Poland: requirement to report even minor personal data breaches

The Polish Data Protection Authority ("Polish DPA") has fined a Polish insurance company approximately €24,000 over a seemingly minor personal data breach.

The insurance company sent a sensitive document by human error to an unauthorised third-party, which confirmed an award of damages following an insurance claim. Although the decision has yet to be made public, the case summary confirmed that the message contained personal information including the policy holder's first name, last name and mailing address, in addition to details of the insured car and information of the insurance claim, including policy number, damage number, value of damage and sum of awarded damages.

Although the error was flagged to the insurance company by the unauthorised recipient, the company did not respond, nor take any further actions. As a result of the personal data breach, although seemingly minor in scope and nature, the Polish DPA imposed a fine of approximately EUR 24,000. The insurer argued that the data breach did not require a notification to the Polish DPA (or to the data subject), as it was unlikely to result in a risk to the rights and freedoms of the individual. This was dismissed by the Polish DPA.

The supervisory authority emphasised that a thorough analysis must be undertaken to consider the interests of the data subject in the first instance, instead of those of the controller. Controllers therefore may still be obliged to notify the authority, even if the risk of misuse of data is negligible. This appears to contrast with the general position under Article 33 that controller need not notify its supervisory authority of a personal data breach if it is "unlikely" to result in a risk to the rights and freedoms of natural persons.  The Polish DPA did not address the reason for this contrast.

The decision of the Polish DPA indicates that even insignificant breaches should be reported, at least as far as the Polish DPA is concerned. Controllers should bear this decision in mind when determining whether personal data breaches require notification under GDPR to the supervisory authority.

The insurance company has filed a complaint against the Polish DPA's decision, which could result in it being overturned by the Polish administrative court.


Katie Hewson

Jenna Franklin

Isabella Clark