Currently, data protection offices all over Europe are experiencing a high workload, mostly because of issues related to the Schrems case, as well as difficulties resulting from Brexit. The end of 2020 was also very busy for the Polish Data Protection Office (Polish: Urząd Ochrony Danych Osobowych; "UODO"), as it dealt with more GDPR infringements and imposed more fines than usual.
At the beginning of December, UODO imposed a fine of nearly PLN 2m (approx. EUR 436,000) on Virgin Mobile Polska, a telecommunications company, for failing to implement appropriate technical and organisational measures ensuring the security of processed data. UODO stated that the company infringed the principles of data confidentiality and accountability specified in the GDPR. As it turned out, Virgin Mobile Polska failed to carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the processed data. Those breaches led to an unauthorised person obtaining customer data from one of the company's databases.
Further, UODO also imposed a fine on Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A., an insurance company, as it did not notify the supervisory authority of a personal data breach. Back in May 2020, a third party notified UODO of a breach involving an e-mail containing an insurance policy being sent to an unauthorised addressee. The attached document contained personal data including, among other things, names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of the insurance (a passenger car). UODO imposed a fine on the company in the amount of PLN 86,000 (approx. EUR 19,000).
Finally, a fine in the amount of over PLN 1m (approx. EUR 219,000) was imposed by UODO on ID Finance Poland, the owner of an online loan website, for loss of data due to a lack of appropriate technical and organisational measures. The company failed to react to a notification regarding gaps in its security systems, which resulted in an unauthorised person gaining access to personal data and deleting that data from the company's servers.