The Voivodeship Administrative Court confirms that data breaches cannot be trivialised

Sharing non-anonymised personal data with a journalist is a personal data breach and should be notified to the President of the Personal Data Protection Office - the Voivodeship Administrative Court in Warsaw has ruled.

The Voivodeship Administrative Court in Warsaw dismissed the complaint of the District Public Prosecutor’s Office in Gorlice against the decision of the President of the Personal Data Protection Office, in which the supervisory authority imposed a fine of PLN 20,000 on the controller. The reason for such a sanction was the failure to notify a personal data breach to the supervisory authority and the failure to communicate it to the persons affected by the incident.

The breach consisted in providing to a journalist, by way of access to public information, documents containing the data of three persons. The President of the Personal Data Protection Office did not question the mere making available of the documentation by way of access to public information, but the fact that in making it available, the controller did not comply with the principles of personal data protection and did not anonymise the transmitted documents.

Before the Court, the Public Prosecutor’s Office argued that the breach did not involve a high risk to the rights or freedoms of persons (e.g. identity theft), as it concerned only three persons and the data had been obtained by only one journalist, who had anonymised it himself before publishing the documents. According to the complainant, the journalist’s action showed that he had no intention to use the data for criminal purposes or to make it available to others. Hence, in the opinion of the Public Prosecutor’s Office, there was no need to notify the breach to the President of the Personal Data Protection Office, as there was no high risk to the rights and freedoms of the persons affected by the breach.

These arguments did not convince the Voivodeship Administrative Court in Warsaw. The Court found that the applicant was trying to play down the extent of the breach. Meanwhile, the scope of the disclosed data was wide and included, among others, names, surnames, addresses, personal identification numbers (PESEL numbers), and identity documents numbers. Among this information was also the data of a minor, including his or her health condition.

In the opinion of the Voivodeship Administrative Court in Warsaw, the supervisory authority rightly considered the duration of the breaches as a circumstance incriminating the Public Prosecutor’s Office. From the moment the controller received the information about the breach until the time the decision of the President of the Personal Data Protection Office was issued, 27 months elapsed. In the Court’s view, during this time, the risk to the rights or freedoms of natural persons whose data had been disclosed could have materialised. Moreover, these persons could not have counteracted such a risk due to the fact that the Public Prosecutor’s Office did not comply with its obligation to communicate this breach to these persons.

In the decision upheld by the Voivodeship Administrative Court in Warsaw the President of the Personal Data Protection Office, in addition to a fine, also applied an order to communicate this breach to the persons affected.