Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Poland: UODO fines company PLN 47,000 for ineffective security measures

On July 19, 2023, the Polish data protection authority (UODO) announced its decision in Case No. DKN.5131.8.2021, as issued on May 31, 2023, in which it fined an unnamed company PLN 47,000 (approx. $10,000) for violations of the General Data Protection Regulation (GDPR), following the anonymous notification of a personal data breach to the UODO.

Background to the decision

In particular, the UODO stated that it received a notification of a data breach, caused by a ransomware attack, that led to the loss of the personal data of employees and contractors of the company.

Findings of the UODO

At the end of its investigation, the UODO determined that the company had violated Article 5(1)(f) of the GDPR by failing to implement adequate technical and organizational measures to ensure the security of personal data. Additionally, the UODO stated that by failing to test and evaluate the effectiveness of said measures, the company had violated Articles 5(2), 32(1), 32(2) of the GDPR.

The UODO found that the company failed to conduct a risk assessment of its data processing activities to inform its data security measures contrary to Articles 24(1) and 25(1) of the GDPR. Additionally, the UODO faulted the company for failing to report the breach to the UODO within 72 hours of becoming aware of the breach and failing to notify the data subjects affected by the breach in violation of Articles 33(1), 34(1), 34(2) of the GDPR.

Further, the UODO held that the company did not cooperate effectively with the UODO during its investigation. In particular, the UODO noted that communication from the company was often inconsistent.


In light of the above, the UODO fined the company PLN 47,000 (approx. $10,000) for the abovementioned violations.

You can read the press release here and the decision here, both only available in Polish.