An unnamed news outlet – €13,070 Fine (Poland, 2025)

The DPA carried out an ex officio investigation on a news outlet (the controller). The investigation concerned the security of the processing of personal data. The investigation highlighted several issues with the controller’s operations: * the controller did not carry out a risk analysis for the processing personal data; * the controller’s data protection and IT security policies were not reviewed and updated; * the controller did not encrypt the drives on its devices, in violation of its own IT security policy; * the controller had no internal policies to ensure that personal data were published in accordance with Polish law. At the time of the investigation, the controller was in liquidation and did not submit a defense. The DPA held that the controller failed to ensure the secure processing of personal data, in violations of Articles 24(1) and 32(1) and (2) GDPR. For this reason, the DPA fined the controller PLN 56,824 (€13,500). On Article 85 GDPR and national derogations The controller’s journalistic activity was covered by GDPR derogations under Polish lawSee the Polish Press Act (Dz. U. z 2018 r. poz. 1914, available [https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20180001914/T/D20181914L.pdf here]) and the Polish Data Protection Act Dz. U. (z 2019 r., poz. 1781, available [https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20190001781/T/D20191781L.pdf here]).. However, the DPA clarified that under Article 85 GDPR, only specific GDPR provisions can be derogated under national law. In particular, the DPA pointed out that national law cannot provide for derogations to Articles 24 and 32. For this reason, controllers that engage in journalistic activities must still process personal data securely. On security and risk assessments The DPA explained in some detail how controllers should determine the appropriate security measures for processing a personal data. The DPA described a two-step process: first, controllers must assess the level of risk associated w