The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine, equivalent to 460 thousand euros applied by the Poland Personal Data Protection Office (UODO) to the Polish mobile phone company, Virgin Mobile Polska for the lack of adequate technical and organizational measures implemented to ensure the security of the processed data.
UODO stated that the company infringed the principles of data confidentiality and accountability. Virgin Mobile did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify safeguards related to the transfer of data between applications related to the servicing of buyers of prepaid services. In addition, the vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data from some of the company’s clients.
In connection with a data breach, as a result of which an unauthorised person obtained customers data from one of the databases, the Supervisory Authority carried out the inspection at the company. As a result of the irregularities found, the authority instituted administrative proceedings finalised with the imposition of a fine.
The Supervisory Authority considered that the implementation of a data processing system for use without proper validation of assumed parameters was a flagrant breach by the controller.
However, given the scale and gravity of the breaches, the UODO considered that it would be disproportionate to apply remedies other than an administrative fine.
The NCPDP, as the national authority for the supervision of personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.