The President of the Personal Data Protection Office again fined Morele.net company

The President of the Personal Data Protection Office once again analysed the violation of the GDPR at Morele.net in connection with a large data leakage and again fined the controller. This time, the fine amounted to over PLN 3.8 million.

After the Supreme Administrative Court of Poland on 9 February 2023 overturned the decision of the President of the Personal Data Protection Office imposing a fine on Morele.net company, the supervisory authority re-conducted the administrative proceedings in this case. It showed that the personal data breach occurred due to the Company's failure to apply appropriate safeguards, which led to the leakage of personal data of 2.2 million people. The Supreme Administrative Court of Poland did not question all the findings of the President of the Personal Data Protection Office related to this breach. However, it questioned the authority's competence to assess the technical and organisational measures taken by the controller to secure personal data. In the court's opinion, the authority should substantiate having the knowledge needed to conduct such an analysis of the safeguards. The statement of reasons allowed to conclude that the President of the Personal Data Protection Office should have appointed an expert or prepared an internal document constituting conclusions from the analysis of the standard of security measures applied by the company, to which the controller could refer in the course of the proceedings.

As a result, the Personal Data Protection Office re-conducted the administrative proceedings, which also showed that Morele.net had applied insufficient technical safeguards to the existing risk of a data breach. There was also a lack of implementation of appropriate procedures to respond to unusual behaviour, such as increased network traffic.

The deficiencies in the safeguards were confirmed by the "Analysis of the (…) applied by Morele.net sp. o. o. (...)", prepared by the supervisory authority in connection with the need to comply with the judgment of the Supreme Administrative Court of Poland.

In the course of the proceedings, the President of the Personal Data Protection Office did not appoint an expert, and the party to the proceedings questioned the presented analysis, alleging inter alia partiality on the part of its authors and demanding that they be excluded. The supervisory authority did not take this allegation into account in the course of the proceedings, as it would de facto lead to the fact that none of the Personal Data Protection Office’s employees could deal with this case due to the allegation of partiality.

Meanwhile, the prepared analysis showed that the controller did not encrypt some of the data (which it admitted), did not have two-factor authentication, did not conduct a risk analysis that would take into account, inter alia, the risks associated with the possibility of logging into the system from a public network. As a result, there were two instances of unauthorised access from the outside, as a result of which an unauthorised person came into possession of the data of Morele.net's customers.

There were also no technical and administrative solutions to monitor network traffic and react in the event of detecting inappropriate activities. This is confirmed by the findings, which show that the company was not sure whether and what data had been stolen from its resources. A number of solutions in this area were implemented by the controller only after the data leakage. In the opinion of the President of the Personal Data Protection Office, if he had had them at his disposal earlier, he would have been able to detect unauthorised access attempts and take measures to prevent data theft.

In the course of the proceedings, the controller itself admitted that the lack of appropriate solutions implemented was a mistake on its part.

The President of the Personal Data Protection Office held that in this case the imposition of an administrative fine was necessary and justified by the gravity, nature and scope of the infringements alleged against the controller.

This decision is the first to use the European Data Protection Board's Guidelines on the calculation of administrative fines, as adopted on 24 May 2023, to determine the amount of the fine.

Decision: ZSPR.421.2.2019