The Office for Personal Data Protection (‘UOOU’) announced, on 16 August 2016, its decision to impose a fine of CZK 3.6 million (approximately €130,000) on T-Mobile Czech Republic in relation to a data breach the company suffered earlier this year. According to the UOOU, T-Mobile did not take sufficient measures to protect the personal data of 1.2 million of its customers, which was contained in an electronic internal database and later stolen by one of its employees.
Michal Nulíček and Josef Donát, Partners at Rowan Legal, told DataGuidance, “The T-Mobile enforcement action itself is unusual, normally the proceedings before the UOOU take approximately half a year and the fines are considerably lower in most cases. The speed of the proceedings can probably be attributed to T-Mobile’s cooperation, which also implemented additional security measures before the on-site audit of the UOOU was initiated.”
The UOOU stated that T-Mobile committed an administrative offence due to the violation of its duties under Section 13(1) of the Data Protection Act 2000 (‘the Act’), which, among other things, imposes obligations on data controllers and processors to adopt measures preventing unauthorised or accidental access to personal data.
Ondřej Kramoliš, Associate and Data Protection specialist at Allen & Overy, commented, “The UOOU reacted very quickly and transparently. Just a couple of days after the leak, they publicly announced the start of the administrative proceedings against T-Mobile and only two months later the proceedings were completed and a fine imposed. This is not a standard practice as the UOOU usually keeps its sanction proceedings non-public and informs the public about them only after they are completed.”
According to T-Mobile, the firm’s security controls were triggered immediately upon suspicion that illegal activity, including the copying of the customer database, had been committed. Once the breach was discovered, T-Mobile immediately contacted the police and terminated the contract with the employee who had acquired the customer data and later attempted to sell the datasets to a T-Mobile business partner; that partner immediately informed the mobile network operator of the data loss.
Nulíček and Donát explained, “T-Mobile and the UOOU noted that the data were acquired by an employee without necessary authorisation, but were not transferred to any third party. This shows that even breaches that do not affect rights and freedoms of data subjects (i.e. without data leaks to third parties) can lead to significant fines. However, timely detection of the data breach, fast implementation of corrective measures and open cooperation with the UOOU may prevent further damages and also lead to lower fines. The corrective measures will especially come into play with the General Data Protection Regulation (‘GDPR’) since they may prevent the obligation to notify the relevant data breach, which is otherwise mandatory under GDPR.”
Under the Act, the UOOU may impose a penalty on a legal person of up to CZK 10 million (about €370,000). However, in the present case the UOOU took into consideration the fact that T-Mobile had adopted technical and organisational measures to protect the personal data of its customers following the discovery of the breach, and thus did not impose the maximum penalty.
Kramoliš commented, “This is one of the biggest fines ever issued by the UOOU […] However, given the previous practice of the UOOU and fines imposed in the past, I consider the fine to be appropriate. The question is whether the UOOU should not change its course and start imposing higher fines closer to the upper limit to emphasize the importance of protection of personal data, especially now when the date of effectiveness of the GDPR, which creates room for much higher fines, is approaching.”
Nulíček and Donát concluded, “This penalty is a clear message from the UOOU that they are not afraid of enforcement action. With the outlook to the GDPR, this makes the data protection and breach prevention a top issue for all Czech companies not only in IT and telco sector, but also in other data intensive branches of the industry such as health and pharma.”
Agata Dziedzic | Privacy Analyst