Poland: criteria for reporting personal data breaches made even more stringent

The Polish DPA imposed a fine on an insurance company, for failure to notify a seemingly insignificant personal data breach.

Unauthorized recipient

Due to human error, a Polish insurance company, sent to an unauthorized recipient a document confirming award of damages further to an insurance claim. According to a summary of the decision published by the authority (the decision has not been made public yet), the message contained the first and the last name, mailing address, as well as data relating to the insured car such as its make, model and registration number.  The unauthorized recipient also received information on the policy number, damage number, the value of the damage and the sum of awarded damages. They informed the insurer about the situation, but the company did not respond.

Even incidental violations may be fined

Despite the scope and nature of data disclosed to the unauthorised recipient and the fact that the risk of misuse of the data could be regarded as low given the cooperation of the recipient, the Polish DPA imposed a fine of approximately EUR 24000. The Polish DPA stressed that data controllers are always obliged to notify the authority when there is even a mere risk of a violation of the rights and freedoms of individuals.

Thus, the authority did not accept the insurer’s claim that, pursuant to ENISA’s breach assessment methodology, the breach was unlikely to result in a risk to the rights and freedoms of the affected individual and thus did not require a notification. The Polish DPA explained that for an analysis to be thorough it must take into consideration first and foremost the interests of the data subject, rather than those of the controller.

The insurance company has filed a complaint against the decision and thus it may be changed by an administrative court.  Nevertheless, for the time being, controllers must take this decision into consideration when assessing the need to report a data breach.


Authored by Ewa Kacperek and Wiktoria Kossakowska-Wojdaszka.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.