In our DSGVO News we would like to present not only rulings of the German and Austrian data protection authorities but also decisions of the other European data protection authorities. A few days ago, for example, the Czech supervisory authority (Úřad pro ochranu osobních údajů, in English the Office for Personal Data Protection) imposed a fine on a local Internet shop. The incident predates the DSGVO, but it would have been a blatant offense under the new European rules as well.
The Mall Group is an Internet company and claims to be the largest e-commerce group in Central and Eastern Europe. It was created by the merger of various Eastern European companies in 2016. The company is not a pure mail-order business; it operates further channels intended to strengthen customer loyalty through various other products such as MallPay, MallTV, etc. In the Czech Republic, Mall.cz is the market leader in e-commerce.
According to the Czech data protection authority, unauthorized persons were able to retrieve the personal data of 735,000 customers between 31 December 2014 and August 2017. The records contained first and last name, e-mail address, password and telephone number. The form in which the passwords were stored (as a hash value or in plain text) was not disclosed. The records were also available for about a month on a Czech file hosting service.
According to the authority, the operators were not able to provide any explanation as to how this data breach occurred.
Decision of the Data Protection Authority
The Czech supervisory authority imposed on the company a fine of 1.5 million Czech crowns (approximately €60,000) for a violation of the Czech Data Protection Act (Zákon č. 101/2000 Sb., o ochraně osobních údajů (účinné znění)). The maximum possible penalty in this case would have been CZK 5 million (see section 45, paragraph 3).
Although the Czech Data Protection Act dates back to 2000, many of its passages resemble the General Data Protection Regulation. The now-superseded national regulation required adequate protection; the GDPR continues this line and requires protection appropriate to the state of the art. The legislator wanted to ensure that the protection of personal data is regularly re-evaluated.
In addition, the maximum penalties have increased significantly under the General Data Protection Regulation: up to 20 million euros are possible (see Article 83), whereas in the Czech Republic until now only CZK 10 million (about €380,000) would have been possible (in the case of unlawful processing of particularly sensitive data, or if the unlawful processing poses a high risk to the private lives of those affected).
The Czech data protection authority shows that data protection offenses from the past are also being prosecuted. The penalty is explained by the large number of records that were made public and by the fact that the company could not provide an explanation for the cause. It is therefore to be feared that personal data will continue to be under-protected. Should further customer data be stolen, mall.cz must reckon with considerably heavier fines, since the GDPR would then apply and the data protection authority would be proceeding against a repeat offender.