Background information
- Date of decision: 14 March 2023
- Cross-border case or national case: National case
- Legal references: Article 33 (Notification of a personal data breach to the supervisory authority), Article 34 (Communication of a personal data breach to the data subject)
- Decision: Administrative fine, Communication order personal data breach
- Key words: Administrative fine, Personal data breach, Data security, Data subject rights, Children, Health records, Risk assessment
Summary of the Decision
Origin of the case
The Personal Data Protection Office received information indicating a possible data protection breach at the District Public Prosecutor's Office. The incident consisted of a local journalist being provided with non-anonymised documentation from a concluded proceeding in response to a request made under the Access to Public Information Act. After receiving a copy of the documents, the journalist published them on a local website, anonymising the personal data beforehand. In view of the controller's failure to notify the personal data breach to the supervisory authority and to communicate it to the data subjects, the supervisory authority initiated ex officio proceedings.
Key Findings
In the present case, the controller failed to communicate the breach to the data subjects.
Taking into account the wide range of data disclosed, it must be concluded that there was a high risk to the rights or freedoms of individuals as a result of the incident. An additional risk to the rights or freedoms of individuals relates to the disclosure of data on the health of a child.
In the course of the proceedings, the controller did not provide any analysis in this regard and thus did not document that it had carried out an analysis of the high risk to the rights and freedoms of the natural persons affected by the personal data breach in question. The authority therefore considered that the controller had simply not carried out such an assessment. The incident resulted in a breach of the confidentiality of individuals' data due to the release of improperly anonymised documents.
Decision
The President of the Personal Data Protection Office has imposed an administrative fine of about 4 500,00 EUR (20 000,00 PLN) on the District Prosecutor's Office for failing to notify the personal data breach to the supervisory authority and failing to communicate it to the data subjects. The President of the Polish supervisory authority has ordered the controller to communicate the breach to the data subjects.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.