The President of the Personal Data Protection Office (UODO) has issued another decision imposing an administrative fine on Virgin Mobile Polska for non-compliance with the GDPR. The Office conducted an inspection of the company after unauthorised persons gained access to the data of its customers (including PESEL numbers) through a loophole in the application. The inspection was initiated after Virgin Mobile Polska itself notified the Office of the personal data breach.
For what violations was a fine imposed?
The President of UODO accused the company of violating the principles of confidentiality (the data leakage itself) and accountability (the company was unable, in UODO's assessment, to demonstrate that it processed data in a compliant manner).
In the opinion of the President of UODO, the breach in Virgin Mobile Polska was caused by the lack of a procedure of regular checks ensuring that the effectiveness of the implemented data protection measures is tested, measured and evaluated. For this reason, the company was not able to detect an error in the operation of the IT system that enabled the data leakage.
Admittedly, Virgin Mobile Polska did carry out checks on its systems, but these were ad hoc actions, performed only when a vulnerability in the systems was suspected.
The President of UODO stated that not only did the company fail to introduce a schedule of checks, but it also conducted the risk analysis for the system in question incorrectly, among other things by assessing that the system was not exposed to the risk of unauthorised access by third parties or unauthorised disclosure of data to third parties. In the same analysis, the risk of vulnerabilities in the IT systems was rated as low. As a result, the data controller did not correctly identify the threats to this data processing operation and consequently did not select appropriate organisational and technical measures to ensure its security.
In the opinion of the Office, the company carried out the risk analysis only superficially, because it was not preceded by a review of the technical and organisational measures already applied in the company. The analysis was carried out in such a way as to arrive at a low level of risk, which would not require any further measures to bring the processing into compliance with the GDPR.
High amount of fine despite the cooperation of the company
The President of the UODO pointed out that the fine imposed takes into account the attitude of the inspected company, which rectified the infringements already in the course of the proceedings, followed the recommendations of the Office and, even before the decision was issued, reviewed and evaluated its data security measures and implemented ISO standards that provide for regular reviews and audits of security measures and personal data management systems.
The company may appeal the decision to the provincial administrative court.