
High penalties for failing to promptly notify the DPA of an incident 

High penalties for data protection breaches in Poland by SZiP law firm.


Authored by Agata Majewska, Counselor at Law and a specialist in data protection and compliance law at SZiP, one of the leading law firms in the southern Polish market and a valued partner to Whistlelink, this article draws attention to the significant penalties imposed on data controllers in Poland in March 2024.

In March 2024, the President of the Office for Personal Data Protection issued two decisive rulings, imposing substantial financial penalties on data controllers. Both cases involved failure to promptly notify the authority of identified personal data security breaches. What actionable guidance can data controllers derive from these cases?  

A fine exceeding one million for non-cooperation with the authority

Santander Bank Polska S.A. faced a hefty fine of nearly PLN 1.5 million for the following infractions: 

  • Neglecting to report a data protection incident to the Data Protection Authority (DPA). This incident involved the inadvertent public exposure of bank documents contained in a parcel abandoned at a housing estate. The documents had been stolen during transit by a courier company. Despite the occurrence in November 2018, the DPA only learned of the incident through an online article in August 2022.

  • Failing to notify 158 affected individuals about the breach and the potential risks it posed to them.

Furthermore, Toyota Bank Polska S.A. received a fine exceeding 48 thousand zlotys due to: 

  • Neglecting to promptly report a violation of personal data protection to the President of the DPA. This violation occurred when a bank employee mistakenly sent a package containing a contract and loan repayment schedule to another bank customer. Although the bank documented the incident, it failed to report it to the supervisory authority within the mandated 72-hour timeframe. Instead, the report was submitted almost 1.5 years after the discovery of the incident! 

What determined the high penalties? 

The justification behind the DPA’s decision sets out the factors that contributed to the imposition of significant penalties, notably:

  • Toyota Bank’s failure to promptly notify the President of the DPA of the breach impeded the authority’s capacity to respond effectively, to assess the contents of the customer’s notification against the Administrator’s adherence to its obligations under the GDPR, and to provide thorough details regarding the potential ramifications of the breach and viable measures to mitigate its effects.

  • The penalised entity’s inability to demonstrate that the unintended recipient of the personal data could be deemed a trusted party raised concerns about data security.

  • In both cases, the risk assessment failed to consider the perspective of bank customers, potentially exposing them to non-pecuniary damages resulting from the breach. Personal data such as names, PESEL numbers, contract details, and addresses were compromised, violating confidentiality and banking secrecy laws and exacerbating the breach’s severity.

  • The breach also involved the unlawful disclosure of information covered by bank secrecy, intensifying its seriousness and highlighting the potential adverse effects on data subjects.

  • Santander’s outright failure to notify the President of the DPA, and Toyota Bank’s continued violation lasting nearly 18 months (only brought to light by a customer’s complaint to the authority regarding their compromised data), emphasised the severity of the situation.

  • Both entities deliberately and knowingly failed to promptly report the breaches, indicating the willful nature of the violations.

  • Santander’s history of previous data protection violations further compounded the severity of the current breach.

What implications do the decisions under discussion hold for administrators? 

A pivotal takeaway from both rulings is the critical importance of promptly notifying the supervisory authority of any personal data security breach whenever the rights and freedoms of those affected are at risk of infringement.

As emphasised by the President of the DPA, “Notifications of a personal data breach enable the supervisory authority to respond effectively, mitigating the impact of such breaches (…) Additionally, informing individuals affected by the breach offers them insight into associated risks and guidance on protective measures to mitigate potential adverse effects.” 

In doing so, the President of the DPA underscores not only the purpose of notification but also the broader objectives of data protection regulations. These regulations aim to safeguard individuals’ interests and shield them from the adverse consequences of unauthorized data disclosure. 

This article is a guest post from Ślązak, Zapiór and Partners Law Firm in Poland. Please visit their website to learn more about their services!
