The Voivodeship Administrative Court in Warsaw: consequences of the event need not materialise
The Voivodeship Administrative Court in Warsaw, in a judgment of 26 April 2023*, upheld the decision of the President of the Personal Data Protection Office (UODO)** regarding the imposition of an administrative fine on a controller for failing to notify a personal data breach to the supervisory authority. According to the Court, the controller’s complaint did not deserve to be upheld.
As a reminder, this is a case in which the President of the Office (UODO) issued a decision in 2022 imposing a fine on the controller in the amount of almost PLN 16,000. The decision was the result of proceedings initiated by a notification of potential irregularities in the controller’s processing of personal data. In the course of the investigation, it was revealed that a document belonging to one of the company’s employees had been lost from the personnel file. At that time, the controller took the view that, although there had been a personal data breach consisting of the loss of an employee’s employment certificate as a result of the employer’s fault, it would not notify this breach to the supervisory authority. In its view, the incident did not involve a risk to the rights or freedoms of the data subject. The controller disagreed with the supervisory authority’s decision to impose a fine and therefore appealed to the Voivodeship Administrative Court.
Data breaches must be notified
The Court pointed out in the explanatory memorandum to the judgment that the occurrence of a data breach is the prerequisite that gives rise to the controller’s duty to notify such an event. In the case of a breach, the timing of the response is very important. The controller shall notify the breach to the supervisory authority without undue delay, and no later than 72 hours after having become aware of it. Where the breach is likely to result in a high risk to the rights or freedoms of the persons whose data are affected, the controller should also notify the incident to those persons. Importantly, the Court emphasised that the possible consequences of the incident need not materialise. The mere emergence of a risk to the rights or freedoms of data subjects arising from a personal data breach triggers the obligation to notify that breach to the supervisory authority.
Document beyond the controller’s control
The Court confirmed that the controller’s loss of the employee's employment certificate could lead to property and non-property damage, and therefore it should be considered that there was a risk to the data subject’s rights and freedoms. The controller indicated during the court proceedings that it had found the document in question. However, this had already occurred after the supervisory authority had issued its decision, and therefore, for obvious reasons, this fact could not affect the decision issued by the supervisory authority.
The Court upheld the position taken by the President of the Office in its response to the complaint: the document was beyond the controller’s control, as the controller had no knowledge of where it was located, what it contained, who had access to it, or whether it had been destroyed. The controller accepted the loss of the employee’s employment certificate together with its consequences for data protection. It was only when an administrative fine was imposed that the search for the document intensified. Such conduct, in the opinion of the President of the Personal Data Protection Office, may also be indicative of a disregard for data protection provisions.
The Voivodeship Administrative Court was in no doubt that the controller had failed to notify the personal data breach to the supervisory authority, which constituted an infringement of the GDPR. As it emphasised, the lack of knowledge as to where the employment certificate might be located precluded the assumption that there was no risk to the individual’s rights or freedoms.
The Court recalled that the purpose of the GDPR is to protect the fundamental rights and freedoms of individuals, and if there was any doubt on the part of the controller about the performance of its tasks, these values should be taken into account in the first instance. Consequently, the Court held that the President of the Personal Data Protection Office issued the contested decision without violating the law.