Polish DPA Fines Medical Entity PLN 40,000 for Failure to Report a Patient Data Breach

The President of the Polish Data Protection Authority (UODO) has imposed an administrative fine of PLN 40,000 on a medical entity for failing to report a personal data breach and for not informing the affected patient, in breach of the obligations set out in the GDPR.

The case involved the unauthorised disclosure of special category personal data, specifically data concerning the health of a patient. Despite the sensitive nature of the data and the obvious risk to the rights and freedoms of the data subject, the controller did not notify the breach to the supervisory authority nor did it inform the patient.

In its reasoning, UODO emphasised that:

  • health data constitutes a special category of personal data under Article 9 GDPR,

  • even a single incident involving such data may result in serious consequences for the data subject,

  • the absence of effective incident response procedures constitutes an independent infringement of Article 32 GDPR.

The authority underlined that healthcare providers are required to implement enhanced technical and organisational measures, including clear procedures for identifying, assessing and reporting personal data breaches.

This decision once again confirms that the healthcare sector remains one of the most strictly supervised areas of GDPR enforcement in Poland, and that failure to comply with breach notification obligations may lead to significant administrative fines.
