The President of the Personal Data Protection Office lodged a cassation appeal against the judgment of the Voivodeship Administrative Court concerning the case on the Minister of Health
The President of the Personal Data Protection Office Mirosław Wróblewski lodged a cassation appeal against the judgment of the Voivodeship Administrative Court in Warsaw of 2 March 2026, which annulled the decision of the supervisory authority on the infringement of the personal data protection provisions by the Minister for Health.
The case concerns the disclosure of personal data of a doctor by Minister of Health Adam Niedzielski, who published information containing health data (special category of data within the meaning of the GDPR) on the X portal in August 2023. The doctor's personal data was obtained from the Medical Information System. In December 2023, the President of the Personal Data Protection imposed an administrative fine of PLN 100 000 on the Minister of Health. In September 2025, the criminal court finally found Adam Niedzielski guilty of exceeding his rights and violating the provisions on the personal data protection.
We informed about the decision of the President of the Personal Data Protection Office on the website in a statement:
https://www.uodo.gov.pl/pl/138/2941
On 2 March 2026, a hearing was held before the Voivodeship Administrative Court in Warsaw in the above case. In the statement of reason for the judgment, the Voivodeship Administrative Court referred to the binding nature of the final judgment in the criminal case of 2025: it appeared that Adam Niedzielski, acting as a public official – the Minister of Health – exceeded his powers by disclosing information obtained from the Medical Information System containing personal data of a special category concerning health via mass means of communication to unauthorised persons (thus infringing Article 9(1) GDPR and Article 9(2)). Adam Niedzielski became acquainted with this information in connection with the performance of his official duties (acting as the minister responsible for health). According to the Voivodeship Administrative Court, the 2025 judgment affected the perception of the facts described in the decision of the President of the Personal Data Protection Office of December 2023, and therefore decided to repeal it in order to allow the supervisory authority to examine the case taking into account the findings made by the court when deciding on the criminal case. The Voivodeship Administrative Court took the view that a natural person – Adam Niedzielski – was responsible for the infringement and not an administrative authority such as the Minister for Health.
The President of the Personal Data Protection disagreed with that ruling. In his cassation appeal, he pointed out that the Voivodeship Administrative Court erroneously equated the criminal liability of a natural person with the administrative liability of the data controller. Moreover, he pointed out that these are two separate regimes of legal liability that can operate in parallel.
The President of the Personal Data Protection Office argues that the judgment of the criminal court decides only on the liability of a specific person for a prohibited act, but does not prejudge who is the data controller within the meaning of the GDPR and who is administratively responsible data processing. In accordance with Article 4(7) GDPR, the controller is the entity that decides on the purposes and methods of data processing, in this case the Minister of Health as a public administration body.
The President of the Personal Data Protection Office also pointed out that the decision of December 2023 was not limited to the assessment of the act of publication itself, but covered the entire process of data processing - from obtaining data from the system, through data security issues to how to respond to a personal data breach. In that regard, the responsibility lies with the controller and not with the natural person who committed the infringement.
In the opinion of the supervisory authority, the Voivodeship Administrative Court wrongly presented the dispute as concerning factual findings, while the facts were consistent with the findings of the criminal court. The dispute concerned only the legal classification, i.e. who bears administrative responsibility for the violation of the regulations.
The President of the Personal Data Protection Office notes that the administrative court’s obligation to be bound by the findings of a criminal judgment, as provided for in Article 11 of the Law on Proceedings before Administrative Courts, applies only to findings concerning the identity of the perpetrator, the circumstances of the act, and its criminal classification. It does not, however, apply to the assessment of administrative liability or the determination of the status of a data controller.
In this context, the supervisory authority stresses that the adoption of the Voivodeship Administrative Court’s position would lead to systemic consequences. It would mean that, where a person acting within a public authority exceeds his powers, responsibility for the infringement of the rules on the protection of personal data would lie not with the authority as controller, but only with that natural person. The activities of the body’s custodial staff outside the scope of its powers or mandates could not be regarded, in the context of administrative liability for the activities of that body. This is contrary to the existing judicial case-law on the scope of responsibility of the data controller.
According to the President of the Personal Data Protection Office, such an interpretation would undermine the system of personal data protection. It would lead public authorities to avoid liability for illegal data processing by relying on the actions of their representatives outside their area of competence.
The President of the Personal Data Protection Office recalls that the controller’s liability is objective and also covers cases in which infringements are committed by a person acting within its structure. The fact that the act was committed by a specific natural person does not exclude the liability of the entity that carries out the data processing process and decides on its framework.
The President of the Personal Data Protection Office also explains that in the case under consideration, Adam Niedzielski's actions were inextricably linked to his function as Minister of Health. His access to data was due to this function and not to private activity. Thus, the actions of a natural person cannot be separated from those of an authority in the manner described in the decision of the Voivodeship Administrative Court.
The supervisory authority also points out that adopting the position of the Voivodeship Administrative Court would lead to a weakening of the protection of the rights of data subjects: data subjects could have difficulties in asserting their rights vis-à-vis the controller if the responsibility is transferred to the natural persons within the controller. It is also important that the provisions of the GDPR provide also for the controller's liability for the lack of appropriate technical and organisational measures and for incorrect response to data protection breaches. These obligations cannot be attributed to a natural person, as they are systemic in nature and concern the functioning of the entire organisation.
The President of the Personal Data Protection Office also notes that the Voivodeship Administrative Court drafted the reasoning for its judgment in a laconic manner that does not allow one to reconstruct the line of reasoning needed to verify why a criminal court’s finding of personal culpability for an act would automatically preclude the supervisory authority’s decisions regarding administrative and systemic obligations. The Voivodeship Administrative Court did not explain why a finding of criminal liability on the part of a natural person would automatically exclude the controller’s liability under the administrative law regime.
In the opinion of the supervisory authority, the grounds of the judgment infringe Article 141(4) of the Law on Proceedings before Administrative Courts, as they do not contain a full legal analysis or arguments allowing for review by a court. The Court merely found that there had been an error of fact, without going further into the nature of the controller’s liability.
The President of the Personal Data Protection Office requested that the cassation appeal be examined at the hearing, that the contested judgment of the Voivodeship Administrative Court be set aside in its entirety, and that the Minister of Health’s appeal against the supervisory authority’s decision of 20 December 2023, be heard by the Supreme Administrative Court by dismissing it in its entirety or by setting aside the contested judgment of the Voivodeship Administrative Court in its entirety and referring the case back for re-examination.
File reference: II SA/Wa 285/24