Fine for insufficient organisational and technical safeguards
The President of the Personal Data Protection Office imposed a fine in the amount of more than PLN 2,8 million on Morele.net.
The company’s organisational and technical measures for the protection of personal data were not appropriate to the risk posed by the processing, with the result that the data of about 2,2 million people fell into the wrong hands. There was also a lack of appropriate response procedures for dealing with the emergence of unusual network traffic, concluded the President of the Personal Data Protection Office (UODO).
While imposing a fine, the supervisory authority concluded that the breach which took place in this case was of considerable importance and of serious character, and concerned a large number of persons. In its decision, the supervisory authority also pointed out that, as a result of the infringement, there was a high risk of adverse effects on persons whose personal data fell into the wrong hands, such as identity theft.
The data concerned included in particular: name and surname, phone number, email, delivery address. However, in the case of about 35000 people, the data leaked from their installment loan application. The scope of the data comprised the personal ID number (PESEL number), the series and the number of the identity document, educational background, registered address, correspondence address, source of income, amount of net income, the cost of living of the household, marital status, as well as the amount of credit commitments or maintenance obligations.
In the decision imposing the fine, the President of UODO concluded that the company, by failing to apply the required technical means of data protection, had breached, inter alia, the principle of confidentiality set out in Article 5(1)(f) of the GDPR. As a result, customers’ data were accessed and obtained without authorisation. The authority found that the measure put in place for authenticating access to the data was ineffective. The company implemented additional technical security measures after the breach.
The investigation revealed that the infringement also occurred because of ineffective monitoring of potential risks. The investigation revealed other misconduct as well, but it was the lack of appropriate technical measures (insufficient safeguards) and organisational measures (monitoring of potential risks related to atypical online behaviour) that led to the imposition of the fine. In determining its amount, however, the President of UODO took account of mitigating circumstances, such as the action taken by the company to put an end to the infringement, good cooperation with the controller and the fact that the company had not breached personal data protection law before.
The Polish text of the decision in this regard is available at: https://uodo.gov.pl/decyzje/ZSPR.421.2.2019