Administrative fine for housing association for lack of personal data breach notification to the Polish SA

1 March 2023

Poland

Background information

Date of decision: 1 March 2023
Cross-border case or national case: National case
Legal references: Article 83 (1), (2), (4) (a) GDPR (General conditions for imposing administrative fines), Article 57 (1) (a) and (h) GDPR, Article 58 (2) (e) and (i) GDPR, Article 33 (1) GDPR (Notification of a personal data breach to the supervisory authority), Article 34 (1), (2), (4) GDPR (Communication of a personal data breach to the data subject)
Decision: Administrative fine
Key words: Administrative fine, Personal data breach

Summary of the Decision

Origin of the case

The Polish SA received a report from a third party which got the access as unauthorised entity to information concerning a member of a housing association.

Key Findings

As revealed in the ex officio proceedings before the supervisory authority, the incident occurred during a press conference, during which the unauthorised person was provided by the controller with information about a dispute between the controller and a member of the association, including a photocopy of a notice of suspected crime along with such personal data as name, surname, personal identification number (PESEL number) and address of residence. The case was recorded by the controller in the internal register of personal data breaches, and after analysing the risk to rights and freedoms, the controller considered it not likely to result in a high risk. The Polish SA is of the opinion that, in this case, there were no factors reducing the level of probability of adverse effects. According to the SA, given the sharing of personal data, the controller should have communicated the breach to the data subject, but failed to do that.

Decision

The Polish SA imposed an administrative fine of about EUR 11,500 (PLN 52,000) on a housing association for failing to notify the supervisory authority of a personal data breach and for failing to communicate the breach to the data subject.

For further information: PL: Decyzja DKN.5131.49.2021

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

Administrative fine for housing association for lack of personal data breach notification to the Polish SA

Background information

Summary of the Decision

Origin of the case

Key Findings

Decision

CEPD adota declaração sobre o papel das APD no quadro do Regulamento Inteligência Artificial, nas perguntas frequentes do Quadro de Privacidade de Dados UE-EUA e no novo Selo Europeu de Proteção de Dados

Coordinated Supervision Committee appoints new coordinator

Zdravko Vukić elected new Deputy Chair of the European Data Protection Board

Reconhecimento facial nos aeroportos: as pessoas devem ter o máximo controlo sobre os dados biométricos

EDPB launches French and German versions of its Data Protection Guide for small business