[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk2ZCNGK9FrE6Y3epvmyruNrLN8Y4lRJ7wMwRSop204Q":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"5813a414-5a0f-45cf-b1ff-4150d0d0e990","UODO (Poland) - DKN.5131.34.2023","uodo-poland-dkn-5131-34-2023-ef7290","Show changes","Poland's Data Protection Authority (UODO) has fined a data controller €2,760 for violating multiple GDPR articles, including those related to data security and appropriate measures. The breach, involving unauthorized access to personal data processed via email, was deemed a data breach under GDPR Article 4(12). The controller failed to implement adequate technical and organizational measures, conduct risk assessments, or regularly test their effectiveness prior to the breach notification.","Poland's UODO fines a controller €2,760 for GDPR violations after an email data breach.","UODO (Poland) - DKN.5131.34.2023. From GDPRhub, latest revision as of 12:56, 29 June 2026 (Av). |Original_Source_Name_1=UODO |Original_Source_Link_1=https:\u002F\u002Forzeczenia.uodo.gov.pl\u002Fdocument\u002Furn:ndoc:gov:pl:uodo:2023:dkn_5131_34\u002Fcontent 
|Original_Source_Language_1=Polish |Original_Source_Language__Code_1=PL === Holding === The DPA held that the controller had violated [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 5 GDPR|5(2)]], [[Article 24 GDPR|24(1)]], [[Article 25 GDPR|25(1)]], [[Article 32 GDPR|32(1)]], and [[Article 32 GDPR|32(2) GDPR]] and issued it a fine of € 2,760. First, it pointed out that mere unauthorised access to personal data processed via email constitutes a data breach under [[Article 4 GDPR#12|Article 4(12) GDPR]]. Second, the DPA held that the controller had failed to implement appropriate technical and organisational measures to ensure the security of this personal data – it had only taken measures to comply with the aforementioned provisions of the GDPR after the data breach had been notified to the DPA. The controller had not previously conducted a risk assessment. In addition, it had failed to regularly test, measure, and evaluate the effectiveness of the technical and organisational measures implemented. 
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. \u003Cpre>Decision DKN.5131.34.2023 The personal data concerned by the infringement of the provisions of Article 24(1), Article 25(1), Article 32(1) and (2) and Article 5(1)(f) and Article 5(2) of Regulation 2016\u002F679 do not belong to the special categories of personal data referred to in Article 9 of Regulation 2016\u002F679, or to the data listed in Article 10 of Regulation 2016\u002F679, but their wide scope (i.e. at least: first name and last name, parents’ first names, date of birth, bank account number, address of residence or stay, PESEL identification number, e-mail address, data concerning earnings, series and number of ID card, telephone number, image, data contained in passports, employment certificates, PCC-3 forms and personal questionnaires) is associated with a high risk of violation of the rights and freedoms of natural persons affected by the infringement. It should be emphasized in particular that the breach affected the PESEL identification number, the unauthorized disclosure of which (in combination with the name and surname) may have a real and negative impact on the protection of the rights and freedoms of an individual. The PESEL identification number, an eleven-digit numerical symbol that uniquely identifies an individual, containing, among other things, date of birth and gender, and therefore closely linked to the individual's private sphere and also subject, as a national identification number, to exceptional protection under Article 87 of Regulation 2016\u002F679, is data of a special nature and requires such special protection. 
\u003C\u002Fpre>Pursuant to Article 104 § 1 of the Act of June 14, 1960, the Code of Administrative Procedure (Journal of Laws of 2025, item 1691), Article 7 paragraphs 1 and 2, Article 60, Article 101, and Article 103 of the Act of May 10, 2018, on Personal Data Protection (Journal of Laws of 2019, item 1781, as amended), as well as Article 57 paragraph 1 letters a) and h), Article 58 paragraph 2 letter i), Article 83 paragraphs 1-3, Article 83 paragraph 4 letter a) in conjunction with Article 24 paragraph 1, Article 25 paragraph 1, and Article 32 paragraphs 1 and 2, as well as Article 83 paragraph 5 letter a) in conjunction with Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation) (OJ L 119, 4.05.2016, p. 1, OJ L 127, 23.05.2018, p. 2, and OJ L 74, 4.03.2021, p. 35), hereinafter referred to as \"Regulation 2016\u002F679\", after conducting ex officio administrative proceedings regarding the infringement of personal data protection provisions by N. D., conducting business under the name G. (...), ul. (…), (…)-(…) C., the President of the Personal Data Protection Office, finding that N. D., conducting business under the name G. (…), ul. 
(…), (…)-(…) C., has violated Article 24 paragraph 1, Article 25 paragraph 1, and Article 32 paragraphs 1 and 2 of Regulation 2016\u002F679, consisting of: a) failure to implement appropriate technical and organizational measures based on a risk analysis that takes into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, and the risk of infringement of the rights and freedoms of natural persons, ensuring the security of data processing via email, b) failure to implement appropriate technical and organizational measures to ensure the regular testing, measurement, and evaluation of the effectiveness of technical and organizational measures to ensure the security of personal data processed via email, resulting in a violation of Article 5 paragraph 1 letter b) of the GDPR. Pursuant to Article 5(1)(f) of Regulation 2016\u002F679 (principle of integrity and confidentiality) and Article 5(2) of Regulation 2016\u002F679 (principle of accountability), imposes on N. D., conducting business under the name G. (...), for violating the provisions of Article 5(1)(f), Article 5(2), Article 25(1), and Article 32(1) and (2) of Regulation 2016\u002F679, an administrative fine of PLN 11,594 (in words: eleven thousand five hundred ninety-four zlotys). Justification 1. N. D. conducts business under the name G. (...), ul. (...), (…)-(…) C. (hereinafter referred to as the \"Controller\"). According to the entry in the Central Register and Information on Business Activity of the Republic of Poland, the Controller's predominant business activity is accounting and bookkeeping activities and tax consultancy. 2. On January 22, 2021, the Controller submitted an initial notification to the President of the Personal Data Protection Office (hereinafter also referred to as the \"President of the Personal Data Protection Office\" or the \"supervisory authority\") of a personal data breach, which was detected on January 21, 2021. 
The notification was registered ","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=UODO_(Poland)_-_DKN.5131.34.2023&diff=52010&oldid=52008","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F7\u002F7b\u002FLogoPL.png","2026-06-29T12:56:00+00:00","2026-06-29T14:00:20.101066+00:00",7,[18],{"name":19,"type":20},"UODO","vendor","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":21,"icon":23,"name":24,"slug":25},null,"GDPR","gdpr",[27,32,34,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":33},{"id":21,"icon":23,"name":24,"slug":25},{"category":35},{"id":36,"icon":23,"name":37,"slug":38},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]