UODO (Poland) - DKN.5112.1.2020: Difference between revisions

From GDPRhub
 

Latest revision as of 15:35, 3 January 2023

UODO - DKN.5112.1.2020
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 83(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 01.01.2021
Decided: 16.11.2022
Published: 07.12.2022
Fine: 1,968,524 PLN
Parties: Virgin Mobile Polska Sp. z o. o.
National Case Number/Name: DKN.5112.1.2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO Government website (in PL)
Initial Contributor: n/a

The Polish DPA fined Virgin Mobile €460,000 for lack of appropriate technical and organisational measures, which resulted in a data breach affecting over 114,000 persons.

English Summary

Facts

Virgin Mobile Polska S.A. (the controller) is a telecommunications services provider who offers pre-paid services to its subscribers. In December 2019, an unauthorised person gained access to 142,222 records with confirmations of registration for prepaid services. The data breach affected 114,963 persons whose first and last name, personal identification number, series and number of ID card, telephone number, and other personal data were accessed.

The controller reported this data breach to the Polish DPA, who initiated an investigation. During the course of the investigation, the DPA received oral explanations from the controller regarding the data breach as well as a detailed account of the incident. Reportedly, the controller adopted measures to rectify the deficiencies and vulnerabilities in its IT system. Based on the information provided by the controller, the DPA opened ex officio proceedings for the failure to implement appropriate technical and organisational measures ensuring an appropriate level of security.

Holding

The DPA recalled that Article 24(1) GDPR sets out the basic obligation of the controller to comply with the principles under Article 5 GDPR, including the principle of confidentiality.

Additionally, Article 32 GDPR obliges the controller to implement appropriate technical and organisational measures to ensure security of data processing. The DPA held that the controller failed to comply with the obligations under Article 32(1)(b) and (d) GDPR. Specifically, the data breach occurred as a result of the exploitation of a vulnerability in the IT system allowing unauthorised access to personal data. The DPA considered the measures adopted by the controller as not appropriate because their implementation should have included regular testing, measurement and assessment of effectiveness.

The DPA also found a violation of Article 25(1) GDPR because the controller failed to implement obligations imposed by the Polish Anti-Terrorist Activities Act. The DPA recalled that "data protection by design" refers to a variety of measures and necessary safeguards to protect the rights of data subjects, not only encryption and pseudonymisation.

Moreover, the DPA stated that Article 5(2) GDPR requires controllers to demonstrate compliance with the data processing principles. The fact that the controller did not know whether, and for how long, the attacker may have had access confirmed that the technical and organisational measures implemented by the controller were insufficient. The lack of this information proved a lack of control over data processing. This, in turn, constituted a breach of the principle of accountability under Article 5(2) GDPR.

Taking into account the above-discussed findings, the DPA also held that the controller violated Article 24(1) GDPR by not fulfilling its responsibilities as a controller under the GDPR. Pursuant to Articles 58(2)(i) and 83 GDPR, the DPA imposed a PLN 1,968,524 fine on the controller for the above-discussed GDPR violations.


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT OF THE PERSONAL DATA PROTECTION OFFICE

Warsaw, November 16, 2022

DECISION

DKN.5112.1.2020

Based on Art. 104 § 1 of the Act of June 14, 1960 Code of Administrative Procedure (Journal of Laws of 2022, item 2000), art. 7 sec. 1, art. 60, art. 101 and art. 103 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and art. 57 sec. 1 lit. a) and h), art. 58 sec. 2 lit. i), art. 83 sec. 1-3, art. 83 sec. 4 lit. a) in connection with art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b) and ... d) and art. 32 sec. 2, as well as art. 83 sec. 5 lit. a) in connection with art. 5 sec. 1 lit. f) and art. 5 sec. 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4/05/2016, p. 1, as amended), hereinafter referred to as Regulation 2016/679, after conducting administrative proceedings initiated ex officio in the case of an infringement of the provisions on the protection of personal data by Virgin Mobile Polska Sp. z o.o. (KRS No. 217207), whose legal successor is P4 Sp. z o.o. with its seat in Warsaw at ul. Wynalazek 1 (KRS No. 415094), the President of the Office for Personal Data Protection,



finding that Virgin Mobile Polska Sp. z o.o. (KRS No. 217207), whose legal successor is P4 Sp. z o.o. with its seat in Warsaw (KRS No. 415094), infringed the provisions of art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b) and ... d) and art. 32 sec. 2 of Regulation 2016/679, the infringement consisting in the failure of Virgin Mobile Polska Sp. z o.o., whose legal successor is P4 Sp. z o.o. with its seat in Warsaw, to implement appropriate technical and organizational measures ensuring a level of security corresponding to the risk of data processing in the IT systems used to register personal data of subscribers of pre-paid services, which led to an unauthorized person gaining access to these data, which also constituted a violation of the principle of integrity and confidentiality referred to in art. 5 sec. 1 lit. f) of Regulation 2016/679 and was related to a violation of the accountability principle referred to in art. 5 sec. 2 of Regulation 2016/679, imposes on P4 Sp. z o.o. with its seat in Warsaw, for the violation of art. 5 sec. 1 lit. f), art. 5 sec. 2, art. 25 sec. 1, art. 32 sec. 1 lit. b) and ... d) and art. 32 sec. 2 of Regulation 2016/679, an administrative fine of PLN 1,599,395.00 (in words: one million five hundred ninety-nine thousand three hundred ninety-five zlotys).





JUSTIFICATION



On December 24, 2019, the Office for Personal Data Protection received a notification of a personal data breach, registered under reference number [...], submitted by Virgin Mobile Polska Sp. z o.o., now P4 Sp. z o.o. as a result of the merger of Virgin Mobile Polska Sp. z o.o. (hereinafter: "Virgin") with P4 Sp. z o.o. (hereinafter: "P4 Company") on [...] May 2022, pursuant to the decision of the Registry Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register (case reference: [...]). The merger took place pursuant to Art. 492 § 1 item 1 of the Code of Commercial Companies[1] by transferring all assets of Virgin Mobile Polska sp. z o.o. (the "acquired company") to P4 sp. z o.o. (the "acquiring company") (merger by acquisition).

In the notification, Virgin reported a breach of the protection of personal data of subscribers of prepaid services, consisting in an unauthorized person gaining access to these data and obtaining 142,222 records of confirmations of registration of prepaid services, containing the personal data of 114,963 customers, namely name, surname, PESEL registration number, ID card series and number, telephone number, NIP number and name of the entity. The reported incident took place in the period from [...] to [...] December 2019. Due to the scope of the disclosed personal data, the breach resulted in a high risk to the rights and freedoms of natural persons.

In connection with the reported breach, the President of the Office for Personal Data Protection (hereinafter also referred to as the "President of the Office" or "President of the Personal Data Protection Office") decided to conduct an inspection at Virgin of the compliance of personal data processing with the provisions on the protection of personal data, i.e. with Regulation 2016/679 and the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781). The scope of the inspection covered the method of personal data processing, including the method of their protection, as part of the provision of telecommunications services to subscribers of prepaid services. In the course of the inspection (inspection reference […]), oral explanations were received from Virgin employees and the A system used to register the personal data of subscribers of pre-paid services was inspected. The facts are described in detail in the inspection report signed by the Company's Management Board.

During the inspection it was found that:

1) The subject of Virgin's business is the provision of services in the field of wireless telecommunications.

2) The legal basis and purpose of processing personal data at Virgin in the registration process for prepaid services is the performance of a contract for a telecommunications service, concluded by performing a factual action, i.e. sending an SMS or MMS, downloading data or initiating a telephone connection, based on the Act of July 16, 2004 Telecommunications Law (Journal of Laws of 2022, item 1648, as amended).

3) The obligation to obtain personal data for the prepaid service (registration of prepaid cards) was introduced in Art. 60b sec. 2 in conjunction with sec. 1 of the Telecommunications Law, which entered into force on July 25, 2016. For subscribers of prepaid services who concluded a contract before the entry into force of the Act of June 10, 2016 on anti-terrorist activities (Journal of Laws of 2021, item 2234, as amended), i.e. before July 2, 2016, the obligation to provide the service provider with their personal data was introduced by Art. 60 of this Act.

4) The scope of data processed in connection with the registration of the prepaid service, in the case of a subscriber who is not a natural person, includes the name of the entity, NIP number and telephone number, while if the registration is made by a proxy, the proxy's personal data are also obtained in the form of name and surname and PESEL number or the series and number of the identity document. When a prepaid card is registered by a natural person, the name and surname, PESEL number, ID card number (or number of another identity document) and telephone number are obtained. In addition, for contact purposes, personal data are obtained in the form of e-mail addresses and telephone numbers.

5) Collection of the above-mentioned data takes place at the card registration stage at points of sale (hereinafter referred to as "POS") operated by external entities with whom Virgin has signed cooperation agreements, which also specify the rules for entrusting the processing of personal data. For entities that do not have their own software solutions for the prepaid card registration service, Virgin developed an application [...] for registering these cards.

6) The data registration process via POS is carried out through application A, available from the public network using a web browser. Personal data are entered into this application by the POS on the basis of the presented identity document.

7) Application A allows a printout of the registration confirmation to be generated. The solutions adopted for entities using their own IT systems to register prepaid cards, e.g. cash register systems or terminals, do not allow the card registration confirmation to be printed.

8) The central system used by Virgin is the IT system named B, which is connected to application A used to register prepaid cards.

9) System B was created by T. Sp. z o.o. s.k.a.; the same company also maintained system B from [...] April 2014 to [...] June 2017. Since [...] July 2017, it has been maintained by employees of A. S.A. on the basis of a framework contract.

10) Basic personal data are saved [...] to the database of system B based on [...], which receives registration data entered by the POS using application A as well as data from the systems of wholesale customers, i.e. those who do not have access to application A but use their own information systems.

11) The manufacturer of application A is W. J. M. P. S. s.c., which developed the application; it has been in operation since [...] September 2014. To date, W. J. M. P. S. s.c. has also operated, developed and supervised application A. A is an application for entering data into system B through a web interface [...]. Originally, the maintenance of [...], enabling the exchange of information between application A and the central system B, was carried out by company T. (from [...] April 2014 to [...] June 2017). From [...] July 2017 to the present, the maintenance of the web service enabling the exchange of information between the application and the central system B, and the maintenance of the system, has been provided by A. S.A.

12) During the inspection, it was found that from [...] to [...] December 2019 Virgin suffered a personal data breach as a result of unauthorized access to the data of subscribers of pre-paid services obtained by exploiting a vulnerability of the IT system, i.e. of the service generating confirmations of prepaid card registration. The identified vulnerability of the service generating registration confirmations consisted in the lack of verification [...]. Correct verification would have consisted in generating a registration confirmation only when [...]. System B did not verify [...].

13) Technical and organizational measures used at Virgin from [...] May 2018 (the date of application of Regulation 2016/679), i.e. before the infringement, were reviewed and updated as needed in the event of organizational or legal changes.

14) No comprehensive regular testing, measurement and assessment of the effectiveness of technical and organizational measures ensuring the security of processing were carried out at Virgin. Where a vulnerability was suspected, work was carried out to protect against that particular vulnerability. This is confirmed, among others, by the explanations submitted by the inspected entity in the letter of [...] March 2020 and by the printouts of screenshots from the C system sent for evidence purposes, indicating the performance of vulnerability tests [...] and verification of the entered data.

15) Virgin did not carry out tests aimed at verifying the security of application A and [...] system B against the vulnerability of the IT system related to the personal data breach. Such actions were taken only after the incident of [...] December 2019.

16) In the documentation kept by Virgin describing the data processing process and the organizational and technical measures used, obtained in the course of inspection activities, i.e. "Personal Data Processing Policy of Virgin Mobile", "[...] Procedure [...]", "[...] Plan [...]", the issues of regular testing, measuring and assessing the effectiveness of technical and organizational measures ensuring the security of processing are not regulated.

17) Virgin took corrective actions and removed the vulnerability of the IT system by modernizing it based on correlation [...]. Virgin introduced the restriction [...]. When there is a need to re-generate the application, it is possible [...].



Based on the information and evidence collected in the inspection proceedings, it was established that in the process of processing data of subscribers of pre-paid services, Virgin, as the administrator, violated the provisions on the protection of personal data. These shortcomings consisted in the violation of the principle of data confidentiality expressed in art. 5 sec. 1 lit. f) Regulation 2016/679 and the obligations that constitute the specification of this principle, set out in art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b) and ... d) and Art. 32 sec. 2 of Regulation 2016/679, by failing to implement appropriate technical and organizational measures to ensure a level of security corresponding to the risk of data processing using IT systems used to register personal data of subscribers of prepaid services.

In connection with the above, in the letter of [...] June 2020 (letter reference [...]), the President of the UODO notified Virgin about the initiation of administrative proceedings ex officio regarding the violation of the provisions on the protection of personal data due to the failure to implement appropriate technical and organizational measures ensuring a level of security corresponding to the risk. In the course of these proceedings, the President of the UODO accepted the facts established in the course of the inspection, reference number […] (points 1-17 above). The President of the Office also obtained additional explanations from Virgin (submitted by the attorney in letters of [...] July 2020 and [...] August 2020), in which it was indicated, inter alia, that:

1) From the beginning of its operations, Virgin offered pre-paid services in a model that did not require the provision of personal data. The requirement to provide data was introduced by the Act of June 10, 2016 on anti-terrorist activities (Journal of Laws of 2021, item 2234, as amended). Upon the entry into force of art. 43 of that Act, specifying the scope of collected data, the legislator set a 30-day deadline. As indicated by the representative, a month is definitely too short a time to implement and test any IT system of such a scale. The deadline imposed by the legislator increased the risk of errors and shortcomings.

2) At this stage of the proceedings, it has not been established who the attacker was. The way the vulnerability was exploited indicates that the attacker had previously accessed the system and knew how to construct the appropriate query. Virgin currently does not know whether, and what, rights the attacker might have had, or what period those rights might have covered. In Virgin's opinion, it is for the President of the Office to demonstrate whether data have been made available to an unauthorized person.

3)      The investigation into unauthorized access conducted by the District Prosecutor's Office in Warsaw was discontinued by the decision of [...] July 2020 due to the failure to detect the perpetrator. Therefore, Virgin does not know whether the vulnerability was used to disclose personal data to an unauthorized person. This circumstance requires clarification by the authority in the course of the proceedings.

4) Virgin, referring to the allegation of a violation of Art. 25 sec. 1 of Regulation 2016/679, points out that the provisions of Regulation 2016/679 have applied since May 25, 2018. At the time of introducing the changes to its operations required by the Anti-terrorist Activities Act, Virgin was not obliged to comply with the principle of data protection by design. At further stages of processing, however, this principle is essentially identical to the obligation to secure personal data under art. 32 of Regulation 2016/679, because the principle of data minimization contained in art. 25 sec. 1 of Regulation 2016/679 does not apply in this case, given that the scope of personal data is defined by law.

5)       The Virgin company, deciding to implement and use the B system, carried out numerous tests, measurements and assessments as to whether it is appropriate to properly fulfill its functions, including securing the subscribers' personal data entered into it. The risk to the rights and freedoms of data subjects was constantly assessed by Virgin. Each time in the event of organizational or legal changes in Virgin, technical and organizational measures were reviewed and updated.

6) In Virgin's opinion, the use of the vulnerability indicates that the personal data of the persons affected by the breach were not collected by bypassing the system from outside. The use of knowledge of a system to break into it is a risk that is more difficult to avoid than an external attack on its security.

7)      According to Virgin's assessment, the use of the system vulnerability for the attack in question resulting in access to data was not dependent on the lack of appropriate testing, measurement or evaluation of the system, because the indicated activities were regularly and correctly carried out by the Company. The confirmation is the printouts from the C system regarding the vulnerability [...] and verification of the entered data, which prove that although Virgin did not conduct tests specifically related to the vulnerability used during the attack of [...]-[...] December 2019, other tests [...], aimed at detecting vulnerabilities and improving data quality, were conducted.

8)      Virgin does not agree with the allegation that regular testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure the security of processing were not carried out. Virgin conducted a wide range of activities aimed at verifying the correct functioning of the IT system, application A and [...] system B used for registering prepaid cards. Virgin carried out comprehensive technical and organizational security reviews several times, such as the audit in November 2019, contract review, certification audit, security and risk reviews and assessments with the participation of the management board, carried out in December 2019. These activities were continued in 2020, among others in connection with the implementation of ISO.

9)      Prior to the breach, Virgin adopted data protection measures in the form of: procedures specifying the risk analysis methodology, information security level classification procedure, information security policy, IT system management procedure with attachments: […] Procedure […], […] Procedure […], […] Policy […], […] Procedure […], […] Procedure […], […] Procedure […], as well as elements of the Business Continuity Plan: […] Plan […] , […] Plan […], […] Plan […].

10)   In the letter of [...] August 2020, Virgin explained that the scope of data indicated in the letter of [...] July 2020, which the breach concerned, was definitely narrower than that indicated in the personal data breach notification of […] December 2019, point 5. The breach of the full scope of personal data occurred only in 4,522 cases, i.e. it concerned first and last names, PESEL number and subscriber's document number. In the remaining scope, the violation concerned: first names, surnames and PESEL number (108,702 cases) or subscriber's document number (10,167 cases).

11) Virgin submitted to the case file copies of the certificates obtained on [...] July 2020: ISO/IEC 27001:2013, confirming the implementation and maintenance by Virgin of an information security management system for services provided by the telecommunications operator, and ISO/IEC 27701:2019, certifying the implementation and maintenance by Virgin of a personal data management system as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013 for privacy management in the scope of services provided by the telecommunications operator.

12)  In the explanations of October 2020 (supplemented by the letter of October 2020), Virgin indicated that the requirements to maintain certificates of compliance of the management system with the implemented standards mean in particular: verifying the performance (before receiving the certificate) of a number of comprehensive reviews of the security and functioning of the management system (personal data and information security), commitment (in the contract with the certification authority) at least once a year (in the coming years) to a similar comprehensive management review and to perform at least one internal audit with the area of each standard, as well as covering the operation of the information security and data protection management system at Virgin with an annual audit by an independent certificate issuing institution.

13) In accordance with the requirements for maintaining certificates of compliance with the implemented standards, Virgin performs and documents, on an ongoing basis, the measurement of the effectiveness of technical and organizational measures ensuring the security of processing by: measuring the number of personal data processing processes (activities) with a full description in relation to all personal data processing processes (activities) (evidence: [...]); measuring the number of IT systems processing personal data with a full description in relation to all systems (evidence: [...]); measuring the number of identified security incidents (including personal data protection breaches) and the number of complaints from persons about the lack of appropriate safeguards; formally defining the goals set for Virgin in the area of personal data protection and information security (evidence: [...] in force from [...] December 2019); preparing and implementing the procedure for measuring these goals; vulnerability tests of IT systems performed internally; and penetration tests carried out in July 2020 by an external company, I. Sp. z o.o.



On these facts, the President of the Office for Personal Data Protection issued a decision of December 3, 2020, imposing on Virgin an administrative fine of PLN 1,968,524.00 (one million nine hundred and sixty-eight thousand five hundred and twenty-four zlotys) for infringement of Art. 5 sec. 1 lit. f), Art. 5 sec. 2, Art. 25 sec. 1, Art. 32 sec. 1 lit. b) and d) and Art. 32 sec. 2 of Regulation 2016/679.



On [...] January 2021, the Office for Personal Data Protection received Virgin's complaint against the above-mentioned decision. Virgin, acting through an attorney, challenged the decision of the President of the UODO of December 3, 2020 in its entirety and, pursuant to Art. 145 § 1 item 1 lit. a) and c) of the L.P.S.A. [2], applied for the contested decision to be set aside.

Virgin alleged that the contested decision violated substantive law and procedural provisions in a manner that could have had a significant impact on the outcome of the case, namely:

1)      violation of substantive law that affected the outcome of the case, i.e. Art. 83 sec. 2 lit. a) in connection with Art. 99 sec. 2 of Regulation 2016/679, consisting in their incorrect application and the assumption that the alleged violation by Virgin of Art. 5 sec. 1 lit. f), Art. 5 sec. 2, Art. 25 sec. 1, Art. 32 sec. 1 lit. b) and d) and Art. 32 sec. 2 of Regulation 2016/679 began and continued before May 25, 2018 and ended on July 22, 2020, whereas Virgin was obliged to apply Regulation 2016/679 only from [...] May 2018 and the infringement ended in February 2020 at the latest, which led to the imposition of an administrative fine on Virgin in breach of Art. 83 sec. 2 lit. a) of Regulation 2016/679;

2)      violation of substantive law that affected the outcome of the case, i.e. Art. 83 sec. 1 in connection with Art. 83 sec. 2 lit. a) of Regulation 2016/679, consisting in its incorrect application and the assumption that the persons affected by the alleged infringement suffered the damage referred to in art. 83 sec. 1 lit. a) of Regulation 2016/679, whereas the data subjects' fear of suffering damage cannot be treated as damage suffered, which led to the imposition on Virgin of an administrative fine in an amount that violates the principle of proportionality;

3)      violation of substantive law that affected the outcome of the case, i.e. Art. 83 sec. 1 in connection with Art. 83 sec. 2 lit. b) of Regulation 2016/679, consisting in its incorrect application and the assumption that Virgin's unintentional violation of Regulation 2016/679 is a circumstance that increases the administrative fine, whereas an unintentional violation should reduce the amount of the fine, which resulted in the imposition on the applicant of a penalty disproportionate to the alleged infringement;

4)      violation of substantive law that affected the outcome of the case, i.e. Art. 83 sec. 1 in connection with Art. 83 sec. 2 lit. e), g) and k) of Regulation 2016/679, consisting in their incorrect application and the assumption that the absence of any previous infringement by the complainant, the categories of personal data concerned by the infringement, and the fact that Virgin did not, directly or indirectly, obtain financial benefits or avoid losses in connection with the infringement had no impact on the amount of the fine imposed on Virgin, whereas they constitute mitigating circumstances applicable in each individual case of infringement, including Virgin's, which resulted in the imposition on Virgin of a penalty inadequate (disproportionate) to the alleged infringement;

5)      violation of substantive law that affected the outcome of the case, i.e. Art. 83 sec. 1 in connection with Art. 83 sec. 2 lit. a) of Regulation 2016/679, consisting in their incorrect application and the assumption that the circumstance that Virgin processes personal data professionally has a significant bearing on the seriousness of the violation of Regulation 2016/679 alleged against it, and consequently constitutes an aggravating factor, whereas this circumstance should not be taken into account when an administrative authority imposes a fine and determines its amount;

6)      violation of substantive law that affected the outcome of the case, i.e. Art. 32 sec. 1 lit. d) in connection with Art. 32 sec. 2 of Regulation 2016/679, consisting in their incorrect application and the assumption that the failure to implement an organizational security measure consisting in regular testing, measuring and assessing the effectiveness of the technical and organizational measures implemented by Virgin to ensure the security of processing led to the failure to detect the vulnerability that caused the data breach and constituted a breach of obligations under Regulation 2016/679, for which the authority imposed a financial penalty;

7)      violation of substantive law that affected the outcome of the case, i.e. Art. 83 sec. 1 in connection with Art. 5 sec. 1 lit. f), Art. 25 sec. 1, Art. 32 sec. 1 lit. b) and d) and Art. 32 sec. 2 of Regulation 2016/679, consisting in a violation of the principle of proportionality of the penalty as a result of the improper joint application of Art. 5 sec. 1 lit. f) together with Art. 25 sec. 1, Art. 32 sec. 1 lit. b) and d) and Art. 32 sec. 2 of Regulation 2016/679, which concern the same act, resulting in the automatic adoption of a higher penalty;

8)      violation of substantive law that affected the outcome of the case, i.e. Art. 25 sec. 1 of Regulation 2016/679, consisting in its incorrect application by finding that a violation may occur even though no damage has been caused;

9)      violation of procedural provisions that had a significant impact on the outcome of the case, i.e. Art. 7 in connection with Art. 77 and 80 of the Code of Administrative Procedure [3], consisting in the failure to take ex officio all the steps necessary to clarify the facts thoroughly and in the authority's erroneous assumption that the alleged personal data breach affected 123,391 persons, whereas it in fact concerned 114,963 persons, which resulted in the unjustified imposition on Virgin of a sanction in an amount that does not correspond to the number of persons affected by the breach;

10)  violation of procedural provisions that had a significant impact on the outcome of the case, i.e. Art. 7 in connection with Art. 77 and Art. 80 of the Code of Administrative Procedure, consisting in the failure to take ex officio all the steps necessary to clarify the facts thoroughly and in the authority's erroneous assumption that the personal data of all persons affected by the alleged breach covered the following scope: first name, surname, PESEL number, series and number of the identity card, telephone number, NIP number and the name of the entity, whereas this scope differed between individual groups of data subjects and, as regards both the PESEL number and the identity card series and number, the breach concerned only 4,522 subscribers, which resulted in the wrongful imposition on Virgin of a sanction in an amount that does not correspond to the actual scope of the personal data of the persons concerned by the alleged infringement;

11)  violation of procedural provisions that had a significant impact on the outcome of the case, i.e. Art. 7 in connection with Art. 77 and 80 of the Code of Administrative Procedure, consisting in the failure to take all the steps necessary to clarify the facts thoroughly and in the authority's erroneous assumption that the violation of the obligation to regularly test, measure and assess data security measures lasted until [...] July 2020, i.e. until the ISO certificates were received, whereas the internal audit took place in February 2020 and the certification audit in April and May 2020, which means that the Company had implemented the necessary security measures by February 2020 at the latest;

12)  violation of procedural provisions that had a significant impact on the outcome of the case, i.e. Art. 7 in connection with Art. 77 and Art. 80 of the Code of Administrative Procedure, consisting in the failure to take ex officio all the steps necessary to clarify the facts thoroughly, the failure to collect and consider all the evidence exhaustively, and the authority's erroneous assumption that the privileges held by the attacker are irrelevant to finding that Virgin violated Regulation 2016/679, whereas the circumstances of the attack suffered by Virgin are part of the facts necessary to determine the scale of the infringement correctly, which resulted in the wrongful imposition of a sanction on the complainant;

13)  violation of procedural provisions that had a significant impact on the outcome of the case, i.e. Art. 107 § 1 and 3 of the Code of Administrative Procedure, by failing to indicate in the decision and its statement of reasons all the facts that the authority considered proven, the evidence on which it relied and the reasons for which it denied other evidence credibility and probative force, which significantly hinders the reconstruction of the authority's reasoning and, consequently, the review of the legality of the contested decision.



By judgment of October 21, 2021, the Voivodship Administrative Court in Warsaw (file reference: II SA/Wa 272/21) set aside the contested decision.



The Voivodship Administrative Court in Warsaw stated in the above-mentioned judgment that Virgin's complaint was justified, although not all of the allegations raised in it could be upheld.

In the Court's opinion, the contested decision of the President of the Office violated both procedural law, as regards the drafting of the statement of reasons and the consideration and assessment of the facts of the case (Art. 107 § 3 of the Code of Administrative Procedure in connection with Art. 77 § 1, Art. 80, Art. 8 § 1 and Art. 11 of the Code of Administrative Procedure), and the substantive law indicated in Art. 83 sec. 2 of Regulation 2016/679, as regards explaining to the Complainant why the administrative fine referred to in Art. 83 of Regulation 2016/679 was imposed on Virgin in the amount specified in the decision.

In the Court's opinion, the President of the Office did not explain in the statement of reasons of the contested decision why the circumstances indicated in Art. 83 sec. 2 lit. c), e) and h) of Regulation 2016/679 had no influence on the amount of the administrative fine specified in the decision.

Further, the Court indicated that, when determining the amount of the penalty, the authority did not sufficiently consider the actions taken by Virgin to minimize the damage suffered by the data subjects, in particular the bearing of this circumstance on the sanction; did not state in the reasons for the contested decision why it was not taken into account; did not relate this circumstance to the extent of the damage; and did not take into account that the unauthorized person or persons managed to download only about 13.62% of all records in the database, and that this was due to Virgin's actions.

In the Court's opinion, when imposing the administrative fine the authority did not properly determine the duration of the infringement in the context of the entry into application of Regulation 2016/679, and referred, without explanation, to the professional processing of personal data by Virgin when determining the seriousness of the infringement. According to the Court, when determining the seriousness of the infringement the authority should expand its reasoning on the number of persons actually harmed and the scope of the breach of their personal data. The Court also found incomprehensible the position of the President of the Office that the manner in which the supervisory authority learned of the breach had no impact on the sanction, and what impact the category of personal data had on the sanction given that the breach notified by Virgin concerned the full range of data, i.e. first names and surnames, PESEL number and subscriber document number, in 4,522 cases, and a limited range, i.e. first names and surnames and PESEL number in 108,702 cases and subscriber document number in 10,167 cases.

In the opinion of the adjudicating panel, the President of the Office unreasonably assumed that the circumstance indicated in Art. 83 sec. 2 lit. k) of Regulation 2016/679 had no bearing on the administrative sanction. The Court indicated that the President of the Office had to refer in the reasons for the contested decision to the circumstances arising from the case file and to state, when determining the amount of the penalty, whether or not Virgin obtained any financial benefits or avoided losses. The Court also pointed to a violation of Art. 83 sec. 2 lit. b) of Regulation 2016/679 in connection with the incomplete and unconvincing explanation, when imposing the penalty, of why the authority treated Virgin's unintentional violation of the GDPR, resulting from a failure to exercise due diligence, as a circumstance weighing against Virgin.

According to the Court, when imposing the penalty the President of the Office should also have taken into account that Virgin took steps to eliminate the irregularities that existed at the time of the incident, and considered to what extent the actions taken by Virgin affected the correct application of the provisions of Regulation 2016/679.

The Court found the allegation of a violation of Art. 7 of the Code of Administrative Procedure unfounded, indicating that the President of the UODO had fulfilled the conditions for a proper determination of the facts of the case. In the case under consideration, the authority demonstrated, on the basis of the evidence gathered, that in the period from [...] to [...] December 2019 Virgin processed its customers' personal data in a manner that did not ensure an adequate level of personal data security.

The Court found accurate, consistent, logical and factually grounded the assessment of the President of the UODO that the procedures adopted by Virgin could have been effective if, as part of the implemented procedures, they had also contained rules on regular testing, measuring and assessing the effectiveness of the adopted technical and organizational measures ensuring the security of processing, and if Virgin had complied with them.

In the Court's opinion, the President of the UODO was also right that the lack of the above-mentioned rules contributed to the occurrence of the personal data breach, and the Court considered it correct that the authority found that Virgin had not carried out tests aimed at verifying the security of application A and [...] system B with regard to the vulnerability of the IT system.

The Court raised no reservations about the position of the President of the UODO that, in order to detect the exploited system vulnerability which led to the personal data breach, it would have been sufficient to verify the basic principle of the system's operation, i.e. […]. According to the Court, putting the system into operation without properly functioning validation demonstrates gross negligence of the basic duties of a personal data controller, in the context of Art. 32 of Regulation 2016/679.

The Court also considered the allegations of infringement by the President of the UODO of Art. 5 sec. 1 lit. f) and sec. 2, Art. 24 sec. 1, Art. 25 sec. 1, Art. 32 sec. 1 lit. b) and d) and sec. 2 of Regulation 2016/679. According to the Court, the President of the UODO examined whether Virgin, as the controller of personal data, analyzed the risk related to data protection, whether it documented and justified that analysis properly in the circumstances, whether it examined the processing of personal data at its individual stages from the date of application of Regulation 2016/679, and whether the procedures applied by Virgin were adequate to the estimated risk.

In view of the above, the President of the Office re-examined the evidence collected in the course of these proceedings and, on that basis, found as follows.

Article 5 of Regulation 2016/679 sets out the principles for the processing of personal data that must be respected by all controllers, i.e. entities that alone or jointly with others determine the purposes and means of the processing of personal data. In accordance with Art. 5 sec. 1 lit. f) of Regulation 2016/679, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (the principle of integrity and confidentiality). Confidentiality is the property that data are not made available to unauthorized entities.

In accordance with Art. 24 sec. 1 of Regulation 2016/679, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation. Those measures are reviewed and updated where necessary.

Art. 24 sec. 1 thus defines the basic and primary obligation of the controller, which is to implement appropriate technical and organizational measures ensuring that processing complies with the requirements of Regulation 2016/679, in particular by giving effect to the principles set out in Art. 5 sec. 1 of Regulation 2016/679.

In turn, pursuant to Art. 25 sec. 1 of Regulation 2016/679, the controller, both when determining the means of processing and during the processing itself, implements appropriate technical and organizational measures designed to implement the data protection principles effectively (data protection by design).

Pursuant to Art. 32 sec. 1 lit. b) of Regulation 2016/679, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, where appropriate, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and, pursuant to Art. 32 sec. 1 lit. d) of the Regulation, the regular testing, measuring and assessing of the effectiveness of the technical and organizational measures ensuring the security of processing.

Pursuant to Art. 32 sec. 2 of Regulation 2016/679, in assessing the appropriate level of security the controller takes into account in particular the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.

Art. 32 of Regulation 2016/679 is therefore a concretisation of the principle of integrity and confidentiality set out in Art. 5 sec. 1 lit. f) of Regulation 2016/679. Art. 5 sec. 2 of Regulation 2016/679, in turn, imposes on the controller the obligation to demonstrate to the supervisory authority that it has ensured appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organizational measures.

The confidentiality principle, whose correct implementation ensures that data are not made available to unauthorized persons, was, as follows from the established facts, violated as a result of the exploitation of a vulnerability in the IT system, which resulted in the extraction of pre-paid subscribers' data from Virgin's database system and the materialization of the risk to the rights and freedoms of the natural persons whose data the Company processes.

In the notice of initiation of administrative proceedings, the President of the UODO indicated that Virgin failed to fulfil the obligation under Art. 32 sec. 1 lit. b) and d) of Regulation 2016/679 to select effective technical and organizational measures ensuring the security of the processed data, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and to adopt solutions ensuring the regular testing, measuring and assessing of the effectiveness of the adopted technical and organizational measures, which also breached the controller's obligations to ensure and demonstrate the compliance of processing with the requirements referred to in Art. 24 sec. 1 of Regulation 2016/679 and the obligation to implement the data protection principles effectively referred to in Art. 25 sec. 1 of Regulation 2016/679, and consequently violated the confidentiality principle set out in Art. 5 sec. 1 lit. f) and the accountability principle under Art. 5 sec. 2 of Regulation 2016/679.

It should be emphasized that the security measure adopted by Virgin to ensure the resilience of its IT systems, consisting in verification only according to [...] instead of also [...], which resulted in a breach of data confidentiality, cannot be considered a security measure within the meaning of the above-mentioned provisions of Regulation 2016/679. The breach of the personal data of pre-paid subscribers occurred as a result of the exploitation of a vulnerability in the IT system (the service generating registration confirmations) that allowed unauthorized access to data. The identified vulnerability of the service generating registration confirmations consisted precisely in the lack of verification of all the required parameters, i.e. […]. According to the system's design, correct verification was to consist in generating a registration confirmation only when [...]. However, system B verified neither […] nor whether a given request originated from […].

In response to the notice of initiation of administrative proceedings, Virgin indicated that prior to the breach it had adopted data protection measures in the form of procedures defining the risk analysis methodology, information security level classification procedures, an information security policy, IT system management procedures with the attachments […] Procedure […], […] Procedure […], […] Policy […], […] Procedure […], […] Procedure […], […] Procedure […], as well as elements of the Business Continuity Plan: […] Plan […], […] Plan […], […] Plan […].

In the opinion of the President of the UODO, the measures adopted by Virgin could have been effective if, as part of the implemented procedures, they had also contained rules on the regular testing, measuring and assessing of the effectiveness of the technical and organizational measures ensuring the security of processing, and if Virgin had complied with them. Meanwhile, the above-mentioned documentation maintained by Virgin, describing the data processing process and the organizational and technical measures used, which was obtained in the course of the inspection, did not regulate these issues.

As the Voivodship Administrative Court in Warsaw indicated in its judgment of August 26, 2020, file reference II SA/Wa 2826/19, in a view that this authority shares: "This provision [Art. 32 of Regulation 2016/679] does not require the data controller to implement just any technical and organizational measures that are to constitute personal data protection measures, but requires the implementation of adequate measures. Such adequacy should be assessed in terms of the manner and purpose for which personal data are processed, but the risk associated with the processing of such personal data, which may be of different levels, should also be taken into account. (…) The measures adopted are to be effective; in specific cases some measures will have to be measures addressing a low risk, others must mitigate a high risk, but it is important that all measures (and each one separately) are adequate and proportionate to the degree of risk."

In the opinion of the President of the Office, the absence in Virgin's procedures of rules ensuring the regular testing, measuring and assessing of the effectiveness of the technical and organizational measures used to ensure the security of data processing contributed to the occurrence of the personal data breach.

At the same time, the evidence collected in the course of the inspection shows that regular testing, measuring and assessing of the effectiveness of the technical and organizational measures ensuring the security of processing was not carried out at Virgin. Where a vulnerability was suspected, only work to protect against that particular vulnerability was carried out (printouts from the C system confirming the remedial actions taken in respect of confirmed suspected system vulnerabilities). This is also confirmed by the explanations submitted by the inspected entity in its letter of March 2020 and by the printouts of screenshots from the C system submitted as evidence, which show the performance of vulnerability tests [...] and verification of the entered data. However, no tests were carried out to verify the security of application A and [...] system B with regard to the IT system vulnerability connected with the personal data breach. Such actions were taken only after the breach of [...] December 2019. The technical and organizational measures used at Virgin from [...] May 2018 (the date of application of Regulation 2016/679) until the breach were reviewed and updated only in the event of organizational or legal changes (a copy of an e-mail informing of the need to review the monitoring in use, together with the survey).

As a side note, it should be mentioned that the original developer of system B was T. Sp. z o.o. s.k.a., which also maintained system B, as well as the [...] enabling the exchange of information between application A (developed by W. J. M. P. S. s.c. and in operation since [...] September 2014) and the central system B, in the period from [...] April 2014 to […] June 2017. These functions were then taken over by A. S.A., which performs them to this day. In the opinion of the President of the Office, the change of operator should have prompted a comprehensive assessment of the effectiveness of the implemented technical and organizational solutions ensuring the security of the data processed in Virgin's IT systems. site, such an assessment has been carried out.

In its explanations of [...] January 2020, Virgin indicated that the last comprehensive review of the technical and organizational measures had been carried out in May 2018. According to its further explanations of [...] July 2020, "When deciding to implement and use system B, [the Company] carried out numerous tests, measurements and assessments of whether it was suitable to properly fulfil its functions, including securing the subscribers' personal data entered into it". Further, Virgin indicates that "The risk to the rights and freedoms of data subjects was constantly assessed by the Company. Each time organizational or legal changes occurred in the Company, the technical and organizational measures were reviewed and updated. This proves that these activities were carried out according to the individual needs of the Company. During the use of the above-mentioned system, [the Company] made every effort to ensure that the system fulfilled its functions and properly protected the data entered into it. As indicated above, taking into account the state of technical knowledge that the Company had at the time this event occurred, the technical solutions adopted and used by it were at the highest possible level."

The President of the Office cannot agree with this position, because to detect the exploited vulnerability it would have been sufficient to verify the basic principle of operation of system B, i.e. to check whether validation takes place [...], and the failure to do so proves that the reviews referred to by Virgin were performed ineffectively or improperly. Checking the correctness of the validation of the two above-mentioned data items requires no specialist knowledge or large financial outlay, only access to the system. In addition, it should be emphasized that the vulnerability identified as a result of the personal data breach relates to the technical means used to identify users and thus their rights in the system. As Virgin indicated in its notification of the personal data breach of [...] December 2019, "the breach consisted in using [...] due to its purpose [...], due to a design error it allowed [...]. An identifying argument […] that should be validated as […]. Therefore, calling [...] was possible by specifying [...]. The attacker used […]". Checking the correct operation of the assumed validation [...] is so obvious and basic that the only correct conclusion is that putting a personal data processing system into use without the above-mentioned validation functioning properly demonstrates gross negligence of the basic duties of a personal data controller, in the context of Art. 32 of Regulation 2016/679.

According to Virgin, "the exploitation of a system vulnerability for this data access attack was not dependent on a lack of proper testing, measuring or evaluating of the system, as these activities were regularly and properly maintained by the Company. This is confirmed by the printouts from the C system regarding the vulnerability [...] and the verification of the entered data, which prove that although Virgin did not conduct tests specifically related to the vulnerability used during the attack of [...]-[...] December 2019, other tests [...], aimed at detecting vulnerabilities and improving the quality of data, were conducted".

In the opinion of the President of the Office, testing only in response to an emerging threat, without introducing a procedure that defines a schedule of activities ensuring the regular testing, measuring and assessing of the effectiveness of the implemented measures, is insufficient. As follows from the collected material, despite the solutions adopted Virgin was unable to detect the vulnerability owing to the lack of regular testing of the system B it had implemented, which, according to the explanations obtained from Virgin during the inspection, was designed to verify [...] and the correspondence of the registration application id with the [...] registrant of the application.
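As an added illustration, not part of the decision and not Virgin's code, the following Python models the validation gap described above: a service that generates registration confirmations, checks only that the record identifier parameter is well-formed, and never compares it with the registrant making the request, beside a version that validates every required parameter. The decision withholds the real parameters, so the record layout, the parameter names (reg_id, registrant) and the caller-identity mechanism are assumptions. The authorization_holds check at the end is the kind of effectiveness test that the regular testing required by Art. 32 sec. 1 lit. d) would run on a schedule: it passes for the hardened handler and fails for the vulnerable one.

```python
"""Added illustration (not Virgin's code, not quoted from the decision).

A service that generates registration confirmations is modelled twice: once
checking only the registration-id parameter, once checking every required
parameter, including that the record belongs to the registrant making the
request.  Record layout, parameter names and the caller-identity mechanism are
assumptions; the decision does not disclose the real ones.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Registration:
    reg_id: int
    registrant: str       # assumed: the point of sale that submitted the registration
    subscriber: str
    document_no: str      # identity document series and number (constructed values)


# Constructed sample data: two registrations from two different registrants.
REGISTRATIONS: dict[int, Registration] = {
    1001: Registration(1001, "pos-A", "subscriber-1", "DOC-000001"),
    1002: Registration(1002, "pos-B", "subscriber-2", "DOC-000002"),
}


class RequestError(Exception):
    """Malformed request, or a record the caller is not allowed to obtain."""


def _render(reg: Registration) -> dict:
    # Every successful call discloses the subscriber's identity data to the caller,
    # which is why the authorization check below matters.
    return {"reg_id": reg.reg_id, "subscriber": reg.subscriber, "document_no": reg.document_no}


def confirmation_vulnerable(reg_id: str, registrant: str) -> dict:
    """Validates the id parameter only; the registrant parameter is never checked."""
    if not reg_id.isdigit():
        raise RequestError("reg_id must be numeric")
    reg = REGISTRATIONS.get(int(reg_id))
    if reg is None:
        raise RequestError("unknown registration")
    return _render(reg)  # any caller obtains any existing record


def confirmation_hardened(reg_id: str, registrant: str) -> dict:
    """Validates every required parameter, including that the record belongs to the caller."""
    if not reg_id.isdigit():
        raise RequestError("reg_id must be numeric")
    if not registrant:
        raise RequestError("registrant identity is required")
    reg = REGISTRATIONS.get(int(reg_id))
    # Same error for "no such record" and "not this registrant's record", so the
    # service does not reveal which ids exist.
    if reg is None or reg.registrant != registrant:
        raise RequestError("registration not available to this registrant")
    return _render(reg)


Handler = Callable[[str, str], dict]


def records_visible_to(handler: Handler, registrant: str, ids: Iterable[int]) -> list[int]:
    """Which registration ids a registrant can obtain from the handler."""
    visible = []
    for i in ids:
        try:
            handler(str(i), registrant)
        except RequestError:
            continue
        visible.append(i)
    return visible


def authorization_holds(handler: Handler) -> bool:
    """Effectiveness test: no registrant can obtain another registrant's records.

    Run on a schedule against the live service, this is the kind of regular check
    that the decision finds missing; it fails for the vulnerable handler."""
    for reg in REGISTRATIONS.values():
        for i in records_visible_to(handler, reg.registrant, REGISTRATIONS):
            if REGISTRATIONS[i].registrant != reg.registrant:
                return False
    return True


if __name__ == "__main__":
    print("vulnerable handler passes:", authorization_holds(confirmation_vulnerable))  # False
    print("hardened handler passes:", authorization_holds(confirmation_hardened))      # True
```

The hardened handler returns one and the same error for a non-existent record and for a record belonging to another registrant, so the service cannot be used to tell valid identifiers from invalid ones; the effectiveness test checks the property the decision describes (a confirmation is issued only for the caller's own registrations) rather than any particular request shape, which is what lets it be re-run unchanged on a schedule.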

It needs to be emphasized that regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of processing is the basic obligation of each controller and processor resulting from art. 32 sec. 1 lit. d) of Regulation 2016/679. The administrator is therefore obliged to verify both the selection and the level of effectiveness of the technical measures used at each stage of processing. The comprehensiveness of this verification should be assessed through the prism of adequacy to the risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing. In the facts in question, however, Virgin only partially fulfilled this obligation, by verifying and modifying the level of effectiveness of the implemented security measures in situations where there was a suspicion of a vulnerability; only then was work undertaken to protect against the given vulnerability. As mentioned above, no tests were carried out to verify the security of application A and [...] system B related to the breach of personal data.

Nor can it be considered that the actions indicated by Virgin, consisting in subjecting technical and organizational measures to reviews and updates in the event of organizational or legal changes, constitute fulfillment of the administrator's obligation to ensure regular testing, measurement and evaluation of the effectiveness of technical and organizational measures. Such actions do not satisfy the requirement of regularity. Tests should be performed regardless of whether such changes in activity occur or not. The changes referred to by Virgin should, however, be a factor requiring a re-analysis of the risk and of their impact on the security of the processed data, the result of which should be taken into account when applying the security measure of regular testing.

Therefore, it should be emphasized that conducting reviews in the event of an organizational or legal change, as well as taking action only in the event of a suspicion of a vulnerability, cannot be considered regular testing, measuring and assessing of the effectiveness of the technical and organizational measures used to ensure the security of data processing. Such reviews are undertaken in connection with the occurrence of a specific event, e.g. an organizational change at the data controller. They therefore have more of the features of a risk analysis, which should be carried out in the event of such changes in the organization and course of personal data processing. Meanwhile, for the testing, measuring and evaluating in question to constitute the implementation of the requirement arising from Art. 32 sec. 1 lit. d) of Regulation 2016/679, it must be carried out on a regular basis, which means conscious planning and organization, as well as documentation (in connection with the accountability principle referred to in Article 5(2) of Regulation 2016/679), of this type of activity at specified time intervals, regardless of changes in the organization and course of data processing processes caused, for example, by an organizational change at the data controller. Virgin, however, did not take such actions, which determines the violation of this provision of Regulation 2016/679.

The President of the Office for Personal Data Protection shares the view expressed by the Provincial Administrative Court in Warsaw in the judgment of September 3, 2020, reference number II SA/Wa 2559/19, according to which: "Regulation 2016/679 introduced an approach in which risk management is the foundation of activities related to the protection of personal data and is a continuous process. Entities processing personal data are obliged not only to ensure compliance with the guidelines of the above-mentioned regulation through a one-time implementation of organizational and technical security measures, but also to ensure continuity of monitoring the level of threats and ensuring accountability in terms of the level and adequacy of the introduced security measures. This means that it becomes necessary to be able to prove to the supervisory authority that the solutions introduced to ensure the security of personal data are adequate to the level of risk, as well as take into account the nature of the organization and the mechanisms used for processing personal data. The administrator is to independently conduct a detailed analysis of the conducted data processing processes and perform a risk assessment, and then apply measures and procedures that will be adequate to the assessed risk.

The consequence of this orientation is the resignation from lists of requirements in the field of security imposed by the legislator, in favor of self-selection of security measures based on threat analysis. The administrators are not provided with specific security measures and procedures. The administrator is to independently conduct a detailed analysis of the conducted data processing processes and perform a risk assessment, and then apply measures and procedures that will be adequate to the assessed risk."

In the context of the judgment cited, it should be pointed out that the risk analysis carried out by the personal data controller should be documented and justified on the basis of, above all, the determination of the facts existing at the time of its implementation. In particular, the characteristics of the ongoing processes, assets, vulnerabilities, threats and existing security measures as part of the ongoing personal data processing processes should be taken into account.

The term asset is used to indicate everything that is of value to the organization, the company - the data controller. Certain assets will be of a higher value than others, and they should also be assessed and secured from this perspective. The interconnections of existing assets are also very important, e.g. the confidentiality of assets (personal data) will depend on the type and method of processing this data. Determining the value of assets is necessary to assess the effects of a possible incident (breach of personal data protection).

Determining the existing safeguards is necessary, inter alia, in order to be able to assess them in terms of their suitability for the existing risk. It is also essential to check that these safeguards actually work, because an untested safeguard, firstly, may have no value at all and, secondly, may give a false sense of security and result in the omission (non-detection) of a critical vulnerability which, if exploited, will cause very negative effects, including, in particular, a breach of personal data protection.

A vulnerability is commonly understood as a weakness or a security gap that, when exploited by a given threat, may interfere with the functioning of the system and may also lead to incidents or breaches of personal data protection. Identifying threats consists in determining what threats may appear, and from what direction (for what reason).

One method of conducting a risk analysis is, for example, to define the risk level as the product of the probability and the consequences of a given incident. Typically, a risk matrix is used, which visualizes the risk levels and presents the levels for which the organization defines appropriate actions.

The risk analysis presented in the course of the inspection, carried out in May 2018, does not fully reflect the actual state of the process [...] being the subject of the inspection, in connection with the occurrence of the personal data breach reported by Virgin on [...] December 2019. As follows from the material collected in the course of the inspection, the review of technical and organizational measures was carried out by the Company only before the application of Regulation 2016/679. However, it cannot be considered a genuine and substantive review, as it did not lead to the disclosure of vulnerabilities in the functioning of the system.

It should be emphasized that the study of the probability of a given event should not be based solely on the frequency of occurrence of events in a given organization, because the fact that a given event did not occur in the past does not mean that it cannot occur in the future.

The threat indicated in the presented risk analysis in the form of "unauthorized access by third parties or unauthorized disclosure of data to third parties" should not have been rated by Virgin at the "Not applicable" level, because this event may occur in any organization for many different reasons, while the answer "Not applicable" would be reasonable only if Virgin did not process personal data in this process. However, as shown by the evidence gathered in the course of the inspection and administrative proceedings, this threat materialized through the use of a vulnerability, unidentified by the administrator, existing in the processing of personal data [...] in connection with the breach of personal data of subscribers of prepaid services.

The adoption of the "Medium/rare" value and the "2" rating for the "lack of vulnerability testing of IT systems" threat also proves a superficial approach by Virgin to the risk of violation of the rights or freedoms of natural persons. The adopted rating should reflect the real situation in a given organization and be based primarily on facts found during the examination of this situation, carried out in the form of an audit or verification, or otherwise on the facts found. However, as follows from the evidence collected during the inspection, in 2019 Virgin did not carry out a review of the technical and organizational measures used, which in itself disqualifies the assessment made at this level, and, as indicated above, the incidental actions taken do not bear the hallmarks of regularity.

The above findings allow for an unequivocal statement that the risk analysis carried out was only to demonstrate that there is no high risk of violating the rights or freedoms of natural persons, and thus that it is not necessary to implement additional technical and organizational measures. However, this approach resulted in a lack of proper assessment of threats to the processing of personal data of subscribers of pre-paid services [...] and, as a consequence, improper protection thereof, which resulted in a personal data breach.

It should also be noted that the presented risk analysis was carried out in May 2018, so for over a year and a half (from May 2018 to December 2019) the Company did not take any action to verify its assumptions and ratings. Meanwhile, just like other organizational measures, the risk analysis should also be subject to periodic reviews and updates, and according to the collected material, the next risk analysis for the process [...] was carried out only on [...] December 2019, i.e. after the personal data breach occurred. It should be emphasized that each check, audit or review must be based on complete and reliable information. The functioning of any organization, especially in the field of personal data protection, cannot be based on unreliable or unrealistic grounds, and disregarding the value of basic information may result, as indicated above, in a false sense of security and in the data controller's failure to take the actions it is obliged to take, which in turn may result, as in the present case, in a breach of personal data protection which, due to the scope of the personal data subject to the breach, poses a high risk of violating the rights or freedoms of natural persons.
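As an added illustration of the risk-matrix method discussed above (this is not part of the decision or of any party's documentation), the following Python sketch scores risk as likelihood times impact and flags the three defects the President of the Office raises against the ratings themselves: a "Not applicable" rating for a process that does handle personal data, a rating not backed by any audit or review, and a rating whose supporting review is stale. The scales, threat names and dates are constructed for the example.

```python
"""Risk-matrix sketch: risk = likelihood x impact, plus admissibility checks on
the ratings themselves. Constructed example; scales and data are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical 1..4 scales. The decision's own scale ("Medium/rare", "2") is
# not reproduced here.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
NOT_APPLICABLE = "not applicable"


@dataclass
class Threat:
    name: str
    likelihood: str                 # key of LIKELIHOOD, or NOT_APPLICABLE
    impact: str                     # key of IMPACT, or NOT_APPLICABLE
    evidence_date: Optional[date]   # date of the audit/test/review the rating rests on


@dataclass
class Process:
    name: str
    processes_personal_data: bool
    threats: list


def risk_score(threat: Threat) -> Optional[int]:
    """Product of likelihood and impact; None when the threat is rated N/A."""
    if NOT_APPLICABLE in (threat.likelihood, threat.impact):
        return None
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def risk_level(score: Optional[int]) -> str:
    """Map a score onto the matrix bands for which the organization defines actions."""
    if score is None:
        return NOT_APPLICABLE
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rating_findings(process: Process, threat: Threat, today: date,
                    max_evidence_age: timedelta = timedelta(days=365)) -> list:
    """Findings on whether a rating is admissible at all, independent of its value."""
    findings = []
    # "Not applicable" is only defensible when the process handles no personal data.
    if process.processes_personal_data and NOT_APPLICABLE in (threat.likelihood, threat.impact):
        findings.append("rated 'not applicable' although personal data is processed")
    # A rating must rest on facts found in an audit, verification or review ...
    if threat.evidence_date is None:
        findings.append("rating not supported by any audit, verification or review")
    # ... and that review must be recent: a stale analysis cannot reflect the real situation.
    elif today - threat.evidence_date > max_evidence_age:
        findings.append(f"supporting review is {(today - threat.evidence_date).days} days old")
    return findings


def assess(process: Process, today: date) -> dict:
    """Risk level per threat, together with any findings that disqualify the rating."""
    result = {}
    for t in process.threats:
        findings = rating_findings(process, t, today)
        result[t.name] = {
            "level": risk_level(risk_score(t)),
            "findings": findings,
            "rating_admissible": not findings,
        }
    return result


# Constructed sample register for a prepaid-registration process (hypothetical data).
SAMPLE_PROCESS = Process(
    name="prepaid subscriber registration (constructed)",
    processes_personal_data=True,
    threats=[
        Threat("unauthorized access by third parties", NOT_APPLICABLE, NOT_APPLICABLE, None),
        Threat("lack of vulnerability testing of IT systems", "rare", "moderate", None),
        Threat("loss of backup media", "unlikely", "major", date(2019, 6, 1)),
    ],
)

if __name__ == "__main__":
    for name, r in assess(SAMPLE_PROCESS, date(2019, 12, 1)).items():
        print(f"{name}: {r['level']}; admissible={r['rating_admissible']}; {r['findings']}")
```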

As indicated by the Provincial Administrative Court in Warsaw in the judgment reference number II SA/Wa 2826/19 of August 26, 2020, "(...) activities of a technical and organizational nature are the responsibility of the personal data administrator, but they cannot be selected completely freely and voluntarily, without taking into account the degree of risk and the nature of the protected personal data", which the authority accepts as its own opinion.

Therefore, the lack of a reliable risk analysis, combined with the lack of regular testing, measurement and evaluation of the effectiveness of the implemented technical and organizational measures to ensure the security of processing, led, as should be emphasized again, to a breach of personal data, and also determines the breach by Virgin of the obligations incumbent on the data administrator resulting from art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b) and ... d) and Art. 32 sec. 2 of Regulation 2016/679.

Referring to the submitted copies of the certificates obtained on [...] July 2020 (ISO/IEC 27001:2013, confirming the implementation and maintenance by Virgin of the information security management system for services provided by the telecommunications operator, and ISO/IEC 27701:2019, confirming the implementation and maintenance by Virgin of the personal data management system as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013 to privacy management in the scope of services provided by the telecommunications operator) and the explanations submitted in this regard, it should be considered that in the course of the proceedings Virgin remedied the failure consisting in the lack, in the documentation kept by Virgin describing the data processing process and the organizational and technical measures used, of procedures ensuring regular testing, measurement and evaluation of the effectiveness of the measures adopted.

As indicated by Virgin in the submitted explanations, the requirements to maintain certificates of compliance of the management system with the implemented standards mean, among other things, covering the operation of the information security and data protection management system with an annual internal audit conducted by Virgin, as well as an external audit by an independent certificate-issuing institution. The above means that Virgin has implemented solutions that ensure regular testing, measurement and evaluation of the effectiveness of the measures adopted to ensure the security of data processing. However, these solutions were not implemented until [...] July 2020, i.e. after a significant period of time had elapsed since the personal data breach of subscribers of prepaid services occurred.

Referring to the explanations of Virgin and the circumstances indicated therein, namely that at the time of introducing the changes to its operations required by the Act on anti-terrorist activities it was not obliged to comply with the principle of data protection in the design phase referred to in art. 25 sec. 1 of Regulation 2016/679, the President of the Office points out that, as emphasized in recital 171 of Regulation 2016/679 (the recitals contain the justification for the provisions of the normative part of the act, which is the regulation), processing that is already underway on the date of application of this regulation should, within two years from the entry into force of this Regulation, be adapted to its provisions. In accordance with the wording of art. 99 sec. 1 of Regulation 2016/679, the regulation enters into force on the twentieth day after its publication in the Official Journal of the European Union and applies from May 25, 2018 (Article 99(2)). Therefore, on May 24, 2016, Regulation 2016/679 entered into force, with the obligation to apply it directly from May 25, 2018. The European legislator gave data controllers a two-year period to design existing data processing systems to meet the requirements of Regulation 2016/679.

Bearing in mind that systems B and A have been in operation since 2014, Virgin, within two years from the entry into force of Regulation 2016/679, was obliged to design the systems to use technical measures that meet the requirements of Art. 25 sec. 1 of Regulation 2016/679.

The European Data Protection Board (EDPB) in Guidelines No. 4/2019 regarding Article 25 "Data protection by design and data protection by default", version 2.0, adopted on October 20, 2020, indicates that "the obligation to maintain, review and update, if necessary, the processing operation also applies to pre-existing systems. This means that existing systems designed before the entry into force of the GDPR should be reviewed and maintained to ensure the implementation of measures and safeguards that effectively implement the principles and rights of data subjects, as set out in these guidelines."

It should also be emphasized that Art. 25 sec. 1 of Regulation 2016/679, despite naming the administrator's obligation indicated therein "data protection in the design phase", applies not only to the design stage, but also to the data processing stage itself. Implementing security is a continuous process, not just a one-time action of the administrator. The measures mentioned therein, such as "data minimization" or "pseudonymisation", are only examples of measures that should be applied in order to meet the requirement to implement data protection principles and to provide processing with the necessary safeguards to meet the requirements of the regulation and protect the rights of data subjects. The EDPB in the mentioned guidelines explains that "technical and organizational measures as well as necessary safeguards can be understood in a broad sense as any method or measure that the controller may use in the processing process. The appropriate wording means that the measures and necessary safeguards should be adapted to achieve the intended goal, i.e. they must effectively implement the principles of data protection. The suitability requirement is therefore closely related to the effectiveness requirement. A technical or organizational measure and safeguard can be any action, ranging from the use of advanced technical solutions to basic training of employees.
Examples that may be appropriate, depending on the context and risk related to the given processing, include pseudonymisation of personal data; storing personal data available in a structured, commonly machine-readable format; enabling data subjects to interfere with processing; providing information on the storage of personal data; having malware detection systems; employee training in basic occupational hygiene in cyberspace; implementing privacy and information security management systems that contractually oblige processing entities to implement specific practices in the field of data minimization, etc."

In the explanations, Virgin stated that at this stage of the proceedings it was not shown who the attacker was. The way the vulnerability was exploited indicated that the attacker had previously accessed the system and knew how to construct the appropriate query. Currently, Virgin does not know whether and what rights the attacker might have had and what period this right might have concerned. In the opinion of Virgin, it is up to the President of the Office to demonstrate whether data has been made available to an unauthorized person.

Referring to the above statement of Virgin that it is up to the President of the Office to prove whether data has been made available to an unauthorized person, it should be emphasized that the President of the Office has no powers to conduct proceedings aimed at detecting the perpetrator of a prohibited act or assessing whether one has been committed; these powers are vested in law enforcement authorities, which are authorized to conduct such proceedings, to assess whether a prohibited act has been committed and to classify it. The competence of the President of the Office, however, includes assessing whether the data controller processes data in accordance with the requirements resulting from the provisions on the protection of personal data, and the data controller's liability for processing data in a manner that violates these provisions.

Therefore, it should be pointed out again that it is the duty of each administrator to process data in accordance with the principles set out in art. 5 of Regulation 2016/679, in this case in accordance with Art. 5 sec. 1 lit. f). Pursuant to Art. 5 sec. 2 of Regulation 2016/679, the administrator is responsible for compliance with the provisions of sec. 1 and must be able to demonstrate compliance with them (accountability). This obliges the administrator to exercise due diligence both when granting authorizations to process data and when withdrawing the authorizations of a former employee or contractor. The circumstances of the decision to terminate the legal relationship with an employee or contractor may increase the risk of unauthorized access to the entity's resources. Therefore, constant monitoring of IT systems is the administrator's duty, in order to ensure compliance with the requirements imposed by the provisions of art. 32 sec. 1 lit. b) and d) of Regulation 2016/679. It was Virgin's responsibility to demonstrate to the supervisory authority that it had implemented appropriate data security measures and secured the data against access by unauthorized persons, e.g. those whose authorization had expired, as well as to demonstrate that it had taken all possible measures to ensure that the confidentiality of the data was not breached and that it is not responsible for this breach.

Virgin's claim that it does not know whether and what rights the attacker could have had and for what period this right could apply confirms that the technical and organizational measures implemented by it to ensure data security were insufficient. The lack of knowledge about this information is also proof that Virgin did not control the data processing process, which constitutes a violation of the accountability principle. The above is confirmed by the ruling of the Provincial Administrative Court in Warsaw of February 10, 2021, ref. II SA/Wa 2378/20: "The accountability principle is therefore based on the controller's legal responsibility for the proper fulfillment of duties and imposes on him the obligation to demonstrate, both to the supervisory authority and to the data subject, evidence of compliance with all data processing principles." The issue of the principle of accountability is similarly interpreted by the Provincial Administrative Court in Warsaw in the judgment of August 26, 2020, file ref. II SA/Wa 2826/19: "Taking into account all the standards of Regulation 2016/679, it should be emphasized that the administrator has considerable freedom in terms of the security measures used, but at the same time is responsible for violating the provisions on the protection of personal data. The principle of accountability directly implies that it is the data controller who should demonstrate, and thus prove, that he complies with the provisions set out in Art. 5 sec. 1 of Regulation 2016/679."

The above confirms the findings of the President of the Office that Virgin did not properly implement the requirements of Regulation 2016/679 to the extent specified in Art. 24 sec. 1, art. 25 sec. 1, art. 32 sec. 1 lit. b) and ... d) and Art. 32 sec. 2 of Regulation 2016/679, which led to a breach of the personal data of subscribers of pre-paid services. The consequence of violating the cited provisions of Regulation 2016/679 is also a violation of the confidentiality principle expressed in art. 5 sec. 1 lit. f) of Regulation 2016/679 and of the accountability principle referred to in Art. 5 sec. 2 of Regulation 2016/679.

To sum up, despite the removal by Virgin of the deficiencies in ensuring the security of the processed data, including the vulnerability of the IT systems used to process the personal data of subscribers of pre-paid services, which was the cause of the breach of the confidentiality of personal data, there were premises justifying the use of the President of the Office's powers to impose an administrative fine for breaching the principle of data confidentiality (Article 5(1)(f) of Regulation 2016/679) and, consequently, the principle of accountability (Article 5(2) of Regulation 2016/679), in connection with breaching the administrator's obligations when implementing technical and organizational measures during data processing in order to effectively implement the principles of data protection (Article 25(1) of Regulation 2016/679); the obligation to ensure confidentiality, integrity, availability and resilience of data processing systems and services (Article 32(1)(b) of Regulation 2016/679); the obligation to regularly test, measure and evaluate the effectiveness of the adopted technical and organizational measures to ensure the security of processing (Article 32(1)(d) of Regulation 2016/679); and the obligation to take into account the risk associated with processing resulting from unauthorized access to the processed personal data (Article 32(2) of Regulation 2016/679).

The President of the Office's exercise of the powers vested in him results primarily from the fact that the controller has violated the basic principles of data processing, i.e. the principle of confidentiality, as well as the principle of accountability, which is an absolute obligation to demonstrate compliance with the provisions of Regulation 2016/679 to the President of the Office.

Based on Art. 58 sec. 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of the other corrective measures provided for in art. 58 sec. 2 lit. a) - h) and j) of this Regulation, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the particular case.

When deciding to impose an administrative fine on P4, Virgin's legal successor, and determining its amount, the President of the UODO - pursuant to art. 83 sec. 2 lit. a) - k) of Regulation 2016/679 - took into account and considered as aggravating the following circumstances of the cases affecting the amount of the penalty imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the given processing, the number of data subjects affected and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679) - the violation of the provisions of Regulation 2016/679 found in this case, which resulted in unauthorized access to the data processed by Virgin by an unauthorized person or persons and, as a consequence, a violation of the confidentiality of the data of over 100,000 subscribers of Virgin's prepaid services, is of considerable importance and serious nature, as it poses a high risk of material or non-material damage to the persons whose data has been breached. The mere breach of confidentiality of data already constitutes non-pecuniary damage (harm) for these persons. Subscribers whose name and surname, PESEL number or identity document number were obtained in an unauthorized manner may at least feel fear of losing control over their personal data, of identity theft or identity fraud, or finally of financial loss. Violation by Virgin of the obligations to apply measures protecting the processed data against disclosure to unauthorized persons entails not only the potential but also the real possibility of these data being used by third parties without the knowledge and against the will of the persons whose data have been breached, e.g. the PESEL number in order to establish legal relations or incur obligations on behalf of persons whose data was obtained unlawfully, or the telephone number for unwanted marketing activities. In addition, for the subscribers affected by the breach of confidentiality of their data there is still a high risk of unlawful use of their personal data, because this data was obtained by an unauthorized person or persons illegally, as a result of criminal activities.

The gravity and nature of the infringement are also significantly affected by the fact that Virgin, and currently its legal successor, P4, processes data on a massive scale. Mass processing must be associated with a higher level of responsibility of the controller and a higher level of due diligence required from it, as inadequate data protection may result in negative consequences for many people. Due diligence should be assessed taking into account the subject and nature of the business activity (see the judgment of the Supreme Court of September 25, 2002, file reference number I CKN 971/00: "due diligence of the debtor in his business activity, which is determined taking into account the professional nature of this activity, does not mean exceptional diligence, but diligence adapted to the person acting, the subject to which the action relates, and the circumstances in which the action takes place"). P4, the legal successor of Virgin, processes personal data on a large scale (in connection with the provision of wireless telecommunications services) exclusively using the IT environment as the basic form of its activity, which entails an increased scope of responsibility for implementing organizational and technical measures to secure the processed data. It should be noted that the violation of the administrator's obligations (lack of appropriate technical and organizational measures) did not concern only the persons affected by the leak of their personal data, nor even only all the personal data held at that time in its database. This breach posed a risk to all Virgin customers throughout the duration of the breach, both before and after the data leak. Therefore, the duration of the infringement was not without significance when determining the amount of the fine. The lack of appropriate technical and organizational measures ensuring a level of security corresponding to the risk lasted from the date of application of Regulation 2016/679, i.e. from [...] May 2018, and was finally removed - during the proceedings ended with the issuance of this decision - when Virgin obtained, on July 22, 2020, the ISO/IEC 27001:2013, ISO/IEC 27701:2019, ISO/IEC 27001:2013 and ISO/IEC 27002:2013 certificates, confirming the implementation of procedures ensuring regular testing, measurement and evaluation of the effectiveness of the adopted measures in the documentation kept by Virgin describing the data processing process and the organizational and technical measures used.

2. Intentional or unintentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679) - unauthorized access to the personal data of subscribers of Virgin's prepaid services became possible as a result of Virgin's failure to exercise due diligence and undoubtedly constitutes a violation of an unintentional nature. Nevertheless, P4, the legal successor of Virgin, as the administrator, is responsible for the irregularities found in the data processing process. What deserves a negative assessment is the fact that Virgin, although it assumed that the system would verify compliance [...], did not test the correct operation of the system in accordance with the assumed requirements. At the same time, Virgin's claims that it does not know whether and what rights the attacker could have had, and for what period this right could apply, prove that the technical and organizational measures implemented by Virgin to ensure data security were insufficient, and that Virgin had no control over data processing. It should be emphasized that Virgin is not held responsible for the unlawful actions of third parties, i.e. the person or persons of unknown identity responsible for the attack, and in this respect is not liable. The company is charged with gross negligence in the implementation of the system and of procedures ensuring regular testing, which contributed to the occurrence of a personal data breach and, consequently, a breach of data confidentiality. This position of the authority (recognition of the unintentional nature of the infringement, resulting from failure to exercise due diligence, as an aggravating circumstance) was also supported by the Provincial Administrative Court in Warsaw in its judgment of February 15, 2022, file ref. II SA/Wa 3309/21, indicating: "As regards the fine imposed, in the opinion of this Court, the actions of the President of the UODO were legitimate. [...] In addition, the authority justified in great detail both the necessity of the penalty and its amount, pointing to: [...] - the unintentional nature of the infringement (unauthorized access to personal data of persons against whom actions were taken by the probation officer became possible as a result of failure to exercise due diligence by the President of the Court."

3. Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679) - the personal data accessed by an unknown and unauthorized third party do not belong to the special categories of personal data referred to in Article 9 of Regulation 2016/679; however, their scope (the telephone number and, in the case of 4,522 persons, name and surname, PESEL number and the number and series of the identity document; in the case of 108,702 persons, name and surname and PESEL number; in the case of 10,167 persons, name and surname and the number and series of the identity document) is associated with a high risk of violating the rights or freedoms of natural persons. At this point it should be emphasized that, in particular, the unauthorized disclosure of a category of data such as the PESEL number (in combination with name and surname), the leak of which concerns over 100,000 subscribers as indicated above, may have a real and negative impact on the protection of the rights or freedoms of natural persons. The PESEL number, i.e. an eleven-digit numerical symbol that uniquely identifies a natural person, containing the date of birth, a serial number, a gender designation and a control number, is therefore closely related to the private sphere of a natural person and is also subject to exceptional protection as a national identification number under Art. 87 of Regulation 2016/679; it is data of a special nature and requires correspondingly special protection. The fact that the breach concerned approximately 13.62% of all data (records) in the Virgin database at that time does not reduce the risk of identity theft, identity fraud or financial loss for the over 100,000 persons affected by the breach of confidentiality of their PESEL number. There is no other such specific data that would unambiguously identify a natural person. 
It is not without reason that the PESEL number serves as the identification data of every person and is commonly used in contacts with various institutions and in legal transactions. The PESEL number together with the name and surname unambiguously identifies a natural person in a way that allows the negative effects of the breach (e.g. identity theft, loan fraud) to be attributed to that particular person.
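The PESEL structure described above (date of birth, serial number, gender digit and control digit), as an added example that is not part of the decision or of the controller's systems: a validator that decodes a PESEL and groups constructed breach records by the identifier combinations the decision distinguishes. The check-digit weights and century encoding are the public PESEL rules; the record field names and sample values are assumptions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Weights applied to the first ten digits to derive the 11th (check) digit.
WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
# The month field also encodes the century: 1800s +80, 1900s +0, 2000s +20,
# 2100s +40, 2200s +60.
CENTURY_BY_OFFSET = {80: 1800, 0: 1900, 20: 2000, 40: 2100, 60: 2200}


@dataclass(frozen=True)
class Pesel:
    value: str
    birth_date: date
    sex: str  # "M" or "F", from the parity of the 10th digit

def pesel_checksum_ok(s: str) -> bool:
    """True if s is exactly 11 digits and its check digit matches."""
    if len(s) != 11 or not s.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(s[:10], WEIGHTS))
    return (10 - total % 10) % 10 == int(s[10])

def parse_pesel(s: str) -> Pesel | None:
    """Decode date of birth and sex; None if the checksum or date is invalid."""
    if not pesel_checksum_ok(s):
        return None
    yy, mm, dd = int(s[0:2]), int(s[2:4]), int(s[4:6])
    offset = (mm // 20) * 20  # 0, 20, 40, 60 or 80
    century = CENTURY_BY_OFFSET.get(offset)
    month = mm - offset
    if century is None or not 1 <= month <= 12:
        return None
    try:
        born = date(century + yy, month, dd)
    except ValueError:  # e.g. day 31 in a 30-day month
        return None
    return Pesel(s, born, "M" if int(s[9]) % 2 else "F")

def classify_records(records: list[dict]) -> Counter:
    """Count records by the identifier combinations the decision distinguishes.
    A PESEL field only counts when it validates; an unverifiable string is of
    little use to an impersonator and is treated as absent."""
    counts: Counter = Counter()
    for r in records:
        has_name = bool(r.get("name"))
        has_pesel = parse_pesel(r.get("pesel", "")) is not None
        has_id = bool(r.get("id_doc"))
        if has_name and has_pesel and has_id:
            counts["name+pesel+id_doc"] += 1
        elif has_name and has_pesel:
            counts["name+pesel"] += 1
        elif has_name and has_id:
            counts["name+id_doc"] += 1
        else:
            counts["other"] += 1
    return counts

# Constructed sample records (hypothetical field names); the PESEL values are
# synthetic and checksum-valid except where noted.
SAMPLE = [
    {"name": "A. Kowalska", "pesel": "03310245620", "id_doc": "ABC 123456"},
    {"name": "B. Nowak", "pesel": "85031412354", "phone": "+48 500 000 002"},
    {"name": "C. Wisniewski", "pesel": "85031412355", "id_doc": "DEF 654321"},  # bad check digit
    {"phone": "+48 500 000 004"},
]
```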

The scale of the phenomenon is also relevant to the likelihood of high risk in this case. The latest infoDOK report (prepared as part of the Social Information Campaign of the RESERVED DOCUMENTS System, organized by the Polish Bank Association and some banks, under the auspices of the Ministry of the Interior and in cooperation with, among others, the Police and the Consumer Federation, available at: https://zbp.pl/aktualnosci/Wydarzenia/Raport-InfoDOK-Q42021) shows that in the first quarter of this year there were 1,915 attempts to fraudulently obtain loans and credits. This means an average of 21 fraud attempts per day. Every day, attempts were made to obtain a total of PLN 575,000 using someone else's identity. In turn, in the fourth quarter of 2021, attempts were made to fraudulently obtain 2,075 loans for a total amount of PLN 91.3 million. This is PLN 24 million more than in 2020, and the entire year 2021 was, in terms of both numbers and amounts, significantly more dangerous than the previous one: a 17% increase in the number of fraud attempts and a 32% increase in total amounts.

Attention should also be paid to the material of Biuro Informacji Kredytowej S.A. published at: https://www.bik.pl/poradnik-bik/wylurzenie-kredytu-tak-dzialaja-oszusci - "Only the name, surname and PESEL number were enough for scammers to extort several loans totaling tens of thousands of zlotys. Nothing else was correct: neither the ID card number nor the address of residence."

As indicated by the Provincial Administrative Court in Warsaw in the judgment of July 1, 2022, file ref. II SA/Wa 4143.21: "In the event of a breach of such data as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects."



When determining the amount of the administrative fine, the President of the Office for Personal Data Protection took into account the following premises as mitigating circumstances affecting the reduction of the amount of the fine:

1. Actions taken by the Company to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679) - Virgin sent the persons affected by the breach of confidentiality of their personal data notifications of the breach containing all the information required under Art. 34 sec. 2 of Regulation 2016/679. Immediately after detecting the data security breach, and before the administrative proceedings were initiated, Virgin took specific and swift actions which resulted in the removal of the breach. In particular, Virgin removed from the IT system the vulnerability, used by an unauthorized person or persons, that allowed the protection of subscribers' personal data processed in the system to be violated. Despite the high risk of material or non-material damage to the persons whose data were unlawfully obtained by an unauthorized person, the prompt action taken by Virgin to secure the data before they were downloaded contributed to reducing the number of persons affected by the breach of the security of their data, which should be considered a mitigating circumstance, because narrowing down the number of people affected by the breach demonstrates actions taken to minimize the damage suffered by the data subjects. As a consequence, the actions taken by Virgin contributed to narrowing the scale of the breach and limited the data leak, as stated by Virgin, to 13.62% of all records in its database.

2. The degree of cooperation with the supervisory authority to remedy the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679) - Virgin correctly fulfilled its procedural obligations both during the inspection proceedings and in the administrative proceedings that ended with the issuance of this decision; moreover, it fully implemented the recommendations of the President of the Office made in connection with the reported breach, regarding supplementing the notification of data subjects about the breach.

3. Any relevant previous infringements by the administrator (Article 83(2)(e) of Regulation 2016/679) - no previous infringements of the provisions of Regulation 2016/679 by Virgin were found prior to these proceedings.

The following other circumstances indicated in Art. 83 sec. 2 of Regulation 2016/679 had no impact on the fact that the President of the Office applied a sanction in the form of an administrative fine in this case, or on its amount:

1. The degree of responsibility of the administrator, taking into account the technical and organizational measures implemented by it pursuant to art. 25 and 32 (Article 83(2)(d) of Regulation 2016/679) - the Guidelines of the Article 29 Data Protection Working Party adopted on October 3, 2017 on the application and setting of administrative fines for the purposes of Regulation 2016/679 indicate that, when considering this premise, "the supervisory authority must answer the question to what extent the controller 'did everything that could be expected', given the nature, purposes or scope of processing and in the light of the obligations imposed on it by the regulation".

The President of the UODO found in this case that Virgin violated the provisions of art. 25 sec. 1, art. 32 sec. 1 lit. b) and ... d) and art. 32 sec. 2 of Regulation 2016/679. In his opinion, this company (currently its legal successor, P4) bears a high degree of responsibility for the failure to implement appropriate technical and organizational measures that would have prevented a breach of the protection of its clients' personal data. It is obvious that, in the context of the nature, purpose and scope of the personal data processing under consideration, Virgin did not "do everything that could be expected of it" and thus failed to comply with the obligations under Art. 25 and 32 of Regulation 2016/679. In the present case, however, this circumstance determines the essence of the infringement itself; it is not merely a factor influencing, whether mitigating or aggravating, its assessment. For this reason, the lack of appropriate technical and organizational measures referred to in Art. 25 and 32 of Regulation 2016/679 cannot be considered by the President of the UODO in this case as a circumstance that could additionally lead to a stricter assessment of the infringement and a higher administrative fine imposed on P4.

2. The way the supervisory authority found out about the breach (Article 83(2)(h) of Regulation 2016/679) - the personal data breach was reported to the President of the UODO by Virgin. By making this notification, Virgin fulfilled its legal obligation referred to in Art. 33 of Regulation 2016/679. The fulfilment of the legal obligations incumbent on the administrator is neutral and does not in itself constitute a mitigating circumstance. The Article 29 Working Party, in the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (WP 253 17/PL), emphasizes that "According to the regulation, the controller is obliged to notify the supervisory authority of a breach of personal data protection. The mere fulfillment of this obligation by the controller cannot be interpreted as a mitigating factor."

3. Compliance with the measures previously applied in the same case referred to in Art. 58 sec. 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679) - in this case, the measures referred to in Art. 58 sec. 2 of Regulation 2016/679 had not been applied previously.

4. Application of approved codes of conduct under Art. 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679) - Virgin does not use approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679.

5. Financial benefits or losses avoided directly or indirectly in connection with the infringement (Article 83(2)(k) of Regulation 2016/679) - it has not been found that Virgin obtained any financial benefits or avoided any financial losses.

Taking into account all the circumstances discussed above, the President of the UODO decided that the imposition of an administrative fine on P4, Virgin's legal successor, is necessary and justified by the weight, nature and scope of the infringements alleged against Virgin. It should be stated that the application in this case of any other remedy provided for in Art. 58 sec. 2 of Regulation 2016/679, and in particular limiting the response to a reprimand (Article 58(2)(b)), would not be proportionate to the identified irregularities in the processing of personal data and would not guarantee that P4, the legal successor of Virgin, will not commit similar negligence in the future.

Referring to the amount of the administrative fine imposed on P4, Virgin's legal successor, the President of the UODO found that in the circumstances of this case, i.e. in view of the finding of a violation of several provisions of Regulation 2016/679 (the principle of data confidentiality, expressed in Article 5 sec. 1 letter f) and reflected in the obligations specified in art. 25 sec. 1, art. 32 sec. 1 lit. b) and letter d) and Art. 32 sec. 2, which consequently means a violation of the accountability principle referred to in Art. 5 sec. 2 of Regulation 2016/679), two provisions apply: art. 83 sec. 4 lit. a) of Regulation 2016/679, which provides, inter alia, for violations of the administrator's obligations referred to in art. 25 and 32 of Regulation 2016/679, for the possibility of imposing an administrative fine of up to EUR 10,000,000 (in the case of an undertaking, up to 2% of its total annual worldwide turnover from the previous financial year), as well as art. 83 sec. 5 lit. a) of Regulation 2016/679, according to which violations of, i.a., the basic principles of processing referred to, among others, in Article 5 of this Regulation are subject to an administrative fine of up to EUR 20,000,000 (in the case of an undertaking, up to 4% of its total annual worldwide turnover from the previous financial year, whichever is higher).

Therefore, pursuant to art. 83 sec. 3 of Regulation 2016/679, the President of the UODO determined the total amount of the administrative fine in an amount not exceeding the fine for the most serious infringement. In the facts presented, the most serious infringement is the violation of the confidentiality principle specified in art. 5 sec. 1 lit. f) of Regulation 2016/679 and, consequently, of the accountability principle specified in art. 5 sec. 2 of Regulation 2016/679. This is supported by the serious nature and gravity of the infringement, the long duration of the infringement of the provisions of Regulation 2016/679 and the category of data to which the breach of confidentiality relates.

Pursuant to the content of art. 103 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the table of exchange rates as at January 28 of each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the exchange rate table of the National Bank of Poland, which is the closest after that date.

Considering the above, the President of the UODO, pursuant to art. 83 sec. 4 lit. a) and Art. 83 sec. 5 lit. a) in connection with art. 83 sec. 3 of Regulation 2016/679 and in connection with Art. 103 of the Act on the Protection of Personal Data, for the violations described in the operative part of this decision, imposed on P4, the legal successor of Virgin - using the average euro exchange rate as at January 28, 2022 (EUR 1 = PLN 4.5697) - an administrative fine in the amount of PLN 1,599,395.00 (equivalent to EUR 350,000.00).

In the opinion of the President of the UODO, the applied administrative fine fulfills the functions referred to in art. 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.

In the opinion of the President of the Office, the administrative fine imposed on P4, the legal successor of Virgin, is proportional to both the seriousness of the infringement (resulting in the violation of one of the basic principles on which the personal data protection system in Regulation 2016/679 is based - data confidentiality), as well as to the size of the administrator, which size - measured by its turnover - should be considered inseparable from the considerations of the effectiveness of the penalty and its deterrent nature.

In the course of the proceedings, Virgin presented the financial statements of Virgin Mobile Polska Sp. z o.o. for 2021, according to which net sales revenue amounted to PLN 95,578,126.00 (in words: ninety-five million five hundred and seventy-eight thousand one hundred and twenty-six zlotys), which is equivalent to EUR 20,915,623.80 at the average exchange rate of the euro on January 28, 2022.

Considering the financial results presented, it should be stated that the administrative fine imposed will not be excessively severe for P4. It should be pointed out that the amount of the penalty imposed by the President of the UODO - PLN 1,599,395.00 - constitutes only 1.67% of the turnover achieved by Virgin Mobile Polska Sp. z o.o. in 2021. At the same time, the penalty will be effective (it will achieve the goal of punishing the administrator for the most serious breach with serious consequences) and deterrent for the future (because it will lead to a state in which P4, the legal successor of Virgin, will apply technical and organizational measures that ensure a level of security for the processed data corresponding to the risk of violating the rights and freedoms of data subjects and to the severity of the threats accompanying the processing of such personal data). The effectiveness of the penalty is therefore equivalent to a guarantee that P4, the legal successor of Virgin, will, from the moment these proceedings are completed, approach the requirements of the provisions on the protection of personal data with the utmost care.

A lower penalty with the high turnover achieved by Virgin could be imperceptible in practice and could leave room for calculating whether the costs of administrative fines for this organization would not be lower than the expenditure on personal data protection.

The President of the UODO also indicates that the administrative fine imposed on P4, the legal successor of Virgin, meets in particular the criterion of proportionality of the fine as defined in the jurisprudence of the CJEU (developed on the basis of competition law and in relation to decisions of the European Commission, but in the opinion of the President of the UODO applicable more generally): "[...] the principle of proportionality requires that acts issued by the institutions of the Union do not exceed the limits of what is appropriate and necessary to achieve the legitimate objectives pursued by the provisions, where there is a choice between several appropriate solutions, the least onerous should be applied and the resulting disadvantages must not be disproportionate to the objectives pursued […] (see judgment of 12 December 2012, Electrabel v Commission, T‑332/09, EU:T:2012:672, paragraph 279 and the case-law cited there)" (see judgment of 26 October 2017 in case T-704/14 Marine Harvest ASA v. EC, sec. 580).

Therefore, the amount of the fine has been set at such a level that, on the one hand, it constitutes an adequate reaction of the supervisory authority to the degree of infringement of the administrator's obligations, but on the other hand, it does not cause a situation where the need to pay an administrative fine will have negative consequences in the form of a significant deterioration of the situation of P4 as the legal successor of Virgin.

In the opinion of the President of the UODO, in these specific circumstances, the administrative fine will fulfill a repressive function, as it will be a response to Virgin's violation of the provisions of Regulation 2016/679, but also a preventive one, as it will contribute to preventing future violations of the data controller's obligations under the provisions on the protection of personal data, both when processing data by the administrator himself and in relation to entities acting on his behalf.

In the opinion of the President of the Office, the applied administrative fine meets the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679 due to the importance of the violations found in the context of the basic requirements and principles of Regulation 2016/679 - in particular the principle of confidentiality expressed in art. 5 sec. 1 lit. f) Regulation 2016/679.

Considering the above, the President of the Office for Personal Data Protection decided as in the conclusion of this decision.

[1] Act of September 15, 2000, Code of Commercial Companies (Journal of Laws of 2022, item 1467).

[2] Act of 30 August 2002, Law on Proceedings before Administrative Courts (consolidated text: Journal of Laws of 2022, item 329), hereinafter referred to as "p.p.s.a.".

[3] Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2022, item 2000), hereinafter referred to as "Kpa".

2022-12-07