Court case I C 321/24 – Court Ruling (Poland, 2025)

Court Ruling
DPA SOWarszawa, 7 October 2025, Poland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A data subject was covered by mandatory social insurance in Poland and stayed at a rehabilitation center in 2022. She shortened her stay after the death of her mother and informed the Social Insurance Institution (the controller) to avoid charges for the unused period.

On 26 July 2022, a Social Insurance Institution employee accidentally sent an Excel file containing the data subject’s personal data from their work email to their private email account. The data included her name, ID number, the name of the rehabilitation center, the duration of stay, and the reason for shortening the stay. The file was not encrypted, but the employee deleted it from the private email on the same day. The Social Insurance Institution informed the data subject about the incident, apologised, and explained the potential risks. The data subject feared that her data could be misused for financial or other purposes and took preventive steps such as blocking her bank account and requesting a new identity document.

On 16 November 2023, the data subject filed a lawsuit seeking PLN 4,000 (€870) in compensation for non-material harm caused by the breach under Article 82 GDPR and the Polish Civil Code. She claimed that the Social Insurance Institution violated her privacy by unlawfully processing her personal data.

The Regional Court in Warsaw (Sąd Okręgowy w Warszawie) dismissed the claim in full on 7 October 2025. The court recognised that sending the Excel file breached Article 5 GDPR because the data were not securely transmitted. However, the court explained that a GDPR breach alone does not create a right to compensation. To obtain redress under Article 82 GDPR, the data subject must show that she suffered actual harm and that the harm was caused by the controller’s actions. The court found that the data subject did not prove that any third party accessed her personal data. Her fear of misuse, although genuine, was not reasonable given the circumstances: the file went only to the empl

GDPR Articles Cited

Art. 5 GDPR
Art. 82 GDPR
Decision Authority: SO Warszawa

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (1)

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Related Cases (0)

No other cases found for Court case I C 321/24 in PL

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

7 October 2025

Authority

DPA SOWarszawa

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case I C 321/24 - Poland (2025). Retrieved from cookiefines.eu
