Polish SA: risk assessment and acting in accordance with established procedures counteract data loss

20 December 2022

Background information

  • Date of final decision: 2 November 2022
  • National case
  • Controller: Mayor of the Commune
  • Legal Reference:
    • Data protection by design and by default Article 25(1)
    • Responsibility of the controller Article 24(1)
    • Integrity and confidentiality Article 5(1)(f)
    • Accountability Article 5(2)
    • Security of processing Article 32(1),(2)
  • Decision: Administrative Fine
  • Key words: Commune, Security of processing


Summary of the Decision


Origin of the case

The controller notified the Polish Supervisory Authority (SA) of a personal data breach that occurred as a result of a break-in at an employee's apartment and the theft of a laptop containing a file with personal data. As a result, the confidentiality of the personal data of the individuals concerned was lost.


Key Findings

The proceedings revealed that the stolen computer was protected from unauthorised access only by a password, and the security measures adopted in the procedures were not applied to this device.

The controller had kept adequate documentation since the beginning of the application of the GDPR and had performed a risk assessment. The controller was aware of the need to apply appropriate organisational and technical measures to ensure the security of processing carried out on portable computer devices. Following the personal data breach, the controller took steps to avoid similar incidents in the future by encrypting laptop hard drives. Thus, it was only after the data breach occurred that the controller complied with the results of its own risk assessment and the risk management specified therein.



The Polish SA imposed an administrative fine of PLN 8,000 on the Mayor of the Commune of Dobrzyniewo Duże for failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


For further information: decision in national language (PL)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.