Virgin Mobile Polska Sp. z o. o. – €452,761 Fine (Poland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Virgin Mobile Polska was fined €452,761 after a data breach exposed the personal information of over 114,000 customers. The breach happened because the company didn't have strong enough security measures. This case underscores the need for regular security checks to protect customer data.
What happened
A data breach at Virgin Mobile Polska exposed personal data of over 114,000 customers due to inadequate security measures.
Who was affected
Customers whose personal data, including names and ID numbers, were accessed during the breach.
What the authority found
The Polish DPA found that Virgin Mobile Polska failed to implement adequate security measures, leading to unauthorized data access.
Why this matters
This fine serves as a warning to companies about the importance of maintaining robust data security practices and regularly testing their effectiveness to prevent breaches.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Virgin Mobile Polska S.A. (the controller) is a telecommunications services provider that offers pre-paid services to its subscribers. In December 2019, an unauthorised person gained access to 142,222 records with confirmations of registration for prepaid services. The data breach affected 114,963 persons whose first and last name, personal identification number, series and number of ID card, telephone number, and other personal data were accessed.
The controller reported this data breach to the Polish DPA, which initiated an investigation. During the course of the investigation, the DPA received oral explanations from the controller regarding the data breach as well as a detailed account of the incident. Reportedly, the controller adopted measures to rectify the deficiencies and vulnerabilities in its IT system. Based on the information provided by the controller, the DPA opened ex officio proceedings for the failure to implement appropriate technical and organisational measures ensuring an appropriate level of security.
The DPA recalled that Article 24(1) GDPR sets out the basic obligation of the controller to comply with the principles under Article 5 GDPR, including the principle of confidentiality. Additionally, Article 32 GDPR obliges the controller to implement appropriate technical and organisational measures to ensure security of data processing. The DPA held that the controller failed to comply with the obligations under Article 32(1)(b) and (d) GDPR. Specifically, the data breach occurred as a result of the exploitation of a vulnerability in the IT system allowing unauthorised access to personal data. The DPA considered the measures adopted by the controller as not appropriate because their implementation should have included regular testing, measurement and assessment of effectiveness. The DPA also found a violation of Article 25(1) GDPR because the controller failed to implement obligations imposed by the Polish [https://isap.sejm.gov.pl/isap.nsf/DocD
Related Enforcement Actions (0)
No other enforcement actions found for Virgin Mobile Polska Sp. z o. o. in PL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 November 2022
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€452,761
1,968,524 PLN
GDPRhub ID
gdprhub-5531
About this data
Cite as: Cookie Fines. Virgin Mobile Polska Sp. z o. o. - Poland (2022). Retrieved from cookiefines.eu
Last updated: