Back to Feed
GDPRJul 9, 2026

UODO (Poland) - DKN.5131.27.2023

Poland's UODO fines municipal welfare unit €7,800 for GDPR violations including data breach non-notification

Summary

Poland's Data Protection Authority (UODO) imposed three separate fines totaling PLN 33,700 (€7,800) on a municipal social welfare unit for multiple GDPR violations. The violations included failure to implement appropriate technical and organizational security measures and failure to notify a data breach involving health data and quarantine information that was inadvertently exposed via a public server and indexed by search engines in November 2020. The authority determined the unit acted as a data controller despite initial claims otherwise, and the breach went unreported despite being discovered in February 2021.

Full text

Help UODO (Poland) - DKN.5131.27.2023: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 12:18, 9 July 2026 view sourceAv (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators72 edits Tag: submission [1.0] Revision as of 12:28, 9 July 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators72 editsTag: Visual editNewer edit → Line 73: Line 73: }}}} The DPA imposed three separate fines amounting to PLN 33,700 (€ 7,800) on a municipal social welfare unit for multiple GDPR violations, including a failure to notify a data breach that involved health data of customers.The DPA imposed three separate fines amounting to PLN 33,700 (€7,800) on a municipal social welfare for multiple GDPR violations, including a failure to implement appropriate technical and organisational measures and a failure to notify a data breach that involved health data of customers. == English Summary ==== English Summary == Revision as of 12:28, 9 July 2026 UODO - DKN.5131.27.2023 Authority: UODO (Poland) Jurisdiction: Poland Relevant Law: Article 5(1)(f) GDPR Article 5(2) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 32(1) GDPR Article 32(2) GDPR Article 33(1) GDPR Article 34(1) GDPR Type: Investigation Outcome: Violation Found Started: 09.08.2023 Decided: 19.05.2026 Published: 30.06.2026 Fine: 33,700 PLN Parties: n/a National Case Number/Name: DKN.5131.27.2023 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Polish Original Source: UODO (in PL) Initial Contributor: av The DPA imposed three separate fines amounting to PLN 33,700 (€7,800) on a municipal social welfare for multiple GDPR violations, including a failure to implement appropriate technical and organisational measures and a failure to notify a data breach that involved health data of customers. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A municipal social welfare unit (the controller) processed the personal data of the residents of the municipality (the data subjects), including names, addresses, and information regarding whether certain individuals were subject to mandatory quarantine to prevent and combat the SARS-COV-2 virus. An employee of the controller posted a file containing this information on a private server in November 2020. An automated search engine indexing bot subsequently accessed the file and made its full contents available in search results to any Internet user. The supervisory authority received an electronic report concerning a potential data breach in February 2021. The controller had not notified the DPA or the data subjects of this incident, as it concluded it had not acted as a controller in the context of the processing operations at issue. The DPA launched an investigation into the unauthorised disclosure of personal data and initiated administrative proceedings against the controller in August 2023. Holding The DPA issued the controller three separate fines amounting to PLN 33,700 (€7,800) in total, as it considered its GDPR violations were the result of three separate courses of conduct. It held that the social welfare unit had clearly determined the means and purposes of processing and acted as controller within the meaning of Article 4(7) GDPR – the employee responsible for the processing operations had acted with the unit’s authorisation, at its instruction, and on its behalf. First, the DPA held the controller had violated Articles 24(1), 25(1), 32(1), and 32(2) GDPR by failing to implement appropriate technical and organisational measures and imposed a fine of PLN 15,000 (€ 3,460) on the controller. This resulted in violations of the principles of integrity, confidentiality and accountability set out in Articles 5(1)(f) and 5(2) GDPR. There was a document in effect during the data breach that identified the risk level of processing as high. However, the DPA pointed out this document did not include, among other things, the number of data subjects, the periods for data storage, and the duration of the processing. The measures implemented were not reviewed or updated and also proved to be ineffective. Second, the DPA issued the controller a fine of PLN 5,500 (€1,270) for an infringement of Article 33(1) GDPR due to a failure to report the data breach to the supervisory authority. Finally, the DPA held that the controller had violated Article 34(1) GDPR by failing to notify the data subjects of the data breach and imposed a fine of PLN 5,500 (€1,270) on the controller. In addition, it ordered the controller to notify the data subjects of the breach in question. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. Warsaw, May 19, 2026 not final Decision DKN.5131.27.2023 Pursuant to Article 104 § 1 of the Act of June 14, 1960 - Code of Administrative Procedure[1], hereinafter referred to as the "KPA", in conjunction with Article 7 paragraphs 1 and 2, Article 60 and Article 102 paragraph 1 point 1 and paragraph 3 of the Act of May 10, 2018 on Personal Data Protection[2], hereinafter referred to as the "Personal Data Protection Act", and Article 57 paragraph 1 letters a) and h), Article 58 paragraph 2 letter i), Article 83 paragraphs 1-3, Article 83 paragraph 4 letter a) in conjunction with Article 25 paragraph 1, Article 32 paragraphs 1 and 2, Article Pursuant to Articles 33(1), 34(1), and 83(5)(a), in conjunction with Article 5(1)(f) and 5(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[3], hereinafter referred to as "Regulation 2016/679", after conducting ex officio administrative proceedings regarding the infringement of personal data protection provisions by the Social Welfare Center in D., hereinafter referred to as the "Center", the President of the Personal Data Protection Office, hereinafter referred to as the "President of the Personal Data Protection Office": I) finding that the Center has violated the provisions of Article 24(1), Article 25(1), and Article 32(1) of the Personal Data Protection Regulation, 1 and 2 of Regulation 2016/679, consisting in the failure to implement appropriate technical and organizational measures designed to effectively implement data protection principles and to provide the necessary safeguards for processing, including ensuring a level of security appropriate to the risk of violations of the rights and freedoms of natural persons of varying likelihood and severity, and resulting in a violation of the principles set out in Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679, imposes on the Center, for violation of the provisions of Article 5 paragraph 1 letter f) and 2, Article 25 paragraph 1, and Article 32 paragraphs 1 and 2 of Regulation 2016/679, an administrative fine of PLN 15,000 (in words: fifteen thousand zlotys); II) finding the Center to have violated the provisions of Article 33 paragraph 1 of Regulation 2016/679, consisting in failure to notify the supervisory authority of a personal data breach, imposes an administrative fine on the Center in the amount of PLN 5,500 (in words: five thousand five hundred zlotys); III) Finding that the Center has violated the provision of Article 34 paragraph 1 of Regulation 2016/679, consisting in failing to notify data subjects of a personal data breach: 1) Imposes an administrative fine on the Center in the amount of PLN 13,200 (in words: thirteen thousand two hun

Entities

UODO (Poland Data Protection Authority) (vendor)