[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPi_MNyfoW9HKOnTz7ys0QtLwBnx80FUgAP_j4yUB0RQ":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"3149105f-48f2-454d-97be-aa260607acbc","SO Warszawa - III C 904\u002F23","so-warszawa-iii-c-904-23-f41578","{{COURTdecisionBOX |Jurisdiction=Poland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=SO Warszawa |Court_Original_Name=Sąd Okręgowy w Warszawie |Court_English_Name=Regional Court in Warsaw |Court_With_Country=SO Warszawa (Poland) |Case_Number_Name=III C 904\u002F23 |ECLI= |Original_Source_Name_1=Portal Orzeczeń Sądów Powszechnych |Original_Source_Link_1=https:\u002F\u002Forzeczenia.ms.gov.pl\u002Fcontent\u002Frodo\u002F154505000000903_III_C_000904_2023_Uz_2026-02-16_001 |Original_Source_Language_1=Polish |Original_Source_Language__Code_1=PL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Date_Decided=16.02.2026 |Date_Published=19.06.2026 |Year=2026 |GDPR_Article_1=Article 82 GDPR |GDPR_Article_Link_1=Article 82 GDPR |GDPR_Article_2= |GDPR_Article_Link_2= |GDPR_Article_3= |GDPR_Article_Link_3= |EU_Law_Name_1= |EU_Law_Link_1= |EU_Law_Name_2= |EU_Law_Link_2= |National_Law_Name_1= |National_Law_Link_1= 
|National_Law_Name_2= |National_Law_Link_2= |Party_Name_1= |Party_Link_1= |Party_Name_2= |Party_Link_2= |Appeal_From_Body= |Appeal_From_Case_Number_Name= |Appeal_From_Status= |Appeal_From_Link= |Appeal_To_Body= |Appeal_To_Case_Number_Name= |Appeal_To_Status=Unknown |Appeal_To_Link= |Initial_Contributor=av | }} A court ordered the Financial Ombudsman to pay PLN 40,000 in non-material damages for sending a letter containing the personal data of a customer to 28,366 unauthorised entities on a government platform. == English Summary == === Facts === The Financial Ombudsman’s office (the controller) sent a letter containing the personal data of a customer (the data subject) to 28,366 public institutions and entities registered on an official government platform in February 2021. The data subject demanded compensation for the unauthorised disclosure of his personal data from the controller in November 2021. The controller refused to accept liability for the incident. The supervisory authority issued the controller a reprimand in September 2022 for disclosure of personal data in violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The data subject brought a lawsuit for damages under [[Article 82 GDPR|Article 82 GDPR]] before the Regional Court in Warsaw in August 2023. The data subject stated that they had experienced severe stress and lost the sense of security and control over their data as a result of the unauthorised disclosure of the letter. The controller argued it was not at fault for the incident as it was caused by a temporary IT system failure that the controller could not have foreseen. === Holding === The Regional Court in Warsaw held that the controller was undoubtedly liable for the unauthorised disclosure of the data subject’s personal data pursuant to [[Article 82 GDPR|Article 82 GDPR]]: the controller was an administrator for the government platform and had not taken adequate measures to secure the data. 
Second, the court held that the data subject had suffered non-material damage in connection with the aforementioned incident. It took into account that the data had been disclosed to numerous entities. In addition, the deterioration of the data subject’s mental state was confirmed by a witness. The court awarded the data subject PLN 40,000 in damages. It considered the data subject’s claim of PLN 50,000 to be excessive in light of established case law. == Comment == ''Share your comments here!'' == Further Resources == ''Share blogs or news articles here!'' == English Machine Translation of the Decision == The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. JUSTIFICATION of the judgment of October 23, 2025 (p. 503) By the lawsuit of August 22, 2023 (p. 244), filed against the Financial Ombudsman, the plaintiff, K. S., requested that the defendant pay him the amount of PLN 50,000, with statutory default interest on this amount from November 30, 2021, to the date of actual payment, and that the defendant pay him the costs of the proceedings, including the costs of legal representation at twice the minimum rates, the stamp duty on the power of attorney, and reimbursement of the costs of the party and the attorney according to the list of costs, if any, with statutory interest from the date the judgment becomes final and binding until the date of payment. In support of the claim, the plaintiff argued that the defendant violated the confidentiality of his personal data by disclosing it to public entities by sending a cover letter addressed to the plaintiff to institutions whose addresses were listed in the ePUAP database, containing an attachment in the form of a letter dated February 4, 2021, addressed to the President of the Management Board of (...) S.A. 
The plaintiff stated that, due to the aforementioned incident, he experienced severe stress, received numerous items of correspondence from entities that received his data, and lost his sense of security and control over his own data. He alleged that unauthorized persons had learned that he was in dispute with an insurer and had an insurance policy. The plaintiff primarily cited the following legal bases for his claims: - Article 24 § 1 of the Civil Code in conjunction with Article 448 of the Civil Code, due to the infringement of the plaintiff's personal rights, i.e., the right to privacy and the right to confidentiality of correspondence, by disclosing his personal data, i.e., name, address, and policy name, along with the reference number of the case conducted with the Financial Ombudsman, to an unlimited number of entities, which numbered at least 28,402 unauthorized persons, - Article 5(1)(f) of the GDPR regarding the defendant's violation of the principle of integrity and confidentiality in terms of accidental data loss, - Article 82 of the GDPR, under which the plaintiff may seek compensation for the damage suffered, - Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, under which the plaintiff has the inviolable right to the protection of his personal rights, in this case, personal data, primarily in the context of their fair processing. (lawsuit, pp. 3-23) In response to the lawsuit dated February 15, 2024 (p. 444), the defendant requested the dismissal of the claim in its entirety and an award of legal costs, including attorney fees, against the plaintiff, in accordance with applicable standards. As a precautionary measure, if the Court were to find the claim justified, the defendant argued that the amount claimed by the plaintiff was excessive and that awarding it would lead to the plaintiff's unjust enrichment vis-à-vis the defendant. Therefore, the defendant requests a reduction. 
In its response to the lawsuit, the defendant stated that it was not responsible for the personal data incident, explaining that it used IT systems dedicated to administrative bodies, and that the dispatch of the letter referred to above was due to a temporary system failure – a system error and suspension. The defendant argued that it exercised the utmost care in selecting IT systems specifically dedicated to administrative services and could not have foreseen their temporary malfunction, and that it attempted to immediately prevent the consequences of the incident. It argued that the defendant's employee operating the system at the time of the incident had previously been trained in all procedures related to the operation of the EZD and ePUAP systems. The defendant also indicated that it had taken steps to avoid a similar incident in the future by contacting the operators of the EZD system (which is used by the Financial Ombudsman) and ePUAP with proposals for modifying the IT systems and implementing procedures at the Office of the Financial Ombudsman to protect customer personal data. According to the defendant, the lack of fault excludes its liability under both Article 82 of the GDPR and Article 448 of the Civil Code. In the defendant's opinion, the plaintiff has failed to demonstrate any damage (injury) it allegedly suffered in connection with the aforementioned incident. The defendant argued that the circle of recipients to whom the plaintiff's data was transferred was closed and that, despite the fact that the plaintiff's data was shared with 28,402 entities, these were public entities or entities entrusted with public tasks, and that the risk of material damage to the plaintiff resulting from unauthorized use of the shared data was negligible. The defendant argued that any use of the plaintiff's shared data was equally negligible. 
It also pointed out that the plaintiff's personal data, such as his name and mailing address, which were shared by the defendant, are publicly available on the website where the plaintiff maintains his blog. (Response to the lawsuit, pp. 259-270) During the proceedings, the parties maintained their positions. The court established the following facts: On February 11, 2021, a breach of confidentiality of K. S.'s personal data occurred at the Office of the Financial Ombudsman. The letter was addressed to the President of the Management Board of (...) S.A. In the case of (...), containing the plaintiff's personal data, was sent to institutions and public entities registered in the ePUAP system. The letter was sent to 28,366 institutions (as of February 11, 2021). The letter contained the following information about the plaintiff: first and last name, mailing address, policy number and name, reference number of the case conducted with the Financial Ombudsman, and names of financial market entities. The letter did not include the plaintiff's phone number or email address. The Financial Ombudsman requested that the institutions and entities that obtained correspondence containing the plaintiff's personal data delete or anonymize K. S.'s personal data obtained in connection with the incident and took steps to determine the causes of the data protection breach. He also instructed K. S. to report the incident to the Ombudsman upon learning of the disclosure or use of his data by an unauthorized person. In a letter from the Financial Ombudsman dated February 12, 2021, addressed to the plaintiff, it was noted that, due to the erroneous sending of a letter containing his personal data, entities and institutions unauthorized to process it gained access to the aforementioned data. 
The letter indicated that the possible consequences of a breach of the plaintiff's personal data that could potentially occur include: stress related to the breach of the plaintiff's personal data and the lack of control over personal data; receiving unsolicited correspondence; and impersonating the plaintiff in order to obtain additional information about the plaintiff (e.g., financial and personal information). (evidence: letter from the Financial Ombudsman dated February 11, 2021, pp. 27-29, disclosed letter dated February 4, 2021, pp. 31-36, letter from the Financial Ombudsman dated March 17, 2021 with attachments in the form of a list of entities to which the letter was disclosed, pp. 38-133v., official notes, pp. 281, 283, minutes of the meeting of February 11, 2021, pp. 420-421, testimonies of witnesses M. K., p. 498v., J. C., pp. 498v.-499) At the time of the incident, Order No. (...) of the Financial Ombudsman dated May 25, 2018, regarding the introduction of the Data Protection Policy at the Financial Ombudsman's Office and the Instructions and other documents related thereto, was in force at the Financial Ombudsman's Office. Related, Order No. (...) of the Financial Ombudsman of December 31, 2020, on the introduction of Office Instructions, a Uniform Material List of Files, and Instructions on the Organization and Scope of Operations of the Company Archives at the Office of the Financial Ombudsman in Warsaw, and a Set of Procedures for the Electronic Document Management System at the Office of the Financial Ombudsman. (Exhibit: Order No. (...) with attachments, pp. 291-314, Order No. (...) with attachments, pp. 316-366, Set of Procedures for the EZD system, pp. 368-418) On the date of the incident, the plaintiff's name and address, in connection with his business activities, could be found in publicly available databases and on the (...) website, where the plaintiff maintained his blog at the time. 
(Evidence: printouts from publicly available databases, pp. 423-443, plaintiff's cross-examination, pp. 499v.) Due to the incident, the plaintiff began receiving numerous emails from public institutions and entities, as well as instant messaging messages (...) from unknown individuals, informing them that their personal data had been obtained. The correspondence was too large to fit in their mailbox. The plaintiff began to experience discomfort and stress related to the transfer of his personal data and concerns about how this data would be used. To date, the plaintiff has not suffered any material damage as a result of the incident. (evidence: letters from public institutions and entities, pp. 135-218, printouts from the instant messenger (...), pp. 220-225, testimony of witness J. S., pp. 499-499v., questioning of the plaintiff, p. 499v.) By letter dated November 16, 2021, the plaintiff requested the defendant to pay PLN 200,000 in compensation within 14 days of receiving the letter. The letter was delivered to the Financial Ombudsman on November 22, 2021. In response to the aforementioned letter, the Financial Ombudsman denied liability for the incident. (letter dated November 16, 2021, pp. 227-228, printout from the dispatch book, p. 229, printout from tracking (...), 230, letter dated December 6, 2021, pp. 232-233) By decision of September 30, 2022, the President of the Personal Data Protection Office issued a warning to the Financial Ombudsman for violating Article 6, sec. 1 of Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation) (OJ EU L 119, 4.05.2016, p. 1, OJ EU L 127, 23.05.2018, p. 2, and OJ EU L 74, 4.03.2021, p. 35) by disclosing the personal data of Mr. K. S., residing at (...), (...) 
W., contained in the letter of the Financial Ombudsman dated 4 February 2021 regarding (...), via the ePUAP system to third parties without a legal basis. The decision is final and binding. (Decision No. (...), pp. 235-242, letter dated August 21, 2023, p. 243) In connection with the incident of February 11, 2021, the Financial Ombudsman introduced procedures in its Office aimed at protecting clients' personal data. (Undisputed circumstance) The court determined the above factual circumstances based on the documents listed in the above part of the justification, the authenticity of which was not disputed by either party. In determining the factual circumstances, the court relied on the testimony provided by the plaintiff. While the questioning of the parties is only supplementary evidence, in some cases it may prove to be crucial evidence in reconstructing circumstances relevant to the resolution. The court gave credence to the explanations provided by the plaintiff. In particular, the plaintiff's claims that the incident of February 11, 2021, caused him severe stress were credible. The court credited the testimony of witness J. S., an acquaintance of the plaintiff, who described his mental state following the incident of February 11, 2021. The court also credited the testimony of witnesses M. K. and J. C., who were employees of the defendant at the time of the incident. The witnesses described the circumstances surrounding the breach of the plaintiff's personal data and the unsuccessful attempts to repair the breach. Witness J. C. also testified that following the incident of February 11, 2021, the Ombudsman's office implemented new procedures to prevent similar incidents in the future. The court considered the following: The claim was partially upheld. 
In this case, the plaintiff seeks compensation for non-material damage arising from an incident on February 11, 2021, involving the disclosure of his personal data to unauthorized persons by the Financial Ombudsman. This circumstance (i.e., a data breach by the Financial Ombudsman) was not disputed by the parties. The defendant argued that he was not at fault for the aforementioned incident. Pursuant to Article 82(1) of Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (hereinafter also referred to as the \"GDPR\" or \"General Data Protection Regulation\"), any person who has suffered material or non-material damage as a result of an infringement of this Regulation has the right to obtain compensation from the controller or processor for the damage suffered. Each controller involved in processing shall be liable for damage caused by processing that infringes this Regulation. A processor shall be liable for damage caused by processing only where it has failed to comply with the obligations directly imposed on processors by this Regulation, or has acted outside or contrary to the controller's lawful instructions (paragraph 2). The controller or processor shall be exempt from liability under paragraph 2 if they prove that they are not responsible for the event giving rise to the damage (paragraph 3). Therefore, pursuant to Article 82(2) of the GDPR, a processor may only be held liable where: 1) it has failed to comply with the obligations directly imposed on it by the provisions of the GDPR, or 2) it has acted outside or contrary to the controller's lawful instructions. A third case is also distinguished in the literature: when it has acted within its own discretion, outside the scope of the arrangements with the controller [M. Górski, in: M. 
Sakowska-Baryła (ed.), General Data Protection Regulation, p. 587, No. 4]. However, it seems that in such a situation, the controller should be treated (in terms of liability) as a controller in certain (many) cases, in accordance with Article 28(10) of the GDPR. According to Recital 146 of the Preamble to the GDPR: \"Processing carried out in breach of this Regulation also includes processing that infringes the delegated and implementing acts adopted pursuant to this Regulation and Member State law further specifying this Regulation.\" Liability under Article 82 of the GDPR is contingent upon: 1) material or non-material damage suffered by the data subject; 2) infringement by the controller or processor of the provisions of the GDPR (including delegated, implementing or national law adopted pursuant to the provisions of the GDPR); 3) the existence of a causal link between the damage and the infringement; 4) fault on the part of the controller or processor (a contrario Art. 82 sec. 3 GDPR). (Article 82 GDPR, ed. Litwiński 2025, 2nd ed.\u002FPaweł Barta, Maciej Kawecki, Paweł Litwiński [in:] Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation). Commentary published in: General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary, ed. Dr. Paweł Litwiński, Legalis). As explained in Recital 146, the concept of damage should be interpreted broadly, in light of the case law of the Court of Justice, in a way that fully reflects the objectives of the Regulation. This does not affect claims for damages resulting from the infringement of other provisions of EU law or the law of a Member State. In the commented provision, the legislator specified pecuniary and non-pecuniary damage. 
This refers to damage to legally protected assets or interests, both pecuniary (e.g., financial loss suffered by a person as a result of data processing infringing the Regulation) and non-pecuniary (e.g., harm suffered by a person as a result of unlawful disclosure of health data; infringement of privacy or reputation). Pecuniary damage covers both incurred losses and lost profits, while non-pecuniary damage concerns various types of damage to non-pecuniary assets (...) The right to compensation for damage resulting from a breach of the provisions of the commented Regulation is independent of other rights to compensation arising from other provisions. It should be assumed that the legal structure in question constitutes a modification of the general rules on compensation specified in civil law. The literature on the subject has noted that Article 82 does not refer to an existing contractual relationship between the parties (as a prerequisite for liability), the breach of which could constitute a source of the obligation to compensate for damages (pecuniary or non-pecuniary), and Article 82 is closer to the structure of liability for damages in tort (P. Fajgielski [in:] Commentary to Regulation No. 2016\u002F679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 3rd ed., Warsaw 2025, art. 82, LEX). Personal data are not identical to personal rights, although certain types of them may constitute elements of identity and privacy (judgment of the Supreme Court of December 13, 2018, I CSK 690\u002F17, Legalis). 
A violation of personal data protection regulations may constitute a basis for liability for infringement of personal rights if the unlawful processing of such data results in a violation of the right to reputation (judgment of the Administrative Court in Warsaw of June 22, 2023, I ACa 352\u002F23, Legalis). However, it should be emphasized that a violation of personal data protection regulations may also justify the protection provided for in Articles 23 and 24 of the Civil Code, provided it has led to an infringement of personal rights. However, personal data are not the same as personal rights (judgment of the Administrative Court in Warsaw of September 18, 2019, VI ACa 254\u002F18, Legalis). In this case, on February 11, 2021, the Office of the Financial Ombudsman undisputedly disclosed the plaintiff's personal data, including his first and last name, mailing address, policy number and name, case reference number of the Financial Ombudsman, and the names of financial market entities, to institutions and third parties whose addresses were included in the ePUAP database by providing them with a letter addressed to the plaintiff containing an attachment in the form of a letter dated February 4, 2021, addressed to the President of the Management Board of (...) S.A. In the Court's opinion, there is no doubt that the defendant, as the administrator of the EZD and ePUAP systems, is responsible for the aforementioned incident. The breach resulted from an error by an employee of the defendant. The case files indicate that the defendant failed to sufficiently secure the aforementioned systems to the best of its ability, for example, by failing to limit the ability to send mail merges in EZD, which was possible before the incident. The Ombudsman, as the data controller, should have taken steps to secure the data, but as evidence gathered in this case indicates, he did not take such steps. 
The defendant also failed to demonstrate that, in the circumstances of this case, there was an exculpatory ground excluding his obligation to redress the damage. It should be added that in the letter from the Financial Ombudsman dated February 12, 2021, addressed to the plaintiff, it was indicated that, due to the erroneous sending of a letter containing his personal data, entities and institutions unauthorized to process it gained access to the aforementioned data, and that the possible consequences of a breach of the plaintiff's personal data that may occur include: stress related to the breach of the plaintiff's personal data protection and lack of control over personal data; receiving unsolicited correspondence; and impersonating the plaintiff in order to obtain additional information about the plaintiff (e.g., data on financial and personal circumstances). The Financial Ombudsman later attempted to withdraw responsibility for the incident. According to the evidence, the letter dated February 4, 2021, was shared with 28,366 unauthorized entities. Although the response was modest considering the sheer number of recipients, as only approximately 100 entities responded to the plaintiff, it must still be concluded that the scale of the breach of the plaintiff's data was significant. In the Court's opinion, the fact that the letter was sent to public institutions and entities is irrelevant, as there is no guarantee that the plaintiff's data is safe there, as evidenced by the circumstances of this case. In the Court's opinion, the plaintiff demonstrated that he suffered non-pecuniary damage in connection with the aforementioned incident. The incident of February 11, 2021, caused him discomfort and stress, and to this day, he still wonders who possesses his data. In connection with the incident, the plaintiff received numerous messages and correspondence, underscoring the seriousness of the situation. 
The deterioration of the plaintiff's mental condition was also confirmed by the testimony of witness J. S. The plaintiff claimed compensation in the amount of PLN 50,000.00. In the Court's opinion, this amount is excessive and unjustified in the socio-economic context, as well as in light of the established case law in this type of case. According to the Court, the circumstances described above constitute grounds for awarding compensation for a personal data breach in the amount of PLN 40,000.00. This is a very high amount, but nevertheless adequate to the breach of the plaintiff's personal data, justified primarily by the fact that the plaintiff's data was transferred to 28,366 institutions and entities. The remaining claim was dismissed. The Court ruled on the interest rate pursuant to Article 103 of the Code of Criminal Procedure. Article 481 § 1 of the Civil Code, according to which, if a debtor delays payment of a monetary obligation, the creditor may demand interest for the period of delay, even if the debtor has not suffered any damage and even if the delay was due to circumstances for which the debtor is not responsible. If the default interest rate was not specified, statutory default interest is due at an amount equal to the sum of the National Bank of Poland's reference rate and 5.5 percentage points. However, if the receivable bears interest at a higher rate, the creditor may demand default interest at that higher rate (§ 2). By letter dated November 16, 2021, the plaintiff requested the defendant to pay PLN 200,000 in compensation within 14 days of receipt of the letter. The letter was delivered to the Financial Ombudsman on November 22, 2021. In response to the aforementioned letter, the Financial Ombudsman, in a letter dated December 6, 2021, denied liability for the event. 
The court found that interest on the awarded amount of PLN 40,000 was due from December 7, 2021, i.e., from the day following the day on which the defendant refused to accept liability for the incident of February 11, 2021, dismissing the remaining interest claim. The court ruled on the costs of the proceedings pursuant to Article 100 of the Code of Civil Procedure, which provides that if the claims are only partially upheld, the costs will be mutually offset or shared. However, the court may require one party to reimburse all costs if the other party only partially succeeds in their claim or if the determination of the amount due depends on mutual calculation or the court's assessment. Due to the circumstances of the case and the scale of the violations, the Court awarded K. S. the amount of PLN 9,717.00 from the Financial Ombudsman as reimbursement of court costs, including PLN 7,200.00 for legal representation costs, PLN 17.00 for the power of attorney fee, and PLN 2,500 for the lawsuit fee. The issue of statutory interest for late payment of the monetary claim, from the date the judgment becomes final and binding until the date of payment, on the amount awarded as reimbursement of court costs, was ruled pursuant to Article 98 § 1 (1) of the Code of Civil Procedure. District Court Judge Agnieszka Rafałko","The Regional Court in Warsaw has ordered Poland's Financial Ombudsman to pay PLN 40,000 (approximately $10,000 USD) in non-material damages to a customer. The Ombudsman disclosed the customer's personal data to 28,366 unauthorized entities through a government platform due to an IT system failure. 
The court found the Ombudsman liable under Article 82 of the GDPR for failing to implement adequate security measures, leading to the data subject's non-material damages, including stress and loss of control over their data.","Polish court orders Financial Ombudsman to pay PLN 40,000 for data breach.","SO Warszawa - III C 904\u002F23 From GDPRhub Latest revision as of 08:45, 30 June 2026 Court: SO Warszawa (Poland) Jurisdiction: Poland Relevant Law: Article 82 GDPR Decided: 16.02.2026 Published: 19.06.2026 Parties: National Case Number\u002FName: III C 904\u002F23 European Case Law Identifier: Appeal from: Appeal to: Unknown Original Language(s): Polish Original Source: Portal Orzeczeń Sądów Powszechnych (in Polish) Initial Contributor: av A court ordered the Financial Ombudsman to pay PLN 40,000 in non-material damages for sending a letter containing the personal data of a customer to 28,366 unauthorised entities on a government platform. English Summary Facts The Financial Ombudsman’s office (the controller) sent a letter containing the personal data of a customer (the data subject) to 28,366 public institutions and entities registered on an official government platform in February 2021. The data subject demanded compensation for the unauthorised disclosure of his personal data from the controller in November 2021. The controller refused to accept liability for the incident. The supervisory authority issued the controller a reprimand in September 2022 for disclosure of personal data in violation of Article 6(1) GDPR. 
The data subject brought a lawsuit for damages under Article 82 GDPR before the Regional Court in Warsaw in August 2023. The data subject stated that they had experienced severe stress and lost the sense of security and control over their data as a result of the unauthorised disclosure of the letter. The controller argued it was not at fault for the incident as it was caused by a temporary IT system failure that the controller could not have foreseen. Holding The Regional Court in Warsaw held that the controller was undoubtedly liable for the unauthorised disclosure of the data subject’s personal data pursuant to Article 82 GDPR: the controller was an administrator for the government platform and had not taken adequate measures to secure the data. Second, the court held that the data subject had suffered non-material damage in connection with the aforementioned incident. It took into account that the data had been disclosed to numerous entities. In addition, the deterioration of the data subject’s mental state was confirmed by a witness. The court awarded the data subject PLN 40,000 in damages. It considered the data subject’s claim of PLN 50,000 to be excessive in light of established case law. English Machine Translation of the Decision The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. JUSTIFICATION of the judgment of October 23, 2025 (p. 503) By the lawsuit of August 22, 2023 (p. 244), filed against the Financial Ombudsman, the plaintiff, K. 
S., requested that the defendant pay him the amount of PLN 50,000, with statutory default interest on this amount from November 30, 2021, to the date of actual payment, and that the defendant pay him the costs of the proceedings, including the costs of legal representation at twice the minimum rates, the stamp duty on the power of attorney, and reimbursement of the costs of the party and the attorney according to the list of costs, if any, with statutory interest from the date the judgment becomes final and binding until the date of payment. In support of the claim, the plaintiff argued that the defendant violated the confidentiality of his personal data by disclosing it to public entities by sending a cover letter addressed to the plaintiff to institutions whose addresses were listed in the ePUAP database, containing an attachment in the form of a letter dated February 4, 2021, addressed to the President of the Management Board of (...) S.A. The plaintiff stated that, due to the aforementioned incident, he experienced severe stress, received numerous pieces of correspondence from entities that received his data, and lost his sense of security and control over his own data. He alleged that unauthorized persons had learned that he was in dispute with an insurer and had an insurance policy. The plaintiff primarily cited the following legal bases for his claims: - Article 24 § 1 of the Civil Code in conjunction with Article 448 of the Civil Code, 
due to the infringement of the plaintiff's personal rights, i.e., the right to privacy and the right to confidentiality of correspondence, by disclosing his personal data, i.e., name, address, and policy name, along with the reference number of the case conducted with the Financial Ombudsman, to an unlimited number of entities, which numbered at least 28,402 unauthorized persons, - Article 5(1)(f) of the GDPR regarding the defendant's violation of the principle of integrity and confidentiality in terms of accidental data loss, - Article 82 of the GDPR, under which the plaintiff may seek compensation for the damage suffered, - Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, under which the plaintiff has the inviolable right to the protection of his personal rights, in this case, personal data, primarily in the context of their fair processing. (lawsuit, pp. 3-23) In response to the lawsuit dated February 15, 2024 (p. 444), the defendant requested the dismissal of the claim in its entirety and an award of legal costs, including attorney fees, against the plaintiff, in accordance with applicable standards. As a precautionary measure, if the Court were to find the claim justified, the defendant argued that the amount claimed by the plaintiff was excessive and that awarding it would lead to the plaintiff's unjust enrichment vis-à-vis the defendant. Therefore, the defendant requests a reduction. In its response to the lawsuit, the defendant stated that it was not responsible for the personal data incident, explaining that it used IT systems dedicated to administrative bodies, and that the dispatch of the letter referred to above was due to a temporary system failure – a system error and suspension. 
The defendant argued that it exercised the utmost care in selecting IT systems specifically dedicated to administrative services and could not have foreseen their temporary malfunction, and that it attempted to immediately prevent the consequences of the incident. It argued that the defendant's employee operating the system at the time of the incident had previously been trained in all procedures related to the operation of the EZD and ePUAP systems. The defendant also indicated that it had taken steps to avoid a similar incident in the future by contacting the operators of the EZD system (which is used by the Financial Ombudsman) and ePUAP with proposals for modifying the IT systems and implementing procedures at the Office of the Financial Ombudsman to protect customer personal data. According to the defendant, the lack of fault excludes its liability under both Article 82 of the GDPR and Article 448 of the Civil Code. In the defendant's opinion, the plaintiff has failed to demonstrate any damage (injury) he allegedly suffered in connection with the aforementioned incident. The defendant argued that the circle of recipients to whom the plaintiff's data was transferred was closed and that, despite the fact that the plaintiff's data was shared with 28,402 entities, these were public entities or entities entrusted with public tasks, and that the risk of material damage to the plaintiff resulting from unauthorized use of the shared data was negligible. 
The defendant argued that any use of","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=SO_Warszawa_-_III_C_904\u002F23&diff=52013&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-06-30T08:45:48+00:00","2026-06-30T10:00:19.20701+00:00",7,[18],{"name":19,"type":20},"Financial Ombudsman","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":39,"icon":23,"name":40,"slug":41},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]