Client Alert

EUR 660,000 fine in Poland for violation of personal data protection regulations

On 19 September 2019, the Polish Personal Data Protection Office (“UODO”) announced the imposition of its highest fine to date for violation of personal data protection regulations.

In December 2018, Sp. z o.o. (“”), an online retailer, reported that it had been the victim of a cybercrime in which its online customer database was breached. Data of about 2.2 million customers, including names, email and delivery addresses, and telephone numbers, were compromised.

The attackers then used the stolen data in a phishing campaign: customers were sent a link to a fake store page where they were instructed to pay an allegedly outstanding sum for purchases they had previously made in the store.

The company reported the case to law enforcement authorities and notified the UODO. also informed its customers about the incident. UODO's investigation found that the organizational and technical measures used by to protect personal data were not adequate to the risk involved in processing its customer data, and that these inadequacies resulted in the unauthorized access.

In its decision, UODO identified three basic infringements. Firstly, did not comply with the principle of confidentiality as defined in the GDPR. Secondly, did not effectively monitor potential threats, especially those related to unusual online behaviour, and did not react quickly enough once it was apparent that large amounts of data were being downloaded. Thirdly, claims it processed some data on the basis of consent but has not been able to demonstrate that consent, so the accountability principle of the GDPR was violated as well.

Consequently, given the high risk of negative effects for more than 2 million data subjects, a fine of over PLN 2.8 million (about EUR 660,000) was imposed on for insufficient protection of personal data.

The UODO decision shows the importance of effectively monitoring potential risks, as well as implementing appropriate safeguards to protect databases. UODO acknowledged that the penalty is repressive in nature, as a response to ’s violation of the GDPR, but also preventive, since and other data controllers will be effectively discouraged from violating personal data protection provisions in future. has announced an appeal against the decision.
