Data Protection in Poland

Enforcement in Poland

EU regulation

In 2021, the Polish DPA issued seventeen administrative fines. Most of them concerned an entity's failure to provide information to, or cooperate with, the Polish DPA, or the lack of sufficient technical and organisational measures to ensure information security.

The biggest fine of 2021 was imposed on a company that provides comprehensive, integrated media and telecommunications services. Its infringement consisted in the failure to implement appropriate technical and organisational measures to ensure the security of personal data processed in cooperation with a courier service provider. The numerous data breaches involved the loss of correspondence containing personal data or the delivery of correspondence to the wrong recipient. The company's data controller reported the breaches to the supervisory authority and notified the affected individuals two or even three months after they occurred. The company was fined EUR 245,000.

Another fine was issued on 14 October 2021. The Polish DPA had become aware of a data protection breach following a complaint against a bank. It turned out that correspondence sent by the bank through a courier service containing personal data (e.g. first name, surname, PESEL number, home address, account numbers and identification numbers of customers) had been lost. The bank had failed to report the incident to the Polish DPA and provide adequate notice to the data subjects and was fined EUR 78,000.

Another decision was issued against an insurance company for failing to report a personal data breach to the Polish DPA and failing to notify the data subject of the breach. The breach was caused by an employee of a financial intermediary sending an insurance needs analysis and an insurance offer, including data such as first name, surname, PESEL number, city, postal code and information on the subject of the insurance, by e-mail to the wrong recipient. The fine was EUR 35,300.

Another fine resulting from a failure to report a personal data breach to the Polish DPA was imposed on a generator, distributor and retailer of electricity. The breach involved sending an email with an unencrypted, non-password-protected attachment containing the personal data of several hundred people. The sender of the email was an associate of the company, which was fined EUR 30,000.

The last of the major fines imposed in 2021 concerned the National School of Judiciary and Public Prosecution, whose data controller failed to implement sufficient technical and organisational measures related to its training platform website. During a test migration to a new platform, the data of more than 50,000 individuals had been exposed on the Internet. The Polish DPA imposed a fine of EUR 22,200.


Poland regulation

In 2022, the Polish DPA issued ten decisions imposing administrative fines which, similarly to the previous year, concerned the failure to provide information to the Polish DPA, lack of cooperation with the Polish DPA, and the use of insufficient technical and organisational measures to ensure information security.

So far, the highest fine of 2022, i.e. EUR 1,000,000, was imposed on an electricity and gas trading company, which sells electricity and gas to both business and household end users. The company failed to implement appropriate technical and organisational measures, but also did not properly verify its data processor. The Polish DPA found that unauthorised persons had managed to access and siphon off customer data and blamed both the controller and the processor for the personal data breach affecting more than 100,000 individuals for five days. As a result, the processor was also fined EUR 53,000.

Another fine was imposed on a bank which did not report a personal data breach to the Polish DPA in a timely manner, despite the fact that around 10,500 people were affected. In its decision, the Polish DPA emphasised that it was not necessary for the risk to have actually materialised, but the mere fact that it could have, was sufficient. The bank was fined EUR 118,000.

One recent decision concerned a telecoms operator that failed to report a data breach to the Polish DPA within 24 hours, as required by the Telecommunications Act. The company's data controller also did not notify the affected individuals. The breach occurred during the conclusion of a contract: an email containing a copy of the contract and its annexes was sent to an address incorrectly indicated by the customer. This was not the first time the entity had failed to notify the Polish DPA of a data breach by the required deadline, which also affected the amount of the fine, EUR 53,000.

The same telecoms operator is also the owner of a company providing prepaid and postpaid wireless voice, text and data communications services throughout Poland. This case started in 2019, when the Polish DPA imposed a fine of EUR 444,000 for the lack of appropriate technical and organisational measures to ensure the security of the data it was processing. The company appealed the decision, and the administrative court held that the Polish DPA should re-assess the amount of the fine. The company ultimately had to pay a fine of EUR 374,00.

In 2023, the Polish DPA imposed a fine of EUR 24,000 on an insurance company for failing to report a data breach within the required 72-hour timeframe. The breach involved an unauthorised recipient receiving an email with sensitive personal data, including names, addresses and insurance details. Despite being aware of the incident, the company did not notify the supervisory authority, leading to the fine. The decision highlights the importance of timely reporting and proper risk assessment to protect individuals' data rights.

In 2024, the Polish DPA imposed an administrative fine of EUR 326,000 on a bank for failing to report a personal data breach. The Polish DPA learned of the breach at the bank from the media. It involved the disclosure of bank documents contained in a parcel abandoned on a housing estate after it had been stolen from a courier company. The Polish DPA emphasised that the risk to an individual's rights or freedoms should be assessed from the perspective of the person at risk, rather than from the controller's interests. Failing to report a data breach to both the affected individuals and the Polish DPA hinders an appropriate response and risk evaluation, potentially leading to serious consequences for the data subjects.

In 2024, the Polish DPA imposed a monetary penalty on an entity whose employee lost a memory stick. The memory stick contained partially encrypted personal data of another of the controller's employees. The lost external data carrier contained unencrypted files with that employee's personal data, including name, home address, nationality, gender, date of birth, PESEL number, passport series and number, telephone number, email address, photograph (image) and salary details. In addition, the data medium also contained encrypted financial data files. It was found that the company had failed to apply appropriate technical and organisational measures to protect personal data, which violated the principles of integrity, confidentiality and accountability. The controller was fined EUR 56,000.
