Details:

Summary One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide range of data on judges to be available on the Internet. By making them public, the administrator posed a potential risk of their unauthorized use, e.g. to impersonate them for the purpose of borrowing or other obligations. Although the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the PDPA, the fact that attempts to remove it were ineffective determined the imposition of a penalty.

When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among others, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). It concluded that although the infringement was finally removed, it was of a serious nature.However, when imposing a penalty, the President of the Office of Competition and Consumer Protection also took into account mitigating circumstances, such as good cooperation between the controller and the supervisory authority or lack of evidence that damage had been caused to the persons whose data had been disclosed.

Link: link link
Related articles:  Art. 6 GDPR
Type: Insufficient legal basis for data processing
Fine: EUR 12,950
Sector Individuals and Private Associations

 

All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/

Tags: case law