Polish SA fines controller EUR 2200 for failure to implement appropriate security measures

9 June 2023

Background information

  • Date of decision: 9 June 2023
  • Cross-border case or national case: National case
  • Legal references: Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
  • Decision: Administrative fine
  • Key words: Administrative fine, Data protection by design and by default, Data security, Personal data breach, Responsibility of the controller, Principles relating to processing of personal data or Risk analysis


Summary of the Decision


Origin of the case

The controller notified the Polish SA of a personal data breach in which an employee copied personal data from a company computer to an unauthorised medium. As it turned out, until the date of the breach this controller had not used port encryption and other tools to prevent the transfer of data to an unauthorised storage medium.

In the Polish SA’s opinion, taking into account, in particular, the scope of personal data processed by the controller and contained in the copied documents, this controller was obliged to take measures ensuring an appropriate level of data protection.


Key Findings

The supervisory authority's proceedings show that the controller did not carry out a risk analysis for the processing of the data affected by the breach. Yet this activity is crucial for the selection of appropriate technical and organisational measures. Moreover, a risk analysis should be documented and justified on the basis of the factual circumstances existing at the time it is performed.

Although the controller conducted training courses covering personal data protection issues, it was not able to prove that the person who caused the personal data breach attended those training courses.

In the factual circumstances, the controller's failure to conduct a risk analysis prior to the occurrence of a personal data breach meant that it was unable to demonstrate whether the solutions adopted actually provided adequate security. The consequence was the unauthorised use of a portable data storage medium by an employee.



An administrative fine of about 2 200 EUR (10 000 PLN) was imposed on the City and Commune Mayor. It turned out that this controller did not apply adequate organisational measures to prevent a personal data breach that occurred as a result of unauthorised copying of personal data files. It could have prevented this by conducting a risk analysis beforehand.


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.