Policy | Jun 29, 2026

UODO (Poland) - DKN.5131.34.2023

Poland's UODO fines accounting firm €2,760 for data breach due to inadequate security.

Summary

Poland's data protection authority (UODO) has fined an accounting and tax consulting company €2,760 for failing to implement adequate technical and organizational measures following a data breach. The breach involved unauthorized access to an employee's email account, exposing sensitive personal data of clients and their families. The DPA ruled that mere unauthorized access constitutes a data breach and that the company's security measures were insufficient, only being implemented after the breach was reported.

Full text

UODO (Poland) - DKN.5131.34.2023 (GDPRhub, revision as of 12:50, 29 June 2026)

Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 24(1) GDPR; Article 25(1) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 12.12.2023
Decided: 13.06.2026
Published: 26.06.2026
Fine: 2,760 EUR
Parties: n/a
National Case Number/Name: DKN.5131.34.2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: av

The DPA fined an accounting and tax consulting company €2,760 for failure to implement technical and organisational measures following a data breach that led to unauthorised access to personal data processed via email.

English Summary

Facts

An unauthorised entity gained access to an email account belonging to an employee at an accounting, bookkeeping and tax consulting company (the controller). The account contained personal data of clients, their employees, and their children (the data subjects), including their names, dates of birth, salary information, and tax declarations. The controller notified the supervisory authority of a data breach in January 2021. The DPA initiated administrative proceedings regarding possible GDPR violations in December 2023. The controller argued that no personal data breach within the meaning of Article 4(12) GDPR had occurred, as the unauthorised entity had only accessed, and not obtained, the personal data in question.
Holding

The DPA held that the controller had violated Articles 5(1)(f) and 5(2), 24(1), 25(1), 32(1), and 32(2) GDPR and issued it a fine of €2,760.

First, it pointed out that mere unauthorised access to personal data processed via email constitutes a data breach under Article 4(12) GDPR.

Second, the DPA held that the controller had failed to implement appropriate technical and organisational measures to ensure the security of this personal data: it had only taken measures to comply with the aforementioned provisions of the GDPR after the data breach had been notified to the DPA. The controller had not previously conducted a risk assessment. In addition, it had failed to regularly test, measure, and evaluate the effectiveness of the technical and organisational measures implemented.

Finally, the DPA found that the processing posed a high risk to the rights and freedoms of data subjects: it affected a large number of individuals and concerned a broad scope of personal data. When determining the amount of the fine, the DPA took into account that there was a clear imbalance between the data subjects and the controller: the data subjects were required to provide personal data to the controller to fulfil obligations under labour law, social security law, and tax law and could not independently control the data. Consequently, the DPA considered the GDPR infringements to be of significant gravity.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
The personal data concerned by the infringement of the provisions of Article 24(1), Article 25(1), Article 32(1) and (2) and Article 5(1)(f) and Article 5(2) of Regulation 2016/679 do not belong to the special categories of personal data referred to in Article 9 of Regulation 2016/679, or to the data listed in Article 10 of Regulation 2016/679, but their wide scope (i.e. at least: first name and last name, parents' first names, date of birth, bank account number, address of residence or stay, PESEL identification number, e-mail address, data concerning earnings, series and number of ID card, telephone number, image, data contained in passports, employment certificates, PCC-3 forms and personal questionnaires) is associated with a high risk of violation of the rights and freedoms of natural persons affected by the infringement.

It should be emphasized in particular that the breach affected the PESEL identification number, the unauthorized disclosure of which (in combination with the name and surname) may have a real and negative impact on the protection of the rights and freedoms of an individual. The PESEL identification number, an eleven-digit numerical symbol that uniquely identifies an individual, containing, among other things, date of birth and gender, and therefore closely linked to the individual's private sphere and also subject, as a national identification number, to exceptional protection under Article 87 of Regulation 2016/679, is data of a special nature and requires such special protection.

Source: https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5131.34.2023&oldid=52008 (page last edited on 29 June 2026, at 12:50)