Poland: Issued UODO ruling imposing a fine of over PLN 3.8 million on Morele.net for violating several GDPR provisions

On 8 February 2024, the President of the Personal Data Protection Office (UODO) fined Morele.net over PLN 3.8 million for GDPR violations related to a data breach that affected 2.2 million people. After the Supreme Administrative Court annulled the initial fine, UODO conducted a new investigation, confirming that Morele.net failed to implement adequate security measures, such as encryption and two-factor authentication, leading to unauthorised access. Morele.net admitted its shortcomings during the proceedings. UODO applied new European guidelines for calculating penalties for the decision.