Polish SA: administrative fine of 6 800 € for failure to notify a personal data breach to the supervisory authority

6 February 2025

Background information

  • Date of final decision: 26 November 2024
  • National case
  • Legal Reference(s): Article 33 (Notification of a personal data breach to the supervisory authority), Article 34 (Communication of a personal data breach to the data subject)
  • Decision: Administrative fine, Communication order personal data breach
  • Key words: Administrative fine, Data subject rights, Personal data breach, Principles relating to processing of personal data, Data security, Responsibility of the controller

Summary of the Decision

Origin of the case  

The President of the Personal Data Protection Office became aware of the case from the Ombudsman for Patients. One of the hospital's patients was provided with another person's medical information. The information contained the name, date of birth, PESEL (personal ID number) and health data.

The hospital explained that it was not aware of the incident and therefore did not notify it. At the request of the Polish SA, it provided a data risk analysis and the content of the notification, which it then - too late - addressed to the data subject who was affected by the data disclosure.

Key Findings 

The hospital - the data controller - explained to the President of the Personal Data Protection Office that the risk of inconvenience associated with the disclosure of the patient's personal data to an unauthorised person was, in its opinion, low and that the incident did not require further action. The hospital informed the data subject of the matter. However, because the hospital did not notify the breach to the Polish Supervisory Authority (SA), the latter could not react and support the controller in minimising the consequences of the breach, which had already occurred.

The President of the Personal Data Protection Office emphasises that the accidental disclosure of personal data to even one identified person may lead to an increase in the scale of the breach and thus create a risk of breach of the data subject's rights or freedoms.

Decision

The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of 6 800 € on the County Hospital in Września for infringement of Articles 33 and 34 of the GDPR.

The President of the Polish SA considered that an administrative fine should be imposed. Its imposition is intended to ensure that the hospital fulfils its data protection obligations in the future, in particular with regard to data breach notification.

For further information: national decision (Polish)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.