[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzpcB8V3nk8lm5DtM3IAdHpA6JFMijQ9P2Gpr9hlE1HM":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"bbf5dcc0-b2e6-497a-8c30-d91f6bf54441","UODO (Poland) - DKN.5131.34.2023","uodo-poland-dkn-5131-34-2023-48f7cb","The DPA fined an accounting and tax consulting company €2,760 for a failure to implement technical and organisational measures following a data breach that led to unauthorised access to personal data processed via email.","Poland's data protection authority (UODO) has fined an accounting and tax consulting company €2,760 for failing to implement adequate technical and organizational measures after a data breach. The breach involved unauthorized access to an employee's email account, exposing sensitive personal data of clients, their employees, and children.
The DPA ruled that unauthorized access alone constitutes a data breach and found the company had not conducted risk assessments or tested security measures prior to the incident.","Poland's UODO fines accounting firm €2,760 for data breach due to inadequate security measures.","UODO (Poland) - DKN.5131.34.2023: Difference between revisions (GDPRhub). Revision as of 12:56, 29 June 2026 by Av; latest revision as of 17:23, 30 June 2026 by Av (minor edit). Line 69 (summary sentence): \"€ 2,760 for failure to implement\" changed to \"€2,760 for a failure to implement\".

UODO - DKN.5131.34.2023
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 24(1) GDPR; Article 25(1) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 12.12.2023
Decided: 13.06.2026
Published: 26.06.2026
Fine: 2,760 EUR
Parties: n\u002Fa
National Case Number\u002FName: DKN.5131.34.2023
European Case Law Identifier: n\u002Fa
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: av

The DPA fined an accounting and tax consulting company €2,760 for a failure to implement technical and organisational measures following a data breach that led to unauthorised access to personal data processed via email.

== English Summary ==

=== Facts ===
An unauthorised entity gained access to an email account belonging to an employee at an accounting, bookkeeping and tax consulting company (the controller). The account contained personal data of clients, their employees, and their children (the data subjects), including their names, dates of birth, salary information, and tax declarations. The controller notified the supervisory authority of a data breach in January 2021. The DPA initiated administrative proceedings regarding possible GDPR violations in December 2023. The controller argued that no personal data breach within the meaning of Article 4(12) GDPR had occurred, as the unauthorised entity had only accessed, and not obtained, the personal data in question.

=== Holding ===
The DPA held that the controller had violated Articles 5(1)(f), 5(2), 24(1), 25(1), 32(1), and 32(2) GDPR and fined it €2,760. First, it pointed out that mere unauthorised access to personal data processed via email constitutes a data breach under Article 4(12) GDPR; the data does not have to be copied or exfiltrated for the breach to exist. Second, the DPA held that the controller had failed to implement appropriate technical and organisational measures to ensure the security of this personal data: it had only taken measures to comply with the aforementioned provisions of the GDPR after the data breach had been notified to the DPA. The controller had not previously conducted a risk assessment. In addition, it had failed to regularly test, measure, and evaluate the effectiveness of the technical and organisational measures implemented. Finally, the DPA found that the processing posed a high risk to the rights and freedoms of data subjects: it affected a large number of individuals and concerned a broad scope of personal data. When determining the amount of the fine, the DPA took into account that there was a clear imbalance between the data subjects and the controller: the data subjects were required to provide personal data to the controller to fulfil obligations under labour law, social security law, and tax law, and could not independently control the data. Consequently, the DPA considered the GDPR infringements to be of significant gravity.

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Decision DKN.5131.34.2023

Pursuant to Article 104 § 1 of the Act of June 14, 1960, the Code of Administrative Procedure (Journal of Laws of 2025, item 1691), Article 7 paragraphs 1 and 2, Article 60, Article 101, and Article 103 of the Act of May 10, 2018, on Personal Data Protection (Journal of Laws of 2019, item 1781, as amended), as well as Article 57 paragraph 1 letters a) and h), Article 58 paragraph 2 letter i), Article 83 paragraphs 1-3, Article 83 paragraph 4 letter a) in conjunction with Article 24 paragraph 1, Article 25 paragraph 1, and Article 32 paragraphs 1 and 2, as well as Article 83 paragraph 5 letter a) in conjunction with Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation) (OJ L 119, 4.05.2016, p. 1, OJ L 127, 23.05.2018, p. 2, and OJ L 74, 4.03.2021, p. 35), hereinafter referred to as \"Regulation 2016\u002F679\", after conducting ex officio administrative proceedings regarding the infringement of personal data protection provisions by N. D., conducting business under the name G. (...), ul. (…), (…)-(…) C., the President of the Personal Data Protection Office, finding that N. D., conducting business under the name G. (…), ul. (…), (…)-(…) C., has violated Article 24 paragraph 1, Article 25 paragraph 1, and Article 32 paragraphs 1 and 2 of Regulation 2016\u002F679, consisting of:
a) failure to implement appropriate technical and organizational measures, based on a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, and the risk of infringement of the rights and freedoms of natural persons, ensuring the security of data processing via email;
b) failure to implement appropriate technical and organizational measures to ensure the regular testing, measurement, and evaluation of the effectiveness of the technical and organizational measures securing personal data processed via email;
resulting in a violation of Article 5 paragraph 1 letter f) of Regulation 2016\u002F679 (principle of integrity and confidentiality) and Article 5 paragraph 2 of Regulation 2016\u002F679 (principle of accountability), imposes on N. D., conducting business under the name G. (...), for violating the provisions of Article 5(1)(f), Article 5(2), Article 25(1), and Article 32(1) and (2) of Regulation 2016\u002F679, an administrative fine of PLN 11,594 (in words: eleven thousand five hundred ninety-four zlotys).

Justification

1. N. D. conducts business under the name G. (...), ul. (...), (…)-(…) C. (hereinafter referred to as the \"Controller\"). According to the entry in the Central Register and Information on Business Activity of the Republic of Poland, the Controller's predominant business activity is accounting and bookkeeping activities and tax consultancy.

2. On January 22, 2021, the Controller submitted an initial notification to the President of the Personal Data Protection Office (hereinafter also referred to as the \"President of the Personal Data Protection Office\" or the \"supervisory authority\") of a personal data breach, which was detected on January 21, 2021.
The notification was registered under reference number DKN.5130.719.2021. On January 25, 2021, the Controller submitted a supplementary notification containing updated information regarding the aforementioned breach. The personal data breach involved an unauthorized entity gainin","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=UODO_(Poland)_-_DKN.5131.34.2023&diff=52032&oldid=52010","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F7\u002F7b\u002FLogoPL.png","2026-06-30T17:23:37+00:00","2026-06-30T18:00:16.864748+00:00",7,[18],{"name":19,"type":20},"UODO","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]