[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZ18NYqH7ivLRwcRzPhLFNhomvEG9_5J-ijL-3Hlw6q0":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":24,"created_at":25,"published_at":26,"article":27,"tags":31,"podcasts":50},"d77953a0-c0fb-4636-b0bd-557db98b9c6e","polish-municipal-welfare-unit-fined-for-unreported-health-data-breach-exposed-via-public-server","6a38eb77-2f16-4598-ae10-cc3e3968da12","Polish Municipal Welfare Unit Fined for Unreported Health Data Breach Exposed via Public Server","A municipal social welfare unit in Poland failed to implement adequate technical and organizational measures to protect sensitive health and quarantine data, which was inadvertently exposed on a public server and indexed by search engines. Compounding the violation, the organization failed to report the breach to the supervisory authority within the mandatory 72-hour window after discovering it in February 2021 — more than two months after the November 2020 exposure. The case also highlights a governance failure, as the unit initially denied being the data controller, suggesting a lack of clarity around data ownership and accountability. These combined failures — poor security hygiene, delayed breach notification, and unclear data controller responsibilities — represent a systemic breakdown in GDPR compliance that resulted in three separate fines.","**Immediate actions:**\n- Audit all public-facing servers and storage assets to ensure no sensitive personal data is inadvertently exposed or indexable by search engines.\n- Establish a documented breach notification procedure that enforces the 72-hour GDPR reporting obligation with assigned owners and escalation paths.\n- Clearly document and assign data controller responsibilities across all organizational units handling personal data.\n\n**Long-term improvements:**\n- Implement Data Protection Impact Assessments (DPIAs) for any system processing special category data such as health information.\n- Conduct regular staff training on GDPR obligations, including breach identification, reporting timelines, and data controller accountability.\n- Enforce a data minimization and classification policy to ensure sensitive data is stored only in appropriately secured, access-controlled environments.\n\n**Detection measures:**\n- Deploy web crawling and external exposure monitoring tools to detect publicly indexed sensitive data proactively.\n- Implement logging and alerting on access to repositories containing special category personal data to detect unauthorized or anomalous access early.",[12,13,14,15,16,17,18,19,20,21,22,23],"GDPR Article 5(1)(f) – Integrity and confidentiality principle","GDPR Article 25 – Data protection by design and by default","GDPR Article 32 – Security of processing","GDPR Article 33 – Notification of a personal data breach to the supervisory authority","GDPR Article 34 – Communication of a personal data breach to the data subject","NIST SP 800-53 IR-6 – Incident Reporting","NIST SP 800-53 AC-3 – Access Enforcement","NIST SP 800-53 RA-2 – Security Categorization","CIS Control 3 – Data Protection","CIS Control 17 – Incident Response Management","ISO\u002FIEC 27001:2022 A.5.33 – Protection of records","ITIL Service Management – Incident Management and Escalation Procedures","published","2026-07-09T14:21:23.760825+00:00","2026-07-09T14:21:23.423+00:00",{"id":7,"url":28,"slug":29,"title":30},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=UODO_(Poland)_-_DKN.5131.27.2023&diff=52150&oldid=52147","uodo-poland-dkn-5131-27-2023-e104f1","UODO (Poland) - DKN.5131.27.2023",[32,38,44],{"id":33,"name":34,"slug":35,"description":36,"color":37},"182e11d5-57c4-444e-8ec8-4682ad60261b","Incident Response","incident-response","Slow detection, poor containment, missing playbooks","#14b8a6",{"id":39,"name":40,"slug":41,"description":42,"color":43},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",{"id":45,"name":46,"slug":47,"description":48,"color":49},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6",[]]