Policy, Jun 30, 2026

SO Warszawa - III C 904/23

Polish court orders Financial Ombudsman to pay PLN 40,000 for data breach.

Summary

The Regional Court in Warsaw has ordered Poland's Financial Ombudsman to pay PLN 40,000 (approximately $10,000 USD) in non-material damages to a customer. The Ombudsman disclosed the customer's personal data to 28,366 unauthorized entities through a government platform due to an IT system failure. The court found the Ombudsman liable under Article 82 of the GDPR for failing to implement adequate security measures, leading to the data subject's non-material damages, including stress and loss of control over their data.

Full text

SO Warszawa - III C 904/23 (GDPRhub)

Court: SO Warszawa (Poland)
Jurisdiction: Poland
Relevant Law: Article 82 GDPR
Decided: 16.02.2026
Published: 19.06.2026
Parties:
National Case Number/Name: III C 904/23
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): Polish
Original Source: Portal Orzeczeń Sądów Powszechnych (in Polish)
Initial Contributor: av

A court ordered the Financial Ombudsman to pay PLN 40,000 in non-material damages for sending a letter containing the personal data of a customer to 28,366 unauthorised entities on a government platform.

English Summary

Facts

The Financial Ombudsman's office (the controller) sent a letter containing the personal data of a customer (the data subject) to 28,366 public institutions and entities registered on an official government platform in February 2021. In November 2021 the data subject demanded compensation from the controller for the unauthorised disclosure of his personal data. The controller refused to accept liability for the incident. In September 2022 the supervisory authority issued the controller a reprimand for disclosing personal data in violation of Article 6(1) GDPR. In August 2023 the data subject brought a lawsuit for damages under Article 82 GDPR before the Regional Court in Warsaw. The data subject stated that he had experienced severe stress and had lost his sense of security and control over his data as a result of the unauthorised disclosure of the letter.

The controller argued that it was not at fault for the incident, because it was caused by a temporary IT system failure that the controller could not have foreseen.

Holding

The Regional Court in Warsaw held, first, that the controller was undoubtedly liable for the unauthorised disclosure of the data subject's personal data pursuant to Article 82 GDPR: the controller was an administrator for the government platform and had not taken adequate measures to secure the data. Second, the court held that the data subject had suffered non-material damage in connection with the incident. It took into account that the data had been disclosed to numerous entities, and that the deterioration of the data subject's mental state had been confirmed by a witness. The court awarded the data subject PLN 40,000 in damages; it considered the data subject's claim of PLN 50,000 excessive in light of established case law.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

JUSTIFICATION of the judgment of October 23, 2025 (p. 503)

By the lawsuit of August 22, 2023 (p. 244), filed against the Financial Ombudsman, the plaintiff, K. S., requested that the defendant pay him the amount of PLN 50,000, with statutory default interest on this amount from November 30, 2021, to the date of actual payment, and that the defendant pay him the costs of the proceedings, including the costs of legal representation at twice the minimum rates, the stamp duty on the power of attorney, and reimbursement of the costs of the party and the attorney according to the list of costs, if any, with statutory interest from the date the judgment becomes final and binding until the date of payment.
In support of the claim, the plaintiff argued that the defendant violated the confidentiality of his personal data by disclosing it to public entities: a cover letter addressed to the plaintiff was sent to institutions whose addresses were listed in the ePUAP database, with an attachment in the form of a letter dated February 4, 2021, addressed to the President of the Management Board of (...) S.A. The plaintiff stated that, due to the aforementioned incident, he experienced severe stress, received numerous pieces of correspondence from entities that had received his data, and lost his sense of security and control over his own data. He alleged that unauthorized persons had learned that he was in dispute with an insurer and had an insurance policy. The plaintiff primarily cited the following legal bases for his claims:

- Article 24 § 1 of the Civil Code in conjunction with Article 448 of the Civil Code, due to the infringement of the plaintiff's personal rights, i.e., the right to privacy and the right to confidentiality of correspondence, by disclosing his personal data, i.e., name, address, and policy name, along with the reference number of the case conducted with the Financial Ombudsman, to an unlimited number of entities, which numbered at least 28,402 unauthorized persons;
- Article 5(1)(f) of the GDPR, regarding the defendant's violation of the principle of integrity and confidentiality in terms of accidental data loss;
- Article 82 of the GDPR, under which the plaintiff may seek compensation for the damage suffered;
- Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, under which the plaintiff has the inviolable right to the protection of his personal rights, in this case personal data, primarily in the context of their fair processing.

(lawsuit, pp. 3-23)

In its response to the lawsuit dated February 15, 2024 (p. 444), the defendant requested the dismissal of the claim in its entirety and an award of legal costs, including attorney fees, against the plaintiff, in accordance with applicable standards. As a precautionary measure, should the Court find the claim justified, the defendant argued that the amount claimed by the plaintiff was excessive and that awarding it would lead to the plaintiff's unjust enrichment vis-à-vis the defendant; the defendant therefore requested a reduction.

In its response to the lawsuit, the defendant stated that it was not responsible for the personal data incident, explaining that it used IT systems dedicated to administrative bodies, and that the dispatch of the letter referred to above was due to a temporary system failure – a system error and suspension. The defendant argued that it exercised the utmost care in selecting IT systems specifically dedicated to administrative services and could not have foreseen their temporary malfunction, and that it attempted to immediately prevent the consequences of the incident. It argued that the defendant's employee operating the system at the time of the incident had previously been trained in all procedures related to the operation of the EZD and ePUAP systems. The defendant also indicated that it had taken steps to avoid a similar incident in the future by contacting the operators of the EZD system (which is used by the Financial Ombudsman) and of ePUAP with proposals for modifying the IT systems and implementing procedures at the Office of the Financial Ombudsman to protect customer personal data. According to the defendant, the lack of fault excludes its liability under both Article 82 of the GDPR and Article 448 of the Civil Code. In the defendant's opinion, the plaintiff has failed to demonstrate any damage (injury) allegedly suffered in connection with the aforementioned incident.

The defendant argued that the circle of recipients to whom the plaintiff's data was transferred was closed and that, despite the fact that the plaintiff's data was shared with 28,402 entities, these were public entities or entities entrusted with public tasks, and that the risk of material damage to the plaintiff resulting from unauthorized use of the shared data was negligible. The defendant argued that any use of

Entities

Financial Ombudsman (vendor)