Polish SA: lack of procedures to protect personal data processed by the press - administrative fine of 13 500 €

7 May 2025

Background information

  • Date of final decision: 6 March 2025
  • National case
  • Legal Reference (s): Article 24 (Responsibility of the controller), Article 32 (Security of processing)
  • Decision: Administrative fine,  Compliance order
  • Key words: Administrative fine, Data security, Encryption, Personal data breach,  Data subject rights

 

Summary of the Decision

Origin of the case  

In 2022, Polskie Radio Szczecin (Polish Radio Szczecin) released a press article in which a conviction for sexual harassment was described. The journalist revealed that a parliament member’s son was the victim and did it in such a way that the child could be identified. Following the discovery of harassment, this person committed suicide. The case was investigated by the prosecutor. In this context, the President of the Personal Data Protection Office carried out a comprehensive inspection that revealed many shortcomings in the protection of personal data.


Key Findings

The inspection in Polskie Radio Szczecin proved the following breaches:

  1. Polskie Radio Szczecin, as controller, did not carry out a risk analysis for the processing of personal data in connection with its editorial activities (creation and publication of press material).
  2. Nor did it comply with its own personal data protection documentation.
  3. It also failed to implement data security measures to ensure the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and processing services due to:
    • lack of clear and transparent rules on the handling of press material containing personal data, regulating the obligation to verify such material prior to publication in terms of personal data identifying natural persons whose publication may infringe the law or the rights and freedoms of natural persons;
    • lack of encryption of personal data storage devices used outside the processing area;
  4. Finally, Polskie Radio Szczecin has not put in place appropriate technical and organisational measures to ensure that the effectiveness of the technical and organisational measures to ensure the security of personal data is regularly tested, measured and evaluated.

 

Decision

The President of the Personal Data Protection Office has imposed on Polskie Radio Szczecin an administrative fine of 13 500 € for infringement of Article 24(1) and 32(1,2) of the GDPR. Additionally, on the basis of the issued decision, Polskie Radio Szczecin is to correct organisational and technical errors within 60 days.

For further information: 
•    National press release: Lack of procedures to protect the rights of publication participants-fine for Polskie Radio Szczecin 
•    National decision (Polish)  

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.