A fine of 1.5 million Czech crowns for e-commerce for personal data leakage

A fine of 1.5 million Czech crowns for e-commerce for personal data leakage

In 2018, the Czech Personal Data Protection Authority imposed a first large fine of 1.5 million Czech crowns against Internet Mall, a. s., which operates the e-commerce Mall.cz. as well as the Slovak version - Mall.sk.

What did the company do wrong?

The Mall.cz portal did not secure personal data of at least 735 956 customers. From at least December 31, 2014 to August 2017, it did not protect clients' names, surnames, email addresses, passwords, and phone numbers from unauthorized access to the database. For this reason, it was possible for all these sensitive customer data to appear on the Uloz.to portal from July 27 to August 25, 2017. However, the problem is that the company did not find out how this mass leak of personal data could have occurred, which is an aggravating circumstance.

What law did the company break?

Online e-commerce Mall.cz did not violate GDPR because this security incident occurred before GDPR came into force. However, the company violated the technical and organizational privacy requirements set by law before the GDPR was approved. Already the European Union Directive of 1995 required an adequate level of data protection with an emphasis on the state of the art. In the past, many companies have not consistently respected regulations aimed at protecting personal data, but they do not even respect them today.

Why could the fine be higher?

Therefore, it is not surprising that several companies are sanctioned nowadays by the competent authorities and fines of several million are applied. If the Mall.cz online store had become this large data leak at a time when GDPR was already in effect, the fine would probably have been much higher. Under the Regulation, the fine can currently be up to EUR 10 million or 2% of the company's annual annual turnover for the previous financial year. In 2017, Mall in Slovakia and the Czech Republic achieved a turnover of 340 million euros. The fine could thus be as high as EUR 6.8 million.

How to respond when personal data leaks today?

If a personal data breach occurs during the period of validity of the European GDPR, the company must report the leak to the competent authority within 72 hours of its discovery. If there was a high risk for the persons concerned and the company would not take appropriate measures to prevent the consequences of this incident, the company would have to inform all persons concerned without delay.