The Voivodeship Administrative Court: data breach must be communicated to the data subject

In autumn 2020 the Polish SA received a notification of a suspected infringement of data protection provisions by the Lex Nostra Foundation. The case concerned the loss of personal data of a number of individuals in early 2020, caused by the theft of folders containing personal data of the Foundation's beneficiaries. The controller neither notified the personal data breach to the SA nor communicated it to the data subjects. As a consequence of this failure, the supervisory authority imposed an administrative fine on the Lex Nostra Foundation in June 2021. The controller appealed against the decision to the Voivodeship Administrative Court in Warsaw, which dismissed the complaint.

The Court confirmed that the controller had failed to notify the personal data breach to the supervisory authority (Article 33 GDPR) and had also failed to communicate the breach to the data subjects without undue delay (Article 34 GDPR). Both failures constitute infringements of the General Data Protection Regulation (GDPR).

In the Court's view, the SA was right to point to examples of the damage that may result from a breach, including, but not limited to, discrimination, identity theft or identity fraud, financial loss and damage to reputation. The Court also confirmed that in this case, given the categories of personal data affected by the breach, there was a high risk to the rights and freedoms of the data subjects, since the lost data allowed those persons to be easily identified.

In the Court's view, the controller's failure to communicate the breach in practice deprived the data subjects not only of knowledge of the breach, but also of the possibility to take appropriate measures to counteract its negative effects.