Failure to notify that a document has been erroneously sent with the patient’s data
The President of the Personal Data Protection Office imposed a fine of PLN 40 000 on Gyncentrum (Medical Center) for failing to notify a personal data breach. In the same case, the President of the Personal Data Protection Office issued a reprimand to the company for failing to communicate the data breach to the data subjects without undue delay.
The Medical Centre, which deals, inter alia, with the treatment of infertility, sent a confirmation of the execution of a refund transfer, the title of which indicated the name of a genetic test, to another person who was also a patient of the Medical Centre (the two patients have the same first name). The document contained personal data: first name, surname, bank account number and address. It also contained the amount of the transfer and the name of the test carried out, revealing that it was part of extensive prenatal diagnostics.
In the course of the proceedings before the President of the Personal Data Protection Office, it became apparent that the incident was the result of an employee’s error. However, the data controller considered that the event did not involve the possibility of a violation of the rights and freedoms of natural persons, and therefore refrained from notifying the breach to the President of the Personal Data Protection Office. The affected patient learned about the incident from the other Medical Centre patient.
In this case, it is crucial to assess whether the situation may give rise to a risk to the rights and freedoms of natural persons. The GDPR requires, when assessing that risk, the use of a three-step scale.
Breaches do not need to be reported to the President of the Personal Data Protection Office, but only documented, if the likelihood of a breach of the rights and freedoms of natural persons is excluded. This is the case where, although the incident occurred, there is no risk arising from its consequences (the GDPR uses the word "unlikely").
If the risk cannot be considered unlikely (it is likely that certain risks will materialise), it is the controller’s responsibility to notify the data breach to the President of the Personal Data Protection Office and to include the relevant entry in the internal register of data breaches.
The identification of a high risk to the rights and freedoms of natural persons, in addition to recording the incident in the register of data breaches, requires the controller to take appropriate action both in relation to the supervisory authority (notification of a personal data breach) and in relation to the data subjects (communicating the personal data breach to them).
In the case of the misdirected refund transfer confirmation, in the opinion of the President of the Personal Data Protection Office, the controller misjudged the situation. The incident constituted a breach of the confidentiality of data with a high risk to the rights and freedoms of natural persons. The information contained in the refund transfer confirmation allows conclusions to be drawn as to the state of health of the data subject. It therefore creates a risk of specific negative consequences, in the form of a possible violation of personality rights or discrimination.
If the risk is high, it is necessary to inform the President of the Personal Data Protection Office and the data subjects.
In its decision, the President of the Personal Data Protection Office indicates that the notification of personal data breaches by controllers is an effective tool for improving the security of the processing of personal data. When notifying a breach, controllers inform the supervisory authority whether they consider it to pose a high risk to the rights and freedoms of data subjects and, if so, whether they have provided the relevant information to the affected individuals. In certain cases, they may also indicate that there is no communication requirement, in view of the special circumstances provided for in Article 34(3) GDPR. The controller’s position on these points is subject to verification by the President of the Personal Data Protection Office. It is worth stressing that the notification of an incident, and the review of its correct handling carried out by the President of the Personal Data Protection Office, serve the interests of the controller and of the data subjects equally, contributing to the correct implementation of the controller’s obligations in question and to the protection of the rights and freedoms of data subjects.
Decision in Polish: DKN.5131.3.2025