On 19 September 2019, the Polish Personal Data Protection Office ("UODO") announced the imposition of its highest fine to date for a violation of personal data protection regulations.
In December 2018, Morele.net Sp. z o.o. ("Morele.net"), an online retailer, reported that it had been the victim of a cybercrime in which its online customer database was breached. The data of about 2.2 million customers, including names, email and delivery addresses, and telephone numbers, were compromised.
Hackers used the stolen data in a phishing attack; customers were sent a link to a fake store page where they were instructed to pay an allegedly missing sum of money for purchases that they had previously made in the Morele.net store.
The company reported the case to law enforcement authorities and notified the UODO. Morele.net also informed its customers about the incident. After an investigation by the UODO, it was determined that the organizational and technical measures used by Morele.net for data protection were not adequate to the risk associated with the processing of its customer data, and that these inadequacies resulted in the unauthorized access.
In the UODO decision, three main infringements were identified. Firstly, Morele.net did not comply with the principle of confidentiality as defined in the GDPR. Secondly, Morele.net did not effectively monitor potential threats, especially those related to unusual online behavior, and did not react quickly enough when it was apparent that large amounts of data were being downloaded. Thirdly, Morele.net claimed that it processed some data on the basis of consent; however, Morele.net was not able to demonstrate that such consent had been given, so the accountability principle of the GDPR was violated as well.
Consequently, due to the high risk of negative effects for more than 2 million data subjects, a fine of over PLN 2.8 million (EUR 660,000) was imposed on Morele.net for insufficient protection of personal data.
The UODO decision shows the importance of effectively monitoring potential risks, as well as of implementing appropriate safeguards for protecting databases. The UODO acknowledged that the penalty is repressive in nature, as it is a response to Morele.net's violation of the GDPR, but also preventive, as Morele.net and other data controllers will be effectively discouraged from violating personal data protection provisions in the future. Morele.net has announced an appeal against the decision.