The Voivodship Administrative Court in Warsaw on 31 August 2022 dismissed the complaint of the Lex Nostra Foundation for the Promotion of Mediation and Legal Education against the decision of the President of the Personal Data Protection Office to impose a financial penalty on the Foundation.
The merits of the case concerned the penalty for failing, contrary to the provisions of the GDPR, to report a personal data breach and failing to inform the Foundation's beneficiaries whose data had been lost because of the theft of document folders.
The WSA confirmed that the Foundation had failed to make an adequate notification of the data security breach, which, as the controller of the personal data, it was obliged to make. Moreover, the lack of notification could itself have resulted in a violation of the rights and freedoms of the persons whose data had been lost. Consequently, there was a breach of the GDPR regulations.
The Court also confirmed that the PDPO was right to assume that the incident in question could have resulted in considerable damage including financial loss, identity theft and forgery, discrimination, and damage to an individual's reputation. In turn, the failure to provide the notification in question prevented the data subjects from taking any remedial action and failed to minimise the possible negative effects of the breach.
In the WSA's view, considering the above, the fine imposed on the Foundation was justified and adequate to the situation, which consequently led to the dismissal of the Foundation's complaint.
Case ref. II SA/Wa 2993/21
According to Article 4(12) of the GDPR, a personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed".
The data controller has the following obligations in relation to a data breach:
The implementation of appropriate procedures for dealing with an incident or a suspected data breach is the foundation of any organisation's data security policy. The speed with which action is taken, and the proficiency with which an incident is identified, are critical to the security of an organisation's personal data processing.
In the event of any data breach, the controller should assess the risk and classify the incident in terms of the risk it poses to the rights and freedoms of natural persons. If that assessment identifies a risk to the rights and freedoms of natural persons, the controller is obliged to inform the President of the Personal Data Protection Office about the breach immediately.
Furthermore, it is important to note that, regardless of the outcome of the risk assessment, the controller is also obliged, whenever an incident occurs, to implement countermeasures that reduce the risks and ensure an adequate level of personal data security.