UODO (Poland) - ZSPR.421.2.2019: Difference between revisions

From GDPRhub
mNo edit summary
 
(12 intermediate revisions by 5 users not shown)
Line 66: Line 66:


|Appeal_To_Body=WSA Warsaw (Poland)
|Appeal_To_Body=WSA Warsaw (Poland)
|Appeal_To_Case_Number_Name=[[II SA/Wa 2559/19]]
|Appeal_To_Case_Number_Name=- II SA/Wa 2559/19
|Appeal_To_Status=Appealed - Confirmed
|Appeal_To_Status=Appealed - Confirmed
|Appeal_To_Link=
|Appeal_To_Link=
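Review bot: the new side of the Appeal_To_Case_Number_Name field replaces the wikilink `[[II SA/Wa 2559/19]]` with the plain text `- II SA/Wa 2559/19`, so the infobox no longer links to the appeal decision that the Comment section cites as [[WSA Warsaw (Poland) - II SA/Wa 2559/19]], and the stray leading dash shows up verbatim in the rendered infobox. Keep the brackets (or check that the template builds the link itself) and drop the dash.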
Line 74: Line 74:
}}
}}


UODO found that the company Morele.net violated the principle of data confidentiality and failed to ensure the security and confidentiality of personal data processed. Therefore, the DPA imposed on the company a fine of PLN 2,830,410 (EUR 660,000).
The Polish DPA (UODO) find the company Morele.net €660000 for violating the principle of data confidentiality and failing to ensure the security and confidentiality of personal data processed.  


==English Summary==
==English Summary==
Line 90: Line 90:


==Comment==
==Comment==
In the opinion of the DPA, it was an ineffective means of authentication that contributed to the event of obtaining unauthorised access to the employee's panel. Due to the access of many people to the panel which contains the data of current purchase transactions of individual customers, and taking into account the risks associated with obtaining unauthorised access to data, the use of an authentication measure exclusively in the form of a login and password was insufficient. In the opinion of the DPA, the Company has not sufficiently assessed the ability to ensure continued confidentiality and the risks associated with gaining unauthorised access have not been taken into account. As indicated by UODO, access control and authentication are basic security measures to protect against unauthorized access to the IT system used to process personal data. Providing access to authorised users and preventing unauthorised access to systems and services is one of the exemplary elements of security, which is indicated, among others, by the PN-EN ISO/IEC 27001:2017-06 standard. As follows from Article 32(1) of Regulation 2016/679, one of the factors to be taken into account when selecting appropriate technical and organisational measures is the state of technical knowledge, which should be assessed taking into account market conditions, in particular the availability and market acceptability of a given technical solution. Specific guidance in this respect is provided by existing standards and norms, in particular ISO standards, which are also subject to constant review and development in line with technological progress. The authority has recalled the ENISA recommendations that a two-step authentication mechanism should be used for access control and authentication of systems involving access to personal data. In this respect, the DPA has also referred to the recommendations of other organisations. 
In the opinion of the President of UODO, the measures adopted by the Company could be effective if they were properly adapted and a procedure for responding to adverse events such as abnormal network traffic was implemented. ENISA, in its guidelines on the security of personal data processing, also indicates that the monitoring of events in IT systems is an important element enabling the identification of potential internal or external threats. This task should be performed in the form of appropriate implemented procedures and a notification system for adverse events. In the opinion of the President of UODO, the Company applied technical and organisational measures which contributed to a limited extent to meeting the requirements of <nowiki>[[Article 32 GDPR]]</nowiki>, as the foreseeable risks were not adequately minimised and limited during processing.
In the opinion of the DPA, it was an ineffective means of authentication that contributed to the event of obtaining unauthorised access to the employee's panel. Due to the access of many people to the panel which contains the data of current purchase transactions of individual customers, and taking into account the risks associated with obtaining unauthorised access to data, the use of an authentication measure exclusively in the form of a login and password was insufficient.
 
In the course of the proceedings, the Company applied for expert evidence to determine whether the Company's measures were adequate according to the applicable standards. However, the authority did not take this request into account, which could have had a significant impact on the outcome of the case. The Company appealed to the Provincial Administrative Court, which, however, dismissed the complaint and agreed with the findings of the UODO (see: [[WSA Warsaw (Poland) - II SA/Wa 2559/19]]).


==Further Resources==
==Further Resources==
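Review bot: the new one-line summary reads "find the company Morele.net €660000" where "fined the company Morele.net €660,000" is meant, and the typo carries through to the rendered page. This hunk also drops the Comment paragraphs that carry the substantive security reasoning (the ENISA recommendation of two-step authentication, the ISO/IEC 27001 access-control reference, the point about monitoring abnormal network traffic and having an incident procedure, the rejected request for expert evidence and the WSA appeal outcome), keeping only the first two sentences; the `<nowiki>` wrapper around [[Article 32 GDPR]] needed removing so the link renders, but the text itself was worth keeping.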
Line 101: Line 99:


<pre>
<pre>
Based on Article
DECISION
 
 
 
CP 421.2.2019
 
 
 
Pursuant to Article 104(1) of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2018, item 2096 as amended) and Article 7(1) and (2), Article 60, Article 101,
 
Article 103 of the Personal Data Protection Act of 10 May 2018. (Journal of Laws of 2018, item 1000 as amended) in relation to Article 5(1)(a) and (f), Article 5(2), Article 6(1), Article 7(1), Article 24(1), Article 25(1), Article 32(1)(b), (c), (d), (d), (e) and (f), Article 5(2), Article 6(1), Article 7(1), Article 24(1), Article 25(1), Article 32(1)(b), Article 32(1)(c) and Article 32(1)(b), Article 32(1)(c) and Article 32(1)(d). d, 32(2), 58(2)(i) and 83(3), 83(4)(a), 83(5)(a) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1 and OJ L 127, 23.05.2018, p. 2), following administrative proceedings concerning the processing of personal data by Morele.net Sp. z o.o. with its registered office in Krakow at ul. Fabryczna 20A, President of the Office for Personal Data Protection
 
 
 
 
 
 
(2) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 2016/


        $('.icon-print').on('click', function () {
            $('#root-div').hide();
            $('body').addClass('print');
            $('#article-content').prependTo('body');
            $('.article-metric-button').hide();
            $('.icon-print').hide();
            $('.icon-back').show();
            window.scrollTo({ top: 0, behavior: 'smooth' });
            window.print();
        });


        $('.icon-back').click(function () {
            $('body').removeClass('print');
            $('#article-content').prependTo('#article-container');
            $('#root-div').show();
            $('.article-metric-button').show();
            $('.icon-back').hide();
            $('.icon-print').show();
        });
    });
</script></div></div></div></div><div class="container pl-0 pr-0"><div class="footer-new pt-4 pb-4"><div class="row"><div class="col-12 col-md-6 col-lg-3"><ul><li> <a href="https://uodo.gov.pl/p/prezes-i-urzad">President and the Office</a></li><li> <a href="https://uodo.gov.pl/p/aktualnosci">News</a></li><li> <a href="https://uodo.gov.pl/p/prawo">Right</a></li><li> <a href="https://uodo.gov.pl/p/edukacja">Education</a></li><li> <a href="https://uodo.gov.pl/p/wspolpraca">Cooperation</a></li><li> <a href="https://uodo.gov.pl/p/zamowienia-publiczne">Public procurement</a></li><li> <a href="http://archiwum.giodo.gov.pl">Archive giodo.gov.pl</a></li></ul></div><div class="col-12 col-md-6 col-lg-3"><ul><li> UODO hotline</li><li> 606-950-000</li><li> open on business days from 10: 00-14: 00</li><li></br> <a href="https://techinfo.uodo.gov.pl/">Techinfo</a></li></ul></div><div class="col-12 col-md-6 col-lg-3 pb-3"> <a href="https://uodo.gov.pl/pl"><img class="img-responsive center-block" src="/bundles/app/img/logo-white_pl.png"
                        alt="Office logo" /></a></div><div class="col-12 col-md-6 col-lg-3"><ul><li> Office for Personal Data Protection</li><li> ul. Stawki 2, 00-193 Warsaw</li><li> kancelaria@uodo.gov.pl</li><li> Working hours: 8.00-16.00 </li></ul></div></div><div class="footer-new copyright d-none d-lg-block"><div class="row"><div class="col-12 col-md-6 col-lg-6"> © UODO 2018 - 2020 All rights reserved.</div><div class="col-12 col-md-6 col-lg-6 text-right"> <a href="https://uodo.gov.pl/pl/1/255">Privacy Policy</a> | <a href="https://uodo.gov.pl/pl">Home</a> | <a href="https://uodo.gov.pl/p/kontakt">Contact</a> | <a href="https://twitter.com/UODOgov_pl">Twitter</a> </div></div></div><div class="footer-new copyright d-none d-md-block d-lg-none"><div class="row"><div class="col-12 col-md-6 col-lg-6"> © UODO 2018 - 2020 All rights reserved.</div><div class="col-12 col-md-6 col-lg-6 text-right"> <a href="https://uodo.gov.pl/pl/1/255">Privacy Policy</a> | <a href="https://uodo.gov.pl/pl">Home</a> | <a href="https://uodo.gov.pl/p/kontakt">Contact</a> | <a href="https://twitter.com/UODOgov_pl">Twitter</a> </div></div></div><div class="footer-new copyright d-md-none"><div class="row"><div class="col-12 col-md-6 col-lg-6 text-center"> © UODO 2018 - 2020 All rights reserved.</div><div class="col-12 col-md-6 col-lg-6 text-center"> <a href="https://uodo.gov.pl/pl/1/255">Privacy Policy</a> | <a href="https://uodo.gov.pl/pl">Home</a> | <a href="https://uodo.gov.pl/p/kontakt">Contact</a> | <a href="https://twitter.com/UODOgov_pl">Twitter</a></div></div></div></div></div></div><script>
    $(".department").on('click', function() {
        $(".department").removeClass('active-department');
        $(this).toggleClass('active-department');
    });
</script></body></html>
</pre>
</pre>
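Review bot: the old side of this hunk ends the citation at "(OJ L 2016/" and then continues with the uodo.gov.pl page chrome (the `.icon-print` / `.icon-back` jQuery handlers and the footer navigation HTML), which is scraping residue rather than decision text; the new side's "DECISION" heading and complete citation are the right replacement. Worth checking that nothing of the operative part between "Based on Article" and point "(2)" was lost when the residue was cut.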

Latest revision as of 10:01, 17 November 2023

UODO - ZSPR.421.2.2019
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 7(1) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 58(2)(i) GDPR
Article 83(3) GDPR
Article 83(4)(a) GDPR
Article 83(5)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 10.09.2019
Published:
Fine: 2830410 PLN
Parties: n/a
National Case Number/Name: ZSPR.421.2.2019
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed, WSA Warsaw (Poland) - II SA/Wa 2559/19
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish DPA (UODO) fined the company Morele.net €660,000 for violating the principle of data confidentiality and failing to ensure the security and confidentiality of the personal data it processed.

English Summary

Facts

In November 2018, the Company reported to the President of the UODO two personal data breaches: unauthorised access to the customer database of its online shops, and an unauthorised person obtaining access to the account of a Company employee and, through it, the personal data of customers shopping in those shops. In December 2018 the Company reported a further breach, again consisting of unauthorised access to a Company employee's account. UODO staff then carried out an inspection at the Company.

The DPA found that the Company violated the principle of confidentiality as a result of two attempts by unauthorised persons to gain access to the Company's employee panel, and of their access to the database of all the Company's clients. That access to the employee panel and to all client data in the Company's database materialised the risk to the rights and freedoms of the natural persons whose data the Company processes, in the form of phishing: SMS messages impersonating the Company, and exploiting the fact that the customer had just placed an order, were used to extract data such as bank account credentials.

Dispute

Did the technical and organisational measures applied by the Company meet the security standards expected of e-commerce businesses of a scale and nature similar to the Company's activity in 2018? Were those measures appropriate having regard to the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risk to the rights or freedoms of natural persons, of varying likelihood and severity?

Holding

The DPA found that the company violated the rules of personal data processing and imposed a fine of PLN 2,830,410 on it.

Comment

In the opinion of the DPA, it was an ineffective means of authentication that contributed to the event of obtaining unauthorised access to the employee's panel. Due to the access of many people to the panel which contains the data of current purchase transactions of individual customers, and taking into account the risks associated with obtaining unauthorised access to data, the use of an authentication measure exclusively in the form of a login and password was insufficient.
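An added illustration, not code from the Company, UODO or GDPRhub, of the two controls the DPA found lacking for the employee panel: a second authentication factor on top of login and password, and monitoring of panel events that raises an alert when one session pulls an unusual number of customer records. The TOTP routine follows RFC 6238 using only the standard library; the user record, the thresholds and the event log are constructed placeholders.

```python
"""Added example, not the Company's or UODO's code: the two controls the DPA
found missing for the employee panel, modelled with the standard library.
1. Login + password is completed by a second factor (RFC 6238 TOTP).
2. Panel events are monitored: a session that views an unusual number of
   customer records inside a short window is flagged for the incident
   procedure instead of going unnoticed, as happened in the facts of the case.
USERS, PANEL_EVENTS and the thresholds are constructed placeholders.
"""
import hashlib
import hmac
from collections import defaultdict, deque

DIGITS = 6
STEP = 30  # seconds per TOTP time step


def totp(secret: bytes, unix_time: float, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    counter = int(unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed employee record; the TOTP secret is the RFC 6238 test secret.
_SALT = b"constructed-salt"
USERS = {
    "employee1": {
        "pw_hash": hash_password("correct horse", _SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def panel_login(user: str, password: str, code: str, now: float) -> bool:
    """Grant panel access only if both factors verify.

    The one-time code is accepted for the current step and one step either
    side, to tolerate clock drift between the server and the employee's token.
    """
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password, _SALT), rec["pw_hash"]):
        return False
    return any(
        hmac.compare_digest(totp(rec["totp_secret"], now + drift), code)
        for drift in (-STEP, 0, STEP)
    )


def bulk_access_alerts(events, max_customers: int = 5, window: int = 60) -> set:
    """Return session ids that viewed more than `max_customers` distinct
    customers' records within any `window`-second span.

    events: iterable of (unix_time, session_id, customer_id), the kind of
    record an employee panel should log for every customer lookup.
    """
    flagged = set()
    recent = defaultdict(deque)  # session -> recent (time, customer) lookups
    for ts, session, customer in sorted(events):
        q = recent[session]
        q.append((ts, customer))
        while ts - q[0][0] > window:  # drop lookups that left the window
            q.popleft()
        if len({c for _, c in q}) > max_customers:
            flagged.add(session)
    return flagged


# Constructed panel log: a normal session handling a few orders over ten
# minutes, and a session sweeping through customer records in 40 seconds.
T0 = 1_700_000_000
PANEL_EVENTS = [(T0 + 120 * i, "s-normal", f"cust-{i}") for i in range(3)]
PANEL_EVENTS += [(T0 + 5 * i, "s-bulk", f"cust-{100 + i}") for i in range(8)]


if __name__ == "__main__":
    now = T0
    code = totp(USERS["employee1"]["totp_secret"], now)
    print("2FA login ok:", panel_login("employee1", "correct horse", code, now))
    print("sessions flagged for review:", bulk_access_alerts(PANEL_EVENTS))
```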

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

DECISION



CP 421.2.2019



Pursuant to Article 104(1) of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2018, item 2096 as amended) and Article 7(1) and (2), Article 60, Article 101,

Article 103 of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2018, item 1000 as amended) in relation to Article 5(1)(a) and (f), Article 5(2), Article 6(1), Article 7(1), Article 24(1), Article 25(1), Article 32(1)(b) and (d), Article 32(2), Article 58(2)(i) and Article 83(3), Article 83(4)(a) and Article 83(5)(a) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1 and OJ L 127, 23.05.2018, p. 2), following administrative proceedings concerning the processing of personal data by Morele.net Sp. z o.o. with its registered office in Krakow at ul. Fabryczna 20A, the President of the Office for Personal Data Protection

(2) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (EU Official Journal L 119 of 04.05.2016, p. 1, and EU Official Journal L 127 of 23.05.2018, p. 2), hereinafter: "Regulation 2016/679", imposes on Morele.net Sp. z o. o. with its registered office in Krakow, ul. Fabryczna 20A, a fine of PLN 2,830,410 (equivalent to EUR 660,000), according to the average euro exchange rate announced by the National Bank of Poland in the table of exchange rates as of 28 January 2019.

EXPLANATORY MEMORANDUM



On [...] November 2018, Morele.net Sp. z o. o. with its registered office in Krakow at ul. Fabryczna 20A (hereinafter referred to as the "Company") reported to the President of the Office for Personal Data Protection (hereinafter also referred to as the "President of UODO") two personal data breaches, which concerned unauthorised access to the database of customers of the online shops morele.net, hulahop.pl, amfora.pl, pupilo.pl, trennujesz.pl, motoria.pl, digitalo.pl, ubrieramy.pl, meblujesz.pl, sklep-presto.pl and budujesz.pl, and an unauthorised person obtaining access to [...], and consequently obtaining personal data of customers shopping in the above-mentioned online shops. Then, on [...] December 2018, the Company reported to the President of the Office for Personal Data Protection another breach consisting in obtaining unauthorised access to [...].



From [...] to [...] January 2019, in order to check the compliance of data processing with the provisions on personal data protection, inspection activities were carried out at Morele.net Sp. z o. o. with its registered office in Krakow at ul. Fabryczna 20A. The scope of the inspection covered the processing of personal data of customers of the following online shops: morele.net, hulahop.pl, amfora.pl, pupilo.pl, trennujesz.pl, motoria.pl, digitalo.pl, ubrieramy.pl, meblujesz.pl, sklep-presto.pl and budujesz.pl, whose administrator is the Company.



On the basis of the collected evidence, it has been established that in the process of personal data processing the Company, as the controller, violated the provisions on personal data protection. These deficiencies consisted in: a violation by the Company of the principle of data confidentiality expressed in Article 5(1)(f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1, and OJ L 127, 23.05.2018, p. 2), hereinafter referred to as "Regulation 2016/679", reflected in the obligations laid down in Article 24(1), Article 25(1), Article 32(1)(b) and (d) and Article 32(2) of Regulation 2016/679, consisting in the failure to ensure the security and confidentiality of the personal data processed, which resulted in unauthorised persons gaining access to the personal data of the Company's clients; and a breach of the principles of legality, reliability and accountability expressed in Article 5(1)(a) and Article 5(2) of Regulation 2016/679, as specified in Article 7(1) and Article 6(1) of Regulation 2016/679, by not demonstrating that personal data from instalment applications collected before 25 May 2018 were processed by Morele.net Sp. z o. o. with its registered office in Krakow on the basis of the consent of the data subject.



The President of UODO, on the basis of the evidence gathered, established the following facts of the case:



The Company's business includes retail sale via mail order houses or the Internet. The Company operates the online shops morele.net, hulahop.pl, amfora.pl, pupilo.pl, trennujesz.pl, motoria.pl, digitalo.pl, ubrieramy.pl, meblujesz.pl, sklep-presto.pl and budujesz.pl.

In connection with its business, the Company processes the personal data of customers who have registered on the morele.net website (and on the websites of the other shops mentioned above, whose administrator is the Company). The number of people whose data the Company processes is approximately 2,200,000 (approximately two million two hundred thousand). The scope of these data includes: name, surname, e-mail address, telephone number and delivery address, and access to these data is [...]. Until December 2018, the Company also processed data from instalment applications. The scope of these data included: first name, surname, e-mail address, telephone number, PESEL number, series and number of the identity document, date of issue of the identity document, expiry date of the identity document, education, registered office address, correspondence address, source of income, monthly net income, household maintenance costs, number of dependants, marital status, amount of monthly other liabilities in financial institutions, information on the amount of maintenance and other liabilities resulting from court judgments (collected from 2016). Their total number was approximately 35 000 [...].

[…].

On [...] November 2018, the Company was informed by clients that they were receiving short text messages informing them of the need to pay an additional fee of PLN 1 in order to complete their order. The message contained a link to a fake DotPay electronic payment gateway. The Company immediately notified the Police about the incident and attempted to clarify the matter.

[…]

The breach of personal data protection was found by the Company on [...] November 2018.

After carrying out monitoring activities, on [...] November 2018 the Company reported the breach to the President of the Office for Personal Data Protection. Moreover, the Company posted a warning about the false text messages on its website. The same information was sent by the Company to clients by e-mail and text message. On [...] December 2018, the Company again informed the data subjects about the breach, informing them, among other things, about potential access to data from instalment applications.

As indicated in the reports sent to the President of the Office for Personal Data Protection and supplementary reports, the Company undertook work on introducing additional technical security measures, among others in the form of [...].

On [...] November 2018, the Company received an e-mail from an unknown person informing it of the theft of the Company's customer database.

On [...] November 2018, the Company reported to the President of the Office for Personal Data Protection a breach concerning potential unauthorised access to the Company's customer database. The infringement concerned approximately 2 200 000 (approximately two million two hundred thousand) users.

On [...] December 2018, the Company sent 2,200,000 (approximately two million two hundred thousand) e-mail messages to the clients containing a notification of unauthorised access to the clients' database (the content of the notification of data subjects was sent to the Office in addition to the notification of the infringement). In the above information addressed to customers, the Company informed that it does not process data from credit applications.

On [...] December 2018, the Company identified another unauthorised access to [...], used to resend false text messages; the 600 persons whose data the unauthorised person had accessed were informed. On [...] December 2018, the breach was reported to the President of the Office for Personal Data Protection.

Due to the fact that the notification of the data subjects did not meet the requirements set out in Article 34 of Regulation 2016/679, on [...] January 2019 the President of the Office for Personal Data Protection, pursuant to Article 52(1) of the Act on Personal Data Protection of 10 May 2018 (Journal of Laws of 2018, item 1000 as amended), addressed a request to the Company to inform the data subjects about the breach of their personal data again and to provide them with recommendations on how to minimise its potential effects. In response to the request of the President of the Office for Personal Data Protection, the Company once again sent the notification of a personal data breach to 35,000 (thirty-five thousand) persons.

In order to determine the circumstances of the data protection violations reported by the Company and to determine the technical security measures applied by the Company, the measures applied to minimize the effects of the violation and to prevent similar events, on [...] January 2019, the President of the Office for Personal Data Protection sent a request to the Company for explanations.

In response to the call of [...] January 2019, by letter of [...] January 2019, the Company provided extensive explanations, including, inter alia: a description of the Company's activities following the incident, a description of the technical and organisational security measures applied by the Company, a description of the procedure for handling the requests of the data subjects.

To the explanations of [...] January 2019, the Company attached the financial statements for the financial year from 1 January 2017 to 31 December 2017, from which it follows that the amount of net revenue from sales and equivalent items is: [...].

As established in the course of the audit, making purchases in the online shops administered by the Company requires prior registration. The information necessary to set up an account consists of an e-mail address and a password for the user account, which is entered by the shop's customer. After logging in, the user is able to enter his name, surname, address and telephone number (to provide the basic data necessary for delivery of the purchased goods). The user account exists in the Company's system until the termination of the agreement, i.e. deletion of the account by the user.

As established in the course of the audit, the documentation in force in the Company concerning the processing of personal data was updated in 2016. In 2017, the Company began work on applying the provisions of Regulation 2016/679, with regard to the adaptation of the website, user profile, newsletter, adaptation and circulation of documents within the Company, and physical and technical security measures. As indicated in the explanations taken during the audit, the Company carried out risk analysis on an ad hoc basis for individual processes, in an informal manner.

In the course of the audit, a copy of the Company's internal document entitled "Report after the database was stolen" (Annex B10 to the inspection report) was obtained, [...].

[…].

As established during the audit, the module supporting [...] does not record the information entered by the Client in the Company's database. […]

According to the explanations adopted during the audit, the Company has never collected data on scans of identity cards belonging to customers submitting [...]. The instalment purchase form from around [...] October 2018 contained space to enter only the amount of maintenance obligations or the amount of obligations arising from other court decisions. The Company does not confirm that such data was recorded in the database deleted in December 2018.

By letter of [...] February 2019, the Company requested the President of the Office for Personal Data Protection to examine the case as a matter of urgency, indicating that, due to the media attention to the case and uncertainty as to how the President of the Office for Personal Data Protection would conclude it, any lengthy examination of the case could pose a threat to the functioning of the Company. […].

In connection with the above, on [...] June 2019, in the letter mark: ZSPR.421.2.2019/43412, the President of the Office for Personal Data Protection initiated ex officio administrative proceedings in respect of the identified breaches, in order to clarify the circumstances of the case.



In response to the notice of initiation of administrative proceedings, the Company's attorney (power of attorney in the case file), by letter of [...] July 2019, submitted explanations in which he indicated, inter alia, that:



In the Company's opinion, the findings made during the audit do not indicate that the Company has infringed Article 5(1)(f), Article 24(1), Article 25(1), Article 32(1)(b) and (d) and Article 32(2) of Regulation 2016/679 in the processing of personal data.

In the course of the inspection (in accordance with the request of the inspectors), the Company submitted the content of the consent clause legalizing the processing of data from instalment applications, therefore it cannot be considered that the Company processed data from instalment applications without a legal basis and, as a result, it is not correct for the President of the Office for Personal Data Protection to state that in this respect the Company violates Article 5(1)(a) and Article 5(2) of Regulation 2016/679.

The Company had security measures, technical and organisational, adequate to the identified threats, taking into account the conditions specified in Article 24 and Article 32 of Regulation 2016/679.

The Company has been analysing the risks of the existing threats on an ongoing basis and has been implementing new and up-to-date methods to ensure the security of the processed data, taking into account the conditions specified in Article 24 and Article 32 of Regulation 2016/679.

The Company does not agree with the allegation that it did not assess and monitor potential threats to the rights and freedoms of persons whose data it processes on a current basis, as for many years the Company has been regularly conducting research, verifying threats and hiring external companies to carry out security audits. In the course of the audit, the Company provided a number of evidence for this circumstance, [...].

The company also referred to the list of security measures applied, submitted during the audit.

In the Company's opinion, indirect evidence confirming the ongoing monitoring of threats and the implementation of adequate security measures is the Company's reaction to the suspected data leak which took place in November 2018. The Company updated its risk assessment, implemented new safeguards [...] and stopped collecting data from the instalment forms. These actions were not of a one-off nature (prompted by a security incident): the Company always took appropriate action when, on the recommendation of the IT team or the IOD (data protection officer), it was necessary to update, upgrade or extend the safeguards for personal data processing.

The Company's security monitoring is confirmed by orders which are drawn up in order to improve the security features, [...].

The Company also disagrees with the allegation that potential threats are not monitored on an ongoing basis. Such a claim is not confirmed by any evidence gathered during the inspection. On the contrary, in the Company's opinion, the evidence gathered indicates that action has been taken in this respect. The President of UODO did not specify to what specific extent, in his opinion, the Company has failed to comply with the obligation to monitor the threats on a current basis, which makes it impossible to more precisely refer to the allegation formulated and to formulate additional evidential conclusions.

Regulation 2016/679 imposes an obligation on controllers to provide safeguards adequate to the threats, not safeguards effective in all circumstances. The risks associated with processing always exist, regardless of the means used. The task of the controller is to minimise them by applying appropriate measures, which the Company has done and continues to do.

Contrary to the claims of the President of the Office for Personal Data Protection (UODO) concerning the selection of ineffective measures at the level of network traffic monitoring, the Company does monitor network traffic, as evidenced by the technical security measures adopted, including network traffic monitoring, i.e. [...].

The Company also points out that the "Report after the database is stolen" (Annex B10 to the control protocol) would not have been created if the Company had not monitored the traffic (see table indicating the level of network traffic).

In the Company's opinion, there are no grounds for concluding that the Company did not examine the level of data security on an ongoing basis and did not adjust it to the identified threats.

In the Company's opinion, the allegation of failure to assess the risk of gaining access to [...] is not confirmed by the evidence gathered during the audit. The risk analysis conducted by the Company shows that only authorised persons (employees of the Company), who have been granted appropriate rights, had access to [...].

The Company also points out that Regulation 2016/679 requires the analysis and evaluation of personal data processing processes, not individual IT systems. The IT systems (and their security) are only applied technical means referred to e.g. in Article 24(1) of Regulation 2016/679 or in Article 32(1) of Regulation 2016/679.

The analysis of the facts and the reassessment of the risks have led the Management Board to decide [...].

As the President of UODO, summarising the allegations, concluded that an earlier implementation and the introduction of additional measures could have significantly reduced the risk of unauthorised access, the Company notes that this claim was not supported by any arguments, nor by a justification of why the safeguards applied by the Company were inappropriate.

According to the Company's assessment, the technical and organisational security measures applied were appropriate to the risks related to the processing of personal data, in accordance with Articles 24(1) and 32(1) of Regulation 2016/679. There are no grounds to the contrary in the evidence. The Company is of the opinion that the technical and organisational security measures applied were adequate to the risks and met the conditions specified in the regulations.

Referring to the allegation of the President of the Office for Personal Data Protection that the Company is not able to precisely indicate the date on which the functionality of saving data from instalment applications was activated, the Company indicates that the content of the consent is on the first page of Annex A22 and Annex A23 to the control protocol. […]. Therefore, the allegation of the President of the Office for the Protection of Personal Data in this respect is incorrect and is not supported by the collected evidence.

The evidence does not justify the allegation made by the President of the Office for the Protection of Personal Data that the Company does not have a documented analysis of the data processing process with regard to the functionality of recording data from instalment applications. The evidence shows that the Company has verified, evaluated and monitored the data processing process related to instalment applications on an ongoing basis. An example of the conducted analysis is [...] determining the content of the consent, which was prepared in connection with the current analysis of the processing process.

As an example of the analysis and application of appropriate (adequate) technical measures to personal data related to [...]. Only the user (customer) of the shop was able to display the data during the next filling in of the Privacy-by-Default form.

The company argued that according to the principle of accountability, the controller is obliged to demonstrate compliance with Regulation 2016/679, but may use any means, including system logs, procedures (whether documentary or not). In this case, an example of ensuring accountability is [...].

Referring to the allegation of the President of the Office for the Protection of Personal Data that the Company deleted personal data from instalment applications without detailed analysis, the Company indicates that Regulation 2016/679 allows and requires the deletion of data at the moment when the controller ceases to have a purpose for processing. The Company had completed the processing of data whose processing was based on consent and had no other purposes of processing, so the data were deleted. The closure of the process was motivated by a risk analysis carried out in connection with correspondence with the blackmailer.

Referring to the remark of the President of the Office for Personal Data Protection that the Company did not document the deletion of the data, the Company indicates that due to the closure of the data processing process, the process was deleted from the Register of Processing Activities. The deletion of the database has also been documented [...]. Moreover, the President of the Office for Personal Data Protection has not indicated the provision which the Company would violate in connection with the removal of the database.

In the Company's opinion, the evidence gathered in the case does not justify the statement of the President of the Office for Personal Data Protection that the Company processed personal data from instalment applications without a legal basis, i.e. without the consent of the data subject, as the content of the collected consents is included in Annex A22 and Annex A23 to the control protocol.

Moreover, in the letter responding to the notice of initiation of administrative proceedings, the Company's attorney requested that the President of the Office for the Protection of Personal Data:



admit and take evidence from an expert opinion in the field of information systems security in order to: a) establish the technical and organisational standards of security measures in the business activity of entrepreneurs in the area of e-commerce of a scale and nature similar to that of the Company in 2018; b) assess whether the technical and organisational measures applied by the Company complied with the standards of security measures in the business activity of entrepreneurs in the area of e-commerce of a scale and nature similar to the scale and nature of the Company's activity in 2018; c) assess whether the technical and organisational measures applied by the Company were appropriate taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of infringement of the rights or freedoms of natural persons of varying probability and seriousness;

attach to the file of the proceedings a copy of the existing correspondence between the UODO and the Company (the Company's letter of [...] January 2019, the Company's letter of [...] February 2019, as well as the breach reports submitted by the Company).

By order of [...] August 2019, the President of the Office for Personal Data Protection refused the Company's application to admit and take evidence from the expert opinion.



In response to the order of [...] August 2019 and the information about the collection of evidence of [...] August 2019, the Company's attorney maintained the Company's position to date and requested the discontinuation of the administrative proceedings in question. In particular, the Company maintains the previously expressed position that there is no evidence indicating a breach of personal data protection regulations by the Company, in particular with respect to the application of appropriate security measures, and does not agree with the statement of the President of the Data Protection Office contained in the notice of initiation of the proceedings of [...] June 2019 on the breach of the provisions of Regulation 2016/679.



After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following:



Article 5 of Regulation 2016/679 formulates the principles for the processing of personal data, which must be respected by all controllers, i.e. the entities which alone or jointly with others determine the purposes and means of processing personal data. According to Article 5(1)(f) of Regulation 2016/679, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("confidentiality and integrity").



In accordance with Article 24(1) of Regulation 2016/679, taking into account the nature, scope, context and purposes of the processing, and the risks of violation of the rights or freedoms of natural persons of varying degrees of likelihood and gravity, the controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with this Regulation and to demonstrate this. Those measures shall be reviewed and updated as necessary.



Pursuant to Article 25(1), both in determining the means of processing and during the processing itself, the controller shall implement appropriate technical and organisational measures designed to effectively implement data protection principles (data protection by design).


Pursuant to Article 32(1)(b) of Regulation 2016/679, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, and the risk of infringement of the rights or freedoms of natural persons of varying likelihood and seriousness, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to those risks, including, as appropriate, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and, in accordance with Article 32(1)(d) of Regulation 2016/679, a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

In accordance with Article 32(2) of Regulation 2016/679, when assessing whether the degree of security is adequate, the controller shall in particular take account of the risks represented by the processing, in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.



The provisions of Articles 24(1), 25(1), 32(1)(b) and (d) and 32(2) of Regulation 2016/679 thus concretise the principle of confidentiality set out in Article 5(1)(f) of Regulation 2016/679. The matter in question should therefore be examined with a view to whether the conditions for the technical and organisational measures were met.



The principle of confidentiality, whose correct implementation ensures that data are not made available to unauthorised persons, has been breached in the facts of the case as a result of access being obtained [...] twice. [...] and to the data of all clients from the Company's database system resulted in the materialisation of the risk of infringing the rights and freedoms of the natural persons whose data are processed by the Company, in the form of the method called phishing, aimed at extracting data, including data used to authenticate access to the bank account, by impersonating the Company in SMS messages and exploiting the fact that the client had placed an order.



In the opinion of the President of the Office for Personal Data Protection, the breach of confidentiality in question should be considered from the perspective of two events: obtaining unauthorised access to [...] and obtaining the data of all clients from the Company's database system.



In the facts of the case in question, in the opinion of the President of the Office for the Protection of Personal Data, an ineffective means of authentication has contributed to the event of unauthorised access [...].



As indicated by the Company in its letter of [...] January 2019, as soon as an infringement consisting in obtaining access [...] by an unauthorised person has been detected, work has been undertaken to introduce additional technical security measures, inter alia, in the form of [...].



The President of the Office for Personal Data Protection, in the notice of initiation of administrative proceedings, indicated that the Company had failed to fulfil the obligation resulting from Article 32(1) and (2) of Regulation 2016/679, consisting in the selection of effective technical and organisational measures at the level of access control and authentication. In response, the Company indicated that its employees receive appropriate rights and authorisations to access particular IT systems and databases, and that such access is supervised by a team of administrators. Furthermore, the Company indicated that its IT team monitors the functioning of [...] on an ongoing basis and adapts solutions to market standards and threats, and that the solutions applied in the Company [...] enabled the detection of unusual behaviour.



In the opinion of the President of the Office for the Protection of Personal Data, due to [...]. As it results from the material collected in the course of the audit, the Company used external security auditors (Annex B11 and B12 to the audit protocol) and implemented their recommendations regarding the identified vulnerabilities in the software code used for personal data processing. In the opinion of the supervisory authority, the ability to ensure continuous confidentiality was insufficiently assessed and the risks associated with obtaining unauthorised access were not taken into account [...]. As the Company indicated in its response to the notice of initiation of administrative proceedings, 'it is not the aim of this regulation to eliminate the risk in full, which cannot be done, but only to implement technical and organisational solutions which are appropriate and proportionate, taking into account the criteria assessed' and that Regulation 2016/679 'imposes on controllers the obligation of adequate (to the risks) safeguards, not safeguards effective in all circumstances'.



It should be pointed out here that access control and authentication are essential security measures protecting against unauthorised access to the IT system used to process personal data. Providing access to authorised users and preventing unauthorised access to systems and services is one of the example security controls indicated, among others, in the PN-EN ISO/IEC 27001:2017-06 standard. As follows from Article 32(1) of Regulation 2016/679, one of the factors to be taken into account when selecting appropriate technical and organisational measures is the state of technical knowledge, which should be assessed taking into account market conditions, in particular the availability and market acceptance of a given technical solution. Specific guidance in this respect is provided by existing standards and norms, in particular ISO standards, which are themselves subject to constant review and development in line with technological progress.



The European Network and Information Security Agency (ENISA), in its guidelines for the security of processing of personal data issued in 2016[1], taking into account the above mentioned standard (in the 2013 version) and the provisions of Regulation 2016/679, recommends the use of a two-stage authentication mechanism for systems involving access to personal data as part of access control and authentication.



In accordance with the risk-based approach, resulting, inter alia, from Article 25(1) of Regulation 2016/679, the choice of the appropriate means of authentication should be based on a risk assessment of the underlying transaction or service. Standard PN-ISO/IEC 29115:2017-07 ('Information technology - Security techniques - Framework for reasonable assurance of authentication levels'), as well as recitals 75 and 85 of Regulation 2016/679, indicate the possible consequences of an authentication failure depending on the assurance level used, including unauthorised disclosure of confidential information or financial loss.



The importance of properly selected technical measures for access control and authentication is also pointed out by other information security organisations.



The OWASP Foundation, an international non-profit organisation which aims to develop and disseminate good practices addressed to software developers, in its document "OWASP Top 10 - 2017"[2] presents a list of the most critical threats to web applications together with methods of preventing them. One of them is broken authentication (usually single-step). As a preventive measure, it recommends multi-step (multi-factor) authentication as a way to significantly reduce the risk of security breaches.



This document, as well as the above-mentioned standard, also refers to a publication of the US federal agency the National Institute of Standards and Technology (NIST), "NIST 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management"[3].



Both PN-ISO/IEC 29115:2017-07, NIST 800-63B and the OWASP studies indicate that the selection of an appropriate means of authentication should be preceded by a risk analysis and be subject to continuous review.



The risk, in the facts of the case in question, concerned the use of the method called phishing, aimed at fraudulently obtaining data, among other things credentials to the bank account, by impersonating the Company in SMS messages and exploiting the fact that the customer had placed an order. As indicated in the literature, among phishing attacks one can distinguish attacks targeted at specific groups of people (so-called spear phishing), in which the attacker devotes time to obtaining information about the target and creating a personalised message related to the situation of a given person (in the case in question, a person who had made a purchase), which may make such messages (in the case in question, a text message calling for an additional payment of PLN 1 to complete the order, with a link to a fake DotPay electronic payment gateway) difficult to detect and defend against.



According to the annual reports on the activity of CERT Polska for 2016, 2017 and 2018, phishing is one of the most common types of incidents and the most distinctive category in comparison with other attacks, and the percentage of incidents of this type is still at a similar level (in 2018 about 44 percent). As CERT Polska indicates, the most common motive for criminals is the desire to obtain credentials for various websites, including banks. Moreover, the scenarios of impersonating payment intermediaries, which took place in the facts of the case, became in 2018 the most popular attack on e-banking users, causing significant financial losses. CERT Polska indicates that the first such practices took place as early as 2017, which is also confirmed by press reports.



In the facts of the case in question, in the opinion of the President of the Office for Personal Data Protection, ineffective monitoring of potential threats to the rights and freedoms of the persons whose data are processed by the Company contributed to an event consisting in gaining unauthorised access to clients' data from the Company's database system.



As the Company indicates in its letter of [...] July 2019, the statement by the President of the Office for the Protection of Personal Data in the notice of initiation of administrative proceedings that potential risks are not being monitored on an ongoing basis 'does not find (...) confirmation in any evidence gathered during the inspection'. Moreover, the Company indicated that, "contrary to the claims of the President of the Office for the Protection of Personal Data concerning the selection of ineffective measures", it monitors network traffic, and indicated the technical security measures adopted in this respect, among others [...].



In the opinion of the President of the Data Protection Office, despite the application of such a solution, the Company was not able to react to an unusual event in the monitoring system consisting of increased data transfer. The document "Report after database stealing" (Annex B10 to the inspection report) indicates that [...].



The presented facts indicate that the Company, from October 2018 to January 2019, had no knowledge of the reasons for the increased data transmission. [...]. In the opinion of the President of the Office for Personal Data Protection, the measures adopted by the Company could have been effective if they had been properly adapted and a procedure for responding to adverse events such as abnormal network traffic had been implemented. ENISA, in its guidelines on the security of personal data processing, also indicates that the monitoring of events in IT systems is an important element enabling the identification of potential internal or external threats. This task should be performed by means of appropriately implemented procedures and a notification system for adverse events.
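A detector of the kind the authority describes, added here as an illustration rather than the Company's monitoring or anything from the decision: it learns a per-host baseline of outbound transfer from constructed hourly counters (the log format, host names, thresholds and October 2018 dates are all assumptions) and raises an adverse-event alert only for a sustained deviation, so that an unexplained rise in data transfer surfaces the day it starts rather than months later.

```python
import re
import statistics
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format (an assumption, not the Company's real format):
#   <ISO timestamp> host=<name> direction=out bytes=<n>
LOG_RE = re.compile(r"^(\S+) host=(\S+) direction=out bytes=(\d+)$")

@dataclass
class TransferSample:
    ts: datetime
    host: str
    bytes_out: int

@dataclass
class TransferAlert:
    host: str
    first_seen: datetime
    last_seen: datetime
    samples: int            # consecutive anomalous intervals
    peak_bytes: int
    baseline_bytes: float   # median volume the host was judged against

def parse_transfer_log(lines):
    """Parse outbound-transfer counters; unrelated or malformed lines are skipped."""
    samples = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            samples.append(TransferSample(datetime.fromisoformat(m.group(1)),
                                          m.group(2), int(m.group(3))))
    return samples

def is_anomalous(value, history, k):
    """Robust test: value above median + k * MAD of the learned baseline. The MAD is
    floored at 1% of the median (and at 1 byte) so a flat baseline keeps a margin."""
    med = statistics.median(history)
    mad = statistics.median(abs(v - med) for v in history)
    return value > med + k * max(mad, 0.01 * med, 1), med

def _alert_from_run(host, run):
    return TransferAlert(host=host, first_seen=run[0][0].ts, last_seen=run[-1][0].ts,
                         samples=len(run), peak_bytes=max(s.bytes_out for s, _ in run),
                         baseline_bytes=run[0][1])

def detect_transfer_anomalies(samples, window=12, k=6.0, min_consecutive=2):
    """Per host, compare each sample with the last `window` samples judged
    normal. Flagged samples are NOT fed back into the baseline, so a sustained
    exfiltration cannot quietly become the new normal. Only runs of at least
    `min_consecutive` anomalous samples are reported, so a one-off backup or
    batch job does not page anyone."""
    by_host = {}
    for s in samples:
        by_host.setdefault(s.host, []).append(s)
    alerts = []
    for host, host_samples in by_host.items():
        history = deque(maxlen=window)   # recent *normal* volumes only
        run = []                         # current streak of anomalous samples
        for s in sorted(host_samples, key=lambda x: x.ts):
            if len(history) < window:    # still learning the baseline
                history.append(s.bytes_out)
                continue
            flagged, med = is_anomalous(s.bytes_out, history, k)
            if flagged:
                run.append((s, med))
                continue
            if len(run) >= min_consecutive:
                alerts.append(_alert_from_run(host, run))
            run = []
            history.append(s.bytes_out)
        if len(run) >= min_consecutive:
            alerts.append(_alert_from_run(host, run))
    return alerts

def format_alert(a):
    """Message for the adverse-event notification channel (pager, ticket, SIEM)."""
    factor = a.peak_bytes / a.baseline_bytes
    return (f"[{a.host}] outbound transfer {factor:.0f}x above baseline for "
            f"{a.samples} consecutive intervals ({a.first_seen:%Y-%m-%d %H:%M} to "
            f"{a.last_seen:%Y-%m-%d %H:%M}); peak {a.peak_bytes} bytes, "
            f"baseline {a.baseline_bytes:.0f} bytes; investigate before closing.")

def constructed_log_lines():
    """Constructed hourly counters for two hosts (not real data): db-01 has a
    one-hour spike at hour 15 (a backup, say) and a sustained surge from hour 26."""
    start = datetime(2018, 10, 1)
    surge = {26: 800_000_000, 27: 950_000_000, 28: 870_000_000, 29: 910_000_000}
    lines = []
    for i in range(30):
        ts = (start + timedelta(hours=i)).isoformat()
        normal = 50_000_000 + (i * 7919) % 3_000_000        # ~50 MB/h with jitter
        db = 300_000_000 if i == 15 else surge.get(i, normal)
        lines.append(f"{ts} host=db-01 direction=out bytes={db}")
        lines.append(f"{ts} host=web-01 direction=out bytes={normal * 4}")
        lines.append(f"{ts} host=db-01 direction=in bytes={normal // 10}")  # ignored
    return lines
```

Running `format_alert` over `detect_transfer_anomalies(parse_transfer_log(constructed_log_lines()))` reports the four-hour surge on db-01 and stays silent about the single backup spike and the web host.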



As emphasised in recital 76 of Regulation 2016/679 (the recitals contain a justification for the provisions of the operative part (articles) of the act, which is a regulation), the risks should be assessed on the basis of an objective assessment of whether there are risks or high risks associated with the processing operations. At the same time, account should be taken of the reasons for the risks related to the nature of the data, the scope of the processing, the context and the purposes, as well as of the other elements referred to in recital 75 of Regulation 2016/679, taking into account Article 32 of Regulation 2016/679, including in particular the relation between these reasons and data security and the consequences of failure to ensure such security (Article 32(2)).



In accordance with Article 32(2) and having regard to recital 83 of Regulation 2016/679, when assessing whether the degree of security is adequate, account shall be taken in particular of the risks associated with the processing (in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed), which may in particular result in physical, material or non-material damage (recital 83).



In the facts of the case, the Company, when processing personal data of more than 2 200 000 users, which is to be considered a large-scale processing of personal data and taking into account the scope of the data and context of the processing, was obliged to assess and monitor potential threats to the rights and freedoms of persons whose data it processes more effectively on an ongoing basis.



Regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing is the responsibility of each controller and processor under Article 32(1)(d) of Regulation 2016/679. The controller is therefore obliged to verify both the selection and the level of effectiveness of the technical measures applied. The complexity of this verification should be assessed in terms of its adequacy to risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and objectives of the processing.



In the facts of the case, the Company fulfilled this obligation only partially, by verifying only the level of effectiveness of the implemented security measures in terms of known vulnerabilities in the implemented software, as indicated by security audits of the already functioning IT systems used for processing the data of the Company's customers [...]. In the opinion of the President of the Office for Personal Data Protection, the Company did not undertake any actions aimed at assessing the selection of technical and organisational measures from the perspective of their adequacy to the risks. Reviewing and updating the implemented solutions is also a requirement formulated directly in Article 24(1), second sentence, of Regulation 2016/679, and also follows from Article 25(1) of Regulation 2016/679, which creates the obligation to ensure privacy by design and requires the controller to implement appropriate technical measures both in the phase of determining the means of processing and in the phase of the processing itself. In doing so, taking into account the nature, scope, context and purposes of the processing and the resulting risks to the rights and freedoms of individuals, the controller is obliged to implement appropriate technical and organisational measures.



It should be indicated that an earlier implementation of [...] (implemented on [...] December 2018) [...] and of [...] would have significantly reduced the risk of access by an unauthorised person, and thus minimised the risk of infringing the rights or freedoms of the natural persons whose data are processed by the Company, i.e. of the data being made available to unauthorised recipients.



To sum up, in the opinion of the President of the Office for the Protection of Personal Data, the Company applied technical and organisational measures, which contributed to a limited extent to meeting the requirements of Article 32 of Regulation 2016/679, as the foreseeable risks were not adequately minimised and limited during the processing.



Article 5(1)(a) of Regulation 2016/679 requires the controller to process data lawfully, fairly and in a transparent manner in relation to the data subject. The requirement to ensure the lawfulness of data processing operations implies, inter alia, the need to meet at least one of the conditions for the lawfulness of data processing laid down in Article 6 of Regulation 2016/679 and the need to ensure compliance with the other provisions on personal data protection.



According to Article 6(1)(a) of Regulation 2016/679, processing is lawful where the data subject has consented to the processing of his or her personal data for one or more specified purposes. As follows from Article 4(11) of Regulation 2016/679, the data subject's consent means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.



Under Article 7(1) of Regulation 2016/679, where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. The controller should therefore implement organisational or technical measures which make it possible to prove the data subject's consent, in particular by recording the fact that consent was obtained.



The collection and recording of information on who gave consent and what its content was, when it was given, what information was given to the data subject when he or she made the statement of consent, how consent was given, and whether and, if so, when consent was withdrawn, is to be considered correct for the purposes of proof under Article 7(1) of Regulation 2016/679. The controller's possession of the above-mentioned information on the data subject's consent is a specification of the general principle of accountability formulated in Article 5(2) of Regulation 2016/679. Where the controller is not able to prove that consent to data processing was given by the data subject, and what that consent covered, such consent may be questioned.
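To show what recording those elements looks like in practice, here is an added example that is not from the decision or the Company's systems: a consent evidence ledger whose field names, dates and wording are assumptions, with a check of which part of a processing period (such as data collected from 2016 under consents introduced only in May 2018) lacks demonstrable consent.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ConsentRecord:
    """One item of consent evidence with the elements the decision lists
    (who, what content, when, what information was given, how, withdrawal)."""
    subject_id: str
    purpose: str
    consent_text: str          # the exact wording the data subject agreed to
    information_given: str     # what the subject was told at that moment
    method: str                # how consent was expressed (e.g. an unticked checkbox)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Consent evidence store. Withdrawal is recorded with its own timestamp
    instead of deleting the record, so the full history stays demonstrable."""

    def __init__(self):
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        # Evidence without the text agreed to or the information given proves nothing.
        if not rec.consent_text.strip() or not rec.information_given.strip():
            raise ValueError("consent evidence must hold the consent text and the information given")
        self._records.append(rec)

    def _matching(self, subject_id: str, purpose: str) -> List[ConsentRecord]:
        return [r for r in self._records if r.subject_id == subject_id and r.purpose == purpose]

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Record withdrawal of the consent active at `at`; False if none was active."""
        for i, r in enumerate(self._records):
            if (r.subject_id == subject_id and r.purpose == purpose
                    and r.withdrawn_at is None and r.given_at <= at):
                self._records[i] = replace(r, withdrawn_at=at)
                return True
        return False

    def active_consent(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentRecord]:
        """The record that demonstrably covered processing at instant `at`, if any."""
        for r in self._matching(subject_id, purpose):
            if r.given_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at):
                return r
        return None

    def can_demonstrate(self, subject_id: str, purpose: str, at: datetime) -> bool:
        return self.active_consent(subject_id, purpose, at) is not None

    def unevidenced_intervals(self, subject_id: str, purpose: str,
                              start: datetime, end: datetime) -> List[Tuple[datetime, datetime]]:
        """Sub-intervals of [start, end) during which processing for this purpose
        ran with no demonstrable consent; empty when the whole period is covered."""
        spans = sorted((r.given_at, r.withdrawn_at or datetime.max)
                       for r in self._matching(subject_id, purpose))
        gaps, cursor = [], start
        for given, withdrawn in spans:
            if given > cursor:
                gaps.append((cursor, min(given, end)))
            cursor = max(cursor, withdrawn)
            if cursor >= end:
                break
        if cursor < end:
            gaps.append((cursor, end))
        return gaps

def demo_scenario() -> dict:
    """Constructed scenario (dates and wording are assumptions) shaped like the
    decision: instalment-form data stored since 2016, consent wording only
    introduced in May 2018, consent later withdrawn."""
    purpose = "instalment-form-autofill"
    ledger = ConsentLedger()
    ledger.record(ConsentRecord(
        subject_id="cust-1", purpose=purpose,
        consent_text="I agree to the storage of my instalment application data "
                     "so that future instalment forms can be pre-filled.",
        information_given="privacy notice v2: controller, purpose, retention, right to withdraw",
        method="unticked checkbox on the instalment form",
        given_at=datetime(2018, 5, 25)))
    first = ledger.withdraw("cust-1", purpose, datetime(2019, 1, 15))
    second = ledger.withdraw("cust-1", purpose, datetime(2019, 1, 16))  # nothing active
    gaps = ledger.unevidenced_intervals("cust-1", purpose, datetime(2016, 6, 1), datetime(2019, 3, 1))
    return {
        "before_consent": ledger.can_demonstrate("cust-1", purpose, datetime(2017, 1, 1)),
        "while_active": ledger.can_demonstrate("cust-1", purpose, datetime(2018, 6, 1)),
        "after_withdrawal": ledger.can_demonstrate("cust-1", purpose, datetime(2019, 2, 1)),
        "withdrawals": (first, second),
        "gaps": [(a.isoformat(), b.isoformat()) for a, b in gaps],
    }
```

The gaps returned by `demo_scenario()` are exactly the periods for which, in the authority's words, the controller could not demonstrate consent: from the start of collection until the consent was introduced, and again after withdrawal.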



As established during the audit, the Company obtained data from instalment applications, which was intended to make it easier for customers to apply for subsequent instalment purchases (auto-filling of the instalment form). As indicated in the explanations, these data were not used by the Company for any other purpose. The Company is not able to accurately indicate the date on which the functionality of saving data from instalment applications was launched (probably in 2016) and does not have a documented analysis of the data processing in this respect. The evidence suggests that around [...] December 2018 the Company, on the oral recommendation of [...], deleted the customer database from the so-called 'instalment applications'. No detailed analysis was carried out in this respect and the deletion was not documented.



With regard to the explanations concerning the violation of the principles of lawfulness, fairness and accountability in the processing of personal data from instalment applications, it should be strongly emphasised that the Company has not been able to demonstrate since when it collected personal data in order to facilitate the completion of future applications [...] and in this respect has not provided any statement of consent to such processing. The [...] printout only indicates that it was only in the context of the amendment of the data protection legislation ("in connection with RODO", RODO being the Polish acronym for Regulation 2016/679) that two consents were to be added on [...].



Since the consents were obtained after the entry into force of Regulation 2016/679, whereas the process itself had been running since 2016 (according to the Company's explanation), it should be assumed that the deleted database contained data collected without a legal basis. [...].



In the course of the audit, the Company did not present any clauses or templates of applied consents collected prior to the application of Regulation 2016/679, therefore it should be stated that the controller did not demonstrate that it obtained appropriate consents from persons whose data it collected in the period from 2016 (as indicated in the explanatory notes - the period from which the Company started to collect data from instalment applications) to May 2018 for processing of data from instalment applications.



For these reasons, the Company's explanations concerning the completed processing of the data, in the absence of other evidence, are not sufficient to consider that the processing itself was carried out in accordance with the law, including on the basis of a properly formulated ground of consent.



Such an approach by the Company to the data processing process, even though the process itself is considered closed (the data have been erased), undermines the basic principles of data processing, including the principles of lawfulness and fairness indicated in Article 5(1)(a) of Regulation 2016/679, as the controller must always be able to demonstrate that personal data are processed lawfully. In turn, the principle of accountability (Article 5(2) of Regulation 2016/679) requires the controller to be able to demonstrate that it complies with its obligations under the provisions on personal data protection. These requirements apply to all stages of data processing, including situations where there are data protection breaches or substantial changes in the processing. Accountability thus applies not only at the time of the collection of personal data but at all times during the processing, regardless of the information or method of communication provided. The Company sent its customers a notice of unauthorised access to the customer database in which it informed them that the unauthorised access did not concern the information provided in instalment applications because it does not collect such data, which could have misled the customers. For these reasons, the controller's decision to delete the data, which was not preceded by a well-founded analysis, shows that the basic principles of personal data protection referred to above were not respected.



In view of the foregoing, the President of the Office for the Protection of Personal Data, in exercising his power under Article 58(2)(i) of Regulation 2016/679, according to which each supervisory authority has the power to impose, in addition to or instead of the other remedies provided for in Article 58(2)(a) to (h) and (j) of that Regulation, an administrative penalty payment pursuant to Article 83 of Regulation 2016/679, has concluded, in view of the circumstances set out in that procedure, that in the present case there are grounds for imposing an administrative penalty payment on the Company.



When deciding to impose an administrative fine on the Company, the President of the Office for Personal Data Protection, pursuant to Article 83(2)(a) to (k) of Regulation 2016/679, took into account the following circumstances of the case, which are aggravating and affect the amount of the financial penalty imposed:



(a) the Company did not comply with the obligation to apply appropriate technical and organisational measures to ensure a level of security corresponding to the risk of unauthorised access to the personal data of its customers, which resulted in [...] being accessed twice by an unauthorised person or persons and, consequently, in access to the database of all the Company's customers, approximately 2,200,000 (approximately two million two hundred thousand) persons in total; the Company's actions aimed at ensuring the security of data processing prior to the occurrence of the breach should therefore be considered ineffective, as they did not eliminate the risk of damage;



(b) the infringement of Article 5(1)(f) in conjunction with Article 32(1)(b) and (d) and Article 32(2) of Regulation 2016/679, consisting in unauthorised access to the Company's employee panel by an unauthorised person or persons and, consequently, also access to the Company's customer database, is of considerable importance and of a serious nature, as it poses a high risk of negative legal consequences for approximately 2 200 000 (approximately two million two hundred thousand) persons whose data were accessed by an unauthorised person or persons; significantly, as the confidentiality of the Company's IT system was breached twice, the risk is proportionally higher in the case of 600 (six hundred) persons; the Company's breach of its obligation to apply measures ensuring the security of the processed data before they were made available to unauthorised persons entails a potential but real possibility that the data will be used by third parties without the knowledge and against the will of the data subjects, contrary to the provisions of Regulation 2016/679 and of the Act on the Protection of Individuals with regard to the Processing of Personal Data (Journal of Laws of 2009, No. 153, item 259, as amended). The fact that the Company, which processes personal data professionally as part of its business activity, bears greater responsibility and is held to higher requirements than an entity processing personal data as a secondary, incidental or small-scale activity, also has a significant bearing on the gravity of the breach; when conducting commercial activities and at the same time collecting data via the Internet, the Company, as the controller of such data, should take all necessary actions and exercise due diligence in the selection of technical and organisational measures to ensure the security and confidentiality of the data; the factual findings made by the President of the Office for Personal Data Protection show that the Company did not meet this requirement at the time the identified violations occurred;



(c) infringement of Article 5(1)(f), Article 32(1)(b) and (d) and Article 32(1)(c). The fact that the Company, despite declaring 24/7 (twenty-four hours, seven days a week) network system monitoring and response, did not detect in real time, i.e. between 07.10.2018 and 14.10.2018, the increased traffic on the server's network gateway and did not take any remedial action at that time to prevent access to the data of approximately 2,200,000 (approximately two million two hundred thousand) individuals who are the Company's clients, deserves a particularly reprehensible assessment. In this state of affairs, the Company's negligence must be regarded as gross;



(d) the breach, consisting in the failure to ensure the security and confidentiality of the data, continued at least from [...] November 2018 (when the Company's clients reported receiving text messages calling for an additional payment of PLN 1 to complete their order, with a link to a fake DotPay electronic payment gateway) until [...] December 2018 (i.e. the introduction by the Company of additional technical security measures), which should be considered a relatively short period of time; however, this circumstance cannot have a mitigating effect on the decision of the supervisory authority, as the infringement concerned a significant number of natural persons; a data leak affecting 2,200,000 (approximately two million two hundred thousand) people, even if it is a short-term or one-off event, should be assessed strictly, due to its nature, its high importance and scope, and its possible long-term consequences for data subjects.



When determining the amount of the administrative fine, the President of the Office for the Protection of Personal Data also took into account mitigating circumstances affecting the final penalty, i.e.:



(a) the Company has taken all possible measures to remedy the infringement; as established in the course of the proceedings, the Company has introduced, inter alia, [...];



(b) good cooperation on the part of the Company, which cooperated with the President of the Office for Personal Data Protection both during the inspection and during the present proceedings in order to remedy the breach and mitigate its possible negative effects; the Company sent explanations and responded to the requests of the President of the Office for Personal Data Protection within the prescribed time limits, so the degree of cooperation should be assessed as full;



(c) there is no evidence that data subjects have suffered material damage, but the breach of confidentiality of the data itself constitutes non-pecuniary damage (harm); natural persons whose data have been unlawfully accessed may at least be afraid of losing control over their personal data, of identity theft or identity fraud, or of financial loss;



(d) it has not been established that the Company has previously committed an infringement of the provisions of Regulation 2016/679 that would be relevant to this proceeding.



The imposition of the fine, as well as its amount, was not affected by the following other circumstances:



(a) the Company does not apply approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679,



(b) the measures referred to in Article 58(2) of Regulation 2016/679 have not previously been applied to the Company in the same matter,



(c) there is no evidence that the Company obtained a financial benefit or avoided losses as a result of the infringement.



Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection decided that the imposition of an administrative fine on the Company is necessary and justified by the gravity, nature and scope of the infringements found. It should be stated that applying to the Company any other remedy provided for in Article 58(2) of Regulation 2016/679, and in particular a warning (Article 58(2)(b)), would not be proportionate to the irregularities found in the processing of personal data and would not guarantee that the Company will not commit similar omissions in the future.



With regard to the amount of the administrative fine imposed on the Company, the President of the Office for the Protection of Personal Data considered that, in the established circumstances of this case, i.e. in view of the finding of a breach of the principle of confidentiality of data expressed in Article 5(1)(f) of Regulation 2016/679 (and reflected in the obligations laid down in Articles 24(1), 25(1), 32(1)(b) and (d) and 32(2) of Regulation 2016/679) and, in addition, a breach of the principles of legality, reliability and transparency expressed in Article 5(1)(b) and (c) of Regulation 2016/679 and of the principle of proportionality, Article 83(5)(a) of Regulation 2016/679 applies, according to which breaches of the basic principles of processing, including the conditions of consent, referred to in Articles 5, 6 and 7 of that Regulation are subject to an administrative fine of up to EUR 20 000 000 or, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, whichever is higher.



At the same time, in view of the fact that the Company was found to have infringed several provisions of Regulation 2016/679 within the same or related processing operations, the President of the Office for Personal Data Protection, pursuant to Article 83(3) of Regulation 2016/679, determined the total amount of the administrative fine as not exceeding the amount of the fine for the most serious infringement.



On the facts presented, the most serious infringement is the Company's breach of the principle of confidentiality set out in Article 5(1)(f) of Regulation 2016/679. This is supported by the serious nature of the breach and the circle of people affected by it (approximately 2 200 000 - about two million two hundred thousand users of the online shops administered by the Company). Importantly, for the above number of people there is still a high risk of illegal use of their personal data, because the purpose for which the unauthorised person took steps to gain access to this information is unknown.



The Company's infringement of the principles of legality and reliability expressed in Article 5(1)(a) and of the principle of accountability in Article 5(2) of Regulation 2016/679 should be considered a less serious infringement. In the case of this second identified infringement, the circle of affected persons is much smaller (approximately 35,000 - about thirty-five thousand users who submitted instalment applications). The Company also deleted these data on the grounds that their further processing involved greater risks. The collection of data from applications [...] without a legal basis, i.e. the consent of the data subject, took place before Regulation 2016/679 became applicable, and after the amendment of the regulations the Company collected the data on the basis of consent, which it demonstrated during the inspection and during the proceedings.



Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000, as amended), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as at 28 January of each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate as at 28 January - according to the average euro exchange rate announced in the table of exchange rates of the National Bank of Poland closest after that date.



In view of the foregoing, the President of the Office for the Protection of Personal Data, pursuant to Article 83(3) and Article 83(5)(a) of Regulation 2016/679, in conjunction with Article 103 of the Personal Data Protection Act of 2018, imposed on the Company, for the infringements described in the operative part of this decision, applying the average euro exchange rate of 28 January 2019 (1 EUR = 4.2885 PLN), an administrative fine in the amount of PLN 2,830,410 (equivalent to EUR 660,000).



In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine applied shall, in the circumstances of this case, fulfil the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it shall be effective, proportionate and dissuasive in that particular case.



In the opinion of the President of the Office for Personal Data Protection, the penalty imposed on the Company will be effective, because it will lead to a state in which the Company will apply such technical and organisational measures which will ensure a level of security for the data processed which corresponds to the risk of infringement of the rights and freedoms of the data subjects and the seriousness of the threats accompanying the processing of these personal data. Therefore, the effectiveness of the penalty is equivalent to a guarantee that from the moment of completing this procedure the Company will approach the requirements set forth in the regulations on personal data protection with the utmost care.



The financial penalty payment applied shall also be proportionate to the infringement found, including in particular the seriousness of the infringement, the circle of individuals concerned and the risks they run. According to the President of the Office for Personal Data Protection, the financial penalty imposed on the Company is also proportional to its financial situation and will not be excessive for it. The amount of the penalty has been set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of the controller's breach of duties, but, on the other hand, it does not cause a situation in which the necessity to pay the financial penalty will result in negative consequences, in the form of a significant reduction in employment or a significant decrease in the Company's turnover. In the opinion of the President of the Office for Personal Data Protection, the Company should and is able to bear the consequences of its negligence in the area of data protection, hence the imposition of a penalty of PLN 2,830,410 is fully justified.



In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine will fulfil a repressive function in these specific circumstances, as it will be a response to the Company's breach of Regulation 2016/679, but also a preventive one, as the Company itself, as well as other administrators, will be effectively discouraged from violating personal data protection regulations in the future.



In the opinion of the President of the Office for the Protection of Personal Data, the financial penalty applied meets, in the circumstances of the present case, the conditions referred to in Article 83(1) of Regulation 2016/679 because of the seriousness of the infringements found in the context of the basic requirements and principles of Regulation 2016/679, in particular the principle of confidentiality expressed in Article 5(1)(f) of Regulation 2016/679.



The purpose of the penalty imposed is to ensure the proper performance of the obligations provided for in Article 5(1)(f), Article 24(1), Article 25(1) and Article 32(1)(b) and (d), Article 32(2) of Regulation 2016/679 and, consequently, to carry out data processing in accordance with the applicable law.



In view of the above, the President of the Office for the Protection of Personal Data has decided as in the operative part of this decision.



The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw). A proportional court fee is payable on the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002 - Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for legal aid, which includes exemption from court costs and the appointment of an advocate, legal adviser, tax adviser or patent attorney. Legal aid may be granted at the request of a party made before or during the proceedings. The application is free of court fees.



Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000, as amended), an administrative fine shall be paid within 14 days from the expiry of the time limit for lodging a complaint with the Voivodship Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland (NBP O/O Warszawa) No. 28 1010 1010 0028 8622 3100 0000.


