The Supreme Administrative Court dismissed the cassation appeal

The Supreme Administrative Court dismissed the cassation appeal of the owner of the dental clinic against the decision of the President of the Polish SA

By judgment of 24 November 2025, the Supreme Administrative Court dismissed the cassation appeal against the decision of the President of the Personal Data Protection Office imposing an administrative fine on an entrepreneur – the owner of a dental clinic – for non-compliance with an order issued by its final decision.

In connection with the personal data breach notified in July 2019 by the entrepreneur, the President of the Office issued a decision in which he ordered the entrepreneur to inform the persons affected by this breach of the unauthorised copying of their personal data by a former employee of the clinic (who wanted to use these data for marketing purposes of his own business).

In the course of the proceedings conducted by the President of the Personal Data Protection Office to verify the implementation of the decision, the entrepreneur initially avoided responding to requests to confirm and prove the implementation of this decision. He then provided vague, evasive and contradictory explanations; claimed, for example, that it did not know how many persons data had been unlawfully disclosed, or that it did not know how to execute the order of the President of the Personal Data Protection Office. The entrepreneur even maintained that it was the duty of the President of the Office to communicate the incident that occurred in the clinic to the persons affected.

Finally, the entrepreneur provided evidence of the sending of 37 communications in the form of an invoice for the purchase of 37 postage stamps and a written statement from the person who, as an alleged postal worker, sent the entrepreneur letters to be sent by ordinary (unregistered) mail. Such evidence of the correct informing of the persons affected by the breach could not be treated by the President of the Personal Data Protection Office as reliable, and therefore, for non-compliance with the order imposed by a final decision, he punished the entrepreneur with an administrative fine of PLN 85 588. It is worth noting that, shortly after notification of the penalty decision to the entrepreneur, it submitted undisputed evidence of the correct implementation of the order of the President of the Office – copies of the letters and confirmations of their sending by registered letters. However, those letters were sent to the persons affected after issuing a final decision by the supervisory authority.

In January 2021, the entrepreneur lodged a complaint against the decision of the President of the Personal Data Protection Office with the Voivodship Administrative Court in Warsaw, asking for the decision to be annulled in its entirety and for the proceedings to be discontinued, or for the imposition of a fine to be waived and for a reprimand to be issued. The entrepreneur alleged that the supervisory authority had infringed the procedural rules by failing to provide a proper explanation of the facts of the case, resulting in a subjective assessment of the incident and an inadequate amount of the administrative fine imposed.

However, in November 2021, the Voivodship Administrative Court dismissed the complaint, stating that the decision of the supervisory authority was lawful both as regards the breach itself and the amount of the fine imposed.

Therefore, the entrepreneur lodged a cassation appeal with the Supreme Administrative Court, referring to the fact that it provided undisputed evidence of the correct implementation of the order of the President of the Office.

However, in its judgment of November 2025, the Supreme Administrative Court found that the entrepreneur’s action leading to the execution of the order of the decision of the President of the Personal Data Protection Office was late. The President of the Personal Data Protection Office assesses the case and applies appropriate corrective measures as at the date of the decision. In its judgment, the Supreme Administrative Court also emphasised that it was the entrepreneur who was obliged to have documents for the communication of the breach to the persons affected by it and the obligation to demonstrate to the supervisory authority the implementation of its obligation (which results from the accountability principle).

In informing about this case and the judgment of the Supreme Administrative Court, the supervisory authority wishes to draw attention to the specific – and so far, rarely used – remedy at its disposal, which is an administrative fine imposed for ‘non-compliance with an order issued by a supervisory authority’. It is a measure that is independent of the tools that provide, in the event of failure to comply with an obligation imposed by an administrative decision, for the provisions of the Act on enforcement proceedings in the administration. Due to the fact that this measure is much more onerous than the so-called fines used in administrative enforcement for the purpose of coercion, the President of the Office provides for its application in situations of intentional, notorious or disrespectful attitude to personal data protection obligations of non-execution of orders of its decisions by controllers or processors.

Decision of the President of the Personal Data Protection Office (in Polish): DKE.561.11.2020

Judgment ref. no. III OSK 2183/22 of the Supreme Administrative Court