Unknown – €4,700 Fine (Poland, 2024)

€4,700Urząd Ochrony Danych Osobowych20 November 2024Poland
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A subcontractor in Poland was fined EUR 4,700 for mistakenly publishing customer data during a website redesign for another company. This incident also affected around 20,000 people and showed that service providers must take data protection seriously. Companies should ensure their subcontractors have strong security measures in place.

What happened

A subcontractor accidentally published customer data, including names and passwords, during a website redesign.

Who was affected

About 20,000 customers whose personal data was mistakenly published online.

What the authority found

The Polish DPA found that the subcontractor failed to implement adequate security measures to protect personal data.

Why this matters

This case underscores the responsibility of subcontractors in data protection. Companies hiring service providers must verify that they have proper data security practices to avoid breaches.

GDPR Articles Cited

AI-verified

Art. 28(3)(c) GDPR
Art. 32(1) GDPR
View original scraped data
Art. 28(3) c) GDPR
f) GDPR
Art. 32(1) GDPR
(2) GDPR

Original data from scraper before AI verification against source document.

Source verified 15 March 2026
articles corrected
national law identified
amount discrepancy
entity split needed
date discrepancy
Poland enforcementUrząd Ochrony Danych Osobowych actionsAll Unknown actions
Full Legal Summary
Detailed

The Polish DPA has imposed a fine of EUR 4,700 on a subcontractor that was contracted to redesign the website of another company. This fine is linked to ETid-2491. Due to an error by an employee of the subcontractor, customer data (including first name, last name, email address, address, and encrypted passwords) was accidentally published on the website during the redesign process. The incident affected approximately 20,000 data subjects. During its investigation, the DPA found that the subcontractor had failed to implement and verify appropriate technical and organizational measures to protect personal data, which could have prevented such an incident.

Related Enforcement Actions (13)

Other enforcement actions involving Unknown in PL

Fine
Jan 2021· Urząd Ochrony Danych Osobowych

The Polish DPA (UODO) imposed a fine of EUR 19,000 on a hospital operator. A former employee had unlawfully copied the personal data of 100 patients f...

€19K
Fine
Mar 2022· Urząd Ochrony Danych Osobowych

The Polish DPA (UODO) has fined a data controller EUR 490 for failing to provide information requested by the DPA during an investigation.

€490
Fine
Aug 2022· Urząd Ochrony Danych Osobowych

The Polish DPA (UODO) has fined a data controller EUR 1,450 for failing to provide information requested by the DPA during an investigation.

€1K
Fine
Aug 2023· Urząd Ochrony Danych Osobowych

The Polish DPA has fined a data controller EUR 13,000 for failing to provide information requested by the DPA during an investigation.

€13K
Fine
Nov 2023· Urząd Ochrony Danych Osobowych

The Polish DPA has fined a data controller EUR 3,200 for failing to provide information requested by the DPA during an investigation.

€3K
Fine
Dec 2023· Urząd Ochrony Danych Osobowych

The Polish DPA has fined a data controller EUR 2,700 for failing to provide information requested by the DPA during an investigation.

€3K
Fine
Dec 2023· Urząd Ochrony Danych Osobowych

The Polish DPA has fined a data controller EUR 4,400 for failing to provide information requested by the DPA during an investigation.

€4K
Fine
Jan 2024· Urząd Ochrony Danych Osobowych

The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.

€2K
Fine
Jul 2024· Urząd Ochrony Danych Osobowych

The Polish DPA has fined a data controller EUR 5,000 for failing to provide information requested by the DPA during an investigation.

€5K
Fine
Aug 2024· Urząd Ochrony Danych Osobowych

The Polish DPA has fined a data controller EUR 4,500 for failing to provide information requested by the DPA during an investigation.

€5K
Fine
Oct 2024· Urząd Ochrony Danych Osobowych

The Polish DPA has imposed a fine of EUR 5,800 on a data controller. The controller failed to appoint a data protection officer and to provide the DPA...

€6K
Fine
Nov 2024· Urząd Ochrony Danych Osobowych

The Polish DPA has imposed a fine of EUR 358,000 on a company. The company had inadvertently published customer data (first name, last name, email add...

€358K
Current
Nov 2024

Fine

€5K

Fine
Sept 2025· Urząd Ochrony Danych Osobowych

The Polish DPA has imposed a fine of EUR 2,670 on an unkonwn company in the health care sector. The controller appointed its CEO as the DPO.

€3K

Details

Fine Date

20 November 2024

Authority

Urząd Ochrony Danych Osobowych

Fine Amount

€4,700

Enforcement Tracker ID

ETid-2492

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Unknown - Poland (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: