The Voivodeship Administrative Court has accepted the fine imposed on Virgin Mobile
After the Personal Data Protection Office re-investigated the breach of the GDPR provisions by Virgin Mobile (now P4) and reduced the amount of the fine imposed on this controller from PLN 1.9 million to PLN 1.6 million, the Voivodeship Administrative Court in Warsaw did not challenge the decision of the supervisory authority.
On a previous occasion, the Voivodeship Administrative Court in Warsaw (judgment of 21 October 2021, ref. no. II SA/Wa 272/21) repealed the decision of the President of the Polish supervisory authority, stating that the complaint lodged by Virgin was justified, although not all charges raised in the complaint could be considered legitimate. At the time, the Court held that the President of the Personal Data Protection Office had correctly assessed that the procedures adopted by the company could have been effective if they had also included regulations on regular testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing, and if Virgin had observed those regulations. The lack of such regulations contributed to the personal data breach.
However, the Court pointed out that the authority, when determining the amount of the fine, did not sufficiently explain why the circumstances indicated in Article 83(2)(c), (e) and (h) of Regulation 2016/679, i.e. the actions taken by the controller to minimise the harm suffered by the data subjects, any relevant previous breaches by the controller and the manner in which the supervisory authority became aware of the breach, did not affect the amount of the fine indicated in the decision appealed against.
For this reason, the President of the Polish supervisory authority had to reassess how the circumstances that the GDPR indicates for imposing an administrative fine affected the amount of the fine applied to the controller.
Let us recall that the President of the Personal Data Protection Office, in his decision, found an infringement of the provisions of the GDPR consisting in the failure of Virgin Mobile Polska, whose legal successor is P4 Sp. z o.o., to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of data processing by means of IT systems. These systems were used to record the personal data of subscribers of prepaid services, and the lack of appropriate technical and organisational measures in place led to an unauthorised person gaining access to the data, which also constituted a breach of the principle of integrity and confidentiality.
After the President of the Polish supervisory authority conducted the proceedings again and decided to impose an administrative fine on P4, the legal successor of Virgin Mobile Polska, this time in the amount of almost PLN 1.6 million, the company challenged this decision as well.
This time, the Voivodeship Administrative Court in Warsaw, in a judgment of 21 June 2023 (ref. no. II SA/Wa 150/23), dismissed the controller's complaint. The Court agreed with the President of the Personal Data Protection Office as regards the assessment of the infringement, thus dismissing the company's allegations. In the justification of the judgment, the Court also stated that the fine was correctly determined and justified, and that the authority indicated specific circumstances that influenced the amount of the fine.
The Court was also not persuaded by the complainant's argument that the infringement took place at the now-defunct Virgin Mobile and not at P4. According to the Court, "the effect of P4's acquisition of Virgin Mobile was that it entered into all the rights and obligations of the acquired company, including public law obligations, including liability for administrative torts."