District Court Warsaw-Praga (Poland) - II C 1228/19

From GDPRhub
District Court Warsaw-Praga - II C 1228/19
Courts logo1.png
Court: District Court Warsaw-Praga (Poland)
Jurisdiction: Poland
Relevant Law: Article 4(12) GDPR
Article 82(1) GDPR
Decided: 17.03.2022
Published:
Parties:
National Case Number/Name: II C 1228/19
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Polish
Original Source: (in Polish)
Initial Contributor: P.balkanska01

In a case against an electricity company, the District Court in Warsaw awarded a data subject €212 for non-material damages suffered as a result of a data breach. The Court applied Article 82 GDPR.

English Summary

Facts

The controller (the defendant) was an electricity company. The data subject (the plaintiff) was a customer. On 6 February 2019, due to an error, an employee of the defendant emailed to one of the company’s clients a file containing the personal data of other clients (data subjects), including the the plaintiff's. The information included: first name, surname, ID number, address, customer number, and numbers of invoices. After learning about the security breach, the defendant notified the Polish DPA of the incident. The defendant also sent a notification to the affected data subjects and asked the recipients of the unintentional disclosure the delete the file.

After receiving a notice of the security breach, the plaintiff filed a complaint with the Polish DPA. Moreover, she requested the defendant to terminate her contract by mutual agreement due to the loss of confidence. The defendant stated that a one time breach of the plaintiff’s personal data did not constitute a gross breach of contract and therefore did not provide grounds for termination of the contract. Hence, the plaintiff decided to terminate the contract herself despite a financial penalty. Moreover, due to the security breach and fear that her personal data could be used by third parties, she set up a subscription account with the Credit Information Bureau to receive information on credit obligations attributed to her. On top of that, she suffered non-pecuniary harm from the stress and psychological discomfort related to the fear that her personal data could be used by third parties.

Apart from the proceedings at the DPA, the plaintiff brought an action to court seeking damages for the non-material harm caused by the incident on the basis of Article 82 GDPR in the amount of PLN 20,000 (€4,247).

Holding

First, the District Court of Warsaw-Praga (the Court) confirmed that the incident constituted a 'personal data breach' within the meaning of Article 4(12) GDPR. It also recalled that any person who suffered material or non-material damages due to a breach of the GDPR has a right to obtain compensation from the controller or processor under Article 82(1) GDPR.

Second, the Court assessed the extent of the damage suffered by the plaintiff. It considered the personal data disclosed in the security breach to be 'highly sensitive'. The Court held that the plaintiff's fear of unauthorised use of her data by third parties must be considered 'real' given the news appearing in the media space reporting the illegal use of personal data to take out loans on other persons.

Third, the Court noted that after learning of the violation, the defendant took all the necessary steps in order to prevent the damage from increasing further. The actions of the defendant led to the deletion of the file with personal data from the possession of the unauthorised party, which removed any further possibility of harm.

The Court concluded that apart from the fear of her personal data being used by an unauthorised third party, the plaintiff was not affected by any further consequences. Thus, the non-pecuniary damage was small and the demand for PLN 20,000 (ca. €4,247) was excessive and inadequate to the extent of the damage suffered. The Court decided that the appropriate sum to award the plaintiff for inadequate protection under the GDPR and the infringement of her right to privacy was PLN 1,000 (ca. €212).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

JUSTIFICATION
The plaintiff B.N. filed a lawsuit against (...) Sp. z o. o. in W. (now after changing the name: (...) Sp. z o.o. in W.) at:

1.
statement of infringement by the defendant company of the Plaintiff's personal data;

2.
ordering the Defendant to pay the Claimant compensation in the amount of PLN 20,000.00;

3.
In addition, the Claimant requested that the Defendant be ordered to pay court costs in accordance with the standards prescribed by law.

By letter of December 23, 2019 Following the Court's commitment, the claimant clarified her claim by requesting:
payment of compensation for non-pecuniary damage in the amount of PLN 20,000 for the violation of the Plaintiff's personal data by the Defendant. At the same time, she explained that the request contained in point 1 of the statement of claim that the Defendant violated the claimant's personal data is not a separate request (k.17).
In response to the lawsuit, the Defendant requested that the claim be dismissed in its entirety and that the Claimant pay the costs of the proceedings to the Defendant (k.29).
The plaintiff, replaced by a proxy, in the reply of January 28, 2021, modified the demand in such a way that instead of the compensation indicated in the lawsuit in the amount of PLN 20,000.00, she requested compensation in the amount of PLN 20,000.00 and also requested that the costs of the trial be awarded ( k.62).
By order of March 1, 2021, the Court ordered the return of the modified statement of claim due to formal deficiencies in the form of a lack of a copy of the modified statement of claim for the opposing party (k.67).
In the pleading of March 15, 2021, the Plaintiff modified the claim in such a way that instead of the compensation indicated in the lawsuit in the amount of PLN 20,000.00, she requested compensation in the amount of PLN 20,000.00 and also requested the award of the costs of the trial (k.77).
In final statements, at the hearing on March 3, 2022, the plaintiff upheld the claim, while the defendant applied for its dismissal.

The court established the following facts:

The defendant (...) Sp. z o. o. in W. (current name (...) Sp. z o.o. in W.) sold electricity to the Plaintiff B.N. from autumn 2018 to the Plaintiff's property.

(evidence: k. 13, e-mail correspondence, k.14 letter (...) sp. z o.o. of August 14, 2019, k.199-200 evidence from the hearing of the plaintiff B.N., k.49-51 copy of the National Court Register; k.195-198 full excerpt from the National Court Register)

On February 6, 2019, an employee of the Defendant company, as a result of an error, sent to one of the company's clients - (...), by e-mail a file with an attachment - a financial document containing the personal data of other clients, including the personal data of the Plaintiff. This file contained customer personal data, such as: name, surname, PESEL number, address, i.e. street, building and apartment number, postal code, city, customer number (...) number of the contract concluded with the Company, account number assigned to each customer separately for making payments, numbers of invoices and correcting invoices together with the information contained therein, balance (as of February 6, 2019), a list of all issued invoices and corrections, date of sale, date of issue, payment date, payment date, KWh, excise tax amount in PLN, net and gross value, VAT amount, payment status. The defendant company learned about the employee's mistake only on April 24, 2019, in a letter from the client M. S. (1), who received a file with data by e-mail. The client of M. S. (1) asked the Company whether he should provide his data to the relevant authorities.
(
proof: k.7-9 notification of a personal data breach, k. 40 letter from M. S. (1))

The defendant company, immediately after learning about the mistaken disclosure of customers' personal data to an unauthorized person (M. S. (1)), submitted a notification of a personal data breach to the President of the Office for Personal Data Protection. At the same time, (...) Sp. z o. o. w W. sent to its clients, including B.N., a notification of a personal data breach, in which it indicated what data had been disclosed, what security measures customers could take to prevent the negative effects of the breach, and what possible consequences may result from the fact that the data were made available an unauthorized person, e.g.: third parties obtaining loans from non-bank institutions to the detriment of the Injured Party, obtaining access to health care services to which the Injured Party is entitled; insurance fraud; the use by third parties of the civil rights of the Injured. The company also called on M.S. (1) to delete the data received by mistake. Due to the behavior of M. S. (1), who, being in possession of personal data of other clients, delayed their removal, the Defendant filed a notification about the possibility of committing a crime by processing personal data of the Defendant's clients, to which M. S. (1) was not authorized to process. The preparatory criminal proceedings were discontinued by the prosecutor on December 31, 2019, due to the statement that the social harmfulness of the act is negligible, because despite the fact that M. S. (1) stored the data file on his computer in the period from February 6, 2019 to November 18, 2019 , the file was eventually deleted, and M. S. (1) did not provide this personal data to third parties and did not process or use it itself. And during the investigation, the data file was removed from M. S.'s computer (1) and secured for the purposes of the investigation. In addition, in the same decision, the prosecutor discontinued the case of M.S. (1) using unlawfully obtained information on customers in its own business activity (...) Sp. z o. o. due to not committing such an act (Article 17 § 1 point 1 of the Code of Criminal Procedure).

(evidence: k.36-39 notification of a personal data breach, k.7-9 notification of a personal data breach, k.41-44 decision to discontinue the investigation, k.45-47 decision of the Court to uphold the appealed decision of June 5, 2020, sheets 95-96 of the testimony of the witness K. K., sheets 169-170 of the testimony of the witness M. S. (1)).

On May 9, 2019, a notification from (...) Sp. z o. o. about the breach of customers' personal data was delivered to the Plaintiff B.N. On the same day, B.N. filed a complaint to the President of the Office for Personal Data Protection about the loss by (...) Sp. z o. o. in W. of the Plaintiff's personal data. In addition, the Claimant asked the Defendant Company to terminate the agreement of October 2, 2019 by mutual consent, due to the loss of trust in (...) Sp. z o. o. In response of August 14, 2019, the Company again apologized for exposing Plaintiff B.N. to inconvenience related to the breach of Plaintiff's personal data. The company indicated that it makes every effort to remove all effects of this breach and informed that the contractor (...) to whom the plaintiff's personal data was mistakenly sent received a request from the company to delete the data and stop the violations and that the company requested the contractor to stop the unlawful processing of personal data Plaintiffs, refraining from disclosing them to third parties or using them in any other way, and permanently deleting the file containing these data from all storage media.
In addition, the Defendant indicated that a breach of the protection of the Plaintiff's personal data by making them available once to an unauthorized person does not constitute a gross breach of the provisions of the Agreement No. (...) of September 26, 2018, and thus does not give grounds for terminating the Agreement under immediately or by agreement of the parties. The plaintiff decided to terminate the contract, despite incurring a financial penalty. In addition, due to the incident, she set up an account with the Credit Information Bureau, fearing that her personal data could be used by third parties to incur credit obligations on her. B.N. pays PLN 25 per year for a subscription at BIK.

(evidence: k.7-9 notification of a breach of personal data protection, k.10 B.N.'s complaint to the Office for Personal Data Protection, k.11-12 letter from the President of the Personal Data Protection Office, k.13 e-mail correspondence, k.14 letter (.. z o.o. of August 14, 2019, sheets 199-200, evidence from the interrogation of the plaintiff B.N.)
The above facts were established by the Court on the basis of documentary evidence, witness statements and the plaintiff's cross-examination.
The court omitted the evidence from the UODO documents in the case (...), in the .xml format, due to the impossibility of deciphering the string of characters.
Notwithstanding the foregoing, the facts of the case were undisputed between the parties, who were in dispute only as to the legal consequences of the facts described above.

The District Court held as follows:

In the lawsuit, the claimant requested that compensation be awarded to her under Art. 82 of the GDPR/Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on data protection)/.
According to Art. 82 sec. 1 of the GDPR, any person who has suffered material or non-material damage as a result of a breach of this Regulation (GDPR) has the right to obtain compensation from the controller or processor for the damage suffered.
In Article 82 sec. 2 of the GDPR stipulates that each controller involved in the processing is liable for damage caused by processing that violates this regulation. The processor shall be liable for damage caused by processing only if it has failed to comply with the obligations that this Regulation imposes directly on processors, or if it has acted outside or against the lawful instructions of the controller.
Article 82 sec. 3 of the GDPR, specifies that the administrator or processor is released from liability under paragraph 2, if they prove that they are in no way to blame for the event that led to the loss.
Joke. 82 sec. 2 and sec. 3 of the GDPR, it is clear that the basis for liability for damage is fault, because the responsible entity may release itself from this liability by demonstrating that it is not at fault.

Personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection), is any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular on the basis of an identifier such as name and surname, identification number, location data, online identifier or one or more specific physical, physiological, genetic, mental factors, the economic, cultural or social identity of a natural person (Article 4(1) of the GDPR).
Processing means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise sharing, matching or combining, limiting, deleting or destroying (Article 4(2) of the GDPR).
According to the Regulation, the administrator is a natural or legal person, public authority, unit or other entity that, alone or jointly with others, determines the purposes and means of processing personal data; if the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may also be designated by Union or Member State law (Article 4(7) of the GDPR).
According to Art. 4 point 12 of the GDPR, "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed;
The disclosure by the Defendant company of the Plaintiff's personal data to an unauthorized person - M.S. (1), is a violation of the protection of personal data within the meaning of Art. 4 point 12 GDPR. The defendant company failed to fulfill its obligations set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 /46/EC.
The Defendant Company admitted the fact of unauthorized sending of a file with personal data, including the Plaintiff's personal data, to an unauthorized entity, thereby admitting its fault in the violation of personal data protection.
As a consequence, the Defendant Company, pursuant to Art. 82 sec. 2 GDPR, as an entity participating in data processing, is liable for damages caused by data processing that violates the GDPR Regulation.
The plaintiff claims pursuant to Art. 82 sec. 1 of the GDPR, compensation for non-material damage resulting from the violation of the Regulation (GDPR) by the Defendant Company.

Plaintiff's personal data in the form of e.g. name, surname, PESEL number, address, i.e. street, building and apartment number, postal code, city, customer number (...) number of the contract concluded with the Company, account number assigned to the customer separately for making payments, invoice and correcting invoice numbers together with with the information contained therein, balance (as of February 6, 2019), a list of all issued invoices and corrections, date of sale, date of issue, payment date, payment date, amount of KWh used, amount of excise duty in PLN, net and gross value, VAT amount, payment status were made available by the Defendant to an unauthorized third party almost three years ago. Unauthorized person - M. S. (1) stored the file with the Plaintiff's personal data on the computer in the period from February 6, 2019 to November 18, 2019, until the law enforcement authorities deleted it on November 18, 2019. files with this data from the M. S. computer (1).

These personal data of the Claimant were highly sensitive data. Due to the violation of the protection of her personal data by the Defendant company, the Plaintiff lived in this period in fear of the possibility of using her personal data, transferring this personal data by an unauthorized entity to other unauthorized entities, including real fear that her personal data might be used by unauthorized persons to incur credit obligations without their knowledge and consent, and be used for other purposes. The plaintiff's concerns were real due to the commonly known facts appearing in the media space informing about the illegal use of other people's personal data in order to take out loans for these people. The claimant was harmed - non-financial damage causing stress and psychological discomfort related to the fear that her personal data could be used by unauthorized persons to incur financial liabilities on her name or use these data for other purposes by third parties.

For fear of such use of her personal data, the Plaintiff set up, among other things, a paid account at the Credit Information Bureau to obtain information about any loans taken out in her name. Having an account at BIK costs the Claimant PLN 25 per year. This expense is a pecuniary damage that is not covered by the claim at all.

The plaintiff, as the factual basis for claiming compensation in the lawsuit, additionally indicated the non-pecuniary damage caused to her related to the violation of her personal rights by the administrator (the Defendant Company) as a result of making her personal data available to an unauthorized person.

The catalog of human personal rights specified in art. 23 k.c. is open, exemplary. Therefore, he also has the right to privacy, the violation of which has been alleged in these proceedings by both parties. An element of the right to privacy is the so-called information autonomy, i.e. the right to disclose information about oneself (Article 51 of the Constitution) (Judgement of the Supreme Court of February 21, 2020, I CSK 565/18). The Claimant agreed to the processing of her personal data by the Defendant, but not to the disclosure of this data to third parties. In this case, there was not so much a threat of someone else's actions, but a violation of the plaintiff's personal interest in the form of the right to privacy. For this reason, protection under Art. 24 k.c. in relation to joke. 448 k.c. is due to the Claimant.
Therefore, there is a convergence of grounds for liability to repair non-pecuniary damage based on Art. 82 sec. 1 of the GDPR and to repair the harm (non-material damage) caused by the violation of the plaintiff's personal interest - the right to privacy in the field of information autonomy as to deciding on the disclosure of information about yourself under art. 23 k.c. in relation to joke. 24 k.c. in relation to joke. 448 k.c.

With regard to the determination of non-pecuniary damage under Art. 82 sec. 1 GDPR and non-pecuniary damage under Art. 448 k.c. in relation to joke. 24 k.c. resulting from the same event - the Defendant Company making the file with the Plaintiff's personal data available to an unauthorized person, the Court took into account that the Defendant Company, after inflicting this non-pecuniary damage, took a number of deliberate actions to remove the effects of this damage and prevent further extension of the scope of this damage non-pecuniary damage. The Defendant Company notified the Plaintiff of the breach of her personal data, indicated what consequences may result from the breach of the Plaintiff's personal data, notified the President of the Personal Data Protection Office, asked the unauthorized person (M.S. (1)), to whom the file with the personal data of clients was transferred, to return or destroy the file with personal data and its further non-dissemination, non-sharing. After the original refusal to return or destroy the file with personal data by the entity unauthorized to process them (M.S. (1)), the infringer The Defendant Company notified the law enforcement authorities of the unauthorized person about the possibility of committing a crime by processing the personal data of the Defendant's clients, for whose processing M.S. ( 1) was not entitled.

Finally, the actions of the defendant led to the removal of the file with personal data by an unauthorized entity (M. S. (1) ) for their possession and further processing and sharing. The defendant company led to the removal of the further possibility of the claimant's injustice (non-pecuniary damage). These actions of the Defendant led very significantly to reducing the scope of non-pecuniary damage (harm caused) to the Claimant.

Only from April 2019. from the date of providing personal data to an unauthorized entity until November 18, 2019. i.e. until the law enforcement authorities removed the file with the Plaintiff's personal data from M. S.'s computer (2), there was a fear that this personal data would be used by an unauthorized entity and that it would be made available to other entities.

During this period of several months, the Plaintiff, apart from the fear of taking a loan for her personal data or using her personal data for other purposes and breaching her privacy, did not experience any negative consequences caused by the breach of the Defendant, the Plaintiff's data was not used in any way. In addition, in the course of these proceedings and the criminal proceedings, it was established that an unauthorized third party did not use the received data, did not share it further, or did not process it in any way. Personal data of clients, including the Plaintiff, were removed from the device of an unauthorized person. In addition to this and the Plaintiff's concerns about the use of her personal data in the future, she was not affected by any further consequences. Considering the above, it should be noted that the non-pecuniary damage suffered by the Claimant in connection with the violation of the protection of her personal data and the right to privacy is small. Therefore, the claim for compensation in the amount of PLN 20,000.00 is excessive and inadequate to the extent of the non-pecuniary damage (harm) she suffered as a result of the protection of her personal data inconsistent with the GDPR regulation and the violation of her right to privacy to decide what information about herself and to whom she wants to provide.

In the Court's opinion, the appropriate amount of compensation that will make it possible to repair the non-pecuniary damage (harm) of the Claimant, caused by the violation of the regulation on the protection of personal data and the violation of the claimant's personal interest in the form of the right to privacy, is PLN 1,000.00. Such amount fulfills the function of compensatory damages in this case. It remains a financial gain and at the same time compensates for the harm (non-material damage) that the Defendant caused to the Claimant.

For these reasons, in point I of the judgment, the Court awarded the amount of PLN 1,000.00 from the Defendant to the Plaintiff, and in point II of the judgment dismissed the claim in the remaining scope, in the absence of premises and grounds to award higher compensation (compensation) for non-pecuniary damage.
The Court ruled on the costs of the trial in point III of the judgment, pursuant to Art. 100 of the Code of Civil Procedure, canceling the costs of the proceedings between the parties. Because the Plaintiff won the case in principle, and losing in the overwhelming scope when it comes to the amount of compensation (compensation) dismissed, in the amount of PLN 19,000 out of the claimed PLN 20,000. The amount of compensation (compensation) sought for non-pecuniary damage depends largely on the discretion of the judge, and the GDPR is a relatively new legal act, there are not many rulings on the amount of compensation for non-pecuniary damage related to the violation of the regulation on the protection of personal data. Due to the partial acceptance of the demands of both parties, it was justified in the case under examination to mutually abolish the costs of the proceedings.
Judge SO Piotr Rempoła