24.10.2025

When Must Individuals Be Informed of a Data Breach? An Important Judgment

The Supreme Administrative Court upheld the objections raised by the President of the Personal Data Protection Office to the judgment of the Voivodeship Administrative Court in Warsaw concerning a fine of PLN 159,176 imposed by the President of the Personal Data Protection Office on the Sopot-based insurance company Ergo Hestia SA. The fine was issued for failing to report a personal data breach and for not communicating the breach to the affected individual. The case will therefore be reconsidered by the Voivodeship Administrative Court. The breach consisted of sending an email with an unencrypted attachment containing an insurance offer to the wrong recipient. The attachment included personal data (such as name, surname, and PESEL number (personal identification number)) as well as financial information.

The Voivodeship Administrative Court, following the insurer’s appeal, overturned the decision of the President of the Personal Data Protection Office. However, the Supreme Administrative Court ordered the case to be reheard and indicated the principles to be applied.

The Voivodeship Administrative Court had previously found that the breach concerned only one individual and that the personal data had been disclosed to only one person. Nevertheless, the nature and type of the disclosed data made it possible to identify the specific individual. Therefore, in the Court’s view, the matter required notification to the President of the Personal Data Protection Office (Article 33(1) GDPR).

The Court also stated that the Personal Data Protection Office had not sufficiently explained in its reasoning why it considered that the company had breached Article 34(1) GDPR (i.e. why the breach could have posed a high risk to the rights or freedoms of natural persons). According to the Court, the President of the Personal Data Protection Office had not convincingly demonstrated that events could occur in practice which might lead to significant negative consequences for the affected individuals. The President of the Personal Data Protection Office had pointed out that legally binding obligations can be incurred solely on the basis of data comprising name, PESEL number, town, and postal code, and that such data could allow access to systems providing medical services and to the health records of the affected person.

The President of the Personal Data Protection Office filed a cassation appeal against this judgment, alleging that the Voivodeship Administrative Court had misinterpreted Article 34 GDPR by failing to take into account that, when assessing risk, the severity of the potential impact on individuals must also be considered, not only the probability.

The Supreme Administrative Court held that the appeal was justified. In its ruling, the Court stated:

“The finding that the probability of a breach of the rights or freedoms of a natural person is not low, combined with the high significance of the potential impact of the breach on those rights or freedoms, determines the possibility of a high risk of such a breach. This imposes on the controller the obligation to communicate the breach to the individual concerned.”

According to the Supreme Administrative Court, the real issue in dispute was whether the breach of data confidentiality, which undoubtedly occurred, created a high risk of violating the rights or freedoms of natural persons. The Court also disagreed with the lower court’s view that the Personal Data Protection Office had not sufficiently justified its decision, allegedly breaching Article 107 § 3 of the Code of Administrative Procedure.

The Supreme Administrative Court further clarified how the communication obligation under GDPR (Article 34(1) in conjunction with Article 33(1)) should be interpreted:

  • Even if a personal data breach occurs, the controller is not required to notify if the breach is unlikely to result in a risk to the rights or freedoms of natural persons. Rights and freedoms should be understood in the same sense as in Article 6(1)(f) GDPR. Consequently, the notification obligation is not absolute.
  • The controller must assess whether there is a risk of infringement of rights or freedoms. This assessment should be based on objective criteria (such as past experience with similar cases, knowledge of information security) and on the circumstances of the specific breach.
  • To avoid notification to the Personal Data Protection Office, there must be a low probability not merely of the breach itself, but of the risk of such a breach. This creates a broader obligation than if the assessment concerned only the likelihood of an actual infringement.
  • It is not necessary for the high risk to materialise or for rights or freedoms to be actually infringed. The mere emergence of a high risk is sufficient.

When assessing whether risks exist, the controller should consider all possible harms or detriments that may result for individuals, such as loss of control over personal data, reputational damage, the possibility of contracts being concluded by another person using someone else’s data, financial losses, or negative social consequences arising from the disclosure of certain personal data. The existence of risk does not require actual harm or detriment to occur.

In the Supreme Administrative Court’s view, there can be no doubt that the incident in this case could cause a high risk of infringement of the rights or freedoms of a natural person, simply because it involved personal data in the form of a PESEL number combined with name and surname and other personal details. Even disregarding other data, the risk of infringement – contrary to the Voivodeship Administrative Court’s findings – is high. Disclosure of a PESEL number is known to carry various risks that may have serious consequences for its holder. One of the most serious threats associated with revealing a PESEL number is identity theft. In combination with other personal data, such as name, surname, ID card number, or address (not necessarily all of these in every case), it may be used to obtain credit or loans fraudulently, conclude contracts for telecommunications services, claim social benefits unlawfully, or impersonate an individual in everyday matters.
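As an added illustration of the two-step test the court describes in the bullet points above and of the harms listed afterwards, the following Python sketch triages a few constructed incidents. It is not code from the page, the court, or the Personal Data Protection Office. It scores the probability of a risk and the severity of the potential impact separately, applies the Article 33(1) threshold (no notification only where the breach is unlikely to result in a risk) and the Article 34(1) threshold as the court formulated it (probability not low, combined with a high potential impact), and records the harms a controller should consider. The data-category weights, the recipient classes, the encryption rule, and the three sample incidents are all assumptions made for this example; severity deliberately ignores the number of affected people, since the court held that a single affected individual did not lower the risk.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Incident:
    incident_id: str
    data_categories: frozenset   # e.g. {"name", "national_id"}
    encrypted: bool              # was the leaked artefact encrypted?
    key_compromised: bool        # if encrypted: was the key exposed as well?
    recipient: str               # "internal" | "trusted_third_party" | "unknown_external"
    subjects_affected: int


# Assumed category weights. A national ID number (PESEL in the case above)
# together with identifying details is high-impact: it enables identity theft,
# fraudulent credit and contracts concluded in the victim's name.
HIGH_IMPACT = frozenset({"national_id", "health", "financial"})
IDENTIFYING = frozenset({"name", "address", "id_card_number", "email"})

# Harms to consider per category (assumed mapping, drawn from the harms the
# judgment lists: loss of control, financial loss, fraud, social consequences).
HARMS = {
    "national_id": ["identity theft", "fraudulent credit or loans",
                    "contracts concluded in the subject's name"],
    "financial": ["financial loss"],
    "health": ["negative social consequences from disclosure"],
    "name": ["loss of control over personal data"],
    "address": ["loss of control over personal data"],
}


def impact_severity(inc: Incident) -> Level:
    """Severity of the potential impact; independent of subjects_affected."""
    if inc.data_categories & HIGH_IMPACT:
        return Level.HIGH
    if inc.data_categories & IDENTIFYING:
        return Level.MEDIUM
    return Level.LOW


def risk_probability(inc: Incident) -> Level:
    """Probability that the breach results in a risk to rights or freedoms."""
    if inc.encrypted and not inc.key_compromised:
        return Level.LOW          # assumed: unintelligible to the recipient
    if inc.recipient == "internal":
        return Level.LOW          # assumed: recall inside the organisation is realistic
    if inc.recipient == "trusted_third_party":
        return Level.MEDIUM
    return Level.HIGH             # plaintext to an unknown outsider


def possible_harms(inc: Incident) -> list:
    harms = []
    for cat in sorted(inc.data_categories):
        for h in HARMS.get(cat, []):
            if h not in harms:
                harms.append(h)
    return harms


def assess(inc: Incident) -> dict:
    prob = risk_probability(inc)
    sev = impact_severity(inc)
    # Art. 33(1): notify the supervisory authority unless the breach is
    # unlikely to result in a risk at all.
    notify_dpa = prob != Level.LOW
    # Art. 34(1) as the court framed it: probability not low, combined with a
    # high potential impact, means a high risk, so the individuals are told.
    communicate_subjects = notify_dpa and sev == Level.HIGH
    return {
        "incident_id": inc.incident_id,
        "probability": prob.name,
        "severity": sev.name,
        "notify_dpa": notify_dpa,
        "communicate_subjects": communicate_subjects,
        "harms_considered": possible_harms(inc),
    }


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    # Pattern of the judgment: plaintext offer with ID number sent to a stranger.
    Incident("INC-001", frozenset({"name", "national_id", "address", "financial"}),
             encrypted=False, key_compromised=False,
             recipient="unknown_external", subjects_affected=1),
    # Same attachment, but encrypted and the key never left the company.
    Incident("INC-002", frozenset({"name", "national_id", "address", "financial"}),
             encrypted=True, key_compromised=False,
             recipient="unknown_external", subjects_affected=1),
    # Plaintext contact list mistakenly shared with a contracted partner.
    Incident("INC-003", frozenset({"name", "email"}),
             encrypted=False, key_compromised=False,
             recipient="trusted_third_party", subjects_affected=4200),
]


def triage(incidents=SAMPLE_INCIDENTS) -> list:
    return [assess(i) for i in incidents]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

The point of separating `risk_probability` from `impact_severity` is the one the cassation appeal turned on: a low headcount or a single recipient can lower the probability, but it never lowers the severity of what a leaked national ID number allows, so INC-001 triggers both obligations while the otherwise identical but encrypted INC-002 triggers neither.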