Polish retailer gets €645,000 fine under GDPR for “insufficient organizational and technical safeguards”

An online retailer in Poland has received a hefty fine under the General Data Protection Regulation (GDPR) after failing to protect the data collected from 2.2 million customers through the company’s nine websites.

The European Union last year passed the General Data Protection Regulation, a law that makes organizations more accountable for how they collect and process their customers’ personal data. While it does not mandate a particular set of technological tools and processes, the GDPR sets a minimum threshold of safeguards that organizations must consider in order to be compliant. For the Polish retailer, this was sadly not the case. The company reportedly became aware of a breach of its systems in November 2018, when customers reported receiving SMS messages demanding additional payments to complete an order. The SMS scam contained a link to a fake electronic payment gateway controlled by the attackers.

While the retailer took steps to remedy the situation following the breach, Poland’s Personal Data Protection Office (UODO) this week decided to fine the company PLN 2.8 million, or €645,000, for “insufficient organizational and technical safeguards”.

The President of UODO stated that, “by not using sufficient technical means of data protection, violated, among others specified in art. 5 paragraph 1 letter f GDPR, the principle of confidentiality.”

For most of the affected customers, the leaked data included names, telephone numbers, email addresses and delivery addresses. Of the 2.2 million customers affected, 35,000 had additional information leaked, including their payment instalment details (including Personal ID number), education, source of income and net income, household maintenance costs and marital status, according to the report.

Starting in mid-2019, data protection authorities across the EU have switched from an educational stance to a more corrective one, issuing the first fines under the newly adopted regulation. Among the highest reported penalties this year are those incurred by British Airways (205 million euros), hotel chain Marriott (111 million euros) and Google (50 million euros).

About the author


Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.