Poczta Polska SA (Polish Post) – Fine (Poland, 2025)

Fine
Urząd Ochrony Danych Osobowych17 March 2025Poland
overturned
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Poczta Polska was initially fined €6.3 million for improperly disclosing personal data of over 30 million citizens during the Covid-19 pandemic. This ruling was later overturned, which is significant because it shows how legal interpretations can change. Small business owners should be aware that data handling decisions can be contested and may require careful legal consideration.

What happened

Poczta Polska disclosed personal data from the PESEL database without proper legal authority for a planned postal vote.

Who was affected

Over 30 million Polish citizens whose personal data was disclosed were affected.

What the authority found

The Polish data protection authority found that Poczta Polska violated GDPR by unlawfully disclosing personal data, but this decision was later overturned by a court.

Why this matters

This case highlights the complexities of data protection laws and the importance of understanding legal bases for data processing. Businesses should stay informed about legal changes that could affect their operations.

GDPR Articles Cited

AI-verified

Art. 5(1)(a) GDPR
Art. 6(1) GDPR
View original scraped data
Art. 6(1) GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 156 § 1 pkt. 2 k.p.a.

Entities Involved

Poczta Polska SA
€27,000,000
(controller)
Minister Cyfryzacji
€100,000
(controller)
Source verified 10 April 2026
articles corrected
national law identified
amount discrepancy
entity split needed
Poland enforcementUrząd Ochrony Danych Osobowych actionsAll Poczta Polska SA (Polish Post) actions
Full Legal Summary
Detailed

The Polish DPA has imposed a fine of EUR 6.3 million on Poczta Polska SA (Polish Post) for the unlawful disclosure of personal data of over 30 million citizens from the PESEL database, in connection with the planned postal vote during the Covid-19 pandemic. Although the law amending the electoral regulations had not yet come into effect, the Ministry of Digital Affairs transferred sensitive data such as names, addresses, and PESEL numbers to the postal company. The data was only deleted weeks later—too late, according to the DPA, and in violation of data protection regulations. --Update-- The Provincial Administrative Court in Warsaw overturned the DPA's decision. The court argued that, even though the Prime Minister's decision on which the processing had been based was overturned at a later stage, the decision enjoyed the presumption of legality. Therefore, the controller could base its processing on this decision.

Related Enforcement Actions (1)

Other enforcement actions involving Poczta Polska SA (Polish Post) in PL

Fine
Mar 2025· Urząd Ochrony Danych Osobowych

The Polish DPA has imposed a fine of EUR 6.3 million on Poczta Polska SA (Polish Post) for the unlawful disclosure of personal data of over 30 million...

€6.3M
Current
Mar 2025

Fine

Details

Fine Date

17 March 2025

Authority

Urząd Ochrony Danych Osobowych

Enforcement Tracker ID

ETid-2563

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Poczta Polska SA (Polish Post) - Poland (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: