Unknown – €19,000 Fine (Poland, 2021)

€19,000 | Urząd Ochrony Danych Osobowych | 5 January 2021 | Poland
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Polish hospital operator was fined EUR 19,000 after a former employee unlawfully copied patient data, including sensitive personal information. The hospital did not inform the affected patients about the breach despite the high risk to their data. This case stresses the importance of promptly notifying individuals when their data is compromised.

What happened

A former hospital employee unlawfully copied personal data of 100 patients, and the hospital failed to inform the patients about the breach.

Who was affected

Patients whose personal data, including social security numbers and contact details, were unlawfully accessed and copied.

What the authority found

The Polish data protection authority ruled that the hospital violated GDPR by not informing patients about the data breach.

Why this matters

This case serves as a warning to healthcare providers about the critical need to protect patient data and the legal obligation to notify individuals when their data is at risk. It highlights the importance of compliance with GDPR's breach notification requirements.

GDPR Articles Cited

Art. 34(1) GDPR
Art. 58(2)(e) GDPR
Full Legal Summary

The Polish DPA (UODO) imposed a fine of EUR 19,000 on a hospital operator. A former employee had unlawfully copied the personal data of 100 patients from the hospital's computer network. The leaked data included the social security number, name, date of birth, address and telephone number of the data subjects. Although the controller considered the potential risk to the data subjects to be high, it had not informed the data subjects about the incident. The DPA then requested that the controller immediately inform the data subjects about the incident and provide them with advice on how to minimize the potential negative impact of the breach. However, the controller did not comply with this request.

Details

Fine Date: 5 January 2021
Authority: Urząd Ochrony Danych Osobowych
Fine Amount: €19,000
Enforcement Tracker ID: ETid-551

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Unknown - Poland (2021). Retrieved from cookiefines.eu
