Fine for the National Public Prosecutor's Office for disclosing the data of a crime victim
The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of PLN 85,000 on the National Public Prosecutor's Office in connection with the breaches found. In addition, he ordered the National Public Prosecutor's Office to notify the victim, in accordance with the GDPR, of the possible consequences of the breach and of the measures, applied or proposed by the controller, to minimise the effects of the breach.
The issue concerns a press conference at which Mr Tomasz Szafrański, Prosecutor of the National Public Prosecutor's Office, and Mr Zbigniew Ziobro, Prosecutor General - Minister of Justice, discussed the case of one of the District Prosecutor's Offices. During the conference, the Prosecutor of the National Prosecutor's Office and the Minister of Justice - Prosecutor General disclosed personal data of a person having the status of a victim in criminal proceedings and information concerning the facts of the case contained in the judgment of the district court. Among the data disclosed, in addition to information such as name and surname, there was information constituting special categories of data. Despite the fact that a personal data breach occurred in this way, the controller did not report the personal data breach to the President of the Personal Data Protection Office, nor did he notify the natural person of the breach.
The President of the Personal Data Protection Office, having learnt about the above-mentioned data breach, requested the controller to provide relevant explanations. The Prosecutor's Office, in its reply, indicated that the event described in the letter of the President of the Personal Data Protection Office had not been analysed by the controller as, in its opinion, there were no grounds for doing so. The National Public Prosecutor's Office explained that the personal data referred to in the notice of initiation was part of the court's decision and was cited to illustrate the fundamental discrepancy between the crimes attributed to the convicted persons and the court's findings. And besides, the data of this person had already been disclosed during the court proceedings.
Afterwards, the President of the Personal Data Protection Office - Mirosław Wróblewski took appropriate action to establish whether the prosecutor Tomasz Szafrański acted under the authorisation referred to in Article 12 § 2 of the Act on the Public Prosecutor's Office. From the reply received, it appeared that relevant information was also in the possession of prosecutor Dariusz Barski and former prosecutor general Zbigniew Ziobro. It was also established that the Presidium Office of the National Prosecutor's Office is currently unable to obtain information from any of the above-mentioned persons.
In its correspondence with the President of the Personal Data Protection Office, the National Public Prosecutor's Office presented the position that the disclosure of the data was not a personal data breach, as the information was processed by the National Public Prosecutor's Office in connection with the performance of the statutory tasks of the National Public Prosecutor's Office, and this remains outside the competence of the President of the Personal Data Protection Office.
Mirosław Wróblewski, President of the Personal Data Protection Office, was of a different opinion, stating that there had been a personal data breach.
The National Public Prosecutor's Office - reminded the President of the Personal Data Protection Office in the decision issued on 2 September 2024 - as a public entity is obliged to act on the basis of the law and within its limits, pursuant to Article 7 of the Constitution of the Republic of Poland. Disclosure of a person's data, in particular that of a victim to such a broad extent, should have a legal basis. In turn, the GDPR clearly provides (in Article 6(1)) that the processing of data is lawful only in specific cases, this applies in particular to special categories of data which are under special protection, according to Article 9 of the GDPR.
It should be emphasised that the National Public Prosecutor's Office, as a law enforcement authority tasked with enforcing the law, should protect in no uncertain terms information about an individual who has been granted the status of a victim in a given case. In the present case, however, a natural person was granted the status of an injured person in criminal proceedings within the meaning of Article 49 § 1 of the Act of 6 June 1997 of the Code of Criminal Procedure, i.e. a direct violation or threat of his/her legal good by the offence was established.
The National Public Prosecutor's Office may, insofar as an important public interest so requires, disclose information from pending pre-trial proceedings or the activities of the National Public Prosecutor's Office. Here, however, it is about information from completed proceedings, in a case in which a final court judgement has already been made. Therefore, the provisions of the Prosecutor’s Office Law could not be invoked. The information disclosed must also not infringe on the rights or freedoms of persons. The National Public Prosecutor's Office, as an entity upholding the rule of law, should be particularly diligent in its actions.
An important part of the decision of the President of the Personal Data Protection Office is also to indicate to the National Public Prosecutor's Office how it should - in accordance with the provisions of the GDPR - notify the person whose data has been affected by the breach of what has happened, what consequences this may have. This information must also include the contact of the Data Protection Officer of the National Public Prosecutor's Office, who can provide more information to that person on the matter.