UODO (Poland) - DKN.5131.33.2023

From GDPRhub
Revision as of 10:35, 9 September 2024 by Wp
UODO - DKN.5131.33.2023
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 9 GDPR
Article 33(1) GDPR
Article 34(1) GDPR
Article 34(2) GDPR
Article 1 of the Law on data protection for the purposes of the prevention and prosecution of criminal offences (Ustawa o ochronie danych osobowych przetwarzanych w związku z zapobieganiem i zwalczaniem przestępczości)
Article 12 para 2 of the Law on Public Prosecutors (Prawo o prokuraturze)
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.09.2024
Published:
Fine: 85,000 PLN
Parties: The National Public Prosecutor's Office (Prokuratura Krajowa)
National Case Number/Name: DKN.5131.33.2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: wp

The National Public Prosecutor's Office, acting as a controller, committed a data breach by unlawfully disclosing a data subject's personal data during a press conference. The DPA fined the controller PLN 85,000 and ordered it to inform the data subject about the breach.

English Summary

Facts

A press conference was organised by the National Public Prosecutor's Office (Prokuratura Krajowa), the controller. During the conference, the controller's employee disclosed the facts of a criminal case and the personal data of the injured person (the data subject) in criminal proceedings before one of the regional courts in Poland, reading out fragments of the final ruling. The disclosed data comprised the data subject's name and surname, her status as an injured party, the criminal offence she had suffered and data concerning her health.

The controller had processed the data from the criminal proceedings at hand in order to verify the basis for a potential extraordinary appeal (skarga nadzwyczajna) by the Attorney General (Prokurator Generalny).

A third party informed the Polish DPA (UODO) about the incident, and the DPA started ex officio proceedings. Neither the DPA nor the data subject had been informed about the incident by the controller.

The controller explained that the personal data disclosed during the press conference had already been heard in open court proceedings and were therefore already known to the public. The controller cited Article 12 para 2 of the Law on Public Prosecutors (Prawo o prokuraturze) as the legal basis for disclosing information about the activities of public prosecutors to the media and the public. According to the controller, that provision excluded from disclosure only classified information, and the data at hand were not of that kind. Moreover, the controller claimed that the GDPR was not applicable, since the main activity of public prosecutors is covered by the Law on data protection for the purposes of the prevention and prosecution of criminal offences (Ustawa o ochronie danych osobowych przetwarzanych w związku z zapobieganiem i zwalczaniem przestępczości).

Holding

The DPA found the controller violated Article 5(1)(a) GDPR, Article 6(1) GDPR, Article 9 GDPR, Article 33(1) GDPR, Article 34(1) GDPR and Article 34(2) GDPR.

The controller had organised the press conference to inform the public about personnel changes in one of the lower-instance public prosecutor's offices, whose prosecutors had allegedly failed to conduct the criminal proceedings at hand properly. The disclosure of the data subject's data was therefore not part of the prosecution of criminal offences, which is the main activity of public prosecutors under the Law on Public Prosecutors. Thus, the GDPR was applicable.

Due to their nature, the personal data disclosed during the press conference were classified as special categories of data under Article 9(1) GDPR.

The DPA emphasised that the controller had processed the data unlawfully. Whilst the controller indicated Article 12 para 2 of the Law on Public Prosecutors as the legal basis for processing, that provision refers to ongoing examination proceedings or to the main activity of public prosecutors, and the DPA identified neither during its investigation. Besides, to rely on Article 12 para 2 of the Law on Public Prosecutors the controller had to authorise an employee to discuss the details of the criminal proceedings. Nevertheless, the controller did not inform the DPA whether the employee was authorised and by whom.

As a result, the controller violated Article 6(1) GDPR and Article 9 GDPR, and additionally Article 5(1)(a) GDPR.

For the DPA, the disclosure of the data during the press conference was a data breach. The press conference was streamed online and broadcast on TV, and the data contained sensitive information. Because of that, the disclosure posed a high risk to the rights and freedoms of the data subject. Consequently, the controller was obliged to notify the breach to both the DPA and the data subject. However, the controller did not see a reason to analyse the disclosure under Article 33(1) and Article 34(1) GDPR, which led to a violation of both provisions.

In conclusion, the DPA imposed a fine of PLN 85,000 (approximately €19,800) and ordered the controller to notify the data breach to the data subject under Article 34(2) GDPR within 3 days.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

On the basis of art. 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2024, item 572) in connection with art. 7 par. 1 and par. 2, art. 60, art. 102 par. 1 point 1 and par. 3 of the Act on Personal Data Protection (Journal of Laws of 2019, item 1781) and art. 57 par. 1 letter a) and letter h), art. 58 par. 2 letter e) and letter i), art. 83 par. 1 and 2, art. 83 par. 4 letter a) in connection with art. 33 par. 1 and art. 34 par. 1, par. 2 and par. 4 and Article 83(5)(a) in conjunction with Article 5(1)(a), Article 6(1) and Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.05.2016, p. 1, OJ EU L 127, 23.05.2018, p. 2 and OJ EU L 74, 4.03.2021, p. 35), hereinafter referred to as "Regulation 2016/679", after conducting ex officio administrative proceedings regarding an infringement of the provisions on personal data protection by the National Prosecutor's Office with its registered office in Warsaw at ul. Postępu 3, the President of the Personal Data Protection Office,

finding a violation by the National Prosecutor's Office with its registered office in Warsaw at ul. Postępu 3, of the provisions of:

a) Art. 6 sec. 1 and Art. 9 sec. 1 of Regulation 2016/679, consisting in the disclosure on (…), without legal basis, during a press conference by the National Prosecutor's Office of the personal data of the injured party, contained in the judgment of the District Court (…) of (…), with file reference number: (…), which resulted in a violation of Art. 5 sec. 1 letter a) of Regulation 2016/679, i.e. the "principle of legality",

b) Art. 33 sec. 1 of Regulation 2016/679, consisting in failure to notify the President of the Personal Data Protection Office of a breach of personal data protection that took place (...) during a press conference of the National Prosecutor's Office without undue delay, no later than 72 hours after the breach was identified,

c) Art. 34 sec. 1 and sec. 2 of Regulation 2016/679, consisting in failure to notify the person whose data was disclosed by the National Prosecutor's Office during a press conference (...) of a breach of personal data protection, without undue delay,

1) imposes on the National Prosecutor's Office an administrative fine of PLN 85,000 (in words: eighty-five thousand zlotys);

2) orders the National Prosecutor's Office to notify, within 3 days of receipt of this decision, the person whose personal data were disclosed during the press conference (...) without a legal basis, of the breach of protection of his or her personal data in order to provide the information required in accordance with Article 34 paragraph 2 of Regulation 2016/679, i.e.: a) a description of the nature of the personal data breach; b) the name and contact details of the data protection officer or another contact point from which more information can be obtained; c) a description of the possible consequences of the personal data breach, taking into account the category of persons and the scope of data covered by the breach; d) a description of the measures taken or proposed by the controller to remedy the breach – including measures to minimise its possible negative effects, taking into account the category of persons and the scope of data covered by the breach.

Justification

The President of the Personal Data Protection Office, hereinafter referred to as the "President of the Personal Data Protection Office" or "authority", (...) received information from a third party about a breach of personal data protection committed by the National Prosecutor's Office with its registered office in Warsaw at ul. Postępu 3 (hereinafter also referred to as the "Administrator"). This breach consisted in the disclosure during a press conference (...) by the National Prosecutor's Office of the personal data of the injured party, contained in the judgment of the District Court (...) of (...), file reference number: (...).

The President of the Personal Data Protection Office, as a result of the explanatory proceedings conducted (ref.: (...)) and administrative proceedings (ref.: DKN.5131.33.2023), initiated ex officio (...) regarding the infringement by the Administrator of the provisions of art. 5 sec. 1 letter a), art. 6 sec. 1, art. 9 sec. 1, art. 33 sec. 1 and art. 34 sec. 1 and sec. 2 of Regulation 2016/679, established the following factual circumstances.

1. (...) a press conference of the National Prosecutor's Office was held, attended by a representative of the National Prosecutor's Office (Director of the Presidential Office of the National Prosecutor's Office - prosecutor Tomasz Szafrański) and the Prosecutor General (Minister of Justice - Zbigniew Ziobro). This conference was devoted to personnel decisions that took place in the District Prosecutor's Office (...) in connection with the case of assault (...). During the press conference, the National Prosecutor's Office disclosed personal data of a person with the status of an injured party in criminal proceedings and information regarding the factual circumstances of the case contained in the judgment of the District Court (...) of (...), file reference number: (...). The disclosed data included her name and surname and information that she was the victim of an assault (...) and the fact that she had been granted the status of an injured party. Information about her health was also disclosed, as she had suffered damage to her health – (...). Furthermore, before the aforementioned speech of the prosecutor of the National Prosecutor's Office, who disclosed the aforementioned information, the Prosecutor General – Minister of Justice indicated that the attackers (...). Thus, during the press conference it was also disclosed that she had been granted the status of an injured party in a criminal case (...). The recording of the above conference is available at (...).

2. The National Prosecutor's Office is the administrator of the data disclosed during the conference referred to in point 1, within the meaning of Article 4 point 7 of Regulation 2016/679. The disclosed personal data of the injured person in the invoked case came from the case files and were processed by the National Prosecutor's Office in connection with the analysis preceding the decision on the submission by the Prosecutor General of an extraordinary appeal against the judgment issued.

3. The National Prosecutor's Office did not report the breach of personal data protection to the President of the UODO, nor did it notify the natural person whose data it concerns of this breach.

4. The President of the UODO, in letters of 9 and 10 August 2023, submitted to the Controller a request to provide explanations in connection with the above event, in which request he asked, among other things, whether the Controller had analysed the event in terms of a breach of the rights or freedoms of a natural person (injured person) in order to assess whether a data protection breach had occurred resulting in the obligation to report a personal data protection breach to the President of the Personal Data Protection Office and to notify the data subject of such a breach. The National Prosecutor's Office, in a letter dated 29 August 2023, indicated that "(...) due to the lack of appropriate grounds, the event described in the report was not the subject of analysis by the data controller of the National Prosecutor's Office, in the context referred to in the letter dated 10 August 2023".

5. The Controller, in a letter dated 27 October 2023, indicated the following (quoted): "(...) [the] personal data to which the notification of initiation of the proceedings relates constituted part of the judgment issued on (...) in criminal case file reference number (...) of the (...) District Court (...), as well as its justification. The aforementioned fragments of the judgment and its justification were cited to illustrate the fundamental discrepancy between the crimes attributed to the convicted persons and the factual findings made by the court and reflected in the content of the justification. Moreover, these data had already been made public in advance as part of the open court proceedings ongoing in this case, both during the evidentiary activities conducted by the court and the public announcement of the judgment. Importantly, the personal data of the injured party in the cited case were processed by the National Prosecutor's Office in connection with the analysis preceding the decision on the filing by the Prosecutor General of an extraordinary appeal against the judgment. Data processing in connection with criminal proceedings is, in principle, covered by the regulations contained in the Act of 14 December 2018 on the protection of personal data processed in connection with the prevention and combating of crime (Journal of Laws of 2023, item 1206), however - in accordance with Art. 3 point 1 of this Act - the scope of its application excludes, among others, data contained in files or record-keeping devices maintained on the basis of the legal acts indicated in this provision, including - which is important for this case - on the basis of the Code of Criminal Procedure, and personal data processed on the basis of the Act of 28 January 2016 - the Law on the Public Prosecutor's Office (Journal of Laws of 2024, item 390). Despite this, these data are not exempt from legal protection, as the rigors of their processing and disclosure result from both the Code of Criminal Procedure and the Public Prosecution Act. In the case at hand, the legal basis for providing information including fragments constituting part of the criminal case file, the judgment and its justification was the provision of Article 12 § 2 of the Public Prosecution Act, authorizing the provision of information to the media not only from the ongoing preparatory proceedings, but also regarding the activities of the public prosecutor's office, whose tasks, it is worth noting, include prosecuting crimes and guarding the rule of law, and within their framework, among others, analyzing court case files in order to make a decision on the filing of extraordinary remedies by the Public Prosecutor General. From the scope of this information, which the prosecutor acting under the cited provision is authorized to make public, the legislator excluded only classified information. However, such information does not apply to the administrative proceedings, about which notification was made. Taking into account the arguments presented, it should be stated that there was no violation of the provisions on the protection of personal data, including those related to their processing, and therefore taking actions aimed at explaining something that did not occur was and is unfounded. Regardless of the above, it should be pointed out that the President of the Personal Data Protection Office is not competent to perform supervisory activities in relation to personal data processed by common organizational units of the prosecutor's office as part of the implementation of the tasks specified in Art. 2 of the Law on the Public Prosecution Office. This results directly from Art. 1 point 3 of the Act on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crime. The method of exercising supervision over the processing of personal data as part of the implementation of the tasks specified in Art. 2 of the Law on the Public Prosecution Office, the administrators of which are common organizational units of the prosecutor's office, is comprehensively specified in Art. 191a of the Law on the Public Prosecution Office, amended by the Act of 7 July 2023 amending the Act - Code of Civil Procedure, the Act - Law on the Organization of Common Courts, the Act - Code of Criminal Procedure and certain other acts (Journal of Laws item 1860). The above is confirmed both in the decisions of the President of the Personal Data Protection Office, including the decision of (...), No. (...) and the decision of (...), No. (...), as well as in the judgment of the Regional Administrative Court in Warsaw of 5 October 2020, file reference II SA/Wa 2620/19, in the justification of which it was correctly indicated that all substantive actions undertaken by the President of the Personal Data Protection Office as part of the supervision of the processing of personal data by common prosecutor's office units when performing their tasks specified in Art. 2 of the Law on the Public Prosecutor's Office would be unauthorized (performed without a legal basis). The lack of grounds for assuming that the provisions on personal data protection have been violated and the exclusion of the competences of the President of the Personal Data Protection Office in the scope of supervision over the processing of data by prosecutor's office units when performing their statutory tasks exclude the existence of the obligation on the part of the data controller to make the notification referred to in Art. 33 sec. 1 of Regulation 2016/679 and the notification referred to in art. 34 paragraph 1 of this regulation, and consequently, obviously, considering – due to their failure to comply – the infringement of the cited provisions by him."

6. The Administrator, in a letter of 12 March 2024, in response to the request of the President of the UODO to indicate under whose authorization prosecutor Tomasz Szafrański appeared during the press conference in question and what procedural role the National Prosecutor's Office played therein, indicated that "(...) relevant information is in the possession of prosecutor Dariusz Barski, former Prosecutor General Mr. Zbigniew Ziobro and former director of the Presidential Office of the National Prosecutor's Office Mr. Tomasz Szafrański. At present, the Presidential Office cannot obtain information from any of the above-mentioned persons." Furthermore, it was indicated that "in accordance with art. 12 § 2 of the Act (...) Law on the Public Prosecutor's Office, information on the activities of the prosecutor's office is provided to the media by the Prosecutor General, the head of the organizational unit of the prosecutor's office or an authorized prosecutor. The Organizational Unit, which is the National Prosecutor's Office, therefore provides information on its activities through its head or an authorized prosecutor. During press conferences organized by the National Prosecutor's Office, it is the entity providing information on criminal proceedings or its other activities". In a letter dated April 11, 2024, the Administrator repeated the explanations regarding the role of the National Prosecutor's Office in the above-mentioned press conference, indicating at the same time that he was unable to indicate as of the date of the response who authorized prosecutor Tomasz Szafrański to provide information to the media regarding case file reference number: (...) (due to the absence of the above-mentioned prosecutor at work). Furthermore, the Administrator referred to the content of art. 191a of the Act on the Public Prosecutor's Office, indicating that the President of the UODO is not the competent supervisory authority in this matter.

7. In the letter dated 13 May 2024, the Administrator indicated that the information disclosed during the press conference was processed by the National Public Prosecutor's Office in connection with the analysis preceding the decision on an extraordinary appeal against the judgment, as the implementation of the statutory tasks of the prosecutor's office. "The data processing took place in connection with criminal proceedings, which, as a rule, are covered by the regulations contained in the Act of 14 December 2018 on the protection of personal data processed in connection with the prevention and combating of crime (...). Supervision over the processing of personal data as part of the implementation of the tasks specified in Art. 2 of the Act on the Public Prosecutor's Office, which results directly from Art. 1 point 3 of the Act (...), remains outside the jurisdiction of the President of the Personal Data Protection Office. The method of exercising supervision over the processing of personal data as part of the implementation of the tasks specified in Art. 2 of the Law on the Public Prosecutor's Office is regulated by Art. 191a of this Act. Pursuant to the content of Art. 191a § 1 point 3 of the Law on the Public Prosecutor's Office, supervision over the processing of personal data, the administrator of which is the National Public Prosecutor's Office, is performed by the National Public Prosecutor". The Administrator also referred to the positions of the President of the UODO expressed in cases (...), (...), (...), in which the authority considered itself incompetent. The Administrator also indicated that "(...) the provision of explanations by the National Public Prosecutor's Office, including in a letter dated 17 October 2023 (...), clearly indicating that the President of the Personal Data Protection Office, in the scope covered by the case in question, is not competent to supervise the processing of personal data, because it took place as part of the implementation of the tasks specified in Art. 2 of the Law on the Public Prosecutor's Office, sending subsequent summonses containing requests to provide explanations should be considered incomprehensible and without grounds for their implementation (...)."

8. The case files contain printouts from press articles describing a press conference organized in connection with staff changes in the District Prosecutor's Office (...) and the disclosure of the personal data of the injured party:
a) (...);
b) (...);
c) (...);
d) (...).

After reviewing all the evidence collected in the case, the President of the UODO considered the following.

The subject of these proceedings is the violation by the Administrator of the provisions of art. 5 sec. 1 letter a), art. 6 sec. 1 and art. 9, art. 33 sec. 1 and art. 34 sec. 1 and sec. 2 of Regulation 2016/679, in connection with the disclosure during a press conference (...) by the National Prosecutor's Office of the personal data of the injured party, contained in the judgment of the District Court (...) of (...), file reference number (...), and the subsequent failure to report the breach of personal data protection to the President of the UODO, as well as the failure to notify the data subject of it.

I. In assessing the event in question, the President of the UODO examined whether the above disclosure of the personal data of the injured party at the above-mentioned press conference constituted a breach of personal data protection, as well as whether the President of the UODO is the competent supervisory authority to verify the correctness of compliance with the provisions of Regulation 2016/679 by the controller of these data (the National Prosecutor's Office) in connection with the above-mentioned event. The President of the UODO also examined whether the disclosure of personal data in question was part of the tasks of the prosecutor's office referred to in Art. 2 and Art. 3 of the Act of 28 January 2016 - the Law on the Prosecutor's Office, and therefore whether the provisions of Regulation 2016/679 or of the Act of 14 December 2018 on the protection of personal data processed in connection with the prevention and combating of crime, hereinafter referred to as the "2018 UODO", apply to its assessment, and whether it was lawful. The President of the UODO also analysed the legal provisions in order to determine the appropriate entity as the controller of the personal data disclosed during the press conference of the National Prosecutor's Office on (...).

During the press conference, the prosecutor of the National Prosecutor's Office read a fragment of a court judgment (issued by a criminal court; the proceedings had been finally concluded), thus disclosing the personal data of the injured party. The files had previously been analysed by the Prosecutor General in order to assess the validity of using an extraordinary remedy, i.e. an extraordinary complaint to the Supreme Court. The person authorised to file such a complaint is, among others, the Prosecutor General, in accordance with Art. 89 § 2 of the Act of 8 December 2017 on the Supreme Court (Journal of Laws of 2024, item 622). The National Prosecutor's Office provides services to the Prosecutor General and the National Prosecutor (Art. 17 § 1 of the Law on the Prosecutor's Office). In accordance with Art. 13 § 6 of the Public Prosecution Act, the common organisational units of the public prosecutor's office are the administrators of data processed within the framework of the tasks performed, with the exception of the data referred to in § 5. In accordance with art. 16 of the Public Prosecution Act, the common organisational units of the public prosecutor's office are: the National Public Prosecutor's Office, regional public prosecutor's offices, circuit (okręgowe) public prosecutor's offices and district (rejonowe) public prosecutor's offices. Thus, the National Public Prosecutor's Office should be considered the administrator of the data disclosed during the aforementioned conference.

At this point, it should be noted that the data processing process itself, the manner and circumstances in which the data were disclosed (a press conference of the prosecutor's office representatives), the stage of the case from which the disclosed information came (completed court proceedings in the criminal case), as well as the status in the proceedings of the person whose data were disclosed (the injured party), mean that in this case the President of the UODO retains his competences as a supervisory authority, and the provisions of Regulation 2016/679 apply, and not the 2018 UODO, as discussed in more detail later in this decision.

(…) a press conference of the National Prosecutor's Office was held, devoted to the personnel decisions taken in the District Prosecutor's Office (…) in connection with the case of an assault on (…). The assault took place during (…) in (…); an attempt was made (…). The District Court (...) sentenced the person responsible for the above-mentioned attack on (...). During the conference, the prosecutor of the National Prosecutor's Office, describing what in his opinion were the irregularities in the already closed proceedings (before the court), cited fragments of the files, providing, among other things, the name and surname of the injured party in the attack (...) and a description of the course of the attack itself, information that the injured party suffered damage to her health, and a moment earlier the Prosecutor General - Minister of Justice provided information (...) (and this was the reason for the attack and the motive of the perpetrators of the attack). The purpose of the press conference, during which the personal data of the injured party were disclosed, was to inform the public about the reasons for the personnel decisions already made in the above-mentioned prosecutor's office, resulting from the evaluation, within the official hierarchy, of the work of a prosecutor subordinate to the Prosecutor General. Therefore, this is not a task related to prosecuting crimes and guarding the rule of law within the meaning of Art. 2 or Art. 3 of the Act on the Public Prosecution Office, and thus the provisions of Regulation 2016/679 apply, and not the 2018 Personal Data Protection Act. At the same time, due to the specific position of the public prosecutor's office in the structure of state authority (it is subordinate to the minister, i.e. an authority of the executive, not the judiciary; see Art. 1 § 2 of the Act on the Public Prosecution Office), it is not covered by the exclusion referred to in Art. 55 paragraph 3 of Regulation 2016/679.

It should also be noted that in the event of disclosure by organizational units of the prosecutor's office of information from files of completed criminal proceedings, the manner of such disclosure is important (i.e. the process itself, not the source of the information). It directly translates into the choice of provisions according to which a given event should be assessed. The President of the UODO made a similar assessment in the decision of March 14, 2023, file ref. DKN.5131.45.2022, in which it found that the improper disclosure by an organizational unit of the prosecutor's office of information contained in concluded criminal proceedings, constituting personal data, under the Act of 6 September 2001 on Access to Public Information (Journal of Laws of 2022, item 902), hereinafter referred to as "udip", should be assessed in accordance with the provisions of Regulation 2016/679, and not the UODO of 2018. The Regional Administrative Court in Warsaw, in its judgment of 6 November 2023, reference number II SA/Wa 996/23, agreed with this position of the authority, dismissing the complaint against the above-mentioned decision. The Court assessed the above-mentioned decision of the President of the UODO as lawful, while indicating that "the President of the UODO applied the correct provisions in the case (...)".

In the opinion of the President of the UODO, in the above manner, not only the first and last name (...) was disclosed, but also data related to the event itself, which, due to the context and circumstances, clearly indicate that she is a victim of an assault (and on what grounds), a person injured in a criminal case, and also allow for the identification of her (...), as well as information about the fact that she suffered damage to her health. In accordance with Regulation 2016/679, (...) belong to a special category of data and as such are subject to increased protection under Article 9 paragraph 1 of the aforementioned legal act.

II. The National Prosecutor's Office, as a public entity, is obliged to act on the basis of the law and within its limits, in accordance with Article 7 of the Constitution of the Republic of Poland of 2 April 1997 (Journal of Laws No. 78 item 483, as amended). The subject disclosure of the personal data of the aggrieved person, in such a broad scope, also covering special category data, should be based on a legal basis. This means that when analysing the premises of the above disclosure (understood in accordance with Art. 4 point 2 of Regulation 2016/679 as a form of processing personal data), account should be taken of the content of Art. 6 sec. 1 of Regulation 2016/679 in relation to so-called ordinary data (such as first name, last name, information contained in the content of the judgment) and Art. 9 sec. 1 and 2 of Regulation 2016/679 in relation to special categories of data (such as information on (...)). Furthermore, the premises for data processing should also correlate with the principles set out in Article 5 paragraph 1 of Regulation 2016/679, and in particular the principle of lawfulness, fairness and transparency expressed in Article 5 paragraph 1 letter a) of Regulation 2016/679, and the controller should be able to demonstrate compliance with them (Article 5 paragraph 2 of Regulation 2016/679).

According to Article 6 paragraph 1 of Regulation 2016/679, processing is lawful only if - and to the extent that - at least one of the following conditions is met: the data subject has consented to the processing of his or her personal data for one or more specific purposes (letter a); processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (letter b); processing is necessary for compliance with a legal obligation to which the controller is subject (letter c); processing is necessary to protect the vital interests of the data subject or another natural person (letter d); processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (letter e); processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data, in particular where the data subject is a child (letter f). The first subparagraph, letter f), does not apply to processing carried out by public authorities in the performance of their duties.

In the case of special categories of data, i.e., among others: (...), it should be emphasized that Regulation 2016/679 prohibits their processing (Article 9 paragraph 1), unless one of the grounds indicated in Article 9 paragraph 2 of Regulation 2016/679 occurs. In accordance with Article 9 paragraph 1 of Regulation 2016/679, it is prohibited to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and to process genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning health, sex life or sexual orientation of such a person. In accordance with Article 9 paragraph 2 of Regulation 2016/679, the provision of paragraph 1 shall not apply if one of the following conditions is met: the data subject has given explicit consent to the processing of the personal data for one or more specific purposes, unless Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject (letter a); processing is necessary for the performance of the obligations and exercise of specific rights of the controller or of the data subject in the field of employment law, social security and social protection, insofar as authorised by Union or Member State law or a collective agreement under Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject (letter b); processing is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent (letter c); the processing is carried out within the framework of legitimate activities carried out with appropriate safeguards by a foundation, association or other non-profit entity with political, ideological, religious or trade union objectives, provided that the processing concerns only members or former members of that entity or persons maintaining regular contacts with it in connection with its objectives and that the personal data are not disclosed outside that entity without the consent of the data subjects (letter d); the processing concerns personal data manifestly made public by the data subject (letter e); the processing is necessary for the establishment, exercise or defence of legal claims or in the course of the administration of justice by the courts (letter f); the processing is necessary for reasons of important public interest, based on Union or Member State law, which are proportionate to the objective pursued, do not affect the substance of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject (letter g); processing is necessary for the purposes of preventive or occupational medicine, for the assessment of an employee's fitness for work, for medical diagnosis, for the provision of healthcare or social security, treatment or the management of healthcare or social security systems and services based on Union or Member State law or in accordance with a contract with a healthcare professional and subject to the conditions and safeguards referred to in paragraph 3 (letter h); processing is necessary for reasons of public interest in the field of public health, such as protecting against serious cross-border health threats or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices, based on Union or Member State law which lays down suitable specific measures to safeguard the rights and freedoms of data subjects, in particular professional secrecy (letter i); processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), on the basis of Union or Member State law, which are proportionate to the objective pursued, do not violate the essence of the right to data protection and provide for appropriate, specific measures to protect the fundamental rights and interests of the data subject (letter j).

It should be noted here that the National Prosecutor's Office, in its letter of 27 October 2023, indicated that the legal basis for the disclosure of the injured party's personal data was "(...) Art. 12 § 2 of the Prosecutor's Office Act, authorizing the provision of information to the media not only from ongoing preparatory proceedings, but also regarding the activities of the prosecutor's office, whose tasks, it is worth noting, include prosecuting crimes and upholding the rule of law, and within their framework, among others, analyzing court case files in order to decide on the filing of extraordinary appeals by the Prosecutor General. From the scope of information that a prosecutor acting under the cited provision is authorized to make public, the legislator has excluded only classified information". In accordance with art. 12 § 2 of the Law on the Public Prosecution Service, the Prosecutor General and heads of organizational units of the public prosecutor's office may personally provide the media, or authorize another prosecutor for this purpose, with information from ongoing preparatory proceedings or concerning the activities of the public prosecutor's office, excluding classified information, taking into account an important public interest.

The above norm, while permitting the disclosure of information by an organizational unit of the public prosecutor's office, also specifies the circumstances in which this may occur, i.e. the information should concern ongoing preparatory proceedings or the activities of the public prosecutor's office, provided that there is an important public interest in doing so. Meanwhile, the information disclosed during the press conference on (...) came from completed proceedings, decided by a common court (a final court judgment was issued), and therefore did not concern the preparatory proceedings referred to in the above-mentioned provisions of the Law on the Public Prosecutor's Office.

When analysing the second premise indicated in art. 12 § 2 of the Public Prosecution Act, it is necessary to consider what is meant by the concept of the activities of the public prosecutor's office. At this point, it should be noted that in accordance with art. 2 of the Public Prosecution Act, the public prosecutor's office performs tasks in the scope of prosecuting crimes and safeguards the rule of law. In accordance with art. 3 § 1 of the aforementioned act, the duties specified in art. 2 are performed by the Public Prosecutor General, the National Public Prosecutor and other deputies of the Public Prosecutor General and prosecutors subordinate to them by: 1) conducting or supervising preparatory proceedings in criminal cases and performing the function of public prosecutor before courts; 2) bringing actions in civil cases and submitting applications and participating in court proceedings in civil cases, within the scope of labour law and social security, if required by the protection of the rule of law, public interest, property or citizens' rights; 3) taking measures prescribed by law, aimed at the correct and uniform application of the law in court, administrative proceedings, in petty offence cases and in other proceedings provided for by law; 4) supervising the execution of decisions on temporary arrest and other decisions on deprivation of liberty; 5) conducting research into the issue of crime and its combating and prevention, and cooperating with the entities referred to in Art. 7 sec. 1 points 1, 2 and 4-8 of the Act of 20 July 2018 - The Law on Higher Education and Science (Journal of Laws of 2023, item 742), in the scope of conducting research on the issues of crime, its combating, prevention and control; 6) collecting, processing and analysing data in IT systems, including personal data, originating from proceedings conducted or supervised on the basis of the Act and from participation in court, administrative, petty offence cases or other proceedings provided for by the Act, transferring data and analysis results to the competent authorities, including authorities of another country, if the Act or an international agreement ratified by the Republic of Poland so provides; 7) appealing to court against unlawful administrative decisions and participating in court proceedings in matters of the lawfulness of such decisions; 8) coordinating activities in the field of prosecuting crimes or fiscal crimes conducted by other state bodies; 9) cooperating with state bodies, state organizational units and social organizations in preventing crime and other violations of the law; 10) cooperating with the Head of the National Criminal Information Center to the extent necessary to perform its statutory tasks; 11) cooperating and participating in activities undertaken by international or supranational organizations and international teams operating on the basis of international agreements, including agreements establishing international organizations, ratified by the Republic of Poland; 12) giving opinions on draft normative acts; 13) cooperating with organizations associating prosecutors or employees of prosecutor's offices, including co-financing joint research or training projects; 14) undertaking other activities specified in the acts.

In the opinion of the President of the Personal Data Protection Office, the disclosure of the injured party's personal data, which took place (...), cannot be considered information concerning the activities of the prosecutor's office within the meaning of Art. 2 or Art. 3 of the Law on the Public Prosecution Service. The performance of these tasks does not require the Administrator to publicly disclose (e.g. during press conferences) the personal data of the parties to proceedings concluded with a final judgment of a common court, including injured parties. Moreover, persons who have been granted the status of an injured party should be particularly protected by the prosecutor's office units.

In addition, the above provision also specifies who may disclose information in this procedure. In accordance with the content of Art. 12 § 2 of the Law on the Public Prosecution Service, the Prosecutor General and heads of organizational units of the prosecutor's office may personally provide the media with information from ongoing preparatory proceedings or from the scope of the prosecutor's office's activities, or authorize another prosecutor to do so. It should be emphasized here that the President of the UODO asked the Administrator three times to indicate in what role and under whose authorization prosecutor Tomasz Szafrański appeared during the press conference in question.

The responses received by the President of the UODO indicate that information in this respect is in the possession of "prosecutor Dariusz Barski, former Prosecutor General (...) and former director of the Presidential Office of the National Prosecutor's Office, prosecutor Tomasz Szafrański. At present, the Presidential Office cannot obtain information from any of the above-mentioned persons" (letter of March 12, 2024) or "determining who authorized the prosecutor to provide the media with information regarding case file reference: (...) of the District Court (...) will possibly be possible no earlier than in the second half of April this year (...)" (letter of April 11, 2024). In a letter dated May 13, 2024, the Administrator, citing the lack of competence of the President of the UODO in the scope of supervision over the prosecutor's office, refused to provide an answer in this respect.

At this point, attention should be paid to the content of art. 12 § 5 of the Law on the Prosecutor's Office, according to which art. 119-121 of the Act of June 26, 1974 - the Labor Code (Journal of Laws of 2023, item 1465, as amended), hereinafter referred to as the "Labor Code", shall apply accordingly to the liability of persons referred to in § 1 and 2. Therefore, a person who has caused damage to a third party may be held financially liable for the damage caused in an amount not exceeding the amount of three months' salary due to him on the day the damage was caused (art. 119 of the Labor Code). It should be emphasized, however, that the decision in question is related to the administrative liability incurred by the Administrator for violating the provisions of Regulation 2016/679. The Administrator, on the other hand, has the possibility to apply legal measures that allow him to pursue legal and financial liability - in particular in civil recourse proceedings, or by bringing the person guilty of violating the provisions on the protection of personal data to criminal liability for their violation. The President of the UODO is of the opinion that in order to ensure effective protection of personal data, effective mechanisms for pursuing liability for their violation by administrators, including in relation to the administrator's employees, are necessary. However, this liability should be pursued in the appropriate procedures indicated above.

It should be emphasized that Article 12 § 2 of the Public Prosecution Act cannot be considered a legal basis for disclosing personal data, especially since the Controller did not demonstrate, at any stage of the proceedings conducted before the President of the Personal Data Protection Office, an important public interest that would justify disclosing the personal data of the injured party. It should also be emphasised that disclosing the data of the injured party had no added value and was unnecessary in the context of the purpose for which the press conference on (...) was convened, which additionally confirms that it was held without a legal basis and that the effect is a violation of the rights or freedoms of the data subject.

It should be emphasised here that the National Public Prosecutor's Office as a public authority, a law enforcement authority, responsible for enforcing compliance with the law, should itself comply with it in a way that does not raise any doubts, and therefore also protect information about the natural person who has been granted the status of an injured party in a given case. (…) obtained the status of an injured party in criminal proceedings within the meaning of Article 49 § 1 of the Act of 6 June 1997 - the Code of Criminal Procedure (Journal of Laws of 2024, item 37, as amended), i.e. a direct violation or threat to their legal interests by a crime was established.

When analyzing the disclosure of personal data in question, the President of the UODO also considered whether the data constituted public information. However, the injured party was not a person performing a public function, but a victim of a crime (established by a final court judgment).

Referring to the position of the National Prosecutor's Office expressed in a letter of 27 October 2023, in which the Administrator referred to the decisions of the President of the UODO of (…), reference number (…), and of (…), reference number (…), and the judgment of the Provincial Administrative Court in Warsaw of 5 October 2020, reference number II SA/Wa 2620/19, as justification for recognizing that the President of the UODO is not the supervisory authority competent to assess the event in question in the context of a breach of personal data protection and provisions on personal data protection, it should be indicated that the authority does not share this position. The decisions and the judgment indicated by the Administrator concern proceedings conducted in cases initiated by a lodged complaint, and not proceedings conducted ex officio in connection with the occurrence of a breach of personal data protection. Furthermore, the disputed disclosure of data is not related to the combating and prevention of crime, as was the case in the cases in which the above-mentioned decisions and judgment were issued, and is assessed, as already shown above, on the basis of the provisions of Regulation 2016/679, and not the 2018 UODO, and therefore there can be no question of the lack of competence of the President of the UODO as a supervisory authority in this respect.

In response to the arguments of the Administrator contained in the letter of 13 May 2024, in which he referred to three cases ((...)), transferred by the President of the UODO, according to the competence, to the supervisory authority indicated in art. 191a § 1 of the Law on the Public Prosecutor's Office, it should be noted that the above-mentioned cases concerned breaches of personal data protection in organizational units of the prosecutor's office, subject to reporting and assessment under the provisions of the 2018 UODO. Due to the change in the provisions of the Prosecutor's Office Act, from 14 December 2023, the President of the UODO is not the competent supervisory authority in the cases specified in Article 191a of the Prosecutor's Office Act. However, it should be emphasized again that the case in question does not concern a breach of the provisions of the 2018 Act, but of the provisions of Regulation 2016/679. This means that the President of the UODO retains the full scope of his competences when assessing the case in question.

Referring to the Administrator's claim contained in a letter dated October 27, 2023, in which he stated that, quoted "[t]hese data have already been previously made public as part of the ongoing open court proceedings in this case, both during the evidentiary activities conducted by the court and the public announcement of the judgment", it should be noted that the public nature of the data does not mean their general availability. The public nature of the data at a specific time (e.g. during the hearing, at the time of the announcement of the judgment) for a specific group of people does not mean that these data may be disclosed to an unlimited number of people, as was the case during the conference broadcast on television and the Internet on (...). Making public or recording a hearing (announcement of a judgment), e.g. in the form of a recording of a court hearing, requires the consent of the court (see Article 357 and Article 358 of the Code of Criminal Procedure), and therefore there can be no voluntary action by a representative of law enforcement authorities in this respect.

In connection with the above, the disclosure of the personal data of the injured party during the press conference with (...) took place without a legal basis, and thus in violation of Article 6 paragraph 1 and Article 9 paragraph 1 of Regulation 2016/679. As a result, the principle of lawfulness, fairness and transparency was violated [Article 5 paragraph 1 letter a) of Regulation 2016/679].

III. Pursuant to Article 33 paragraph 1 of Regulation 2016/679 in the event of a personal data breach, the controller shall, without undue delay – if possible, no later than 72 hours after the breach is discovered – notify the supervisory authority competent in accordance with Art. 55, unless it is unlikely that the breach will result in a risk of infringement of the rights or freedoms of natural persons. An explanation of the reasons for the delay shall be attached to the notification submitted to the supervisory authority after 72 hours.

Referring to the rights or freedoms of persons affected by the breach, it should be noted that, in accordance with Art. 34 sec. 1 of Regulation 2016/679, if a personal data breach is likely to result in a high risk of infringement of the rights or freedoms of natural persons, the controller shall notify the data subject of such breach without undue delay. The notification referred to in sec. 1 of this Article, shall describe in clear and plain language the nature of the personal data breach and include at least the information and measures referred to in Article 33 paragraph 3 letters b), c) and d) (paragraph 2).

Notification of personal data breaches by controllers is an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers shall inform the President of the UODO whether, in their opinion, there has been a high risk to the rights and freedoms of data subjects and - if such a risk has occurred - whether they have provided relevant information to natural persons affected by the breach. In justified cases, they may also provide information that, in their opinion, notification is not necessary due to the fulfilment of the conditions set out in Article 34 paragraph 3 letters a) - c) of Regulation 2016/679. The President of the UODO verifies the assessment made by the administrator and may – if the administrator has not notified the data subjects – request such notification from him/her. Notifications of a personal data protection breach allow the supervisory authority to respond appropriately, which may limit the effects of such breaches, because the administrator is obliged to take effective measures to ensure the protection of natural persons and their personal data, which, on the one hand, will allow for the control of the effectiveness of the existing solutions, and on the other hand, the assessment of modifications and improvements aimed at preventing irregularities similar to those covered by the breach.

In the opinion of the President of the UODO, the event in question (the personal data of the injured party, including special categories of their personal data, were disclosed in a public forum during a conference, including on television and the Internet, i.e. to an unspecified large number of people) constitutes a personal data protection breach, resulting in a high risk of violating the rights or freedoms of the person covered by it. This entails an obligation on the part of the Administrator to implement the provisions of Article 33 sec. 1 and 34 sec. 1 of Regulation 2016/679. The National Prosecutor's Office, through its actions, exposed a natural person whose data was subject to a breach of personal data protection to a violation of their personal rights and, as a consequence, to their secondary victimisation.

The disclosed information about the injured party makes it easy to identify this person. The name and surname and information about the court case ((...)) give an unlimited number of people access to their personal data, because this conference was broadcast on television and the data were disclosed. This means that people with access to this information and to the Internet can obtain a much wider range of information about this person. This not only increases the probability of unequivocally identifying this person, but also increases the level of possible consequences for this person (property and non-property damage), and thus the severity of those consequences may increase. It is worth recalling here (...) that the risk of violating this person's rights or freedoms may have already materialised. (…) the risk could therefore have materialised, and it is also possible that it will materialise again in the same form in the future.

In the case at hand, which should be emphasised again, there was a breach of personal data protection of one person, resulting in a high risk of violation of their rights or freedoms due to the scope of the personal data breached (special category data in the form of (…)), the type and context of the breach – information was disclosed about a natural person recognised as a victim in criminal proceedings, who was attacked and whose (…) was publicised through the public disclosure of their personal data during a conference with (…). As indicated by Guidelines 9/2022[1], a breach of personal data protection may potentially cause a number of negative consequences for natural persons whose data are the subject of this breach. Among the possible consequences of the breach, the EDPB lists: physical harm, material or non-material damage. Examples of such damage include: discrimination, identity theft or identity fraud, financial losses, damage to reputation, breach of confidentiality of personal data and significant economic or social damage. There is no doubt that due to the fact that the personal data protection breach covered information (...) of the injured party together with their name and surname, there may be consequences in the form of discrimination or damage to the reputation of the person to whom the data relates. The media context of the personal data protection breach in connection with their publication during a press conference is also significant for such an assessment.

It should be emphasized here that the President of the UODO, before initiating administrative proceedings, first asked the National Prosecutor's Office (twice) about the subject disclosure of data. In response, he received information that "(...) due to the lack of appropriate grounds, the event described in the notification was not the subject of analysis by the data controller of the National Prosecutor's Office, in the context referred to in the letter of 10 August 2023". This means that the Controller did not conduct any analysis of the subject disclosure of data in terms of the need to fulfil its obligations under Article 33 paragraph 1 and Article 34 paragraph 1 of Regulation 2016/679, despite the authority's inquiries about the subject event. Therefore, it did not assess whether the event constitutes a breach of personal data protection, whether it causes a high risk of violating the rights or freedoms of the person covered by it, whether it is subject to notification to the supervisory authority, or whether the natural person should be informed of it. Such conduct, in the opinion of the President of the UODO, constitutes a deliberately dismissive approach of the Controller to the protection of personal data.

It should also be borne in mind that the Controller's fulfilment of its obligation under Article 33 sec. 1 and 34 sec. 1 of Regulation 2016/679 cannot be made dependent on the materialization of the risk resulting from the infringement of the rights or freedoms of natural persons whose data are affected by the personal data protection infringement. As stated by the Regional Administrative Court in Warsaw in its judgment of 22 September 2021 issued in case reference number II SA/Wa 791/21: "[t]he possible consequences of the event do not have to materialize. In the content of Art. 33 sec. 1 of Regulation 2016/679 states that the mere occurrence of a personal data breach which involves a risk of infringement of the rights and freedoms of natural persons implies an obligation to notify the competent supervisory authority, unless it is unlikely that the breach will result in a risk of infringement of the rights and freedoms of natural persons" (whereas this Court ruled similarly in its judgment of 1 July 2022 in case file reference II SA/Wa 4143/21 and in its judgments of 31 August 2022, file reference II SA/Wa 2993/21, of 15 November 2022, file reference II SA/Wa 546/22 and of 26 April 2023, file reference II SA/Wa 1272/22).

It should be noted here that Article 34 sec. 1 and 2 of Regulation 2016/679 aims not only to ensure the most effective protection of the fundamental rights or freedoms of data subjects, but also to implement the principle of transparency, which results from Art. 5 sec. 1 letter a) of Regulation 2016/679 (cf. Witold Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary. eds. E. Bielak-Jomaa, D. Lubasz, Warsaw 2018). Proper performance of the obligation specified in Art. 34 of Regulation 2016/679 should provide the data subject with prompt and transparent information on a breach of the protection of his or her personal data, together with a description of the possible consequences of the breach of the protection of personal data and the measures that he or she can take to minimize its possible negative effects.

It should therefore be noted that in order to take care of the interests of the data subject and to act in accordance with the law, the Administrator should have provided that person with the opportunity to make the best possible, independent assessment of the infringement of their rights or freedoms in connection with the event that occurred. Achieving this goal requires the Administrator to provide the data subject with at least the information specified in Article 34 paragraph 2 of Regulation 2016/679 in a form that allows the data subject to review the content of the notification addressed to them multiple times.

Consequently, it should be stated that the Administrator did not notify the personal data protection breach to the supervisory authority in compliance with the obligation under Article 33 paragraph 1 of Regulation 2016/679 and did not notify the data subject without undue delay of the breach of their data protection, in accordance with Article 34 paragraph 1 of Regulation 2016/679, which means that the Controller has breached these provisions.

When assessing the circumstances of the personal data protection breach in question, it should be emphasised that when applying Regulation 2016/679, it should be borne in mind that its purpose (expressed in Article 1, paragraph 2) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In the event of any doubts, e.g. as to the performance of obligations by controllers - not only in a situation where a personal data protection breach has occurred, but also when developing technical and organisational security measures to prevent it - these values should be taken into account first.

In accordance with Article 34, paragraph 4 of Regulation 2016/679, if the controller has not yet notified the data subject of a personal data breach, the supervisory authority – taking into account the likelihood that the personal data breach will result in a high risk – may require it to do so or may determine that one of the conditions referred to in paragraph 3 has been met. In turn, it results from the content of Article 58 paragraph 2 letter e) of Regulation 2016/679 that each supervisory authority has the remedial power to order the controller to notify the data subject of a data breach.

Taking into account the above findings and the identified infringements of the provisions of Regulation 2016/679, the President of the UODO, exercising his power specified in Article 58 paragraph 2 letters e) and i) of Regulation 2016/679, according to which each supervisory authority has the power to apply, in addition to or instead of other corrective measures provided for in Article 58 paragraph 2 letters a) to h) and letter j) of that Regulation, an administrative pecuniary penalty under Article 83 paragraph 4 letter a) and paragraph 5 letter a) of Regulation 2016/679, having regard to the circumstances established in the proceedings in question, found that in the case in question there were grounds for imposing an administrative pecuniary penalty on the Controller.

In accordance with Article 83 paragraph 4 letter a) of Regulation 2016/679, infringements of the provisions concerning the obligations of the controller and the processor referred to in Articles 8, 11, 25-39 and 42 and 43 are subject to, in accordance with paragraph 2, an administrative fine of up to EUR 10,000,000, or in the case of an undertaking – up to 2% of its total annual worldwide turnover in the previous financial year, whichever is higher.

In accordance with Article 83 paragraph 5 letter a) of Regulation 2016/679, infringements of the provisions concerning the basic principles of processing, including the conditions for consent, referred to in Articles 5, 6, 7 and 9, shall be subject to an administrative fine of up to EUR 20,000,000, or in the case of an undertaking – up to 4% of its total annual worldwide turnover in the previous financial year, whichever is higher.

In turn, under Article 102 paragraph 1 point 1 of the Act of 10 May 2018 on the Protection of Personal Data (hereinafter referred to as the UODO), it follows that the President of the UODO may impose, by way of a decision, administrative fines of up to PLN 100,000 on: public finance sector entities referred to in art. 9 points 1-12 and 14 of the Act of 27 August 2009 on Public Finance, a research institute or the National Bank of Poland. It also follows from par. 3 of this article that the administrative fines referred to, among others, in par. 1, are imposed by the President of the UODO on the basis and under the conditions specified in art. 83 of Regulation 2016/679.

In this case, the administrative fine was imposed on the Administrator for violating art. 33 par. 1 and art. 34 par. 1 and 2 of Regulation 2016/679 on the basis of the above-mentioned art. 83 sec. 4 letter a) of Regulation 2016/679, while for the infringement of art. 5 sec. 1 letter a), art. 6 sec. 1 and art. 9 sec. 1 of Regulation 2016/679 – on the basis of art. 83 sec. 5 letter a) of that Regulation.

Pursuant to the content of art. 83 sec. 2 of Regulation 2016/679, administrative pecuniary penalties shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in art. 58 sec. 2 letters a) - h) and letter j) of Regulation 2016/679. When deciding to impose an administrative pecuniary penalty on the Controller, the President of the UODO – in accordance with the content of art. 83 sec. 2 letters a) - k) of Regulation 2016/679 - took into account the following circumstances of the case, which make it necessary to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative pecuniary penalty imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered [Article 83 paragraph 2 letter a) of Regulation 2016/679]. The infringement of the provisions of Regulation 2016/679 found in this case is of significant importance and serious nature, because the personal data of the injured party was disclosed without a legal basis by a representative of the National Prosecutor's Office, i.e. an entity that should take special care of the well-being and security of such persons' data. This entails not only the potential, but also the real possibility of third parties using this data without the knowledge and consent of the data subject, and therefore involves the risk of damage, in particular in the form of discrimination, loss of reputation and loss of control over one's own data. It is worth citing the judgment of the District Court in Warsaw of 6 August 2020, file reference: XXV C 2596/19, in which the court indicated that the loss of security constitutes real non-pecuniary damage entailing the obligation to repair it.

In this case, the personal data of the injured party (including their special categories of data) were disclosed to a wide audience by the National Prosecutor's Office without a legal basis, because the press conference during which the personal data protection breach occurred was broadcast in the media. (...) This means that although the disclosure of data itself should be classified as a one-off (...).

In addition, reporting of personal data breaches by data controllers is an effective tool contributing to a real improvement in the security of personal data processing. First of all, based on the information provided by controllers in personal data breach reports, the supervisory authority may assess whether the controller has correctly analysed the impact of the breach on the rights or freedoms of data subjects covered by the breach and, consequently, whether there is a high risk of infringement of the rights or freedoms of natural persons and it is necessary to notify these persons of the breach of their data. Properly fulfilled by controllers, the obligations specified in Article 33 paragraph 1 and Article 34 paragraph 1 of Regulation 2016/679 also allow for limiting the negative effects of personal data breaches and eliminating or at least reducing the risk of such breaches in the future, as controllers are obliged to take actions that will ensure proper protection of personal data by applying appropriate security measures and monitoring their effectiveness. Reporting a personal data breach to the supervisory authority gives it the opportunity to respond appropriately, allowing for limiting the effects of such a breach. In turn, failure to notify data subjects of a breach of their personal data protection may result in material or non-material damage, and the probability of their occurrence is high. This is clearly indicated by the judgment of the District Court in Warsaw of 6 August 2020, file reference XXV C 2596/19.

In turn, the Court of Justice of the EU in its judgment of 14 December 2023 in the case Natsionalna agentsia za prihodite (C-340/21) emphasized that "[a]rticle 82 paragraph 1 of the GDPR should be interpreted as meaning that the fear of possible use by third parties in a manner constituting a misuse of personal data, which the data subject has as a result of a breach of this regulation, may in itself constitute "non-material damage" within the meaning of that provision".

The President of the UODO considers the long duration of the breach to be an aggravating circumstance. From the date of receipt by the Controller of information about the breach of personal data protection (the conference took place (...), the first call from the President of the Personal Data Protection Office (...)) until the date of issue of this decision, more than (...) have passed, during which the risk of violating the rights or freedoms of a natural person (a person with the status of an injured party granted in criminal proceedings), in relation to whom such a risk occurred at a high level, could have been realised.

The personal data protection breach in question concerned one natural person, who was the injured party. Such a number of people affected by the breach, especially in view of the fact that the National Prosecutor's Office processes the personal data of many people, should be considered small, but this does not change the overall assessment, i.e. the recognition in the analysed case of the premise of Article 83 paragraph 2 letter a) of Regulation 2016/679 as aggravating.

2. Intentional nature of the infringement [Article 83 paragraph 2 letter b) of Regulation 2016/679]. In accordance with the Guidelines of the Article 29 Working Party on the application and setting of administrative pecuniary penalties for the purposes of Regulation No. 2016/679 WP253 (adopted on 3 October 2017, approved by the EDPB on 25 May 2018), intentionality "includes both knowledge and deliberate action, in connection with the characteristics of the prohibited act".

In this case, the President of the UODO found a violation of the provisions of Regulation 2016/679 concerning the legal basis for the processing of personal data and the controller's notification obligations towards the supervisory authority and the data subject. In both respects, in the opinion of the President of the UODO, the violation was intentional. The authority reached this conclusion after a thorough analysis of the recording from the press conference, during which the prosecutor, while discussing the case, disclosed the personal data of the injured party because he reported the case too broadly. The intentional nature of the violation consists, among other things, in the fact that the Administrator did not take care of technical and organizational measures that would not allow for such a gross violation of the rights or freedoms of the injured party. In the opinion of the President of the UODO, this disclosure was a conscious action, as it was intended to highlight the irregularities that appeared in the proceedings (criticism of the work of the prosecutor's office handling the case and the court that issued the ruling).

Furthermore, a person holding such an important position as the Director of the Presidential Office of the National Prosecutor's Office should be aware of their actions. Of no small importance for treating the violation of the provisions of Regulation 2016/679 as intentional is the fact that the National Prosecutor's Office is a special institution due to its position in the hierarchy of prosecutorial units, as well as due to the role it performs in the process of prosecuting and preventing crimes. Its task is to ensure compliance with the law, to uphold the rule of law and to respect the rights or freedoms of persons, and persons who have been granted the status of injured parties due to their role in the criminal process should be under special protection. The disclosure of special categories of data of the injured party, which should also be protected in accordance with the provision of Article 9 paragraph 1 of Regulation 2016/679, is also of no small importance.

In relation to the failure to fulfil the Administrator's obligations arising from Article 33 and Article 34 of Regulation 2016/679, the President of the UODO found that this constituted deliberate action by the Administrator. The Administrator made a conscious decision not to notify the President of the UODO and the data subject of the personal data breach. This event concerned the disclosure of personal data of one natural person (a person who was granted the status of an injured party in the proceedings) without a legal basis, which included, among others, special categories of data. Being aware of this, the Administrator decided not to report the breach to the President of the UODO or to notify the data subject, despite the fact that the President of the UODO had first informed the Administrator of the obligations incumbent on the administrator in connection with the data protection breach. After all, the mere initiation by the President of the UODO of these proceedings on the obligation to report a personal data breach to the supervisory authority and to notify the data subject of the breach should have given the Controller at least some doubts as to the correctness of the position he adopted.

3. Actions taken by the controller to minimize the damage suffered by data subjects [Article 83 paragraph 2 letter c) of Regulation 2016/679]. The controller has not demonstrated that it has taken any action to minimize the effects of the breach. In fact, during the proceedings it was indicated (in a letter dated 29 August 2023) that "in the absence of appropriate grounds, the event described in the report was not the subject of analysis by the controller of the data of the National Prosecutor's Office (...)". Therefore, the Administrator did not take any actions to minimize the consequences for the natural person, such as a public admission of the error, a written apology, or a proposal for compensation, which could mitigate the harm to the person affected by the violation. The above indications regarding actions aimed at eliminating the consequences of the violation of personal rights are – in the opinion of the President of the Personal Data Protection Office – also applicable to actions that can be taken to redress non-material damage (harm) caused by the violation of personal data protection. It is reasonable to expect an entity guarding the rule of law, such as the National Prosecutor's Office, to take appropriate actions in this respect.

4. Degree of cooperation with the supervisory authority in order to eliminate the violation and mitigate its possible negative effects [Article 83 paragraph 2 letter f) of Regulation 2016/679]. During the explanatory proceedings and during the initiated administrative proceedings, the Administrator responded to the supervisory authority's requests. However, the fact of responding to the authority's requests cannot be treated by the President of the UODO as a mitigating premise, but as an expression of the implementation of legal obligations incumbent on the Administrator. The aforementioned correspondence between the authority and the Administrator did not contribute to the removal of the breach or to mitigating its possible negative effects, because the Administrator did not report the breach of personal data protection, nor did it take action to notify the data subject of this breach. Therefore, the authority decided that such conduct of the Administrator constitutes an aggravating premise (increasing the amount of the administrative fine imposed).

5. Categories of personal data concerned by the breach [Article 83 paragraph 2 letter g) of Regulation 2016/679]. The personal data of the injured party disclosed during the conference on (...) include information (...) and therefore constitute data subject to special protection under Article 9 paragraph 1 of Regulation 2016/679. This imposes on the controllers of this data the obligation to treat this information in a special way, also due to the possible negative consequences for the data subjects in the event of its disclosure to unauthorised persons, including discrimination or loss of reputation.

In this context, it is worth recalling the EDPB Guidelines 04/2022, which indicate: "As regards the requirement to take into account the categories of personal data concerned by the breach (Article 83(2)(g) of [Regulation 2016/679]), [Regulation 2016/679] clearly indicates the types of data that are subject to special protection and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Article 9 and 10 [of Regulation 2016/679] and data not covered by these articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g. location data, private communication data, national identification numbers or financial data such as transaction records or credit card numbers). Generally speaking, the more such categories of data are affected by the breach or the more sensitive the data is, the more weight the supervisory authority may attach to such a factor. The amount of data relating to each data subject is also significant, as the scale of the infringement of the right to privacy and personal data protection increases with it".

When determining the amount of the administrative fine, the President of the UODO found no grounds for taking into account mitigating circumstances affecting the final amount of the fine. In the opinion of the authority, all the grounds listed in Article 83 paragraph 2 letters a) to j) of Regulation 2016/679 constitute either aggravating or merely neutral grounds. Also, applying the ground listed in Article 83 paragraph 2 letter k) of Regulation 2016/679 (requiring that any other aggravating or mitigating factors applicable to the circumstances of the case be taken into account), no mitigating circumstances were found, only neutral ones (as noted below in point 7).

The other circumstances indicated below, referred to in Art. 83 sec. 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were considered by the President of the UODO to be neutral in his assessment, i.e. having neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed.

1. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by it under Art. 25 and 32 [Art. 83 sec. 2 letter d) of Regulation 2016/679]. The infringement assessed in these proceedings (failure to notify the President of the UODO of a breach of personal data protection, failure to notify data subjects of the breach of personal data protection, and infringement of the provisions of art. 5 sec. 1 letter a), art. 6 sec. 1 and art. 9 sec. 1 of Regulation 2016/679) is not related to the technical and organizational measures applied by the Administrator.

2. Relevant previous infringements of the provisions of Regulation 2016/679 by the administrator [art. 83 sec. 2 letter e) of Regulation 2016/679]. The President of the UODO did not find any previous infringements of the provisions on personal data protection committed by the Administrator, therefore there is no basis to treat this circumstance as aggravating. And since such a state (compliance with personal data protection regulations) is a natural state, resulting from the legal obligations incumbent on the Controller, it cannot have a mitigating effect on the assessment of the breach made by the President of the UODO.

3. The manner in which the supervisory authority learned of the breach [Article 83 paragraph 2 letter h) of Regulation 2016/679]. The President of the UODO was informed of the occurrence of a personal data protection breach, i.e. the disclosure of the personal data of the injured party during a press conference, by a third party, as well as from the press conference itself, and not by the Controller. However, the failure to report a personal data breach to the supervisory authority and to notify the data subject of the personal data breach (i.e. infringement of the provisions of Article 33(1) and Article 34(1) of Regulation 2016/679) is the subject of this decision and, in the circumstances of the factual situation under consideration, the authority assumed that it would not treat this premise as an aggravating circumstance.

4. Compliance with previously applied measures in the same case, referred to in Article 58 paragraph 2 of Regulation 2016/679 [Article 83 paragraph 2 letter i) of Regulation 2016/679]. Before issuing this decision, the President of the UODO did not apply any measures listed in Article 58 paragraph 2 of Regulation 2016/679 to the Controller in the case at hand, and therefore the Controller was not obliged to take any actions related to their application, actions which, when assessed by the President of the UODO, could have had an aggravating or mitigating effect on the assessment of the identified infringement.

5. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 [Article 83 sec. 2 letter j) of Regulation 2016/679]. The Controller does not apply the instruments referred to in Art. 40 and Art. 42 of Regulation 2016/679. However, their adoption, implementation and application is not – as provided for in the provisions of Regulation 2016/679 – mandatory for controllers and processors, therefore the circumstance of their non-application cannot be considered to the Controller's detriment in this case. On the other hand, the circumstance of adopting and applying such instruments as means guaranteeing a higher than standard level of protection of the processed personal data could be considered to the Controller's advantage.

6. Financial benefits directly or indirectly achieved in connection with the infringement or losses avoided [Art. 83 sec. 2 letter k) of Regulation 2016/679]. The President of the UODO did not find that the Administrator had gained any financial benefits or avoided any losses in connection with the infringement. There is therefore no basis for treating this circumstance as aggravating for the Administrator. The finding of the existence of measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed decidedly negatively. On the other hand, the failure of the Administrator to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that by its nature cannot be mitigating for the Administrator. This is confirmed by the very wording of the provision of Article 83 paragraph 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - i.e. obtained by the entity committing the infringement.

7. Other aggravating or mitigating factors applicable to the circumstances of the case [Article 83 paragraph 2 letter k) Regulation 2016/679]. The President of the Personal Data Protection Office, in his comprehensive consideration of the case, did not note any circumstances other than those described above that could have an impact on the assessment of the infringement and the amount of the imposed administrative fine.

Taking into account all the circumstances discussed above, the President of the Personal Data Protection Office considered that imposing an administrative fine on the National Prosecutor's Office is necessary and justified by the gravity, nature and scope of the infringements of the provisions of Regulation 2016/679 alleged against the Administrator. It should be stated that applying any other remedy to the Administrator provided for in Art. 58 sec. 2 of Regulation 2016/679, in particular, limiting it to a warning (Article 58 paragraph 2 letter b) of Regulation 2016/679), would not be proportionate to the irregularities found in the process of personal data processing and would not guarantee that the Controller would not commit further negligence in the future.

Referring to the amount of the administrative fine imposed on the Controller, it should be noted that - in view of the fact that the Controller is a public finance sector entity, referred to in Article 9 item 1) of the Act of 27 August 2009 on public finances (Journal of Laws of 2023, item 1270, as amended) - Article 102 paragraph 1 point 1 of the Personal Data Protection Act shall apply, which limits the amount (up to PLN 100,000) of an administrative fine that may be imposed on a public finance sector entity.

In justifying the fact of imposing an administrative fine of PLN 85,000 on the Administrator, it should be noted that in the opinion of the President of the UODO, a fine of a lower amount would not fulfil its deterrent function, which is, among others, directly referred to in Art. 83 sec. 1 of Regulation 2016/679; it would also not discipline the Administrator to properly cooperate with the President of the UODO in the future (and as indicated below, the fine imposed in this specific case is also disciplinary and preventive in nature).

In the opinion of the President of the UODO, the administrative fine applied fulfils the functions referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it will be effective, proportionate and deterrent in this individual case.

According to the President of the UODO, the administrative fine imposed on the National Prosecutor's Office will be effective because it will lead to a situation in which the Administrator will properly protect personal data against disclosure without a legal basis. The effectiveness of this penalty is therefore equivalent to a guarantee that the National Prosecutor's Office will carefully approach the requirements set by the provisions on the protection of personal data from the moment of conclusion of these proceedings. In addition, the penalty in question should also ensure that the Data Administrator, in the event of another breach of personal data protection, will be able to properly assess it, as well as fulfill the obligations incumbent on it (Articles 33 and 34 of Regulation 2016/679).

The applied administrative fine is also proportionate to the established breach of the provisions of Regulation 2016/679, in particular its seriousness, the negative effect on the person affected by the breach of personal data protection and the high risk of negative consequences that they may suffer. According to the President of the UODO, the administrative fine imposed on the Administrator does not constitute an excessive burden for him, given the statutory limitation of its amount in the case of public finance sector entities. In particular, its payment will not affect the ability of the National Prosecutor's Office to fulfill its statutory tasks. According to the President of the UODO, the Administrator should and is able to bear the consequences of its negligence in the area of data protection, hence the imposition of an administrative fine of PLN 85,000 (in words: eighty-five thousand zlotys) is fully justified.

In the opinion of the President of the UODO, the administrative fine will fulfill an educational function in these specific circumstances, but also a preventive one; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the National Prosecutor's Office and other data controllers the reprehensibility of disregarding the obligations of controllers related to the occurrence of a breach of personal data protection, as well as the liability of state authorities for unlawful actions taken by them using their power and the possibilities provided by this power.

Therefore, the administrative fine applied meets, in the established circumstances of this case, the conditions referred to in Article 83 paragraph 1 of Regulation 2016/679, due to the gravity of the identified infringements in the context of the basic requirements and principles of Regulation 2016/679 - in particular the principle of legality, reliability and transparency expressed in Article 5 paragraph 1 letter a) of Regulation 2016/679.

In this factual and legal situation, the President of the Personal Data Protection Office decided as in the verdict.
