Polish SA: administrative fine of 4 935 € for bailiff for failure to notify a personal data breach without undue delay

  • National News

Background information

  • Date of final decision: 23 October 2025
  • National case
  • Legal Reference(s): Article 31 (Co-operation with the supervisory authority), Article 33 (Notification of a personal data breach to the supervisory authority), Article 34 (Communication of a personal data breach to the data subject)
  • Decision: administrative fine, communication order personal data breach
  • Key words: administrative fine, cooperation with the supervisory authority, data subject rights

Summary of the Decision

Origin of the case  

The bailiff, by mistake, sent a letter of attachment of earnings to the wrong person. That letter included, inter alia: name, Personal Identification Number (PESEL), address, and the amount of the bailiff’s attachment of earnings. The Polish Supervisory Authority (SA) learned of this notification from the person who was the unauthorised recipient of this correspondence. The person also informed the bailiff and indicated that the bailiff feared that his data could also be made available to the wrong addressee – if someone had mistakenly changed the envelopes. The bailiff did not notify the incident either to the Polish SA or to the data subject.

Key Findings

The Polish SA found that there had indeed been a mistake by the bailiff’s office. However, the controller considered that it was ‘unlikely’ that the incident could result in a risk to the rights and freedoms of the data subject. The bailiff had not notified the breach to the SA and had not informed the data subject, reasoning that, since the error was an isolated case among thousands of letters sent and the erroneous recipient of the delivery had taken the issue of the protection of personal data seriously, it was unlikely that the event would result in a risk to the rights and freedoms of the data subject.

The proceedings of the Polish SA revealed that the bailiff had no basis for such an assessment of the situation, since the bailiff had not carried out any analysis of the risk that the breach posed to the rights and freedoms of the person concerned.

Decision

The Polish SA has imposed on the bailiff an administrative fine of 1 818 € for infringement of Article 33 (1) GDPR and an administrative fine of 3 117 € for infringement of Article 34 (1)-(2) GDPR, and ordered the bailiff to communicate the data breach to the data subjects.
