24.07.2025

Voivodeship Administrative Court dismissed Panek SA’s complaint against the fine decision

Voivodeship Administrative Court dismissed Panek SA’s complaint against the fine decision of the President of the Personal Data Protection Office

The Voivodeship Administrative Court in Warsaw dismissed Panek SA’s complaint concerning an administrative fine imposed on that company by the President of the Personal Data Protection Office, Mirosław Wróblewski, for infringing the provisions on the protection of personal data during the launch of the new website and the process of copying files from the former website of that company.

The case dates back to April 2020, when Panek SA notified the President of the Personal Data Protection Office of a personal data breach that had occurred a few days earlier. The breach consisted of the fact that, when the new website of Panek SA was launched, a folder containing files with personal data from the previous version of the website was disclosed. As a result, Google’s robot was able to index files containing personal data such as name, surname, email address, home address, passwords to the client panel, phone number and personal identification number (PESEL number) (however, this happened on a much smaller scale for this data). The breach ultimately affected more than 7000 persons (without the PESEL numbers being disclosed). You can read more about the case on our website.

The President of the Personal Data Protection Office imposed an administrative fine of PLN 1 527 855 on Panek SA as data controller and PLN 20 037 on the processor (for infringement of Article 32 (1) and (2) and Article 32 (1) and (2) in connection with Article 28 (3)(c) GDPR).

Panek SA lodged a complaint with the Voivodeship Administrative Court against the decision of the President of the Personal Data Protection Office, alleging, inter alia: that the supervisory authority infringed procedural provisions, i.e. Article 8 in conjunction with Article 80 of the Code of Administrative Procedure, by infringing the principle of the free assessment of evidence, failing to establish the cause of the 2020 incident and assuming that Panek SA was responsible for it; infringement of Article 7 in conjunction with Article 77 of the Code of Administrative Procedure, read in conjunction with Article 84 of the Code of Administrative Procedure, through the supervisory authority’s failure to take the necessary steps to clarify the facts of the case on its own initiative; incorrect application of Article 24 (1) and Article 32 (1) and (2) of the GDPR, by assuming that the outsourcing of data security services to an external processor is not a sufficient technical and organisational measure; and misapplication of Article 28 (1) and Article 5 (2) of the GDPR, by assuming that these provisions imply an obligation of continuous supervision by the controller of the way in which the data are processed by the processor. Panek SA also challenged the way in which the President of the Personal Data Protection Office calculated the fine.

In its judgment of May 2025, the Voivodeship Administrative Court found that the decisions of the President of the Personal Data Protection Office did not infringe the law.

The Voivodeship Administrative Court pointed out that the essence of the case was to examine whether the data controller had provided sufficient technical and organisational measures to verify, in particular, the activities of the processor with regard to the implementation of appropriate data protection security measures. According to the Court, that was not the case.

As a basic justification, the Voivodeship Administrative Court referred to the main premise of Regulation 2016/679, which states that risk management is the cornerstone of personal data protection activities. This stems from the fact that monitoring the level of risks and ensuring accountability for the adequacy of safeguards is a necessity, without which it is not possible to speak of safeguarding personal data; nor can such activities be carried out without the creation of permanent documentation that helps to identify risks and classify them in the future. The Voivodeship Administrative Court also pointed out that, irrespective of the relationship between the controller and the processor, it is the controller’s duty to carry out a sound risk analysis.

In its judgment, the Voivodeship Administrative Court also stated that the supervisory authority imposed the fine on the basis of Article 58 (2)(i) and Article 83 (4)(a) of the GDPR and did not exceed the maximum amounts laid down by law. The Court added that, when calculating the amount, the supervisory authority also applied the guidelines of the European Data Protection Board, which confirms that the penalty imposed cannot be regarded as arbitrary.

Judgment of the Voivodeship Administrative Court ref. II SA/Wa 45/25

Decision in Polish: DKN.5130.2415.2020