Poland: UODO fines National Prosecutor's Office PLN 85,000 for disclosing personal data

On September 3, 2024, the Polish data protection authority (UODO) published its decision in DKN.5131.33.2023, as issued on September 2, 2024, in which it imposed a fine of PLN 85,000 (approx. $21,950) on the National Prosecutor's Office for violations of the General Data Protection Regulation (GDPR) following a breach notification from a third party.

Background to the decision

The UODO explained that during a press conference, the Prosecutor of the National Prosecutor's Office and the Minister of Justice disclosed personal data, including the name, surname, and special categories of data, of the injured party in a criminal proceeding. The UODO mentioned that the breach of personal data was not reported to the UODO, nor was the affected individual informed.

The UODO clarified that, after receiving information from a third party, it initiated an investigation and requested an explanation from the National Prosecutor's Office. The National Prosecutor's Office responded that the disclosed data was part of the court's ruling and was cited to illustrate a fundamental point, and that the personal data had already been disclosed during the court proceedings.

Findings of the UODO

Following its investigations, the UODO found the National Prosecutor’s Office to be in violation of:

  • Article 5(1)(a) of the GDPR: the principle of legality whereby the National Prosecutor's Office disclosed the personal data of the injured party contained in the judgment without a legal basis;
  • Article 33(1) of the GDPR: by failing to notify the UODO of the breach of personal data protection without undue delay and no later than 72 hours after discovering the breach; and
  • Articles 34(1) and 34(2) of the GDPR: by failing to notify the person whose data was disclosed without undue delay.

Outcomes

In light of the above, the UODO imposed a fine of PLN 85,000 (approx. $21,950) on the National Prosecutor's Office. The UODO also ordered the National Prosecutor's Office to notify, within three days of receipt of the decision, the person whose personal data was disclosed in the breach and provide them with the following information:

  • a description of the nature of the personal data breach;
  • the name and contact details of the data protection officer (DPO) or another contact point from which more information can be obtained;
  • a description of the possible consequences of the personal data breach, taking into account the category of persons and the scope of data covered by the breach; and
  • a description of the measures taken or proposed by them to remedy the breach, including measures to minimize its possible negative effects, taking into account the category of persons and the scope of data covered by the breach.

You can read the press release here and the decision here, both only available in Polish.