Fines imposed on the Lumus Foundation for infringement of personal data processing regulations
The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed administrative fines on the Lumus Foundation after finding a number of infringements of personal data protection regulations. The President of the Personal Data Protection Office also stated that the nature of the violations indicates a broader, systemic problem faced by non-governmental organisations in complying with regulations on the protection of personal data of natural persons.
In the present case, the President of the Personal Data Protection Office initiated administrative proceedings ex officio, after the supervisory authority had received signals indicating irregularities committed by the controller in the processing of personal data. Information on this matter was received by the President of the Personal Data Protection Office from local government administrations, which had received documents from the controller containing non-anonymised personal data of beneficiaries of free legal aid and personal data of the Foundation’s contractors. The documents were attached to applications for inclusion in the list of non-governmental organisations authorised to operate free legal aid and counselling centres. In the course of the proceedings in question, the President of the Personal Data Protection Office found that the transfer of such a wide range of personal data was not required by the provisions of the Free Legal Aid Act and was excessive.
The President of the Personal Data Protection Office found that, as a result of the controller’s conduct, there had been a breach of the provisions on the protection of personal data consisting of the unauthorised disclosure of the personal data of 29 natural persons, including 25 beneficiaries of legal aid and four contractors of the Foundation. The material scope of the disclosed data included names, personal identification numbers (PESEL), home addresses, telephone numbers, as well as information on the life, legal and health situation of the beneficiaries. The supervisory authority emphasised that the nature of the personal data breach, in particular the special categories of data involved and the context in which they were processed, resulted in a risk to the rights and freedoms of the natural persons concerned.
In the case at hand, the President of the Personal Data Protection Office found that the controller had failed to comply with its core obligations after establishing a personal data breach. First, it did not notify the supervisory authority within 72 hours of its finding (obligation under Article 33(1) GDPR). Second, it failed to inform the data subjects without undue delay (obligation under Article 34(1) GDPR). The controller explained that, in its view, a risk to the rights and freedoms of natural persons was unlikely, since the data had reached public institutions in the form of a paper document, which, in the controller’s view, indicated that there was no risk of further unauthorised sharing. The President of the Personal Data Protection Office disagreed with that line of argument, pointing out that the mere disclosure of data to unauthorised entities, in particular of special categories of data, creates a risk which obliges the controller to take the specific response indicated in the provisions of the GDPR.
The supervisory authority thoroughly analysed the Foundation’s position on the standards for assessing the impact of the breach. In the view of the President of the Personal Data Protection Office, account should be taken of the guidelines of the European Data Protection Board and the case-law of the administrative courts, from which it follows that the non-occurrence of potential damage does not release the controller from its notification obligations. In the opinion of the President of the Personal Data Protection Office, the Foundation carried out a subjective risk assessment and focused on its own organisational perspective, rather than on an objective analysis of the effects of a potential data breach on the data subjects.
It was only as a result of the statements addressed to it by the President of the Personal Data Protection Office that the Foundation informed the data subjects of the breach found, first informing the Foundation’s contractors and then the beneficiaries of legal aid. The President of the Personal Data Protection Office concluded that the action taken by the controller was late and insufficient in the context of the obligation to communicate the breach to the data subject without undue delay.
Another aspect of the case at hand was the question of the position of the data protection officer within the Foundation’s organisational structures. The President of the Personal Data Protection Office found that the position of data protection officer was held by a member of the management board, who subsequently became the chairman of the management board, which was considered by the supervisory authority to be contrary to Article 38(6) GDPR, as the DPO may perform other tasks and duties only if the controller or processor ensures that such tasks and duties do not give rise to a conflict of interest.
In the course of the proceedings, the Foundation submitted to the President of the Personal Data Protection Office its own conflict-of-interest analysis, in which it stated that, in its view, combining the functions of President and data protection officer is permissible due to the specific nature of its project activity and the fact that the purposes and means of data processing are largely imposed on the controller by the grant-awarding institutions. The President of the Personal Data Protection Office disagreed with that argument, considering it to be incorrect and based on a misinterpretation of the provisions. The supervisory authority pointed out that the data protection officer must maintain organisational independence and that the person in charge of the organisation cannot, inter alia, supervise himself or herself as regards the lawfulness of the processing of personal data. Indeed, the legislator’s intention was to ensure that the DPO performs the role of guarantor in an independent manner in order to properly and effectively ensure the compliance of data processing.
The supervisory authority also criticised the fact that the conflict-of-interest analysis was approved by the person directly concerned, which, in the view of the President of the Personal Data Protection Office, was itself an example of a lack of independence and confirmed the existence of a conflict of interest. Moreover, according to the supervisory authority, the Foundation infringed Article 37(7) GDPR, read in conjunction with the Act on the Protection of Personal Data of 10 May 2018, because the data protection officer’s contact details were not published and the Polish SA was not notified of his or her appointment within the statutory 14-day time limit. These notifications were not validly submitted until August 2025, after the President of the Personal Data Protection Office had intervened in the matter.
In the course of the administrative proceedings, the Foundation made organisational changes by dismissing the data protection officer who was improperly positioned within the Foundation’s structure and appointing an external person to that post. The supervisory authority took those actions into account as a relevant circumstance, but did not consider them sufficient to refrain from imposing administrative fines, pointing out that they were reactive and were taken only in the course of proceedings already under way.
In the present case, the President of the Personal Data Protection Office imposed administrative fines totalling PLN 22 920 on the Lumus Foundation for infringement of Article 33(1) GDPR, Article 37(7) GDPR and Article 38(6) GDPR. In addition, the President of the Personal Data Protection Office issued a reprimand to the Foundation for infringement of Article 34(1) GDPR. The level of the fines was justified by stating that their total amount represents a small percentage of the Foundation’s annual turnover and clearly deviates from the maximum fines provided for in the GDPR, while at the same time fulfilling a punitive and dissuasive function.
According to the supervisory authority, the decision issued in the present case is of significant social importance, since the President of the Personal Data Protection Office emphasises in that decision that non-governmental organisations performing public tasks – especially in sensitive areas – are subject to the same level of protection of personal data as other entities subject to the GDPR. The public service tasks and the public funding of an entity do not exempt it from the obligation to comply with the rules on the protection of personal data.
This decision also contributes to the discussion on combining the role of DPO with management functions in organisations. The President of the Personal Data Protection Office recalls that, even in entities structured as a foundation, the principle of the independence of the DPO cannot be relativised or downplayed.
In the view of the President of the Personal Data Protection Office, the decision in this case refers to many systemic aspects concerning the functioning of NGOs and the responsibility for the protection of personal data and the right to privacy.
Decision in Polish: DKN.5131.15.2025