Background information
- Date of final decision: 19 December 2023
- National case
- Legal Reference(s): Article 33 (Notification of a personal data breach to the supervisory authority), Article 34 (Communication of a personal data breach to the data subject)
- Decision: Administrative fine
- Key words: Administrative fine, Data security, Data subject rights, Lawfulness of processing, Personal data breach, Responsibility of the controller or Sensitive data
Summary of the Decision
Origin of the case
The Polish Supervisory Authority (SA) received a personal data breach notification from the Minister of Foreign Affairs (MFA). It concerned the delivery of a damaged and incomplete package by the postal operator to the addressee.
The President of the Polish SA was informed not by the data controller, but by the MFA, to which the addressee reported incorrectness in its delivery. Upon receiving information about the breach, the Ministry of Foreign Affairs notified the Polish SA that the Consulate General of the Republic of Poland had sent, at the request of the District Court in Krakow, correspondence containing personal data through a postal operator. The Consulate notified the District Court in Krakow (i.e., the sender of the package, acting as a data controller), that the postal operator had delivered the damaged and incomplete correspondence to the addressee. The Court, despite being the controller of the sent data in the concerned case, did not to notify the personal data breach to the supervisory authority.
Key Findings
In the case concerned, the protection of the personal data of seven persons was breached, whereby four of them were facing a high risk of violation of their rights or freedoms due to the extent of the personal data breached. The breach included PESEL numbers (in Polish: Powszechny Elektroniczny System Ewidencji Ludności, i.e., Universal Electronic System for Registration of the Population), as well as information about the plaintiff's health and psychological evaluations of two children.
The controller, by deciding not to notify the personal data breach to the supervisory authority as well as not to communicate it to the data subjects, practically deprived the data subjects of their rights to receive reliable information about the personal data breach without undue delay, and of the opportunity to prevent potential damage. The President of the Polish SA urged the Court to indicate whether an analysis of the risk for the rights or freedoms of the individuals affected (necessary for assessing whether there has been a data protection breach) has been carried out.
Decision
The President of Polish SA has imposed an administrative fine of about € 2.300 (10,000 PLN) on the District Court in Krakow (hereafter also referred to as the Court or controller) for failing to notify the personal data breach to the supervisory authority and for failing to communicate information on the breach to the data subject without undue delay.
For further information: national decision (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.