Back to Feed
PolicyJul 14, 2026

UODO (Poland) - DKE.561.4.2026

Poland's DPA fines individual for non-compliance with unlawful surveillance ruling.

Summary

Poland's Data Protection Authority (UODO) has fined an individual PLN 26,711 (approximately €6,174) for failing to comply with a previous decision that deemed their camera surveillance unlawful. The controller's surveillance extended beyond their property, impacting public roads and neighbors' properties, and continued even after police intervention. The DPA found this to be a violation of Article 5(2) GDPR, as the controller failed to demonstrate compliance with the authority's decision and continued to process data unlawfully, with the intent to harass data subjects.

Full text

Help UODO (Poland) - DKE.561.4.2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 08:56, 14 July 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 edits Tag: submission [1.0] Latest revision as of 08:58, 14 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 editsmTag: Visual edit Line 71: Line 71: === Holding ====== Holding === The DPA found a violation of [[Article 5 GDPR#2|Article 5(2) GDPR]], as the controller had failed to demonstrate compliance with the DPA’s decision. The DPA stated that the obligation to demonstrate compliance with the principle of lawfulness (Article 5(1)(a) GDPR) extended to complying with decisions from the DPA.The DPA found a violation of [[Article 5 GDPR#2|Article 5(2) GDPR]], as the controller had failed to demonstrate compliance with the DPA’s decision. The DPA stated that the obligation to demonstrate compliance with the principle of lawfulness ([[Article 5 GDPR|Article 5(1)(a) GDPR]]) extended to complying with decisions from the DPA. The DPA reiterated that the controller processed data subjects’ personal data unlawfully through their surveillance camera. The DPA took into account the small size of the local community and the number of data subjects affected, and concluded that the controller’s continuous monitoring disrupted the community’s functioning by deeply interfering with data subjects’ lives. In addition, the DPA stated that the manner in which the controller used the surveillance footage suggested that the processing purpose was to harass data subjects. The DPA reiterated that the controller processed data subjects’ personal data unlawfully through their surveillance camera. The DPA took into account the small size of the local community and the number of data subjects affected, and concluded that the controller’s continuous monitoring disrupted the community’s functioning by deeply interfering with data subjects’ lives. In addition, the DPA stated that the manner in which the controller used the surveillance footage suggested that the processing purpose was to harass data subjects. Latest revision as of 08:58, 14 July 2026 UODO - DKE.561.4.2026 Authority: UODO (Poland) Jurisdiction: Poland Relevant Law: Article 5(1)(a) GDPR Article 5(2) GDPR Type: Investigation Outcome: Violation Found Started: 10.12.2025 Decided: 22.05.2026 Published: Fine: 26,711 PLN Parties: n/a National Case Number/Name: DKE.561.4.2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Polish Original Source: UODO (in PL) Initial Contributor: ap The DPA fined an individual PLN 26,711 (approximately €6,174) for refusing to comply with an earlier decision stating its camera surveillance beyond their property was unlawful. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The DPA initiated an ex officio investigation against an individual (the controller) after several data subjects complained about the controller’s video surveillance extending beyond the boundary of their property to include public roads and the data subjects’ properties. The DPA decided that the controller had unlawfully processed data subjects’ data. The DPA held that the controller had the obligation to erase the data, and prohibited the controller from future monitoring. The DPA requested the controller to provide evidence of compliance with the decision, but did not receive a response form the controller. The DPA later received a complaint from one of the data subjects, stating that the controller continued to violate the GDPR despite the DPA’s decision. The DPA found that the controller had reinstalled the cameras and continued to cover areas outside their property, even after the cameras were removed by police officers. Holding The DPA found a violation of Article 5(2) GDPR, as the controller had failed to demonstrate compliance with the DPA’s decision. The DPA stated that the obligation to demonstrate compliance with the principle of lawfulness (Article 5(1)(a) GDPR) extended to complying with decisions from the DPA. The DPA reiterated that the controller processed data subjects’ personal data unlawfully through their surveillance camera. The DPA took into account the small size of the local community and the number of data subjects affected, and concluded that the controller’s continuous monitoring disrupted the community’s functioning by deeply interfering with data subjects’ lives. In addition, the DPA stated that the manner in which the controller used the surveillance footage suggested that the processing purpose was to harass data subjects. The DPA fined the controller PLN 26,711 (approximately €6,174). Comment It is interesting to note that the DPA considered the images and voice footage “sensitive data in a certain sense”, as the controller could combine this data with data subjects’ location and identity (name and address). This sensitive nature of the data was an aggravating factor when assessing the fine. Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. Emblem of the Republic of Poland Office for Personal Data Protection Portal of Judgments Availability BIP Content Metrics Judgments Legal acts History Decision logo Warsaw, 22 May 2026 Illegitimate Decision DKE.561.4.2026 Pursuant to Article 104 § 1 of the Act of 14 June 1960. Code of Administrative Procedure (Journal of Laws U. of 2025, item 1691), Article 7(1) and (2), Article 60 and Article 101 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws No. U. of 2019, item 1781, as amended) and Article 57(1)(a), Article 58(2)(i), Article 83(1) and Article 83(6) in conjunction with Article 58(2)(d) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/ Urz. EU L 119 of 04.05.2016, p. 1, OJ Urz. EU L 127, 23.05.2018, p. 2, and OJ Urz. EU L 74 of 4.03.2021, p. 35), after the administrative procedure initiated ex officio on the imposition on Mr B. E., zam.: ul. (...), (...)-(...) W., administrative monetary penalty, President of the Office for Personal Data Protection, stating Mr. B's failure to do so. E., zam. ul. (...), (...)-(...) W., order of the administrative decision of the President of the Office for Personal Data Protection of 21 October 2025, no. DS.523.6546.2024.( ...), imposes an administrative financial penalty on him in the amount of 26 711 zlotys (in words: twenty-six thousand seven hundred and eleven zlotys). Justification I. Facts 1. The President of the Office for Personal Data Protection, hereinafter referred to as the “President of the Office of Personal Data”, by the Administrative Decision of 21 October 2025, ref. DS.523.6546.2024.(...), hereinafter referred to as ‘Ordering Decision’, acting on the basis of Article 58(2)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 21 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 3, p. Urz. EU L 119 of 04.05.2016, p. 1, OJ Urz. EU L 127, 23.05.2018, p. 2, and OJ Urz. EU L 74, 4.03.2021, p. 35) (hereinafter referred to as ‘Regulation 2016/679’), ordered Mr B. E. zam. ul. (...), (...)-(...) W. (hereinafter also referred to as „Administratorem”“Controller” or “Obliged”), to cease the processing of personal data of the following persons (hereinafter collectively referred to as “Complainan

Entities

UODO (vendor)