Polish SA: administrative fine of 9 625 € against Medical Centre for failure to notify a personal data breach

  • National News

Background information

  • Date of final decision: 15 October 2025
  • National case
  • Legal Reference(s): Article 33 (Notification of a personal data breach to the supervisory authority), Article 34 (Communication of a personal data breach to the data subject)
  • Decision: Administrative fine, Warning
  • Key words: Administrative fine, Cooperation with the supervisory authority, Data subject rights

Summary of the Decision

Origin of the case  

A Medical Centre that, among other things, treats infertility sent a confirmation of a refund transfer, whose payment title named the genetic test concerned, to the wrong person: another patient of the Medical Centre who has the same first name. The document contained personal data (first name, surname, bank account number and address) together with the amount of the transfer and the name of the test performed, which revealed that the test formed part of extensive prenatal diagnostics.

Key Findings

In the course of the proceedings before the Polish Supervisory Authority (SA), it became apparent that the incident was the result of an employee's error. The controller, however, took the view that the event was unlikely to result in a risk to the rights and freedoms of natural persons and therefore did not notify the breach to the Polish SA. The affected patient learned about the incident not from the controller but from the other patient who had received the document.

In the opinion of the Polish SA, the controller misjudged the situation. Sending the refund confirmation to the wrong recipient was a breach of the confidentiality of personal data carrying a high risk to the rights and freedoms of natural persons. The information in the confirmation allows conclusions to be drawn about the data subject's state of health, and so creates a risk of specific negative consequences, such as a violation of personality rights or discrimination.

Decision

The President of the Personal Data Protection Office (UODO) imposed on the Medical Centre an administrative fine of 9 625 € for infringing Article 33(1) GDPR (failure to notify the breach to the supervisory authority) and issued a reprimand for infringing Article 34(1) GDPR (failure to communicate the breach to the data subject).

Relevant topics
Fines
Data subject rights
Cooperation between authorities
