[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3zkVKkuHy4wZ5TkH260P0AtgXVKN7yyLHzq9pNWjSAQ":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":25,"created_at":26,"published_at":27,"article":28,"tags":32,"podcasts":51},"f0786bb6-a4e0-4328-8894-b67eeb8818e2","polish-municipal-unit-fined-for-employee-data-leak-and-failure-to-report-gdpr-breach","5fe3df43-a149-47fa-9e0f-34e52e717e76","Polish Municipal Unit Fined for Employee Data Leak and Failure to Report GDPR Breach","A municipal social welfare unit in Poland was fined PLN 33,700 after an employee uploaded a file containing sensitive personal data — including quarantine status — to a private server, where it was subsequently indexed by public search engines. The root failures were threefold: inadequate technical and organisational controls to prevent unauthorised data sharing, a complete failure to report the breach to the supervisory authority (UODO), and a failure to notify the affected data subjects. This case illustrates that GDPR liability does not end with the breach itself — organisations that fail to follow mandatory notification obligations face compounded penalties. It also highlights how a single employee's insecure action, absent proper training and data handling controls, can expose an organisation to significant regulatory and reputational harm.","**Immediate actions:**\n- Audit all employee access to external file-sharing and personal cloud\u002Fserver resources and revoke unnecessary permissions immediately.\n- Establish a documented breach response procedure that includes DPA notification within 72 hours as required by GDPR Article 33.\n- Notify affected data subjects without undue delay wherever a breach is likely to result in high risk to their rights and freedoms.\n\n**Long-term improvements:**\n- Implement Data Loss Prevention (DLP) tools to detect and block unauthorised transfers of personal data to external or unapproved platforms.\n- Classify all data assets by sensitivity and enforce technical controls restricting how sensitive files (especially special category data) can be stored or shared.\n- Embed mandatory GDPR and data handling training into onboarding and annual refresher programmes for all staff.\n\n**Detection & monitoring measures:**\n- Deploy web monitoring or Google Dork-style alerting to detect if organisational data appears in public search engine indexes.\n- Implement centralised logging of file access and transfer events to enable rapid detection and forensic review of potential data incidents.\n- Conduct regular internal audits and simulated breach drills to test the organisation's incident response and notification readiness.",[12,13,14,15,16,17,18,19,20,21,22,23,24],"GDPR Article 5(1)(f) — Integrity and confidentiality","GDPR Article 25 — Data protection by design and by default","GDPR Article 32 — Security of processing","GDPR Article 33 — Notification of a personal data breach to the supervisory authority","GDPR Article 34 — Communication of a personal data breach to the data subject","NIST SP 800-53 IR-6 — Incident Reporting","NIST SP 800-53 AC-3 — Access Enforcement","NIST SP 800-53 SI-12 — Information Management and Retention","CIS Control 3 — Data Protection","CIS Control 14 — Security Awareness and Skills Training","CIS Control 17 — Incident Response Management","ISO\u002FIEC 27001:2022 Annex A 5.33 — Protection of records","ISO\u002FIEC 27001:2022 Annex A 6.3 — Information security awareness, education and training","published","2026-07-09T14:22:09.851207+00:00","2026-07-09T14:22:09.682+00:00",{"id":7,"url":29,"slug":30,"title":31},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=UODO_(Poland)_-_DKN.5131.27.2023&diff=52147&oldid=0","uodo-poland-dkn-5131-27-2023-37c6ac","UODO (Poland) - DKN.5131.27.2023",[33,39,45],{"id":34,"name":35,"slug":36,"description":37,"color":38},"182e11d5-57c4-444e-8ec8-4682ad60261b","Incident Response","incident-response","Slow detection, poor containment, missing playbooks","#14b8a6",{"id":40,"name":41,"slug":42,"description":43,"color":44},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":46,"name":47,"slug":48,"description":49,"color":50},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6",[]]