
Background information
- Date of final decision: 03 June 2025
- National case
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 32 (Security of processing), Article 33 (Notification of a personal data breach to the supervisory authority)
- Decision: Administrative fine
- Key words: Administrative fine, Accountability, Data security, Lawfulness of processing, Data subject rights, Data protection by design and by default
Summary of the Decision
Origin of the case
The Social Welfare Centre in Aleksandrów was attacked by hackers in 2022. As a result, it lost access to the personal data of 1500 clients, which were very detailed. Both the Mayor of Aleksandrów and the Social Welfare Centre notified the incident to the President of the Personal Data Protection Office.
Key Findings
The President of the Personal Data Protection Office (the Polish SA) verified why the incident had occurred. The proceedings revealed that neither institution had sufficient safeguards for the data, either technical or organisational.
The problem was that although the Social Welfare Centre (data controller) and the Mayor (authority acting as processor on behalf of the controller) analysed the risk to the data of the data subjects, they did so in an insufficient manner. Although they were aware that a ransomware attack was possible, and included it in the risk analysis, they ignored that risk and did not apply sufficient protective technical measures. For instance, they used an operating system on the server which the manufacturer had stopped supporting two years before the incident. Protection against a ransomware attack was to be provided by a back-up. Although this back-up was made on a network drive, that copy was also encrypted as a result of the attack. As a result, the lost data had to be reconstructed with the help of an external party.
At the same time, the Social Welfare Centre, as the controller of the data, did not check regularly whether the Mayor was processing the data securely; such checks would have made it possible to detect these problems in the meantime.
Decision
The President of the Personal Data Protection Office has imposed on the Social Welfare Centre an administrative fine of EUR 1 170 for infringement of Article 5 (1)(f), (2)(a), Article 24 (1), 25 (1), 28 (1), 32 (1,2), and 33 (1) of the GDPR, as well as on the Mayor of Aleksandrów an administrative fine of EUR 2 341 for infringement of Article 32 (1,2) in connection with Article 28 (3)(c,f) of the GDPR.
For further information:
• National press release: A solid risk analysis and control procedures would avoid an incident. Administrative fine for Social (English)
• National Decision (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.