Polish SA: administrative fine of EUR 7 800 for non-public health care centre in Pyskowice for failing to carry out appropriate risk analysis

16 September 2025

Background information

  • Date of final decision: 04 July 2025
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
  • Decision: Administrative fine
  • Key words: Administrative fine, Data protection by design and by default, Data security, Lawfulness of processing, Data subject rights


Summary of the Decision

Origin of the case  

A doctor’s car was stolen while the doctor was seeing a patient during a home visit. The documentation of eight patients was left unprotected in the car, including family names, forenames, dates of birth, home addresses, personal identification numbers (PESEL numbers), and health data. The health care centre for which the doctor worked reported the incident to the President of the Personal Data Protection Office.

Key Findings

The Polish Supervisory Authority (SA) examined the data protection procedures of this health care centre. The risk analysis turned out to be incomplete, and as a result no appropriate safeguards had been implemented for medical records used during home visits.

The health care centre also provided health services to patients in the form of home visits. Doctors used their private cars for this purpose under contracts signed with the health care centre. As early as 2017, the Information Security Administrator of the health care centre had drawn attention to the problems this entails: carrying unsecured documentation is risky because it can be mislaid or lost as a result of theft. The Security Administrator warned that the documentation should be returned to the facility on the same day rather than kept overnight by the doctor.

However, at the time the doctor’s car was stolen, these recommendations had not been implemented in the health care centre’s procedures. As a data controller, it had not identified employees’ private cars as an area of personal data processing to which its data security procedures applied. The procedures themselves referred only in very general terms to processing outside the controller’s place of establishment and did not address the real risks identified in the security audits. The change took place only after the theft, when the annex to the security policy on physical security was updated with specific rules to be followed whenever medical records need to be transported outside the premises of the medical establishment. Only then did the staff receive appropriate training, and only then were doctors making home visits provided with lockable folders for the medical documents.

Decision 

The President of the Personal Data Protection Office has imposed an administrative fine of EUR 7 800 on a non-public health care centre in Pyskowice for infringement of Articles 24(1), 25(1) and 32(1) and (2) of the GDPR.


For further information: 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.