MoneyMan data leakage
The President of the Personal Data Protection Office (UODO) received a personal data breach notification from ID Finance Poland Sp. z o.o., with its registered seat in Warsaw (the entity operating the lending platform MoneyMan.pl). The case is currently being analysed by the UODO, and initial steps have been taken to establish the exact circumstances of this breach. The controller informed the President that it has communicated the breach to the data subjects.
In the case of a data leak, the UODO cooperates with the controller, gives advice or consults on the content of the breach communication to data subjects. The activity of the President of the UODO is aimed at ensuring that the controller processes personal data in compliance with the law.
In particular, the purpose of notifying breaches to the President of the Personal Data Protection Office is to assess, inter alia, whether the controller has properly fulfilled its obligation to notify data subjects of the breach, provided that a situation indeed arose in which it was obliged to do so.
It is worth pointing out that not every breach must be notified to the President of the UODO and to the data subjects. Data breaches that do not affect the rights and freedoms of the data subjects should only be entered into the internal register kept by the controller, in which all breaches should be recorded. However, the President of the UODO has to be notified of those incidents which are likely to have a (higher than small) adverse effect on the data subjects. These include, for example, situations in which the breach may lead to identity theft, financial loss or a violation of legally protected secrecy.
What to do when the breach relates to my data?
Hacking — breaking the security safeguards of IT systems in which personal data are processed and exploiting existing vulnerabilities (gaps) in these systems — refers to situations where unauthorised persons obtain personal data (or have the possibility of doing so). Where the controller considers that there is a risk of unauthorised use, it should notify the data subject of the incident. Appropriate measures should then be taken to mitigate any negative consequences.
Above all, great care should be taken when providing data online. Messages purporting to come from the controller, sent for example by SMS or e-mail, should be carefully analysed in order to avoid, e.g., a phishing attack, the purpose of which may be to “phish” additional data.
Persons who have been, or suspect that they may be, victims of identity theft should, as a first step, contact the Police. The President of the UODO is not a law enforcement authority; it is not entitled to conduct proceedings aimed at detecting and assessing whether an offence has been committed, or at classifying and punishing an offence.
Any person who considers that his or her personal data are being unlawfully processed may lodge a complaint with the President of the Personal Data Protection Office. Moreover, Article 79 of the GDPR also gives everyone the right, irrespective of lodging a complaint with the President of the UODO, to protect his or her rights before a civil court. Under Article 82 of the GDPR, a person who has suffered material or non-material damage also has the right to obtain compensation from the controller.
The actions to be taken by controllers in the event of a personal data breach are described in detail on our website at: https://uodo.gov.pl/pl/134/1029.