The decision to penalise Morele.net sp. z o.o. is the result of an inspection carried out at the company after it reported personal data breaches to the President of the UODO. In November 2018, as a result of a phishing attack, an unauthorised person gained access to the personal data of over 2 million customers of the company's online stores and then sent those customers an SMS urging them to transfer PLN 1 to finalise their order. The message directed recipients to a fake payment gateway through which the attacker could obtain customer login credentials. In December 2018, the company reported a second data leak, this time with a broader scope, including information from customer loan applications.
The decision of the President of the UODO shows that effectively implementing the GDPR in an organisation means not only preparing documentation on the processing of personal data, but also ensuring an appropriate level of data security. In the authority's opinion, the company, as a personal data controller, seriously violated the following obligations:
- breach of the principles of confidentiality and integrity (Article 5(1)(f) GDPR)
Although Morele.net sp. z o.o. introduced security measures for access to the processed data, reviewed them periodically, and even engaged external auditors, these measures still proved insufficient. Within a short period there were two data leaks, both detected only after signals were received from customers of the online stores. The authority concluded that the access and authentication controls used to protect the data were ineffective because they were not adapted to the level of risk involved in this kind of processing. The system was designed in such a way that it did not allow the company to detect the breach early enough, for example by identifying the increased network traffic and determining its source. In other words, the risk analysis failed: it is the controller's responsibility to carry out that analysis in order to select appropriate safeguards, including tools for effective monitoring.
- breach of the principles of lawfulness, fairness and accountability (Article 5(1)(a) and Article 5(2) GDPR)
During the audit it was also found that the company, despite processing personal data contained in clients' credit applications so that subsequent applications could be completed by automatically filling in the form, was unable to show that it had obtained the clients' consent. Moreover, the company could not demonstrate from what date it had processed personal data for this purpose or when that data had been deleted. Morele.net sp. z o.o. not only failed to record the individual consents obtained from clients but, in the course of the proceedings, did not even submit the forms used to obtain them. The authority therefore concluded that the company had no legal basis to process this data, and that the lack of documentation on its processing, including the processing period, violated the principle of accountability.
The decision imposing the administrative fine is not final, and the company has already announced that it will appeal. In the opinion of Morele.net sp. z o.o., its measures to protect personal data were adequate, even though they ultimately did not prove fully effective; it is the controller's responsibility to implement adequate security, not absolute security.