Administrative fine for lack of personal data breach notification

The Personal Data Protection Office (hereinafter: SA) has imposed an administrative fine of nearly PLN 52,000 on a housing association for failing to notify the supervisory authority of a personal data breach and for failing to communicate the breach to the data subject. It also ordered the controller to communicate the personal data breach to the data subject.

The Polish SA received a report from a third party that, as an unauthorised entity, had gained access to information concerning a member of a housing association.

As revealed in the ex officio proceedings before the supervisory authority, the incident in question occurred during a press conference, at which the controller provided the unauthorised person with information about a dispute between the controller and a member of the association, including a photocopy of a notice of suspected crime containing such personal data as name, surname, personal identification number (PESEL number) and address of residence.

The controller recorded the case in its internal register of personal data breaches and, after analysing the risk to rights and freedoms, considered such a risk unlikely.

Breach notification

In the case of a personal data breach, every controller is obliged to notify the supervisory authority of it within 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons.

The controller shall analyse the risk of infringement of the rights and freedoms of natural persons, and when the analysis indicates at most a low probability of a risk, the controller may refrain from notifying the incident to the supervisory authority and record it in its internal documentation. This analysis should take into account any risks to the data subject, not the interests of the controller. In the case in question, the controller, despite having made available a document containing data in the form of name, surname, personal identification number (PESEL number) and address of residence, did not show that an in-depth analysis had been made, and only provided the supervisory authority with a general document that did not refer to this specific case. The Polish SA is of the opinion that, in this case, there were no factors reducing the probability of adverse effects. A document containing the personal data of a housing association's member was made available to an unauthorised party. It is irrelevant whether this person actually performed the acts referred to in the notice of suspected crime. Even if the allegations raised were confirmed to be valid, this would not mean that the person should be deprived of the protection of his/her rights.

In a situation where there is a high risk to the rights and freedoms of natural persons, the controller is also obliged to communicate the breach to the data subject.

When the risk is high, it is necessary to inform the data subject

According to the SA, given that the personal data were shared, the controller should communicate the breach to the data subject.

The controller should point out to the data subject the possible negative consequences. A combination of disclosed data such as name, surname or personal identification number (PESEL number) is sufficient to impersonate the person and, for example, incur financial liabilities. This is all the more reason to inform the affected person about the personal data breach.

Although the negative consequences have not materialised, what matters is the mere possibility of their occurrence.

Full text of the decision (in Polish)