SO Warszawa - III C 904/23
Polish court orders Financial Ombudsman to pay €9,300 for data leak to 28,366 entities.
Summary
A Polish court has ordered the Financial Ombudsman to pay €9,300 in damages for a data leak that exposed a customer's personal information to 28,366 unauthorized entities. The incident occurred when the Ombudsman, acting as a data controller, sent a letter containing the customer's name, address, and case reference number to numerous public institutions via a government platform. The court found the Ombudsman liable under Article 82 of the GDPR, stating they failed to implement adequate security measures as an administrator of the platform and that the data subject suffered non-material damages due to the extensive disclosure.
Full text
Latest revision as of 17:28, 30 June 2026
SO Warszawa - III C 904/23
Court: SO Warszawa (Poland)
Jurisdiction: Poland
Relevant Law: Article 82 GDPR
Decided: 16.02.2026
Published: 19.06.2026
National Case Number/Name: III C 904/23
Appeal to: Unknown
Original Language(s): Polish
Original Source: Portal Orzeczeń Sądów Powszechnych (in Polish)
Initial Contributor: av
A court ordered the Financial Ombudsman to pay PLN 40,000 (€9,300) in non-material damages for sending a letter containing the personal data of a customer to 28,366 unauthorised entities on a government platform.
English Summary
Facts
The Financial Ombudsman’s office (the controller) sent a letter containing the name, the address, and the case reference number of a customer (the data subject) to 28,366 public institutions and entities registered on an official government platform in February 2021. The data subject demanded compensation for the unauthorised disclosure of his personal data from the controller in November 2021. The controller refused to accept liability for the incident.
The supervisory authority issued the controller a reprimand in September 2022 for disclosure of personal data in violation of Article 6(1) GDPR. The data subject brought a lawsuit for damages under Article 82 GDPR before the Regional Court in Warsaw in August 2023. The data subject stated that they had experienced severe stress and lost the sense of security and control over their data as a result of the unauthorised disclosure of the letter. The controller argued it was not at fault for the incident as it was caused by a temporary IT system failure that the controller could not have foreseen.
Holding
The Regional Court in Warsaw held that the controller was undoubtedly liable for the unauthorised disclosure of the data subject’s personal data pursuant to Article 82 GDPR: the controller was an administrator for the government platform and had not taken adequate measures to secure the data.
Second, the court held that the data subject had suffered non-material damage in connection with the aforementioned incident. It took into account that the data had been disclosed to numerous entities. In addition, the deterioration of the data subject’s mental state was confirmed by a witness.
The court awarded the data subject PLN 40,000 in damages. It considered the data subject’s claim of PLN 50,000 to be excessive in light of established case law.
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
JUSTIFICATION of the judgment of October 23, 2025 (p. 503)
By the lawsuit of August 22, 2023 (p. 244), filed against the Financial Ombudsman, the plaintiff, K. S., requested that the defendant pay him the amount of PLN 50,000, with statutory default interest on this amount from November 30, 2021, to the date of actual payment, and that the defendant pay him the costs of the proceedings, including the costs of legal representation at twice the minimum rates, the stamp duty on the power of attorney, and reimbursement of the costs of the party and the attorney according to the list of costs, if any, with statutory interest from the date the judgment becomes final and binding until the date of payment. In support of the claim, the pla