WSA upholds validity of penalty for failure to report data protection breach


Violetta Matusiak, Data Security Inspector, Crowe
11/16/2022
Failing to report a personal data breach to the supervisory authority, and failing to notify the persons whose data has been lost, carries a financial penalty. In its judgment of 31 August 2022 the Voivodship Administrative Court (WSA) in Warsaw confirmed the position taken by the President of the Personal Data Protection Office (PDPO) on this issue.

Loss of personal data shall be reported immediately

The Voivodship Administrative Court in Warsaw on 31 August 2022 dismissed the complaint of the Lex Nostra Foundation for the Promotion of Mediation and Legal Education against the decision of the President of the Personal Data Protection Office to impose a financial penalty on the Foundation.

The merits of the case concerned the penalty for failing, contrary to the provisions of the GDPR, to report a personal data breach and failing to inform the Foundation's beneficiaries whose data had been lost because of the theft of document folders.

The WSA confirmed that the Foundation, as the controller of the personal data, had been obliged to notify the data security breach and had failed to do so adequately. The lack of notification could also have resulted in a violation of the rights and freedoms of the persons whose data had been lost. Consequently, there was a breach of the GDPR.

The Court also confirmed that the PDPO was right to assume that the incident could have caused considerable damage, including financial loss, identity theft and forgery, discrimination, and damage to an individual's reputation. The failure to notify the data subjects prevented them from taking any remedial action and therefore did nothing to minimise the possible negative effects of the breach.

In the WSA's view, considering the above, the fine imposed on the Foundation was justified and adequate to the situation, which consequently led to the dismissal of the Foundation's complaint.

Case ref. II SA/Wa 2993/21


Obligations of the controller with respect to personal data breaches

According to Article 4(12) of the GDPR, a personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed".

The data controller has the following obligations in relation to a personal data breach:

  • reporting the breach to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 GDPR);
  • notifying the data subjects of the incident and of its possible consequences for their rights and freedoms where the breach is likely to result in a high risk to those rights and freedoms (Article 34 GDPR);
  • keeping an internal record of all breaches, including their facts, effects and the remedial action taken (Article 33(5) GDPR);
  • analysing the breach and, on the basis of that analysis, taking appropriate action to counter its effects and to prevent similar incidents in future.


Implementing appropriate procedures for handling an incident or a suspected data breach is the foundation of any organisation's data security policy. How quickly action is taken, and how reliably an incident is recognised as a personal data breach in the first place, is critical to the security of the personal data an organisation processes.

In the case of any data breach, the controller should assess the risk and classify the incident in terms of its potential to violate the rights and freedoms of natural persons. If that assessment identifies such a risk, the controller is obliged to notify the President of the Personal Data Protection Office of the breach without undue delay.

Furthermore, regardless of the outcome of the risk assessment, the controller is obliged after any incident to implement countermeasures that reduce the risk and ensure an adequate level of personal data security.
