VK May Be Fined for GDPR Violation
VK, the popular social network, could face a fine of up to €20 million or 4% of its annual turnover for allegedly violating the General Data Protection Regulation (GDPR). Belarusian activist Kristian Shinkevich, who resides in Poland, filed a complaint against VK with the Polish Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). According to Shinkevich, VK is not complying with European data protection laws and should either be fined or banned from operating in Poland. This was reported by the Telegram channel “You’ll Get Jailed for a Like.”
Shinkevich claims that although VK responded to his request for access to his personal data, the information provided was incomplete. Furthermore, after submitting a follow-up request, he lost access to his account.
The activist also criticized the way his personal data was delivered. The information was sent in a password-protected zip archive by a VK support agent, who also provided the password. Shinkevich argues that this method is insecure and does not meet GDPR requirements for organizational and technical data protection measures.
Denis Lukash, Executive Director of the Center for Digital Rights, commented: “GDPR requires the minimization of data and the implementation of organizational and technical protection measures. While it makes sense for a VK employee to find a user’s ID and export the data, and even encrypt it in a zip file with a password, this protection becomes meaningless if the same employee provides the password. This suggests that VK does not ensure adequate organizational protection of personal data, either under Russian law (152-FZ) or under GDPR. Segregation of access rights and their management is a basic rule of information security.”
He added, “VK could be fined for two violations: breaching fundamental principles and violating the rights of the data subject. The penalty can be up to €20 million or 4% of the group’s global annual turnover for the previous financial year.”