Court case C 310/23 – Court Ruling (Poland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Polish court upheld a decision against a credit institution for mishandling a customer's personal data after they canceled their loan application. This case matters because it shows that companies must respect users' requests regarding their personal information.
What happened
A credit institution continued to send marketing communications to a customer who canceled their loan application.
Who was affected
The customer who applied for a loan and later requested the cancellation of their application.
What the authority found
The court found that the credit institution violated the customer's right to privacy by not properly handling their personal data and failing to respond to their requests.
Why this matters
This ruling reinforces the importance of respecting user requests for data deletion and proper communication. Businesses should ensure they have clear processes for handling customer data requests.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject applied for a loan with a Polish credit institution, the controller. After reviewing the loan conditions, they decided not to proceed and requested the cancellation of their application. Despite this cancellation, the data subject continued to receive marketing communications and alerts from the controller and related entities. The data subject objected to the processing of their personal data on multiple occasions and submitted requests under Article 15 GDPR to obtain information about which entities received their data, the purpose of sharing it, and the legal basis for processing. They also requested the deletion of their personal data. The controller did not respond adequately, providing unclear information or referring the data subject to third parties. As a result, the data subject lodged a complaint with the DPA. The DPA issued a final decision warning the controller for violating Article 6(1), Article 5(1)(b) and Article 5(1)(e) GDPR. The DPA also found that the controller failed to meet the obligations under Article 15(1) and Article 15(3) GDPR by providing incorrect information and failing to supply a copy of the personal data. Following the DPA’s decision, the data subject requested that the controller pay PLN3,000 (€709,95) in compensation and issue a written apology for violating their personal rights, including the right to privacy and protection of personal data. The court upheld the claim in its entirety, finding that the controller unlawfully violated the data subject’s personal right to privacy under Articles 23 and 24 of the Polish Civil Code, rather than directly under the GDPR. The court clarified that personal data, as defined under Article 4(1) GDPR, is not in itself a personal right, but the improper handling of specific personal data can constitute a violation of the right to privacy. The court explained that the burden of proof of the absence of unlawfulness lies with the defendant and proceed to assess whether the contro
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case C 310/23 in PL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case C 310/23 - Poland (2025). Retrieved from cookiefines.eu
Last updated: