UODO (Poland) - DKN.5131.17.2025
Poland's UODO fines municipality PLN 7,700 for failing to report a data breach.
Summary
Poland's Data Protection Authority (UODO) has fined a municipality PLN 7,700 (approximately €1,813) for failing to notify a personal data breach. The municipality mistakenly published the personal data of individuals who had signed a petition, including their names, residential addresses and signatures. The municipality argued that the risk to the data subjects was low and that notification was therefore not required. The UODO found a violation of Article 33(1) GDPR, holding that the exception for breaches unlikely to result in a risk must be interpreted narrowly, that the controller had assessed the risk incorrectly, and that the obligation to notify arises when the breach occurs, regardless of whether the risk later materialises.
Full text
UODO - DKN.5131.17.2025
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 07.10.2025
Decided: 30.04.2026
Published: 25.05.2026
Fine: 7,700 PLN
Parties: n/a
National Case Number/Name: DKN.5131.17.2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: ap

The DPA fined a municipality PLN 7,700 (approximately €1,813) for not notifying a personal data breach to the DPA. The municipality had mistakenly published a file containing the personal data of data subjects who signed a petition.

English Summary

Facts
A municipality (the controller) published the personal data of data subjects who had signed a petition in its Public Information Bulletin (BIP). The data included the data subjects' names, residential addresses and signatures. The DPA initiated an ex-officio investigation after receiving a complaint from one of the data subjects. During the investigation, the DPA asked the controller whether it had assessed the risk arising from the incident. The controller stated that it had not notified the DPA under Article 33 GDPR because it considered the risk to the data subjects' rights and freedoms to be low. It argued that there had been no disclosure, since only one person had downloaded the file.

In addition, the controller argued that the investigation was redundant, as the DPA's Department of Complaints had already opened administrative proceedings on the data subject's complaint. Finally, the controller stated that the publication was an unintentional mistake and that the file had been replaced with an anonymised version once the error was discovered.

Holding
The DPA first clarified that it had opened the ex-officio investigation after identifying further potential violations by the controller: the complaint proceedings concern the rights of one specific data subject, whereas the ex-officio proceedings assess whether the controller complied with its obligations towards data subjects and the DPA in general.

The DPA found a violation of Article 33(1) GDPR, as the controller had failed to notify the DPA of the breach within the statutory 72-hour time limit. Following the EDPB guidelines, the exception for breaches unlikely to result in a risk must be interpreted narrowly; in case of doubt, the controller should notify. The DPA rejected the controller's arguments and held that the controller had assessed the level of risk incorrectly. According to the DPA, the controller was obliged to notify the breach even though only one identified person had accessed the file. The DPA also took into account the categories of data disclosed, in particular the data subjects' residential addresses. Finally, the DPA stressed that the notification obligation arises when the breach occurs, regardless of whether the risk subsequently materialises.

The DPA fined the controller PLN 7,700 (approximately €1,813), taking into account, in accordance with national law, that the controller is a public sector entity.

English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Warsaw, April 30, 2026, not final

Decision DKN.5131.17.2025

On the basis of art. 104 § 1 of the Act of June 14, 1960, the Code of Administrative Procedure (Journal of Laws 2025, item 1691), in conjunction with art. 7 sec. 1 and 2, art. 60, art. 102 sec. 1 item 1 and sec. 3 of the Act of May 10, 2018, on the Protection of Personal Data (Journal of Laws 2019, item 1781, as amended), and art. 57 sec. 1 letters a) and h), art. 58 sec. 2 letter i), art. 83 sec. 1-2 and art. 83 sec. 4 letter a) in conjunction with art. 33 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.05.2016, p. 1; OJ L 127, 23.05.2018, p. 2; and OJ L 74, 4.03.2021, p. 35), hereinafter referred to as: Regulation 2016/679, after conducting ex officio administrative proceedings regarding the infringement of personal data protection provisions by the Mayor of the City and Commune of D. (City and Commune Office of D., ul. (...), (...)-(…) D.), the President of the Personal Data Protection Office, having found that the Mayor of the City and Commune of D. (City and Commune Office of D., ul. (…), (…)-(…) D.) infringed art. 33 sec. 1 of Regulation 2016/679 by failing to notify a personal data breach to the President of the Personal Data Protection Office without undue delay and no later than 72 hours after becoming aware of it, imposes on the Mayor of the City and Commune of D. (City and Commune Office of D., ul. (...), (...)-(…) D.) an administrative fine of PLN 7,700 (seven thousand seven hundred zlotys).

Justification

1. The President of the Personal Data Protection Office, hereinafter also referred to as the "President of the Personal Data Protection Office" or the "supervisory authority", received a complaint regarding irregularities in the processing of the personal data of a specific natural person (the complainant) by the Mayor of the City and Commune of D. (City and Commune Office of D., ul. (...), (...)-(…) D.), hereinafter also referred to as the "Mayor" and the "Controller", from which it follows that: "In (...) the MIG Office published on the Public Information Bulletin (BIP) https://(…) under (…) the personal data of (…) persons who signed the petition." The published personal data included first names, last names, residential addresses and specimen signatures. The complaint initiated administrative proceedings in an individual case, in which the supervisory authority decides on the rights of a specific data subject, as regulated by the personal data protection provisions, in connection with the reported situation.

2. In connection with the information obtained, in a letter dated October 7, 2025, the President of the Personal Data Protection Office, pursuant to Article 58 paragraph 1 letters a) and e) of Regulation 2016/679, requested the Mayor to clarify whether, in connection with the event, an analysis had been conducted to determine the risk of infringement of the rights and freedoms of natural persons, which is necessary to assess whether a personal data breach occurred that required notification to the President of the Personal Data Protection Office and to the data subjects. In his response of October 13, 2025, the Mayor explained that administrative proceedings in this case were already being conducted by the Department of Complaints of the Personal Data Protection Office (ref. (...)). Therefore, pursuant to Article 105 § 1 of the Act of June 14, 1960, the Code of Administrative Procedure (Journal of Laws of 2025, item 1691), hereinafter also referred to as the "Kpa", he requested that the proceedings be discontinued as devoid of object. At the same time, the question contained in the letter from the President of the Personal Data Protection Office dated October 7, 2025, remained unanswered. The Mayor expressed doubts as to the need to provide the requested information in view of the ongoing complaint proceedings, in which he had already commented on the circumstances underlying the individual complaint.

3. In a letter dated October 15, 2