Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Poland: UODO fines Virgin Mobile PLN 1.6M for GDPR violations

The Polish data protection authority ('UODO') published, on 9 December 2022, its decision in Case no. DKN.5112.1.2020, as issued on 16 November 2022, in which it fined Virgin Mobile Poland Spz o.o PLN 1.6 million (approx. €358,864), for violations of Articles 5(1)(f), 5(2), 24(1), 25(1), 32(1)(b), 32(1)(d), and 32(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach notification to the UODO.

Background to the decision

In particular, the UODO stated that it had received a data breach notification in December 2019 from the controller, regarding unauthorized access to subscribers' personal data, according to which the UODO conducted an investigation and issued a decision against Virgin Mobile, on 3 December 2021, fining the company PLN 1.97 million (approx. €441,834). Subsequently, the UODO noted that its decision was subject to an appeal by Virgin Mobile, following which the Warsaw Provincial Administrative Court noted that the UODO, in determining the amount of the fine imposed, had not sufficiently considered the measures taken by Virgin Mobile to minimize the harm suffered by individuals, as required by Article 83(2)(c),(e), and (h) of the GDPR, and did not indicate in justification for its decision on the same. 

Findings of the UODO

Notably, in light of the Court's judgment, the UODO had re-examined the evidence and issued a decision imposing the above-mentioned reduced penalty on Virgin Mobile. Accordingly, the UODO found that Virgin Mobile's violation of the confidentiality principle as well as its lack of appropriate technical and organisational measures had contributed to the occurrence of a personal data breach. In this regard, the UODO specified that despite Virgin Mobile's adopted solutions, the company was unable to detect vulnerabilities due to the lack of regular testing, and that conducting reviews once or in the event of an organizational or legal change, and taking action only in the event of a suspicion of vulnerability, cannot be considered as regular testing. 


As a result of the above violation, the UODO imposed a fine of PLN 1.6 million on Virgin Mobile taking into account mitigating circumstances under Article 83(2) of the GDPR.

You can read the press release here and the decision here, both only available in Polish.

Update: 23 October 2023

Court upholds UODO's decision to impose fine on P4 for inadequate data security measures

On 20 October 2023, the UODO announced that the Provincial Administrative Court in Warsaw upheld the UODO's decision to impose an administrative fine of PLN 1.6 million on P4 (formerly Virgin Mobile Poland) for violations of the GDPR.

You can read the press release, only available in Polish, here.