Court case I C 321/24 – Court Ruling (Poland, 2025)

Court Ruling
DPA SO Warszawa | 7 October 2025 | Poland | final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Polish court ruled that a social insurance agency did not owe compensation to a woman whose personal data was mistakenly sent to a private email. This is important because it highlights the need for companies to securely handle personal data, but also clarifies that not all data breaches lead to compensation claims.

What happened

The court dismissed a lawsuit seeking compensation after a social insurance employee accidentally emailed personal data to their private account.

Who was affected

The woman whose personal data was included in the mistakenly sent email.

What the authority found

The court found that while the agency breached data protection rules by not securely transmitting the data, the woman did not prove she suffered actual harm from the incident.

Why this matters

This case shows that companies must take data security seriously, but it also indicates that fear of data misuse alone is not enough to claim compensation. Businesses should ensure they have proper data handling practices to avoid similar situations.

GDPR Articles Cited

AI-verified

Art. 5(GDPR)
Art. 82(GDPR)

Decision Authority: SO Warszawa
Source verified 21 March 2026
articles corrected
national law identified
authority corrected
Full Legal Summary

A data subject was covered by mandatory social insurance in Poland and stayed at a rehabilitation center in 2022. She shortened her stay after the death of her mother and informed the Social Insurance Institution (the controller) to avoid charges for the unused period.

On 26 July 2022, a Social Insurance Institution employee accidentally sent an Excel file containing the data subject’s personal data from their work email to their private email account. The data included her name, ID number, the name of the rehabilitation center, the duration of stay, and the reason for shortening the stay. The file was not encrypted, but the employee deleted it from the private email on the same day. The Social Insurance Institution informed the data subject about the incident, apologised, and explained the potential risks.

The data subject feared that her data could be misused for financial or other purposes and took preventive steps such as blocking her bank account and requesting a new identity document. On 16 November 2023, the data subject filed a lawsuit seeking PLN 4,000 (€870) in compensation for non-material harm caused by the breach under Article 82 GDPR and the Polish Civil Code. She claimed that the Social Insurance Institution violated her privacy by unlawfully processing her personal data.

The Regional Court in Warsaw (Sąd Okręgowy w Warszawie) dismissed the claim in full on 7 October 2025. The court recognised that sending the Excel file breached Article 5 GDPR because the data were not securely transmitted. However, the court explained that a GDPR breach alone does not create a right to compensation. To obtain redress under Article 82 GDPR, the data subject must show that she suffered actual harm and that the harm was caused by the controller’s actions. The court found that the data subject did not prove that any third party accessed her personal data. Her fear of misuse, although genuine, was not reasonable given the circumstances: the file went only to the empl

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (1)

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Related Cases (0)

No other cases found for Court case I C 321/24 in PL

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

7 October 2025

Authority

DPA SO Warszawa

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case I C 321/24 - Poland (2025). Retrieved from cookiefines.eu
