[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4PgfINOrNvv7Tc6ECNHKIdI-SlsUpv9neLRFTbvDewU":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"e37e8cba-aa1d-45f0-93b3-e865b63a2afb","UODO (Poland) - DKN.5131.17.2025","uodo-poland-dkn-5131-17-2025-01ac82","← Older revision Revision as of 08:53, 16 June 2026 Line 66: Line 66: A municipality (the controller) published personal data of data subjects who signed a petition in the Public Information Bulletin. This included data subjects’ names, addresses and signatures. The DPA initiated an ex-officio investigation after receiving a complaint from a data subject. A municipality (the controller) published personal data of data subjects who signed a petition in the Public Information Bulletin. This included data subjects’ names, addresses and signatures. The DPA initiated an ex-officio investigation after receiving a complaint from a data subject. During its investigations, the DPA requested the controller to clarify if it had assessed the risk of a data breach. The controller stated that it had not notified the DPA in accordance with [[Article 33 GDPR|Article 33 GDPR]], as it considered that the risk to data subjects’ rights and freedoms was low. The controller claimed there was no disclosure, as only one person downloaded the file. In addition, the controller also argued that the investigation was redundant, as its complaints department in its data protection office (DPO) had already initiated administrative proceedings on the case. Finally, the controller stated that the publication of the data was an unintentional mistake, and that the file had been replaced with an anonymised one after the error was discovered. 
During its investigations, the DPA requested the controller to clarify if it had assessed the risk of a data breach. The controller stated that it had not notified the DPA in accordance with [[Article 33 GDPR]], as it considered that the risk to data subjects’ rights and freedoms was low. Finally, the controller stated that the publication of the data was an unintentional mistake, and that the file had been replaced with an anonymised one after the error was discovered. === Holding === === Holding === The DPA first clarified that it had initiated an ex-officio investigation after finding new potential violations by the controller; the DPA stated it needed to assess whether the controller complied with its obligations towards data subjects and the DPA in general. The DPA first clarified that it had initiated an ex-officio investigation after finding new potential violations by the controller; the DPA stated it needed to assess whether the controller complied with its obligations towards data subjects and the DPA in general. The DPA found a violation of [[Article 33 GDPR|Article 33 GDPR]], as the controller had failed to inform the DPA of the data breach within the statutory time limit. According to EDPB guidelines, a low risk to data subjects should be interpreted narrowly. In case of any doubt, the controller should report the breach. [FOOTNOTE]The DPA dismissed the controller’s arguments, and stated that it had incorrectly assessed the level of risk towards data subjects. According to the DPA, the controller had an obligation to report the data breach even if only one identified person had accessed the data. The DPA also took into consideration the data that was disclosed, especially the data subjects’ addresses. Finally, the DPA highlighted that the reporting obligations apply when the data breach happens, regardless of whether the risk materialises. 
The DPA found a violation of [[Article 33 GDPR]], as the controller had failed to inform the DPA of the data breach within the statutory time limit. According to EDPB guidelines, a low risk to data subjects should be interpreted narrowly. In case of any doubt, the controller should report the breach. Guidelines 9\u002F2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, https:\u002F\u002Fwww.edpb.europa.eu\u002Fsystem\u002Ffiles\u002F2023-04\u002Fedpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf , p. 18 The DPA dismissed the controller’s arguments, and stated that it had incorrectly assessed the level of risk towards data subjects. According to the DPA, the controller had an obligation to report the data breach even if only one identified person had accessed the data. The DPA also took into consideration the data that was disclosed, especially the data subjects’ addresses. Finally, the DPA highlighted that the reporting obligations apply when the data breach happens, regardless of whether the risk materialises. The DPA fined the controller PLN 7,700 (approximately €1,813). The DPA took into consideration the fact that the controller was a public sector entity, in accordance with national law. The DPA fined the controller PLN 7,700 (approximately €1,813). The DPA took into consideration the fact that the controller was a public sector entity, in accordance with national law.","Poland's DPA has fined a municipality PLN 7,700 (approx. €1,813) for failing to notify the authority of a personal data breach within the GDPR's statutory time limit. The municipality had published personal data, including names and addresses, of individuals who signed a petition. 
Despite the municipality's claims of low risk and unintentional error, the DPA ruled that the risk assessment was incorrect and that reporting obligations apply regardless of the perceived risk or the number of individuals accessing the data.","Polish DPA fines municipality for GDPR breach notification failure.","UODO (Poland) - DKN.5131.17.2025: Difference between revisions From GDPRhub Revision as of 08:52, 16 June 2026 by Ap Latest revision as of 08:53, 16 June 2026 by Ap Line 66: Line 66: A municipality (the controller) published personal data of data subjects who signed a petition in the Public Information Bulletin. This included data subjects’ names, addresses and signatures. The DPA initiated an ex-officio investigation after receiving a complaint from a data subject. A municipality (the controller) published personal data of data subjects who signed a petition in the Public Information Bulletin. This included data subjects’ names, addresses and signatures. The DPA initiated an ex-officio investigation after receiving a complaint from a data subject. During its investigations, the DPA requested the controller to clarify if it had assessed the risk of a data breach. The controller stated that it had not notified the DPA in accordance with [[Article 33 GDPR|Article 33 GDPR]], as it considered that the risk to data subjects’ rights and freedoms was low. The controller claimed there was no disclosure, as only one person downloaded the file. In addition, the controller also argued that the investigation was redundant, as its complaints department in its data protection office (DPO) had already initiated administrative proceedings on the case. 
Finally, the controller stated that the publication of the data was an unintentional mistake, and that the file had been replaced with an anonymised one after the error was discovered. During its investigations, the DPA requested the controller to clarify if it had assessed the risk of a data breach. The controller stated that it had not notified the DPA in accordance with [[Article 33 GDPR]], as it considered that the risk to data subjects’ rights and freedoms was low. Finally, the controller stated that the publication of the data was an unintentional mistake, and that the file had been replaced with an anonymised one after the error was discovered. === Holding === === Holding === The DPA first clarified that it had initiated an ex-officio investigation after finding new potential violations by the controller; the DPA stated it needed to assess whether the controller complied with its obligations towards data subjects and the DPA in general. The DPA first clarified that it had initiated an ex-officio investigation after finding new potential violations by the controller; the DPA stated it needed to assess whether the controller complied with its obligations towards data subjects and the DPA in general. The DPA found a violation of [[Article 33 GDPR|Article 33 GDPR]], as the controller had failed to inform the DPA of the data breach within the statutory time limit. According to EDPB guidelines, a low risk to data subjects should be interpreted narrowly. In case of any doubt, the controller should report the breach. [FOOTNOTE]The DPA dismissed the controller’s arguments, and stated that it had incorrectly assessed the level of risk towards data subjects. According to the DPA, the controller had an obligation to report the data breach even if only one identified person had accessed the data. The DPA also took into consideration the data that was disclosed, especially the data subjects’ addresses. 
Finally, the DPA highlighted that the reporting obligations apply when the data breach happens, regardless of whether the risk materialises. The DPA found a violation of [[Article 33 GDPR]], as the controller had failed to inform the DPA of the data breach within the statutory time limit. According to EDPB guidelines, a low risk to data subjects should be interpreted narrowly. In case of any doubt, the controller should report the breach.\u003Cref>Guidelines 9\u002F2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, \u003Cnowiki>https:\u002F\u002Fwww.edpb.europa.eu\u002Fsystem\u002Ffiles\u002F2023-04\u002Fedpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf\u003C\u002Fnowiki>, p. 18\u003C\u002Fref> The DPA dismissed the controller’s arguments, and stated that it had incorrectly assessed the level of risk towards data subjects. According to the DPA, the controller had an obligation to report the data breach even if only one identified person had accessed the data. The DPA also took into consideration the data that was disclosed, especially the data subjects’ addresses. Finally, the DPA highlighted that the reporting obligations apply when the data breach happens, regardless of whether the risk materialises. The DPA fined the controller PLN 7,700 (approximately €1,813). The DPA took into consideration the fact that the controller was a public sector entity, in accordance with national law. The DPA fined the controller PLN 7,700 (approximately €1,813). The DPA took into consideration the fact that the controller was a public sector entity, in accordance with national law. 
Latest revision as of 08:53, 16 June 2026 UODO - DKN.5131.17.2025 Authority: UODO (Poland) Jurisdiction: Poland Relevant Law: Article 33(1) GDPR Type: Investigation Outcome: Violation Found Started: 07.10.2025 Decided: 30.04.2026 Published: 25.05.2026 Fine: 7,700 PLN Parties: n\u002Fa National Case Number\u002FName: DKN.5131.17.2025 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Polish Original Source: UODO (in PL) Initial Contributor: ap The DPA fined a municipality PLN 7,700 (approximately €1,813) for not reporting a data breach to the DPA. The municipality mistakenly published a file with information of data subjects who signed a petition. English Summary Facts A municipality (the controller) published personal data of data subjects who signed a petition in the Public Information Bulletin. This included data subjects’ names, addresses and signatures. The DPA initiated an ex-officio investigation after receiving a complaint from a data subject. During its investigations, the DPA requested the controller to clarify if it had assessed the risk of a data breach. The controller stated that it had not notified the DPA in accordance with Article 33 GDPR, as it considered that the risk to data subjects’ rights and freedoms was low. Finally, the controller stated that the publication of the data was an unintentional mistake, and that the file had been replaced with an anonymised one after the error was discovered. Holding The DPA first clarified that it had initiated an ex-officio investigation after finding new potential violations by the controller; the DPA stated it needed to assess whether the controller complied with its obligations towards data subjects and the DPA in general. 
The DPA found a violation of Article 33 GDPR, as the controller had failed to inform the DPA of the data breach within the statutory time limit. According to EDPB guidelines, a low risk to data subjects should be interpreted narrowly. In case of any doubt, the controller should report the breach.[1] The DPA dismissed the controller’s arguments, and stated that it had incorrectly assessed the level of risk towards data subjects. According to the DPA, the controller had an obligation to report the data breach even if only one identified person had accessed the data. The DPA also took into consideration the data that was disclosed, especially the data subjects’ addresses. Finally, the DPA highlighted that the reporting obligations apply when the data breach happens, regardless of whether the risk materialises. The DPA fined the controller PLN 7,700 (approximately €1,813). The DPA took into consideration the fact that the controller was a public sector entity, in accordance w","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=UODO_(Poland)_-_DKN.5131.17.2025&diff=51877&oldid=51876","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F7\u002F7b\u002FLogoPL.png","2026-06-16T08:53:52+00:00","2026-06-16T10:00:07.949033+00:00",7,[18],{"name":19,"type":20},"EDPB","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]