The President of the Polish Personal Data Protection Office has imposed a penalty of PLN 1.9M on Virgin Mobile Polska for its failure to implement the relevant measures ensuring the security of the data processed.
The President concluded that the company has failed to carry out regular and comprehensive tests, measurements, and evaluations of the technical and organizational measures used to guarantee the security of the data processed, taking actions in this respect only incidentally, in connection with suspected vulnerabilities or organizational changes. There were also no tests in terms of security measures related to transferring data between applications used with respect to buyers of prepaid services. These irregularities resulted in an unauthorized person obtaining access to the data of the clients in one of the databases.
The amount of the penalty was influenced by the fact that the violation was a material one since it has created a high risk of negative consequences for a large number of persons (e.g. the risk of identity theft). The short duration of data access the unauthorized persons had was of no importance, as it was sufficient to download a large volume of data. Additionally, the violation itself lasted for a long time: the President concluded that vulnerability to data leaks existed a long time before it actually happened.
This is another case of a personal data leak that shows how important it is for entities processing personal data to comply with the provisions of the GDPR, including the principle of data confidentiality and accountability, in particular by means of regularly, and not only incidentally, testing the technical measures used to protect personal data.
Not sure who to entrust with handling the legal aspects of your personal data processing? At our Law Firm, we have a number of GDPR specialists, including Michał Czuryło, Attorney-at-Law, and Barbara Miziołek, Attorney-at-Law. Contact them:
Michał Czuryło | email@example.com | +48 504 035 553
Barbara Miziołek | firstname.lastname@example.org | +48 508 061 790