Published 30 April 2021
The Polish Data Protection Authority (the “Polish DPA”) has imposed an administrative fine amounting to EUR 20,000 (PLN 85,000) on an entrepreneur for failing to comply with an order to notify data subjects of a personal data breach. This is the first fine imposed by the Polish DPA for non-compliance with an administrative order under the GDPR. The decision provides a useful reminder that data protection regulators can, and do, order data subject notification even where a controller has concluded that the threshold for notification under Article 34 GDPR has not been met.
The entrepreneur was undertaking an economic activity in the healthcare sector when a personal data breach occurred. The Polish DPA ordered the entrepreneur to communicate the breach to its patients and to provide them with recommendations on how to minimise the potential adverse effects of the incident.
The Polish DPA went so far as to provide the entrepreneur with the wording of the communication to data subjects, together with instructions on the method of delivery. However, the entrepreneur failed to notify the data subjects, which left them unable to understand the nature of the breach and its possible consequences.
In light of the entrepreneur’s failure to notify data subjects, the Polish DPA commenced ex officio proceedings to enforce compliance.
In deciding the fine, the Polish DPA took into consideration:
The entrepreneur’s failure to comply with the guidelines provided by the Polish DPA showed a total disregard for their data protection obligations as a controller.
The Polish DPA’s decision serves as a reminder that, in cases of non-compliance, the supervisory authority can use its corrective powers under Article 58(2) GDPR to impose administrative fines and/or to order the communication of a personal data breach to data subjects.
It also demonstrates that compliance with the recommendations of the supervisory authority is expected and will be enforced. This element of the decision underlines the importance of keeping accurate records of the actions taken to notify data subjects.