Background
In late 2019 , the Polish DPA (President of the Personal Data Protection Office) imposed a fine exceeding PLN 2.8 million (ca. €645,000) on Morele.net, as a consequence of inadequate data protection. The fine stems from the company's lack of security measures commensurate with the risks of personal data processing, resulting in a breach that affected roughly 2.2 million individuals. The investigation initiated by the Polish DPA highlighted Morele.net’s lacking response protocols for unusual network traffic. The breach exposed sensitive information, including personal identification numbers (PESEL) and financial details of approximately 35,000 individuals, intensifying the risk of identity theft. The authority identified violations of confidentiality principles under Article 5(1)(f) of the GDPR. While determining the fine, the DPA considered Morele.net's corrective actions post-breach, cooperation with the authority, and clean prior record as mitigating factors.
The company appealed from the Polish DPA’s decision to the Voivodeship Administrative Court in Warsaw but the Court upheld the DPA’s decision. The company appealed to the Polish Supreme Administrative Court
The Polish Supreme Administrative Court’s judgement
The Supreme Administrative Court (case file: III OSK 3945/21) annulled the Polish DPA’s decision and the Voivodeship Administrative Court’s judgement. The Court reminded that a salient point arises from the stipulations of Article 32 of the DPA concerning personal data breaches: administrative sanctions aren't necessarily imposed for unauthorized personal data processing but rather for failing to maintain an apt security standard in given circumstances. Put simply, entities aren't held liable for third-party maleficence, such as hacking. Instead, their accountability stems from insufficient security measures that might have facilitated such breaches. Thus a mere unauthorized data access doesn't inherently violate Article 32 of the GPDR. Even the most stringent security can potentially be compromised. Recital 76 of the GPDR affirms this, emphasizing the necessity for an "objective assessment" of risk levels tied to processing operations. Hence according ot the Court the "appropriate" measures mentioned in Article 32(1) RODO are not about absolute effectiveness but are relative to the specific situation and time of data access. This nuance is critical, especially when evaluating penalties for breaches under Article 32 RODO.
According to the Court, the Polish DPA should have acceded to Morele.net’s request for the appointment of an external expert. This expert would have been tasked with analyzing the technical measures that Morele.net implemented to safeguard its data. Importantly, the expert's role would also include assessing whether the precautions taken by Morele.net were proportionate to the risks commonly recognized within the e-commerce sector. The Court emphasized the principle that it is incumbent upon the authority leading the proceedings—here, the Polish DPA—to actively gather evidence pertinent to the case. In this context, the Court highlighted that an expert’s opinion can be a valuable form of such evidence.
Commentary
This decision offers a practical interpretation regarding fulfilling of the GDPR obligations referring to the security of personal data. Furthermore it sheds light on the expectation for regulatory authorities to adopt a proactive and comprehensive approach in their proceedings. It underscores the potential necessity of involving external experts to provide a detailed, impartial analysis, which can significantly inform the authority’s final decision and ensure a fair, thorough examination of the facts at hand.
Article provided by INPLP member: Xawery Konarski (Traple Konarski poderecki & Wspólnicy, Poland)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
