The President of the Polish Data Protection Authority (UODO) has imposed an administrative fine on a court bailiff for failing to comply with the obligations set out in Articles 33 and 34 of the GDPR, namely the failure to notify a personal data breach to the supervisory authority and the failure to inform the affected data subject.
The case concerned correspondence containing personal data — including the individual’s name, address and national identification number (PESEL) — which was sent to an unauthorised recipient. Despite identifying the incident, the data controller did not notify the breach to UODO, incorrectly assuming that the risk to the data subject was negligible.
In its decision, UODO clearly stated that:
- the controller is responsible for assessing the risk associated with a personal data breach, but such assessment must be properly documented,
- failure to notify a breach requires a well-founded and objective conclusion that the breach is unlikely to result in any risk to the rights and freedoms of natural persons,
- disclosure of identification data, such as a national ID number, generally entails at least a medium level of risk.
UODO also emphasised that professional secrecy or public trust professions — including court bailiffs, notaries or lawyers — are not exempt from GDPR obligations. On the contrary, entities processing personal data in sensitive legal contexts are expected to exercise an increased level of diligence and accountability.
This decision serves as an important reminder that data breach notification duties are a core element of GDPR compliance, and that failure to meet them may result in financial penalties, regardless of whether the breach was intentional or accidental.
