The Polish Supreme Administrative Court concluded the “Morele.net saga”

In its judgement from February 2023, the Supreme Administrative Court of Poland annulled a significant 2019 decision of the Polish DPA that had imposed a substantial fine of PLN 2.8 million (ca. 645,000 euros) on the online retailer Morele.net. The decision concerned Morele.net’s alleged failure to introduce adequate data security safeguards, a failure that could have enabled a phishing attack leading to the unauthorized acquisition of a customer database, in violation of the GDPR obligations to ensure data security and integrity.

Background

In late 2019, the Polish DPA (President of the Personal Data Protection Office) imposed a fine exceeding PLN 2.8 million (ca. €645,000) on Morele.net as a consequence of inadequate data protection. The fine stemmed from the company's lack of security measures commensurate with the risks of its personal data processing, which resulted in a breach affecting roughly 2.2 million individuals. The investigation initiated by the Polish DPA highlighted Morele.net’s lack of response protocols for unusual network traffic. The breach exposed sensitive information, including personal identification numbers (PESEL) and financial details of approximately 35,000 individuals, intensifying the risk of identity theft. The authority identified violations of the confidentiality principle under Article 5(1)(f) of the GDPR. While determining the fine, the DPA considered Morele.net's corrective actions post-breach, its cooperation with the authority, and its clean prior record as mitigating factors.

The company appealed against the Polish DPA’s decision to the Voivodeship Administrative Court in Warsaw, but the Court upheld the DPA’s decision. The company then appealed to the Polish Supreme Administrative Court.

The Polish Supreme Administrative Court’s judgement

The Supreme Administrative Court (case file: III OSK 3945/21) annulled both the Polish DPA’s decision and the Voivodeship Administrative Court’s judgement. The Court recalled that a salient point arises from Article 32 of the GDPR in relation to personal data breaches: administrative sanctions are not imposed for the unauthorized processing of personal data as such, but rather for failing to maintain a security standard appropriate to the given circumstances. Put simply, entities are not held liable for the wrongdoing of third parties, such as hacking. Instead, their accountability stems from insufficient security measures that might have facilitated such breaches. Thus, mere unauthorized access to data does not in itself violate Article 32 of the GDPR: even the most stringent security can potentially be compromised. Recital 76 of the GDPR affirms this, emphasizing the necessity of an "objective assessment" of the level of risk tied to the processing operations. Hence, according to the Court, the "appropriate" measures mentioned in Article 32(1) of the GDPR are not about absolute effectiveness but are relative to the specific situation and the time at which the data were accessed. This nuance is critical, especially when evaluating penalties for breaches under Article 32 of the GDPR.

According to the Court, the Polish DPA should have acceded to Morele.net’s request for the appointment of an external expert. This expert would have been tasked with analyzing the technical measures that Morele.net had implemented to safeguard its data. Importantly, the expert's role would also have included assessing whether the precautions taken by Morele.net were proportionate to the risks commonly recognized within the e-commerce sector. The Court emphasized the principle that it is incumbent upon the authority conducting the proceedings (here, the Polish DPA) to actively gather the evidence pertinent to the case. In this context, the Court highlighted that an expert’s opinion can be a valuable form of such evidence.

Commentary

This decision offers a practical interpretation of how the GDPR obligations concerning the security of personal data are to be fulfilled. Furthermore, it sheds light on the expectation that regulatory authorities adopt a proactive and comprehensive approach in their proceedings. It underscores the potential necessity of involving external experts to provide a detailed, impartial analysis, which can significantly inform the authority’s final decision and ensure a fair, thorough examination of the facts at hand.

Article provided by INPLP member: Xawery Konarski (Traple Konarski Podrecki & Wspólnicy, Poland)
