Morele.net – Court Ruling (Poland, 2020)

In November 2018, the company reported to the supervisory authority two violations related to obtaining by an unauthorised person access to the database, and consequently - to personal data of customers of the company's online shops. After the inspection, the DPA concluded that the company had breached the rules on personal data protection. The deficiencies consisted in the violation by the company of the principle of data confidentiality, consisting in the failure to ensure the security and confidentiality of the processed personal data, which resulted in unauthorised persons gaining access to the personal data of the company's customers, and in the violation of the principle of legality, reliability and accountability by not showing that personal data from instalment applications collected before 25 May 2018 were processed by Morele.net Sp. z o.o. on the basis of the consent of the person to whom the data referred. In September 2019 UODO imposed a fine on the shop Morele.net in the amount of 2,830,410 PLN (660,000 EUR). The company appealed against this decision to the Provincial Administrative Court in Warsaw. Did the technical and organisational measures applied by the company comply with the standards of security measures in the business activity of entrepreneurs in the area of e-commerce of a scale and nature similar to the scale and nature of the company's activity in 2018? Were the technical and organisational measures applied by the company appropriate taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and objectives of the processing, as well as the risk of infringement of the rights or freedoms of natural persons of different probability and seriousness of the threat? The Provincial Administrative Court in Warsaw dismissed the appeal. The Court agreed with UODO and found that the fine imposed was justified.