Failure to notify a personal data breach as the main reason for a fine imposed on a housing association by the Polish SA

7 February 2023

Background information

  • Date of decision: 7 February 2023 
  • Cross-border case or national case: National case
  • Legal references: Article 83 (1)-(3), (4) (a) and (5) (a) GDPR (General conditions for imposing administrative fines), Article 28 (1), (3) and (9) GDPR (Processor), Article 33 (1) GDPR (Notification of a personal data breach to the supervisory authority), Article 34 (1) and (2) GDPR (Communication of a personal data breach to the data subject), Article 5 (1) (a) GDPR (Principles relating to processing of personal data), Article 57 (1) (a) and (h) GDPR, Article 58 (2) (e) and (i) GDPR
  • Decision: Administrative fine
  • Key words: Administrative fine, Personal data breach


Summary of the Decision


Origin of the case

The Polish SA received an anonymous notification of a possible personal data breach involving tenants' personal data processed by a housing association (the controller). The breach occurred as a result of the theft of documents, including a copy of a notarial deed, held by the administrator of the housing association.


Key Findings

One of the controller's infringements was the failure to notify the personal data breach to the supervisory authority. The risk of negative consequences for the members of the housing association was more than unlikely, so the controller was obliged to notify the breach to the supervisory authority. In this case, the association not only failed to notify the supervisory authority of the breach affecting all of its members, but also failed to inform the two persons whose data appeared on the stolen photocopy of the notarial deed relating to their property. In the authority's view, the breach posed a high risk to the rights and freedoms of these persons, which means that it had to be communicated to them.


Decision

The Polish SA imposed an administrative fine of just over EUR 350 (PLN 1,500) on the housing association. In its proceedings, the SA took into account several infringements in the controller's activities: the failure to notify the personal data breach, the failure to communicate the breach to the data subjects, and the fact that the processing of the association members' data had been entrusted to a processor without a written agreement. Since the breach in this case gives rise to such a high risk, the supervisory authority, in addition to imposing the administrative fine, also ordered the controller to communicate the breach to the data subjects within 3 days of the issuing of the decision.


For further information: PL: Decyzja - DKN.5131.31.2021

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.