Court case II C 1228/19 – Court Ruling (Poland, 2022)

Court Ruling
DPA DistrictCourtWarsaw- | 17 March 2022 | Poland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

An electricity company accidentally emailed a customer's personal data to another client, leading to a court case in Poland. The court confirmed this was a data breach under GDPR. This case shows the importance of handling personal data carefully to avoid breaches and potential legal actions.

What happened

An electricity company mistakenly sent a customer's personal data to another client via email.

Who was affected

Customers whose personal data, including names and addresses, were accidentally shared with another client.

What the authority found

The District Court of Warsaw-Praga confirmed the incident was a 'personal data breach' under GDPR.

Why this matters

This case highlights the risks of data mishandling and the potential for legal consequences. Companies must ensure robust data protection practices to prevent breaches and maintain customer trust.

GDPR Articles Cited

Art. 4(12) GDPR
Art. 82(1) GDPR

Decision Authority

District Court Warsaw-Praga

Full Legal Summary

The controller (the defendant) was an electricity company. The data subject (the plaintiff) was a customer. On 6 February 2019, due to an error, an employee of the defendant emailed one of the company’s clients a file containing the personal data of other clients (data subjects), including the plaintiff's. The information included: first name, surname, ID number, address, customer number, and invoice numbers.

After learning about the security breach, the defendant notified the Polish DPA of the incident. The defendant also sent a notification to the affected data subjects and asked the recipients of the unintentional disclosure to delete the file.

After receiving a notice of the security breach, the plaintiff filed a complaint with the Polish DPA. Moreover, she asked the defendant to terminate her contract by mutual agreement due to the loss of confidence. The defendant stated that a one-time breach of the plaintiff’s personal data did not constitute a gross breach of contract and therefore did not provide grounds for termination of the contract. Hence, the plaintiff decided to terminate the contract herself despite a financial penalty. Moreover, due to the security breach and the fear that her personal data could be used by third parties, she set up a subscription account with the Credit Information Bureau to receive information on credit obligations attributed to her. On top of that, she suffered non-pecuniary harm from the stress and psychological discomfort related to the fear that her personal data could be used by third parties.

Apart from the proceedings at the DPA, the plaintiff brought an action to court seeking damages for the non-material harm caused by the incident on the basis of Article 82 GDPR in the amount of PLN 20,000 (€4,247).

First, the District Court of Warsaw-Praga (the Court) confirmed that the incident constituted a 'personal data breach' within the meaning of Article 4(12) GDPR. It also recalled that any person who suffered

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date

17 March 2022

Authority

DPA DistrictCourtWarsaw-

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case II C 1228/19 - Poland (2022). Retrieved from cookiefines.eu
