Background information
- Date of final decision: 30 April 2024
- National case
- Legal Reference: Article 33 (Notification of a personal data breach to the supervisory authority)
- Decision: Administrative fine
- Key words: Data subject rights, Personal data breach, Principles relating to processing of personal data, Data security, Responsibility of the controller
Summary of the Decision
Origin of the case
The "Maraton" Sports Association from Gorlice organised a competition and published a list of participants on Facebook. The competitors gave their consent to the processing of their data. However, the problem was that although the entry itself in the spreadsheet only showed name, surname, gender, club and town, after downloading the file it turned out that there was still hidden information. When the file was edited, the email address and date of birth information was visible. This made it possible to identify or make contact with these individuals.
The President of the Personal Data Protection Office received a signal from a third party regarding the incident and asked the controller for an explanation. The Association admitted that there had been a mistake. The Association authorities blamed the mistake on a volunteer working at the competition. The President of the Personal Data Protection Office then explained the procedure resulting from the GDPR. In the case of such an incident, the risk to which the data subjects were exposed should be assessed. This analysis should answer the question of whether the incident should be notified to the supervisory authority.
Key Findings
The Association responded that there had been a misunderstanding, explaining that it took extra work to obtain additional information from the posted starting list. The Association is a small organisation and has to rely on the work of volunteers. It has no legal knowledge and the Poviat Starosty refused to assist it in this regard. The Association obtained the consent of the participants in the competition to process their personal data, which it considered to be its key obligation.
However, this was not the subject of the enquiries made by the President of the Personal Data Protection Office. Rather than seeking "who is to blame", the enquiry focused on how the Association responded to the consequences of an incident where the privacy of specific individuals may have been breached.
The President of the Personal Data Protection Office requested additional information on several occasions, but did not receive it. In the end, he initiated administrative proceedings in light of his duties and powers. He asked for an indication of the number of persons whose personal data had been made available on the social network in the form of a list of participants in sports competitions. He did not receive any answer. In view of this, he assumed, on the basis of the evidence gathered in the case, that the breach could have affected around a hundred people and that the Association had not carried out an assessment of the risks to these people resulting from the disclosure of their data. The Association failed to do so because it did not understand the seriousness of the situation and did not notify the incident to the President of the Personal Data Protection Office. As a result, it failed to comply with its obligations.
Decision
The President of the Personal Data Protection Office explains that notifying a breach is not a bureaucratic procedure, but an effective tool to improve the security of personal data processing. The history of the competition organised by the "Maraton" Association proves that it had a serious problem with this. The data of more than a hundred people ended up in the hands of an unauthorised person who did not know how to handle it and made it public. As a result, the personal data of many people were breached.
The fact that there was no personal identification number (PESEL number) on the lists of players does not mean that these people cannot be identified. The risk was not high, but it can't be ignored. If the Association had carried out this reasoning, it would have known that it had a legal obligation - as the controller of those data - to notify a personal data breach to the President of the Personal Data Protection Office. The President would have suggested what to do next. This particular situation did not require the necessity to communicate the personal data breach to the data subject, but the data handling procedures at the "Maraton" Association need to be improved. The President of the Personal Data Protection Office has imposed a fine of 210 € for infringement of Article 33 of the GDPR.
For further information:
- Decision in national language (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.