
GDPR: Virgin Mobile fined PLN 1.9M for failure to implement proper data protection

Przemysław Juściński

The President of the Polish Personal Data Protection Office has imposed a penalty of PLN 1.9M on Virgin Mobile Polska for its failure to implement the relevant measures ensuring the security of the data processed.

The President concluded that the company has failed to carry out regular and comprehensive tests, measurements, and evaluations of the technical and organizational measures used to guarantee the security of the data processed, taking actions in this respect only incidentally, in connection with suspected vulnerabilities or organizational changes. There were also no tests in terms of security measures related to transferring data between applications used with respect to buyers of prepaid services. These irregularities resulted in an unauthorized person obtaining access to the data of the clients in one of the databases.

The amount of the penalty was influenced by the fact that the violation was a material one since it has created a high risk of negative consequences for a large number of persons (e.g. the risk of identity theft). The short duration of data access the unauthorized persons had was of no importance, as it was sufficient to download a large volume of data. Additionally, the violation itself lasted for a long time: the President concluded that vulnerability to data leaks existed a long time before it actually happened.

This is another case of a personal data leak that shows how important it is for entities processing personal data to comply with the provisions of the GDPR, including the principle of data confidentiality and accountability, in particular by means of regularly, and not only incidentally, testing the technical measures used to protect personal data.

Not sure who to entrust with handling the legal aspects of your personal data processing? At our Law Firm, we have a number of GDPR specialists, including Michał Czuryło, Attorney-at-Law, and Barbara Miziołek, Attorney-at-Law. Contact them:


Michał Czuryło | michal.czurylo@kwkr.pl | +48 504 035 553

Barbara Miziołek | barbara.miziolek@kwkr.pl | +48 508 061 790


Meet all of our team members.




Do you want to be up to date? Sign up for our newsletter

By subscribing to our newsletter, you consent to the sending of information by e-mail on important events in the field of law, legislative changes and the activities of the Law Firm.

read more

The administrator of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with headquarters in Krakow, ul. Kącik 4, 30-549 Krakow. Your data will be processed for the purpose of sending our newsletter. You have the right to request access to your personal data, their copies, rectification, deletion or limitation of processing, as well as the right to object to the processing and to lodge a complaint with the supervisory authority. More details can be found in our Privacy Policy.


KWKR Konieczny Wierzbicki and Partners Law Firm
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Administratorem Twoich danych osobowych jest KWKR Konieczny Wierzbicki i Partnerzy S.K.A. z siedzibą w Krakowie, ul. Kącik 4, 30-549 Kraków.
Przetwarzamy Twoje dane wyłącznie w celu udzielenia odpowiedzi na wiadomość przesłaną przez formularz kontaktowy i dalszej komunikacji (co stanowi nasz prawnie uzasadniony interes) – przez czas nie dłuższy niż konieczny do udzielenia Ci odpowiedzi, a potem przez okres przedawnienia ewentualnych roszczeń. Masz prawo do żądania dostępu do swoich danych osobowych, ich kopii, sprostowania, usunięcia lub ograniczenia przetwarzania, a także prawo wniesienia sprzeciwu wobec przetwarzania oraz wniesienia skargi do organu nadzorczego. Więcej szczegółów znajdziesz w naszej Polityce Prywatności.

Rondo ONZ 1,

00-124 Warszawa

+48 12 3957161
