Personal Data Protection Office of Poland

07/06/2026 | Press release | Archived content

Fine for failure to implement measures to ensure the security of personal data

The President of the Personal Data Protection Office, Mirosław Wróblewski imposed a fine of PLN 11 594 on the controller running a tax advisory firm. In this case, due to the lack of appropriate safeguards, an unauthorised person took over an e-mail account containing the personal data of 111 data subjects.

The controller running the tax advisory firm notified to the President of the Personal Data Protection Office a personal data breach consisting in obtaining by an unauthorised entity access to the e-mail account of one of the employees. In total, the mailbox was used to process the personal data of more than one hundred data subjects - including customers, their employees and children registered for health insurance.

This breach notification was an impulse to assess the controller's compliance with the obligations arising from the GDPR provisions regarding proper data security and the organisation of a personal data protection system in the area of data management in electronic form, including via e-mail.

The tax advisory firm explained to the supervisory authority that although the unauthorised person sent a message from the seized account, there is no evidence that they obtained the data stored there. The President of the Personal Data Protection Office did not agree with the content of the explanations provided by the controller. It is not known when exactly the mailbox was seized and how long it was used in an unauthorised manner. An employee of the firm used it sporadically. The hosting service provider blocked the mailbox due to the activation of the anti-spam mechanism. The controller was not able to determine the circumstances in which the spam was sent. It did not have access to logs or other means to determine whether the data had been downloaded by an unauthorised entity.

The President of the Personal Data Protection Office pointed out that, under the GDPR, 'personal data breach' means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The lack of evidence of obtaining personal data by an unauthorised entity does not mean the personal data breach has not occurred.

The controller was obliged to take measures to ensure an adequate level of protection of personal data by implementing appropriate technical and organisational measures. Prior to becoming aware of a personal data breach, the controller did not have separate policy on the personal data protection and did not carry out a risk assessment for the processing of personal data through the systems affected by the breach. The safeguards have not been tested regularly and their effectiveness has not been evaluated.

After the disclosure of the personal data breach, but already during the proceedings conducted by the President of the Personal Data Protection Office, the controller took action to implement the requirements arising from Regulation 2016/679. The controller, among others, carried out risk assessment, implemented the Information Security Policy and other regulations. After the occurrence of the personal data breach, the controller also carried out an audit of the IT infrastructure.

A fine of PLN 11 594 was imposed by the President of the Personal Data Protection Office following an administrative proceeding initiated ex officio. It is not a controller or processor who has allowed the unauthorised processing of personal data who is subject to an administrative sanction, but the entity which has failed to comply with a standard of security measures appropriate to the circumstances.

Personal Data Protection Office of Poland published this content on July 06, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 16, 2026 at 06:37 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]