By virtue of his decision of 10 September 2019, the President of the Polish Personal Data Protection Office (“PDPO President”) imposed the highest fine to date on morele.net sp. z o.o. of Cracow (the “Company”) for a breach of the new personal data protection laws. The fine amounts to PLN 2,830,410, which is about EUR 660,000.

The penalty for the Company was so severe because the Company breached the principle of data confidentiality under Article 5(1)(f), the principles of lawfulness, reliability and transparency under Article 5(1)(a) and the principle of accountability under Article 5(2) of the EU General Data Protection Regulation 2016/679 (“GDPR” or “the Regulation”).

The PDPO President took this decision because the Company had failed to fulfil its obligation to ensure effective technical and organisational measures in respect of access control and authentication. The Company was also accused of ineffective monitoring of potential threats to the rights and obligations of data subjects whose data it processed. Furthermore, the Company was unable to say since when it had collected users’ personal data in order to help them fill in applications for hire purchase in the future. Nor did the Company present data processing clauses and consents to data processing.

Confidentiality

The authority found that the most significant violation was the breach of the principle of confidentiality, which requires processing personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f) GDPR).

The Regulation includes a list of technical and organisational measures which the data controller or the processor must implement where necessary in order to ensure data security adequate for the risk. These measures include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Article 32(1) GDPR).

In assessing whether the level of security is appropriate the data controller and the processor are obliged to take into account the risk related to the processing, especially the risk of accidental or unlawful destruction, loss, modification, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed (Article 32(2) GDPR).

Safeguards

What failed in the case of morele.net was the Company's ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and a process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Article 32(1)(b) and (d) GDPR).

The Company failed to ensure safeguards for access control and authentication adequate to the risk level. The PDPO President states that access control and authentication are the key safeguards against unauthorised access to the IT system used for data processing. Restricting access to authorised users only and preventing unauthorised access to systems and services are also listed as example security measures under, for instance, standard PN-EN ISO/IEC 27001:2017-06, which the Company should have observed.

The international organisation The Open Web Application Security Project, in its study “OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks”, and the National Institute of Standards and Technology (NIST), in its paper “NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management”, have also emphasised the crucial importance of the right means of authentication in minimising the risk of security breaches. The choice of authentication measures should be preceded by a risk analysis and then regularly reviewed. The PDPO President invoked the above-mentioned standards, emphasising their importance in the context of the data processing security which the Company should have ensured.

Potential risk monitoring

Ineffective monitoring of potential threats to rights and freedoms of data subjects enabled unauthorised access to personal data of users registered on the Company's websites.

As a consequence, hackers launched phishing attacks on some users registered on the Company's websites in order to steal the credentials used to access those users’ bank accounts.

Annual reports published by CERT Poland show that phishing is currently the most frequent and prominent form of IT security threat to data protection. Such incidents have accounted for more than 40% of all incidents since 2016 (44% in 2018).

The European Union Agency for Cybersecurity (the “Agency”) also emphasises the importance of monitoring potential threats in its Guidelines for SMEs on the security of personal data processing. The Agency holds that the monitoring of IT incidents is a major safeguard of data protection, as it helps to identify potential internal or external threats.

Lawfulness and reliability

The inspection revealed that the Company had processed personal data which individuals had disclosed in applications for hire purchase, in order to help them submit later applications by automatically filling out hire purchase application forms. The Company was unable to say since when it had collected those data, to present evidence that it had conducted a data processing analysis, or to show the processing consent forms.

Thus, the Company breached the requirement to process personal data in accordance with the principle of lawfulness and reliability (fairness) of processing (Article 5(1)(a) GDPR). To ensure the lawfulness of processing, a company needs to, among other things, ensure that at least one of the grounds for the lawful processing laid down in Article 6 GDPR exists and must ensure compliance with other data protection laws.

If the processing is based on consent, the data controller must demonstrate that (following the principle of accountability) the data subject has consented to the data processing (Article 7(1) GDPR). If the data controller is unable to demonstrate that the data subject has consented to the processing of certain data, the consent may be challenged.

Given the scale of the personal data processing, the scope of data and the context of the processing, the PDPO President concluded that morele.net sp. z o.o. had not fulfilled its obligation to use adequate safeguards to ensure protection of the processed data. The explanatory statement accompanying the official decision says that the Company fulfilled the data processing requirements to a limited extent only and the measures it took did not reduce the risk to an acceptable level. Beyond doubt, appropriate safeguards to ensure the necessary protection of data would have significantly reduced the risk of unauthorised access and minimised the risk of the violation of rights and freedoms of the users.

If you are interested in our support in choosing the best solutions to ensure your data processing security, please contact Rödl & Partner experts in Cracow, Gdansk, Gliwice, Poznan, Warsaw or Wroclaw.

Aneta Siwek

16.12.2019