Court case I C 874/22 – Court Ruling (Poland, 2025)

A data subject owned a vehicle that was involved in a road collision. The data subject’s insurer (the controller) handled the claim settlement and calculated the damages. However, the controller disclosed personal data of the data subject to the other person involved, and accidentally paid part of the compensation meant for the data subject to the other person. The data subject brought a case to the court. The data subject argued that they felt stress and concern for their security as a result of the loss of control over their personal data, and requested compensation. The controller argued that the case should be dismissed, as the data subject failed to identify the legal basis for the claimed amount and failed to indicate whether they were seeking compensation or damages from the proceedings. Furthermore, the controller argued that the data breach occurred due to a human error, and could not have been prevented. The court found a violation of Articles 24 and 32 GDPR. According to the court, the fact that an employee had mistakenly forwarded a document containing a data subject’s data was already sufficient to demonstrate that the controller had not implemented appropriate measures to ensure security of processing. In terms of damages under Article 82(1) GDPR, the fear of misuse or dissemination of their data can be sufficient. Applied to this case, the court stated that the controller caused the data subject non-material damage by transferring an unnecessary amount of data to a third person. Finally, the fact that the data breach happened as a result of a human error was irrelevant. In calculating the damages, the court considered that while the data subject’s fear was justified, the damage was also limited; this is because the data was not made public or processed further unlawfully. Therefore, the court ordered the controller to pay the data subject PLN 1,500 (approximately €350) in damages.