The controller should notify the personal data breach to the President of the SA without undue delay
The President of the Personal Data Protection Office has imposed an administrative fine of PLN 10,000 on the District Court in Krakow (hereafter also referred to as the Court or controller) for failing to notify the personal data breach to the supervisory authority and for failing to communicate the breach to the data subject without undue delay. According to the GDPR, the notification should be done not later than 72 hours after having become aware of it.
The Personal Data Protection Office received a personal data breach notification from the Minister of Foreign Affairs (also referred to as the MFA). It concerned the delivery of a damaged and incomplete package by the postal operator to the addressee. The President of the Polish SA was informed not by the data controller, but by the MFA, to which the addressee reported incorrectness in its delivery.
Upon receiving information about the breach, the Ministry of Foreign Affairs notified the supervisory authority that the Consulate General of the Republic of Poland had sent, at the request of the District Court in Krakow, as legal assistance, correspondence containing personal data through a postal operator. The Consulate notified the District Court in Krakow, the data controller as the sender of the package, that the postal operator had delivered the damaged and incomplete correspondence to the addressee. However, the Court, despite being the controller of the sent data in the concerned case, did not to notify the personal data breach to the supervisory authority.
The protection of special categories of personal data was breached
In the case concerned, the protection of the personal data of seven persons was breached, whereby four of them were facing a high risk of violation of their rights or freedoms due to the extent of the personal data breached. The breach included PESEL numbers (Polish: Powszechny Elektroniczny System Ewidencji Ludności; Universal Electronic System for Registration of the Population), as well as information about the plaintiff's health and psychological opinions of two children. This information was linked to, among other things, first and last names and the context of the divorce case, could result in loss of control over the data, risks associated with the release of PESEL numbers, but also discrimination in the environment of these individuals or breaches of their personal rights. The easiness of identification of persons, based on the data indicated, should also be emphasised. These circumstances were not taken into account by the controller when analysing the incident, even if forced by subpoenas from the President of the Polish SA. The Court limited its actions to checking in the postal operator's system whether there were annotations regarding the delivery of correspondence.
The controller, by deciding not to notify the personal data breach to the supervisory authority as well as not to communicate it to the data subjects, in practice deprived the data subjects of reliable information about the personal data breach provided without undue delay and the opportunity to prevent potential damage.
The President of the Personal Data Protection Office urged the Court to indicate whether an analysis of the risk of breach of the rights or freedoms of individuals necessary for assessing whether there has been a data protection breach resulting in the need to notify the breach to the supervisory authority and communicate it to the persons affected by the breach has been carried out. However, the Court pointed out that the authority competent to exercise supervision over the processing of personal data processed in court proceedings in the exercise of justice or the performance of legal protection tasks, the controller of which are courts within the meaning of Articles 174da and 175db of the Law on the System of Common Courts is, for the District Court in Krakow, the President of the Court of Appeals in Krakow. According to the Polish SA, since the breach occurred in connection with the administrative part of the court's activities, it should be notified under the procedure provided for in Article 33(1) of the GDPR to the President of the Polish SA, as the competent supervisory authority. Also not irrelevant to the case is the fact that it is not within the competence of the judicial supervisory bodies referred to in Article 175 dd § 1 of the Law on the System of Common Courts to accept notifications of data protection breaches, or to assess them on their merits.
Aggravating circumstances
The authority's proceedings also revealed other incorrectness related to the breach. The Court's data protection officer misjudged the level of risk to the rights and freedoms of natural persons. This was because he indicated that the fact that the documents were drawn up in Polish and sent to the UK did not create a high risk in this regard. In the opinion of the President of the Personal Data Protection Office, the fact that documents containing personal data were drawn up in Polish and sent to a country where the official language is English does not mitigate the level of risk. In the era of tools that allow the rapid translation of documents, as well as due to the fact that in the UK a large part of the population speaks Polish, it is wrong to assume that this circumstance allows to mitigate the level of risk.
The President of the Polish supervisory authority considered the long duration of the breach as an aggravating circumstance. From the time the controller became aware of the personal data breach until the date of this decision, 16 months elapsed, during which the risk of a high-level breach of the rights or freedoms of the four individuals subject to such a risk could have been realised, and which the individuals could not have countered due to the controller's failure to communicate the breach to them.
The President of the Personal Data Protection Office ordered the controller to provide the four persons whose data contained in the documents included in the damaged postal package were particularly vulnerable with the information required under Article 34(2) of the GDPR, within three days of receiving the decision. At issue is the high risk of breaching the rights and freedoms of the plaintiff, the defendant and their two children.
Decision is available here (in Polish)