfer of data between the applications used to service buyers of prepaid services. In addition, the vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data on some of the company’s clients.

In connection with a data breach, as a result of which an unauthorised person obtained customers' data from one of the databases, the Supervisory Authority carried out an inspection at the company. As a result of the irregularities found, the authority instituted administrative proceedings, which concluded with the imposition of a fine.

In the course of the proceedings, the UODO disagreed with the controller, which claimed to have tested and monitored the technical and organisational measures taken to ensure the security of personal data. The Supervisory Authority considered that these activities were neither regular nor comprehensive, as they were carried out only incidentally and did not cover all the systems in which the data was processed.

In the course of the proceedings, it turned out that data exchange between applications in the IT system was supposed to take place only after verification of certain parameters from the registration applications of prepaid services’ customers. The aim was for the programme to check whether the request for the transfer of the data had been received from the authorised entity. In practice, this verification did not work, and the mechanism had not been tested before its implementation. The vulnerability in this process (consisting in the failure to verify the relevant parameters) was used by an unauthorised person to obtain the data. It was only after this incident that appropriate activities were undertaken to repair this functionality in the company’s IT system.
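To make the failure mode concrete, here is an added illustration (not Virgin Mobile's code, whose actual mechanism the decision does not describe): an internal data store that is supposed to serve customer records only to an authorised calling application, shown once with the request parameters received but never checked, once with an HMAC-based check, and with the kind of regression check the decision says was missing before deployment. The application names, secret and customer record are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed: shared secrets for the applications allowed to request records.
AUTHORISED_APPS = {"registration-app": b"constructed-secret-key"}

# Constructed customer store; no real data.
STORE = {"C-1001": {"name": "Constructed Customer", "plan": "prepaid"}}


def sign_request(app_id, secret, payload):
    """Caller side: tag the request with an HMAC over the app id and payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(secret, app_id.encode() + b"\n" + body, hashlib.sha256).hexdigest()
    return {"app_id": app_id, "payload": payload, "signature": tag}


def handle_request_unchecked(request, store):
    """Failure mode from the decision: the parameters arrive but are never
    verified, so any caller that knows a customer id receives the record."""
    return store.get(request["payload"]["customer_id"])


def handle_request_checked(request, store):
    """Hardened form: serve the record only if the app id is known and the
    signature verifies over exactly the app id and payload that were signed."""
    secret = AUTHORISED_APPS.get(request.get("app_id"))
    if secret is None:
        return None
    expected = sign_request(request["app_id"], secret, request["payload"])["signature"]
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return None
    return store.get(request["payload"]["customer_id"])


def regression_check():
    """The pre-deployment test that was missing: confirm the verification really
    rejects unsigned, tampered and unknown-application requests."""
    good = sign_request("registration-app", AUTHORISED_APPS["registration-app"],
                        {"customer_id": "C-1001"})
    unknown_app = dict(good, app_id="unknown-app")
    tampered = dict(good, payload={"customer_id": "C-1001", "extra": True})
    unsigned = {"app_id": "registration-app", "payload": {"customer_id": "C-1001"}}
    return {
        "unchecked_leaks_to_unsigned": handle_request_unchecked(unsigned, STORE) is not None,
        "checked_serves_authorised": handle_request_checked(good, STORE) is not None,
        "checked_rejects_unknown_app": handle_request_checked(unknown_app, STORE) is None,
        "checked_rejects_tampered": handle_request_checked(tampered, STORE) is None,
        "checked_rejects_unsigned": handle_request_checked(unsigned, STORE) is None,
    }


if __name__ == "__main__":
    print(regression_check())
```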

The Supervisory Authority considered that the implementation of a data processing system for use without proper validation of assumed parameters was a flagrant breach by the controller.

In imposing a fine, the UODO took into account that the breach committed by the operator was serious, as it posed a high risk of adverse legal effects for a large number of persons (e.g. the risk of identity theft). It should be remembered that although unauthorised persons had only short-term access to the systems, this was sufficient to collect large amounts of data. Moreover, the breach itself was long-term, as the vulnerability enabling the data leakage had existed for a long time.

The Office also took into account mitigating circumstances, such as the good cooperation of the controller, the quick remediation of the breach after its detection, and the implementation of additional solutions to further improve the security of the data processed.

However, given the scale and gravity of the breaches, the UODO considered that it would be disproportionate to apply remedies other than an administrative fine.

The fine is intended to prevent the company from committing similar negligence in the future.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl
