Poland: UODO fines National Prosecutor's Office PLN 85,000 for disclosing personal data
On September 3, 2024, the Polish data protection authority (UODO) published its decision in DKN.5131.33.2023, as issued on September 2, 2024, in which it imposed a fine of PLN 85,000 (approx. $21,950) on the National Prosecutor's Office for violations of the General Data Protection Regulation (GDPR) following a breach notification from a third party.
Background to the decision
The UODO explained that during a press conference, the Prosecutor of the National Prosecutor's Office and the Minister of Justice disclosed personal data, including the name, surname, and special categories of data, of the injured party in a criminal proceeding. The UODO mentioned that the breach of personal data was not reported to the UODO, nor was the affected individual informed.
The UODO clarified that, after receiving information from a third party, it initiated an investigation and requested an explanation from the National Prosecutor's Office. The National Prosecutor's Office responded that the disclosed data was part of the court's ruling and was cited to illustrate a fundamental point, and that the personal data had already been disclosed during the court proceedings.
Findings of the UODO
Following its investigations, the UODO found the National Prosecutor’s Office to be in violation of:
- Article 5(1)(a) of the GDPR: the principle of legality whereby the National Prosecutor's Office disclosed the personal data of the injured party contained in the judgment without a legal basis;
- Article 33(1) of the GDPR: by failing to notify the UODO of the breach of personal data protection without undue delay and no later than 72 hours after discovering the breach; and
- Articles 34(1) and 34(2) of the GDPR: by failing to notify the person whose data was disclosed without undue delay.
Outcomes
In light of the above, the UODO imposed a fine of PLN 85,000 (approx. $21,950) on the National Prosecutor's Office. The UODO also ordered the National Prosecutor's Office to notify, within three days of receipt of the decision, the person whose personal data was disclosed in the breach and provide them with the following information:
- a description of the nature of the personal data breach;
- the name and contact details of the data protection officer (DPO) or another contact point from which more information can be obtained;
- a description of the possible consequences of the personal data breach, taking into account the category of persons and the scope of data covered by the breach; and
- a description of the measures taken or proposed by them to remedy the breach, including measures to minimize its possible negative effects, taking into account the category of persons and the scope of data covered by the breach.
You can read the press release here and the decision here, both only available in Polish.