Administrative fine for housing association for lack of personal data breach notification to the Polish SA

1 March 2023

Background information

  • Date of decision: 1 March 2023 
  • Cross-border case or national case: National case
  • Legal references: Article 83 (1), (2), (4) (a) GDPR (General conditions for imposing administrative fines), Article 57 (1) (a) and (h) GDPR, Article 58 (2) (e) and (i) GDPR, Article 33 (1) GDPR (Notification of a personal data breach to the supervisory authority), Article 34 (1), (2), (4) GDPR (Communication of a personal data breach to the data subject)
  • Decision: Administrative fine
  • Key words: Administrative fine, Personal data breach

 

Summary of the Decision

 

Origin of the case

The Polish SA received a report from a third party that, as an unauthorised entity, had obtained access to information concerning a member of a housing association.

 

Key Findings

As revealed in the ex officio proceedings before the supervisory authority, the incident occurred during a press conference, at which the controller provided the unauthorised person with information about a dispute between the controller and a member of the association, including a photocopy of a notice of suspected crime containing personal data such as name, surname, personal identification number (PESEL number) and address of residence. The controller recorded the case in its internal register of personal data breaches and, after analysing the risk to rights and freedoms, considered it not likely to result in a high risk. The Polish SA is of the opinion that, in this case, there were no factors reducing the level of probability of adverse effects. According to the SA, given the sharing of personal data, the controller should have communicated the breach to the data subject, but failed to do so.

 

Decision

The Polish SA imposed an administrative fine of about EUR 11,500 (PLN 52,000) on a housing association for failing to notify the supervisory authority of a personal data breach and for failing to communicate the breach to the data subject.

 

For further information: PL: Decyzja DKN.5131.49.2021

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.