02.05.2024

The President notified the prosecutor's office about the leakage of the pandabuy.com customers' data

On 29 April 2024, Mirosław Wróblewski, the President of the Personal Data Protection Office, notified the District Public Prosecutor's Office Warszawa Śródmieście-Północ of a suspected crime committed by those responsible for publishing the data of Polish customers of the pandabuy.com sales platform. Personal data of customers of the Chinese online shopping platform, which mediates purchases from Chinese sellers, leaked from the service and were published in aggregated form on other websites.

On March 31, 2024, the data of 1.3 million customers of the pandabuy.com platform from around the world, including Polish customers, were made available online. The scope of the leaked data was broad and included: names and surnames, email addresses, phone numbers, user IDs, IP addresses, passwords, delivery addresses, order and payment data. These data were used by the authors of the "lista-drillowcow.pl" website, created on 7 April, to create an interactive map of Poland, on which they placed information relating to Polish customers of this service, inter alia their names and surnames and delivery addresses. In the following days (8 and 9 April 2024), this website was unavailable, but an interactive map with data appeared at other addresses, inter alia "list of drillowcow.club" and "lista-drillowcow.xyz".

In the opinion of the President of the Personal Data Protection Office, the processing of personal data of Polish customers of the pandabuy.com sales platform, including their publication on the above-mentioned websites, by the persons administering these websites took place without a legal basis. Thus, the provision of Article 107(1) of the Act of 10 May 2018 on the Protection of Personal Data was violated, which states that "who processes personal data, although processing thereof is not permitted, or is not authorized to process them, shall be subject to a fine, restriction of personal liberty or imprisonment for up to two years".

It is a common crime, prosecuted ex officio by public prosecution, for which a person who processes personal data even though their processing is not allowed is responsible.

Inadmissible processing of personal data occurs when it takes place without a legal basis and there are no grounds for legalising the processing of data specified in the provisions of the GDPR.

In connection with this event, the President of the Personal Data Protection Office will also take other appropriate actions within the framework of his tasks and powers under the General Data Protection Regulation (GDPR) and national regulations.