Municipality of Dobrzyniewo Duże – €1,700 Fine (Poland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Municipality of Dobrzyniewo Duże was fined €1,700 after a laptop containing personal data was stolen from an employee's home. They failed to implement adequate security measures to protect this data. This case highlights the importance of securing personal data, even when it is stored on portable devices.
What happened
A laptop containing personal data was stolen from an employee's home, compromising the data's confidentiality.
Who was affected
Individuals whose personal data was stored on the stolen laptop were affected.
What the authority found
The Polish data protection authority found that the municipality failed to implement sufficient security measures to protect personal data, violating GDPR.
Why this matters
This case emphasizes the need for organizations to ensure robust data protection measures, particularly for portable devices, to prevent data breaches and protect personal information.
GDPR Articles Cited
In February 2022, a security breach occured at the Municipality of Dobrzyniewo Duże (the controller). There was a break-in at an employee's flat and a laptop was stolen containing files with personal data of individuals (data subjects). As a consequence, the confidentiality of the personal data was compromised. The controller determined the scale of the resulting breach, which showed that the stolen computer contained 51 records with personal data in the following areas: name, address of residence or stay and PESEL (personal identification number). The Polish DPA initiated an ex officio investigation into the security breach as well as the controller's data processing practices. The DPA recalled the obligation of the controller to ensure confidentiality and integrity of personal data. Under the GDPR, the controller is obliged to ensure an adequate level of data protection through the implementation of appropriate technical and organisational measures, as well as measures aimed at the optimal configuration of the operating systems used by regularly testing, measuring and assessing the effectiveness of said measures in the form of security tests of the IT infrastructure. The DPA held that the controller did not take sufficient measures in order to prevent the security breach during the laptop theft, in breach of Article 32(1) GDPR. Moreover, the DPA found a violation of Articles 24(1) and 25(1) GDPR because the controller failed to apply technical measures ensuring a level of security corresponding to the risk of infringement of the rights or freedoms of natural persons by ensuring the ability to continuously monitor the confidentiality, integrity, availability and resilience of the processing systems and services. Since the confidentiality of the personal data in question was compromised as a result of the incident, the controller also violated Article 5(1)(f) GDPR. The consequence of a breach of the confidentiality principle by the controller was also a breach of
Related Enforcement Actions (0)
No other enforcement actions found for Municipality of Dobrzyniewo Duże in PL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 November 2022
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€1,700
GDPRhub ID
gdprhub-5455About this data
Cite as: Cookie Fines. Municipality of Dobrzyniewo Duże - Poland (2022). Retrieved from cookiefines.eu
Last updated: