Polish SA imposed fine on telecom operator for failure to notify the personal data breach

3 January 2023

Background information

  • Date of final decision: 3 November 2022
  • National case
  • Controller: P4 Sp. z o.o.
  • Legal Reference: Article 174a(1) and (3) of the Polish Telecommunications Act, in conjunction with Article 2(1) and (2) (Notification to the competent national authority), and Article 3(1),(3) and (4) (Notification to the subscriber or individual) of Regulation 611/2013
  • Decision: Administrative Fine


Summary of the Decision


Origin of the case

The Polish SA received an email from a person indicating that he or she was an unauthorised recipient of a set of documents relating to the conclusion of a telecommunications contract. The Polish SA requested the concerned company to provide information on the said personal data breach, and to provide an assessment in terms of the obligation to notify the personal data breach to the supervisory authority and communicate it to the data subject.

The company responded that in the course of concluding the agreement, a copy of the contract with its attachments was sent to the e-mail address indicated  by the customer. The e-mail address turned out to be incorrect, which the customer himself pointed out and asked for its removal. In the company's opinion, there were no grounds for treating the incident in question as a personal data breach, and therefore the company did not notify the aforementioned breach to the Polish SA and did not communicate it to the customer.


Key Findings

Only after the company received a notice from the Polish SA on initiating administrative proceedings, the controller sent a notification of a personal data breach to the supervisory authority, along with the letter communication to the subscriber on the personal data breach.

In the case in question, the controller obtained twice the information that would allow it to become aware of the personal data breach. The first time was when the customer approached the controller with the information that the indicated e-mail address was incorrect and asked for its removal, which was noted by the company in the relevant notification. And the second time, when the controller received a letter from the Polish SA with a request to provide information on the personal data breach which involved allowing an unauthorised third party to consult a contract.



In the opinion of the Polish SA, already obtaining the first of the above-mentioned information was sufficient to become aware of the personal data breach. Meanwhile, the company notified the personal data breach to the supervisory authority and communicated it the subscriber only after the administrative proceedings in the case had been initiated and after reviewing the case file.

Therefore the Polish SA finding a violation of the Telecommunications Law, consisting in the failure to notify the personal data breach to the supervisory authority within 24 hours after having become aware of it and the failure to communicate the personal data breach to the subscriber without undue delay, imposed a fine of PLN 250,000 on P4 Sp. z o.o.

For further information: decision in national language (PL)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.