17.11.2025

Failure to notify a personal data breach without undue delay – administrative fine for the bailiff

Once again, the President of the Personal Data Protection Office explains what it means for a personal data breach to be unlikely to result in a risk to the rights and freedoms of natural persons. A personal data breach may have negative consequences for the data subject even if everything appears to indicate that the data subject will not be prejudiced.

The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed an administrative fine of almost PLN 21 000 on the bailiff: PLN 7 700 for failing to notify a personal data breach to the President of the Personal Data Protection Office without undue delay, and PLN 13 200 for failing to communicate it to the data subject. He also ordered the immediate communication of the personal data breach to the data subject.

This case concerns a bailiff who, by mistake, sent a letter of attachment of earnings to the wrong person. That letter included, inter alia, the name, Personal Identification Number (PESEL) and address of the data subject and the amount of the bailiff’s attachment of earnings.

The President of the Personal Data Protection Office learned of this breach from the person who was the unauthorised recipient of the correspondence. That person had also informed the bailiff, indicating a fear that his own data could likewise have been made available to the wrong addressee – if someone had mistakenly swapped the envelopes.

The bailiff did not notify the incident either to the President of the Personal Data Protection Office or to the data subject.

Lack of analysis of the risk of data breach

The President of the Personal Data Protection Office found that there had indeed been a mistake in the bailiff’s office. However, the controller considered that it was ‘unlikely’ that the incident could result in a breach of the rights and freedoms of the data subject. The proceedings of the President of the Personal Data Protection Office revealed that the bailiff had no basis for such an assessment of the situation, since the bailiff had not carried out any analysis of the risk of breach of the rights and freedoms of the person concerned. 

It was only in the correspondence with the President of the Personal Data Protection Office that the controller explained why the bailiff had not notified the breach to the supervisory authority and had not informed the data subject (thereby failing to fulfil its obligations under Articles 33 and 34 of the GDPR): since the error was an isolated case among thousands of letters sent, and since the erroneous recipient of the delivery had taken the protection of personal data seriously, the controller considered it unlikely that the event would result in a risk to the rights and freedoms of the data subject.

In his decision of 23 October 2025, the President of the Personal Data Protection Office indicated that such explanations were not sufficient. The procedure for notifying the supervisory authority and the data subject is essential for the protection of personal data. The risk analysis should therefore have been carried out before the decision not to notify the supervisory authority was taken.

In order to conclude that the risk is unlikely, it was necessary to demonstrate that the effect of the breach would not materialise at all – in other words, that there is ‘no risk’. (The Polish version of the GDPR uses the term ‘low probability’, whereas the English version uses the term ‘unlikely’. The English word has a stronger meaning than its Polish counterpart and describes something that is improbable, doubtful or almost impossible.)

Correct assessment of likelihood

When assessing the risk to the rights and freedoms of natural persons, the likelihood factor and the severity of the potential adverse effects should be taken into account together. A high level of either factor influences the overall assessment. The scope of the breach included, inter alia, the data subject’s Personal Identification Number (PESEL). Therefore, in this case, there was a possibility of serious negative consequences for the data subject:

According to the latest infoDOK report, in the fourth quarter of 2024 alone there were 2 661 attempts to fraudulently obtain loans, totalling PLN 80 000 000. In 2024 as a whole there were 12 331 attempted loan scams totalling PLN 324 200 000, and in 2023 as a whole there were 12 409 attempted loan scams.

Judgments in cases of loan fraud are not uncommon and have been issued by Polish courts in similar cases for a long time.

In the case of a delivery to the wrong person, a properly conducted risk analysis would reveal a high risk to the rights and freedoms of data subjects. This means that both the President of the Personal Data Protection Office and the data subject should have been notified of the incident.

The President of the Personal Data Protection Office recalls that Guidelines 9/2022 of the European Data Protection Board (EDPB) on personal data breach notification under the GDPR – in particular Chapter II on Article 33 of the GDPR – are helpful in assessing a given situation. It follows from those guidelines that ‘notification to the competent authority is mandatory unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons’. This means that the condition of ‘low probability’ in the Polish version of the GDPR should be equated with the absence of any real prospect that the potential impact on data subjects will materialise.

Importance of breach notification and communication to data subject

The notification of personal data breaches by controllers is an effective tool for genuinely improving the security of the processing of personal data. The President of the Personal Data Protection Office verifies whether the controller has correctly assessed the breach and may, if the controller has not informed the data subjects, order that the breach be communicated to them.

When data subjects are informed, they receive information about the risks and about what they can do to protect themselves from the potential negative effects of the breach. They can assess the situation themselves and decide which steps to take.

The assessment of the risk to the rights and freedoms of the individual should be made by taking into account the affected person (the person whose data security has been compromised), not the interests of the controller. This is particularly important because, if there is a risk to the rights and freedoms of an individual, he or she may, on the basis of the information contained in the personal data breach communication, take action himself or herself to obtain additional protection (remedies), for example as indicated by the controller. Keep in mind that not everyone knows how to ensure the security of their data, i.e. what they can do on their own to increase it. Reliable information from the controller in this regard is therefore important.

Decision in Polish: https://orzeczenia.uodo.gov.pl/document/urn:ndoc:gov:pl:uodo:2024:dkn_5131_17/content