Poland’s Personal Data Protection Office (UODO) this week announce that it would be fining an online retailer PLN 2.8 million, or €645,000 for “insufficient organizational and technical safeguards”.
It has been reported that Morele.net discovered a breach of its databases in November 2018 that affected 2.2 million customers across the company’s nine websites. Customers reported being sent SMS messages asking for extra payments to complete an order that had been filed. The SMS scam included a link to a fake electronic payment gateway managed by hackers.
Poland’s Personal Data Protection Office (UODO) decided to sanction a penalty of PLN 2.8 million or €645,000 for “insufficient organizational and technical safeguards”.
It is thought that the data included names, telephone numbers, email addresses and delivery addresses. It was further reported that another 35,000 customers had extra information leaked, including their payment instalment information (including Personal ID number), education, source of income and net income, household maintenance costs and marital status.
In 2018, the European Union signed the General Data Protection Regulation into law. GDPR established a threshold for data privacy and security that all entities must achieve to ensure the personal data of EU citizens is protected and data privacy is assured. If the minimum standards for data privacy and security are not met, a financial penalty can be imposed up to €20m or 4% of annual global revenue for the previous financial year.
Jan Nowak President of UODO said that the penalty applied to Morele.net: “By not using sufficient technical means of data protection, violated, among others specified in art. 5 paragraph 1 letter f GDPR, the principle of confidentiality.”
The application of this fine mirrors the trend of EU based data protection agencies implementing a strict policy when it comes to applying financial penalties against companies of all types and sizes for GDPR breaches.
This emphasises the importance for all companies doing business with European Union citizens to ensure that they are doing everything in their power to comply with the GDPR legislation. Breaches of all sizes are being investigated. 2019 has seen a growing number of financial penalties issued for data breaches and GDPR violations.