Court case II K 543/24 – Court Ruling (Poland, 2025)

Court Ruling
DPA SR | 31 July 2025 | Poland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

An employee (hereinafter referred to as the controller) was employed by a company as a cosmetologist. Part of their work allowed them to access, among other things, the personal data of clients. When entering into the employment contract, the controller signed a confidentiality agreement and a declaration confirming they were familiar with the regulations on personal data protection. The controller later began running their own business. They were dismissed from the company as a result of an investigation into another employee. The company found that an employee used the controller’s login details to access clients’ personal data (considered a trade secret) without permission, and later transferred this data to the controller. The employer brought a criminal complaint to the Court.

In terms of data protection, the Court applied Article 107 of the Polish Data Protection Act (Dz. U. 2018 poz. 1000, https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20180001000/U/D20181000Lj.pdf), which implemented the GDPR. Under Article 107, a person who processes personal data without a legal basis or authorisation may be held criminally liable. The Court found that the controller used their access rights as an employee to download clients’ data (including contact information and health data) through another employee, in order to use said data for their own business activities. The employee who accessed the data on behalf of the controller was also found liable under Article 107.

The Court ordered the controller to pay a total of PLN 2,000 (approximately €470). The Court took into consideration the social harm and the aim of having a deterrent effect. However, the Court also considered the controller's lack of criminal record as a mitigating factor.

National Law Articles

Art. 107 Dz. U. 2018 poz. 1000
Decision Authority: SR

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.


Details

Ruling Date: 31 July 2025
Authority: DPA SR

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case II K 543/24 - Poland (2025). Retrieved from cookiefines.eu
