
UODO (Poland) - DKN.5131.6.2024

From GDPRhub
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 33(1) GDPR
Article 34(1) GDPR
Article 34(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 26.11.2024
Published:
Fine: 29,684 PLN
Parties: n/a
National Case Number/Name: DKN.5131.6.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: w.p.

A controller was fined PLN 29,684 (€7,045) after a data breach resulted in the unauthorised disclosure of data concerning health to another person. It was also ordered to properly inform the data subject about the breach, as it had notified neither the DPA nor the data subject adequately.

English Summary

Facts

The DPA initiated ex officio proceedings against a hospital (the controller) after receiving information that the controller had erroneously handed documents containing personal data of a patient (the data subject) to another patient. The documents contained, inter alia, the name, date of birth, national identification number (PESEL) and a filled-in preoperative anaesthesia questionnaire containing health data. The controller did not retrieve these documents from the wrong recipient.

The DPA informed the controller about the possibility of a data breach in November 2022 and requested clarification on the matter. In December 2022 the controller explained that the incident could not be identified and stated that the data subject's medical questionnaire was not missing from her records. At the same time, the controller informed the DPA that the data subject had been notified about the incident under Article 34 GDPR and that remedial measures had been implemented, i.e. a conversation with the head of the department and medical staff and training for employees. In February 2023 the controller, upon request, provided the DPA with its risk analysis, which concluded that the breach posed only a low risk to the data subject.

Only in March 2024, after the DPA had initiated administrative proceedings, did the controller formally notify the DPA of the breach pursuant to Article 33 GDPR. However, the notification sent to the data subject did not contain the information required under Article 34(2) in conjunction with Article 33(3)(d) GDPR, i.e. a description of the measures taken or proposed to address the breach, including measures to minimise its possible adverse effects.

Holding

The DPA found that the controller violated Article 33(1), Article 34(1) and Article 34(2) GDPR.

The DPA held that the controller failed to perform an adequate risk assessment of the breach. Given the extent and nature of the data breached, in particular the national identification number together with the name and health data, there was a substantial risk of harm to the data subject which the controller did not properly take into account. Moreover, the controller did not consider the fact that the documents remained with the unauthorised recipient, so the risk had not been eliminated. Thus, the breach posed a high risk to the rights and freedoms of the data subject, not a low risk as indicated by the controller.

The DPA also emphasised that neither the DPA nor the data subject was notified in due time under Article 33 and Article 34 GDPR, and that the controller did not demonstrate any reasons justifying the delayed notification. The controller also acted inconsistently by first stating to the DPA that it could not identify the breach while at the same time notifying the data subject about it. Furthermore, the DPA found the content of the notification sent to the data subject to be inadequate, since it mostly contained general statements; hence the data subject was unable to foresee the negative consequences of the breach or to take measures against them.

In consequence, the controller was fined PLN 29,684 (€7,045). In addition, the controller was ordered to notify the data subject about the breach within three days, describing the measures taken or proposed by the controller to address the breach, including measures to minimise its possible negative effects.


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

On the basis of Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2024, item 572) in connection with Article 7, Article 60, Article 101 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) and Article 57 par. 1 letter a) and letter h), Article 58 par. 2 letter e) and letter i), Article 83 par. 1 and 2, Article 83 par. 4 letter a) in connection with Article 33 par. 1 and Article 34 par. 1, 2 and 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.05.2016, p. 1; OJ EU L 127, 23.05.2018, p. 2; and OJ EU L 74, 4.03.2021, p. 35), hereinafter referred to as: Regulation 2016/679, after conducting ex officio administrative proceedings regarding the infringement of the provisions on personal data protection by X. ul. (...), the President of the Personal Data Protection Office,

1. Finds that X. ul. (…) violated the provisions of:
a) art. 33 sec. 1 of Regulation 2016/679, consisting in failing to notify the President of the Personal Data Protection Office of a breach of personal data protection without undue delay, no later than 72 hours after the breach was discovered;
b) art. 34 sec. 1 and 2 of Regulation 2016/679, consisting in failing to notify the data subject of a breach of personal data protection without undue delay and failing to provide that person, as part of the notification addressed to them, with an adequate description of the measures applied or proposed by the controller to remedy the breach of personal data protection, including measures to minimize its possible negative effects,

2. Imposes on X. ul. (…) an administrative fine of PLN 29,684.04 (in words: twenty-nine thousand six hundred eighty-four zlotys and four groszy),

3. Orders X. ul. (…) to notify – within 3 days from the date of service of this decision – the person whose data was disclosed in connection with the transfer of his/her medical records to an unauthorized person, of the breach of personal data protection in order to provide him/her with the information required in accordance with Art. 34 sec. 2 in connection with Art. 33 sec. 3 letter d) of Regulation 2016/679, i.e. a description of the measures applied or proposed by the controller to remedy the breach – including measures to minimize its possible negative effects.

Justification

On November 7, 2022, the President of the Personal Data Protection Office, hereinafter also referred to as the "President of the Personal Data Protection Office" or the "supervisory authority", received information from (...) regarding the possibility of a breach of personal data protection at X. ul. (...), hereinafter also referred to as the "Hospital" or "Administrator". The above-mentioned letter and its attachments showed that the medical documentation in the form of the Preoperative Anesthesia Questionnaire issued to the patient of the obstetrics and gynecology department together with her medical documentation contained personal data, i.e. name, surname, date of birth, PESEL number and health data, of another patient of the Administrator.

The President of the UODO conducted explanatory proceedings regarding the possibility of a breach of personal data protection in the Hospital (registered under reference number (...)), and then on 5 March 2024, he initiated ex officio administrative proceedings regarding the breach by the Hospital, as the data controller, of the obligations arising from the provisions of art. 33 sec. 1 and 34 sec. 1 and 2 of Regulation 2016/679.

As a result of the explanatory proceedings and administrative proceedings, the President of the UODO established the following factual circumstances.

I. The President of the UODO, after receiving information about the possibility of a breach of personal data protection in the Hospital, in letters dated 15 and 25 November 2022, requested the Controller to clarify whether, in connection with the erroneous issuance of a document in the form of a Preoperative Anesthesia Questionnaire to an unauthorized person, an analysis was carried out in terms of the risk of violating the rights or freedoms of natural persons necessary to assess whether a breach of personal data protection occurred resulting in the need to notify the President of the UODO and the data subject.

II. In response to the request of the President of the UODO, the Controller indicated in a letter dated 5 December 2022 that due to the lack of reporting of the error when issuing the documentation at the time of its occurrence, it was not possible to clearly identify the incident. In addition, it was indicated that the Department (...) was obliged to check the medical history of the data subject for irregularities in the issuance of documentation, however, it was found that all documents were in line with the standard and contained a correct anaesthesia questionnaire. In the aforementioned letter, the Administrator also indicated that it had notified the data subject of the breach of their personal data protection and had implemented remedial measures by holding a conversation with the head of the department and medical staff, as well as setting a date for the training "Procedures in the event of a breach and protection of personal data".

III. On 14 February 2023, the President of the UODO sent a letter to the Administrator in which he requested it to present the results of the risk analysis, based on which it was found that there was no high risk of violating the rights or freedoms of natural persons and the content of the information provided to the data subject. In the letter of 24 February 2023, the Hospital provided information on the risk analysis conducted and presented the content of the notification addressed to the data subject.

IV. The Controller reported the personal data breach only upon receiving a notification from the President of the Personal Data Protection Office about the initiation of the proceedings, i.e. on 27 March 2024, thus failing to meet the 72-hour deadline for reporting a personal data breach. As part of the aforementioned notification, the Hospital provided, among other things, information that it had notified the data subject of the data breach and attached the content of this notification. The notification did not contain the information required in accordance with Article 34 paragraph 2 in conjunction with Article 33 paragraph 3 letter d) of Regulation 2016/679, i.e. a description of the measures applied or proposed by the Controller to remedy the breach – including measures to minimise its possible negative effects.

In this factual situation, after reviewing all the evidence gathered in the case, the President of the Personal Data Protection Office considered the following:

I. Infringement of art. 33 sec. 1 and art. 34 sec. 1 and 2 of Regulation 2016/679. Pursuant to art. 4 item 12 of Regulation 2016/679, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed.

Art. 33 sec. 1 and 3 of Regulation 2016/679 provide that in the event of a personal data breach, the controller shall, without undue delay – where possible, no later than 72 hours after becoming aware of the breach – notify the supervisory authority competent pursuant to Article 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification submitted to the supervisory authority after 72 hours shall be accompanied by an explanation of the reasons for the delay. The notification referred to in paragraph 1 must at least: (a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) include the name and contact details of the data protection officer or another contact point from which more information can be obtained; (c) describe the likely consequences of the personal data breach; (d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

In turn, pursuant to Article 34(1) of Regulation 2016/679, where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject of the breach without undue delay. Article 34(2) of the Regulation provides that a proper notification should: 1) describe in clear and plain language the nature of the personal data breach; 2) contain at least the information and measures referred to in Article 33(3)(b), (c) and (d) of Regulation 2016/679, i.e.:
a) the name and contact details of the data protection officer or another contact point from which more information can be obtained;
b) a description of the likely consequences of the personal data breach;
c) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The analysis of the above provisions indicates that the controller's obligations towards the supervisory authority and the data subjects differ depending on the level of risk to the rights or freedoms of natural persons that the controller is dealing with. If, as a result of the risk analysis, the controller has determined that a risk to the rights or freedoms of natural persons is unlikely, it is not obliged to report the breach to the President of the Personal Data Protection Office; it only has to record the breach in its internal register of breaches. Where there is a risk to the rights or freedoms of natural persons, the controller is obliged to report the breach to the President of the Personal Data Protection Office, as well as to record it in the internal register of breaches. Where there is a high risk to the rights or freedoms of natural persons, in addition to the entry in the register of breaches, the controller must take appropriate action both towards the supervisory authority (notification of the personal data breach) and towards the data subjects. Therefore, in the event of personal data breaches that may result in a high risk to the rights or freedoms of natural persons, Regulation 2016/679 introduces an additional obligation for the controller to notify the data subject without undue delay, unless the controller has taken preventive measures before the breach occurred or remedial measures after the breach occurred (Article 34 paragraph 3 of Regulation 2016/679).

It follows from the above considerations that if the controller detects a breach of personal data protection, it is first necessary to carry out an analysis in terms of the risk of violating the rights or freedoms of natural persons. The controller is exempt from the obligation to notify the supervisory authority of the breach if the analysis shows that there is at most a small probability of a risk of violating the rights or freedoms of natural persons. However, it should be borne in mind that the supervisory authority will be able to ask the controller to justify the decision not to report the breach, therefore the conclusions from the analysis should be recorded in the internal register of breaches. It is worth noting that the Guidelines of the European Data Protection Board (EDPB) No. 9/2022[1] adopted on 28 March 2023, hereinafter referred to as Guidelines 9/2022, contain recommendations on reporting personal data protection breaches to the supervisory authority.

In Guidelines 9/2022, the EDPB, indicating the factors to be taken into account when assessing the risk, refers to recitals 75 and 76 of Regulation 2016/679, which suggest that the controller should take into account both the likelihood of occurrence and the severity of the risk to the rights and freedoms of the data subject. In the event of a personal data breach, the controller should focus on the risk to the natural person resulting from the breach. Therefore, when assessing the risk to the natural person resulting from the personal data breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. The EDPB accordingly recommends taking into account criteria such as: the type of breach, the nature, sensitivity and volume of personal data, as well as ease of identification, as they may affect the level of risk to natural persons. According to Guidelines 9/2022, the risk to a natural person's rights or freedoms will be greater the more serious the consequences of the breach and the higher the probability of their occurrence. The Guidelines indicate that in case of any doubts, the controller should report the breach, even if such caution may prove excessive. It should be emphasized that the assessment of the risk to a natural person's rights or freedoms should be made from the perspective of the person at risk, and not from the perspective of the controller's interests. This is particularly important because, based on the notification of a personal data breach, the natural person can assess whether, in their opinion, the security incident may cause negative consequences for them and take appropriate remedial action. Also, based on the information provided by the controller regarding the nature of the breach and the measures applied or proposed to remedy it, the natural person can assess whether, after the breach, the controller still guarantees the proper and secure processing of their personal data. Failure to notify an individual of a personal data breach where there is a high risk to their rights or freedoms deprives them not only of the possibility of responding appropriately to the breach, but also of the possibility of making an independent assessment of the breach, which after all concerns their personal data and may result in serious consequences for them. On the other hand, failure to report a personal data breach deprives the supervisory authority of the possibility of responding appropriately to the breach, which consists not only in assessing the risk to the rights or freedoms of the individual, but also, in particular, in verifying whether the controller has applied appropriate measures to remedy the breach and minimize the negative effects on data subjects, as well as whether it has applied appropriate security measures to minimize the risk of recurrence of the breach.

Reporting personal data breaches by controllers is therefore an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers shall inform the President of the UODO whether, in their opinion, there has been a high risk of infringement of the rights and freedoms of data subjects and, if such a risk has occurred, whether they have provided the individuals affected by the breach with relevant information. In justified cases, they may also provide information that, in their opinion, notification is not necessary due to fulfilment of the conditions specified in Article 34 paragraph 3 letters a) and b) of Regulation 2016/679. The President of the UODO shall verify the assessment made by the controller and may, if the controller has not notified the data subjects, request such notification. Notifications of a personal data breach allow the supervisory authority to respond appropriately and limit the effects of such breaches, as the controller is obliged to take effective measures to ensure the protection of individuals and their personal data, which, on the one hand, will allow for the control of the effectiveness of the existing solutions and, on the other hand, for the assessment of modifications and improvements to prevent irregularities similar to those covered by the breach. On the other hand, notifying individuals of a breach provides the opportunity to provide them with information on the risk associated with the breach and to indicate the actions that they can take to protect themselves from the potential negative effects of the breach (this allows the individual to make an independent assessment of the breach in the context of the possibility of negative consequences for such a person and to decide whether or not to apply remedial actions).

As follows from the above considerations, the controller is obliged to immediately upon receiving information about a breach of personal data protection conduct an assessment of the risk associated with this breach, for the rights or freedoms of natural persons affected by the breach. The risk assessment should be the basis for the controller's decision leading to further actions in order to fulfil the obligations arising from Article 33 paragraph 1 and 34 paragraphs 1 and 2 of Regulation 2016/679.

In the case at hand, the Administrator, when providing an assessment of the risk of violating the rights or freedoms of natural persons in connection with the personal data protection breach, indicated that in his assessment, the risk of inconvenience related to disclosing the patient's personal data to an unauthorized person is low, and its existence does not require further proceedings. The basis for accepting such a level of risk was, among other things, the fact that "[...] the indicated effects in the context of the materialization of the analyzed risk have not occurred and will not occur". Furthermore, in a letter dated January 12, 2023, the Administrator indicated that "If we had known about the event in 2021, i.e. during the stay of both Ladies in one room, the possibility of proving to the medical staff an error in the scope of the anaesthesia questionnaires would have been much greater, and therefore the risk assessment would have been average". The hospital did inform the data subject of the breach of personal data protection by providing them with the content of the notification, but due to the failure to make an appropriate notification of the breach of personal data protection in this respect to the President of the Personal Data Protection Office within the time limit provided for by law (72 hours from the date of finding the breach), it deprived the supervisory authority of the possibility of taking an appropriate response to this breach, and consequently of the possibility of conducting an appropriate analysis of the content of the notification addressed to this person, in terms of the Controller's compliance with the obligations arising from Article 34 paragraph 2 in connection with Article 33 paragraph 3 of Regulation 2016/679 and providing the above-mentioned person with complete information on the possible consequences of the breach, as well as the measures that this person can take to protect themselves from the potential effects of the breach.

It should be remembered that the accidental disclosure of personal data even to one identified person may lead to an increase in the scale of the breach and thus the risk of violating the rights or freedoms of the data subject.

In the context of the above-mentioned risk assessment criteria proposed by the EDPB in Guidelines 9/2022, i.e. the type of breach, the nature, sensitivity and amount of personal data, as well as ease of identification, the risk assessment presented by the controller was not supported by any considerations relating to the severity of the possible consequences of the breach. The controller did not take into account, for example, that the categories of personal data breached included health data, which are classified as special categories of personal data and as such should be subject to special protection by controllers. Consequently, the disclosure of personal data falling into this category carries a high risk of violating the rights or freedoms of the persons to whom they relate.

It should also be emphasized that information on the state of health, together with other personal data disclosed to an unauthorized person, i.e. name, surname, date of birth and PESEL registration number, undoubtedly allows for the identification of the data subject, especially considering the fact that, as the Controller emphasized, both ladies were placed in one room.

In addition, the evidence collected indicates that the patient's personal data may remain in the possession of an unauthorized person to this day. This means that the risk to the patient's rights or freedoms has not been eliminated. As indicated by the Provincial Administrative Court in Warsaw in its judgment of 21 January 2022, file reference II SA/Wa 1353/21, "(...) there is no certainty that before these activities this person did not, for example, make a photocopy or record the personal data contained in the content of the document in another way, e.g. by writing them down". Therefore, it is difficult for the President of the UODO to understand the Controller's claim that if it had known about the personal data breach earlier, the risk associated with it would have been higher, whereas the Controller, up until the time of reporting the personal data breach to the supervisory authority, had not taken any steps to minimise the risk to the rights or freedoms of the data subject, including failing to properly notify the data subject of the possible effects of the breach and failing to indicate possible measures that the data subject could take to protect their data against unauthorised use.

As indicated in Guidelines 9/2022, a personal data breach may potentially result in a number of negative consequences for individuals whose data is the subject of the breach. Among the possible consequences of a breach, the EDPB lists: physical harm, material or non-material damage. Examples of such damage include: discrimination, identity theft or identity fraud, financial losses, damage to reputation, breach of confidentiality of personal data, and significant economic or social damage. In this case, there is no doubt that due to the scope of data covered by the personal data breach in question, including the PESEL registration number together with the first and last name and health data, there is a high probability of the above-mentioned damage occurring. 

It should also be emphasized that despite the time separating the personal data breach from the Hospital receiving information about the event, the risk to the rights or freedoms of the data subject cannot be reduced by the fact that to date the Controller has no knowledge of the materialization of possible negative consequences of the personal data breach. In the risk analysis dated December 29, 2022, presented in the letter dated February 24, 2023, the controller classified the risk as "within the scope of the standard". It also noted, as already indicated above, that "The indicated effects in the context of the materialization of the analyzed threat have not occurred and will not occur". In connection with the above, it should be emphasized that the negative effects of a personal data breach do not have to materialize for the controller to be obliged to report the breach and to notify the data subject of it. This means that the Controller may not make the performance of the obligations arising from Art. 33 sec. 1 and Art. 34 sec. 1 of Regulation 2016/679 conditional on the occurrence of damage on the part of the natural persons affected by the breach. As stated by the Regional Administrative Court in Warsaw in its judgment of September 22, 2021 issued in case file reference II SA/Wa 791/21: "It should be emphasized that the possible consequences of the event do not have to materialize. The content of Art. 33 sec. 1 of Regulation 2016/679 states that the mere occurrence of a personal data breach which involves a risk of infringement of the rights and freedoms of natural persons implies an obligation to notify the breach to the competent supervisory authority, unless it is unlikely that the breach will result in a risk of infringement of the rights and freedoms of natural persons" (and this Court ruled similarly in its judgments of 1 July 2022, file reference II SA/Wa 4143/21, of 31 August 2022, file reference II SA/Wa 2993/21, of 15 November 2022, file reference II SA/Wa 546/22 and of 26 April 2023, file reference II SA/Wa 1272/22).

As indicated in Guidelines 9/2022, when the controller becomes aware of a breach subject to the notification obligation, it must be reported without undue delay, no later than within 72 hours. Furthermore, the same guidelines indicate that in case of doubt, the Controller should, out of an abundance of caution, notify the supervisory authority of the personal data breach. The above therefore indicates that since the Controller decided to notify the data subject of a breach of their personal data protection, anticipating that the breach may involve a high risk to the rights or freedoms of natural persons, it was undoubtedly also obliged to report the personal data breach to the President of the UODO, which it did only after the President of the UODO had initiated administrative proceedings in the case. As follows from Article 33 sec. 1 of Regulation 2016/679, in the event of a breach of personal data protection, the controller shall report it to the supervisory authority without undue delay, unless it is unlikely that the breach will result in a risk of violating the rights or freedoms of natural persons.

In the context of the above explanations, the Hospital seems to forget that when applying the provisions of Regulation 2016/679, the purpose of this regulation (expressed in Article 1 paragraph 2) should be taken into account, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. In turn, the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In the event of any doubts, e.g. as to the performance of obligations by controllers - including in a situation where a breach of personal data protection has occurred - these values should be taken into account first.

The supervisory authority's receipt of the full information required under Article 33 paragraph 3 of Regulation 2016/679 about a specific personal data breach allows it to properly assess such a breach and respond appropriately, e.g. by requesting the controller to notify data subjects where this is necessary and the controller has not done so on its own initiative. Failure to respond appropriately and promptly to personal data breaches increases the risk of damage related to them.

It is worth emphasizing that when assessing the risk of violating the rights or freedoms of natural persons, which is dependent on, among other things, reporting a breach of personal data protection, the probability factor and the gravity of potential negative effects should be taken into account together. A high level of any of these factors affects the overall assessment, on which the fulfilment of, among other things, the obligation specified in Article 33 paragraph 1 of Regulation 2016/679 depends. Considering that due to the scope of the disclosed personal data in the analyzed case, there was a possibility of serious negative consequences for the data subject (as shown above), the significance of the potential impact on the rights or freedoms of a natural person should be considered high. At the same time, the probability of a high risk occurring as a result of the breach in question is not small and has not been eliminated. It should therefore be stated that in connection with the breach in question, there was a high risk of violating the rights or freedoms of the natural person whose data is being processed, which consequently determines the obligation to report a breach of personal data protection to the supervisory authority.

The Hospital received information from the supervisory authority several times that medical records containing personal data in the scope of name, surname, date of birth, PESEL number and health data were in the possession of another patient of the Administrator. The Hospital received the first information about a possible breach of personal data protection together with a letter from the President of the Personal Data Protection Office dated November 15, 2022. At that time, the Administrator indicated that it had received too little information to identify the event. In connection with the above, the Administrator was provided with additional information regarding the event. Despite this, in a letter dated December 5, 2022, the Administrator stated that it was still unable to detect the event, but at the same time indicated that it had informed the data subject about the breach of his personal data protection. The Administrator's conduct therefore indicates inconsistency: on the one hand, it informed the supervisory authority that it could not identify the event, which prevented it from reporting the personal data breach, while on the other hand, it decided to notify the data subject about the breach by providing him with certain information regarding the personal data breach that had occurred. On December 19, 2022, the President of the UODO provided the Administrator with the anesthesia questionnaire that had been issued to an unauthorized person and that had been attached to the correspondence initiating the explanatory activities. Even then, the Administrator did not decide to report the personal data breach to the supervisory authority, justifying its position with its analysis of the event.

The presented analysis showed that, theoretically, a personal data breach could have occurred, but that the possibility of proving the occurrence of an event resulting in a breach of personal data protection was low, and that the data subject might suffer significant inconveniences that could be overcome. According to the Administrator, as of the date of submitting the explanations (i.e. January 12, 2023), the risk of violating the rights or freedoms of natural persons was low, because the event had occurred over a year earlier and the threat had not materialized in the past. However, it is impossible to agree with the above. Based on the information provided to the Administrator by the supervisory authority, it had full opportunity to determine what had happened, including the ability to identify the person whose data had been disclosed to an unauthorized person. Consequently, it had sufficient information to determine the occurrence of a personal data breach, assess the level of risk of violating the rights or freedoms of that person and properly perform its obligations under Article 33 paragraph 1 and Article 34 paragraphs 1 and 2 of Regulation 2016/679.

Meanwhile, only after receiving notification of the initiation of administrative proceedings in the case, i.e. after 16 months from the moment of providing the Hospital with all information enabling it to determine the personal data breach, the Administrator decided to fulfill its obligation to report the personal data breach to the supervisory authority. Thus, the Administrator significantly exceeded the deadline set out in Article 33 paragraph 1 of Regulation 2016/679 for its fulfillment (72 hours from the date of detection). During this time, the factual circumstances presented to the Controller in the aforementioned letters from the authority have not changed. However, in the infringement notification form of March 27, 2024, the Controller indicated that it had conducted a new risk analysis, which showed the existence of a high risk of violating the rights or freedoms of natural persons. Moreover, in the aforementioned form, in point 3A, the Hospital stated that it had identified a personal data protection breach on November 24, 2022, i.e. less than a week after receiving the letter of the President of the UODO on this matter on November 18, 2022.

Therefore, the position of the Hospital contained in the letter dated February 24, 2023 that "If the situation occurred now and the Personal Data Protection Inspector and the Administrator of the entity were notified immediately, the risk assessment would be calculated completely differently. We assume that the President of the Personal Data Protection Office would be notified immediately and the risk would be assessed as unacceptable, because we could not predict what would happen to the personal and medical data that would be inappropriately transferred to a person unauthorized to process personal data and medical data" is unacceptable, since 16 months after the personal data protection breach was identified, the Administrator, in a reanalysis of the risk, determines the occurrence of a high risk of violating the rights or freedoms of natural persons and notifies the President of the UODO about the event. This is evidence of the lack of consistency of the Administrator towards the activities carried out concerning the protection of personal data and an inconsistent assessment of similar events, which de facto lead to the same consequences for the data subject.

At the same time, it is surprising that despite the initial failure to identify a risk that would require notification of a personal data breach to the supervisory authority, the Administrator decided to notify the data subject and implement remedial measures to prevent a recurrence of such a breach in the future. The above indicates a deliberate failure to notify the supervisory authority of a personal data breach in which there was a high risk of infringement of the rights or freedoms of a natural person.

To sum up the above, it should be stated that in the case in question there is a high risk of infringement of the rights or freedoms of the person covered by the personal data breach in question, which in turn resulted in the Hospital being obliged to report the personal data breach to the supervisory authority within 72 hours of its identification, in accordance with Article 33 paragraph 1 of Regulation 2016/679, and to notify that person of the breach of their personal data protection, in accordance with Article 34 paragraph 1 of Regulation 2016/679, which must contain all the information specified in Art. 34 sec. 2 of Regulation 2016/679.

It should also be noted that in the case at hand there is no basis to state that the Controller is exempt for any reason from the obligation to report a personal data breach to the supervisory authority within the period specified in Art. 33 sec. 1 of Regulation 2016/679 and from the obligation to notify the data subject of the breach (in accordance with Art. 34 sec. 1 of that Regulation). In the circumstances of the case at hand, it cannot be reasonably claimed that it is unlikely that the breach would result in a risk of violating the rights or freedoms of the data subject. The breach of personal data protection concerned, and this should be emphasised again, data in the scope of: first name, last name, PESEL registration number and health data, which data were made available to an unauthorised person. In the opinion of the supervisory authority, there is therefore no justification for the failure of the Hospital to fulfil its obligation arising from art. 33 sec. 1 of Regulation 2016/679 within the period specified in this provision. In the presented circumstances, such a significant delay in reporting the breach of personal data protection to the supervisory authority is therefore inadmissible.

In a situation where, as a result of a breach of personal data protection, there is a high risk of infringement of the rights or freedoms of natural persons, the controller is obliged to implement all appropriate technical and organisational measures to immediately identify the breach of personal data protection and quickly inform the supervisory authority, as well as the data subjects. The controller should fulfil this obligation as soon as possible.

On January 12, 2023, the Administrator provided the supervisory authority with information about the notification of the data subject and then, in a letter dated February 24, 2023, provided the content of this notification (date of forwarding the notification to the above-mentioned person: February 24, 2023). The notification referred to an earlier telephone conversation between the Administrator and the person, in which the Hospital's Data Protection Inspector provided the data subject with information about the occurrence of a breach of the protection of their personal data. In the content of the notification, the Administrator assured the data subject that the risk of violation of their rights or freedoms was low, and that the risk of unpleasantness related to the personal data breach would not occur or that the possibility of its occurrence was insignificant. Furthermore, the Administrator presented the above-mentioned person with a description of the activities carried out by the Hospital in connection with the personal data breach that occurred, without indicating any possible consequences for that person of the breach of their personal data, or remedies that that person could take to minimize the effects of the data breach.

Subsequently, together with the notification of the personal data breach made on 27 March 2024 (in the content of which the Hospital indicated that the aforementioned breach was detected on 24 November 2022), the Controller again provided the data subject with information regarding the breach of their personal data. However, the content of the notification provided to the data subject does not contain all the information required pursuant to Article 34 paragraph 2 in conjunction with Article 33 paragraph 3 Regulation 2016/679, i.e. a description of the measures taken or proposed by the controller to address the breach - including, where appropriate, measures to minimise its negative effects, taking into account all the categories of personal data that have been breached, i.e. health data.

It should therefore be emphasised here again that health data, in accordance with Regulation 2016/679, are special categories of personal data and as such are subject to specific rules on processing and should be subject to special protection by their controllers, and in the event of a personal data breach, they create a high risk of violating the rights or freedoms of a natural person, which obliges the controller to notify such person of the consequences that may arise in connection with the breach of this category of data and the measures that he or she may take to minimise the negative effects of the breach. Failure to indicate the actions that such a person can take on their own to remedy the breach and minimize its potential effects, relating to all data disclosed to an unauthorized person as a result of a personal data breach, may make it difficult for the data subject to make the right decision regarding the proper protection of their data against unauthorized use. The EDPB indicates in the aforementioned guidelines that the main purpose of notifying individuals is to provide specific information on the steps they should take to protect themselves from the negative consequences of a breach of their personal data. It should be emphasized that the measures proposed to the data subject to remedy the breach, including measures to minimize its negative effects, should correlate with the possible negative consequences of the personal data breach presented to that person. It is therefore not sufficient to indicate in the content of the notification of a breach of personal data protection to "inform the Hospital immediately upon obtaining information about the unauthorized use of your data", because this prevents the data subject from actually preventing the negative effects of the breach of health data, in connection with the effect indicated by the Hospital in the form of discrimination against that person.

Thus, the Administrator did not provide the data subject with all the required information, in accordance with art. 34 sec. 2 in connection with art. 33 sec. 3 letter d) of Regulation 2016/679.

Regardless of the above, it should be emphasized that the notification of the data subject of a breach of the protection of his or her personal data, in accordance with art. 34 sec. 1 of Regulation 2016/679, should take place immediately. It is difficult to assume that the transfer of the above notifications (although incomplete) to the person on February 24, 2023, and then on March 27, 2024, took place immediately, since the event took place in 2021, and the Hospital received the first information allowing for determining the breach of personal data protection from the President of the Personal Data Protection Office in a letter dated November 15, 2022. This means that the Administrator violated the above-mentioned provision of Regulation 2016/679.

When applying the provisions of Regulation 2016/679, the purpose of this regulation (expressed in Article 1, paragraph 2) should be taken into account, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. In turn, the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In the event of any doubts, e.g. regarding the performance of obligations by controllers - including in a situation where personal data protection has been breached - these values should be taken into account first.

Article 34 paragraphs 1 and 2 of Regulation 2016/679 aims not only to ensure the most effective protection of the fundamental rights or freedoms of data subjects, but also to implement the principle of transparency, which results from Article 5 paragraph 1 letter a) of Regulation 2016/679 (cf. Witold Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary. ed. E. Bielak - Jomaa, D. Lubasz, Warsaw 2018). Proper fulfilment of the obligation specified in Article 34 of Regulation 2016/679 is to provide data subjects with prompt and transparent information about a breach of their personal data, together with a description of the possible consequences of a personal data breach and the measures they can take to minimise its possible negative effects. Acting in accordance with the law and demonstrating care for the interests of data subjects, the controller should have provided the data subject without undue delay with the best possible protection of their personal data. To achieve this objective, it is necessary to indicate at least the information listed in Art. 34 sec. 2 of Regulation 2016/679, an obligation the controller has not fulfilled. Therefore, by deciding not to report the personal data breach to the supervisory authority within the period specified in Art. 33 sec. 1 of Regulation 2016/679, and by failing to notify the data subject without undue delay and to provide him or her with all the required information, the Controller has in practice deprived that person of reliable information about the personal data breach and of the possibility of counteracting potential damage.

Consequently, it should be stated that the Controller failed to notify the personal data breach to the supervisory authority within the time specified in art. 33 sec. 1 of Regulation 2016/679, i.e. within 72 hours from the moment the data breach was discovered, and failed to promptly and properly notify the data subject of the breach of their personal data, in accordance with art. 34 sec. 1 and 2 of Regulation 2016/679, which means that the Controller has breached these provisions.

In accordance with art. 34 sec. 4 of Regulation 2016/679, if the controller has not yet notified the data subject of the personal data breach, the supervisory authority – taking into account the likelihood that this personal data breach will result in a high risk – may request it to do so or may determine that one of the conditions referred to in sec. 3 is met. In view of the above, the President of the UODO, acting under Article 58 paragraph 2 letter e) of Regulation 2016/679, ordered the Controller to notify the person affected by the personal data protection breach within the scope and within the period specified in the operative part of this decision.

II. Justification for imposing and determining the amount of the administrative fine.

Taking into account the above findings and the identified infringements of the provisions of Regulation 2016/679, the President of the UODO, exercising his power specified in Article 58 paragraph 2 letter i) of Regulation 2016/679, according to which each supervisory authority has the power to apply, in addition to or instead of other remedial measures provided for in Article 58 paragraph 2 letters a)-h) and letter j) of that Regulation, an administrative fine under Article 83 paragraph 4 letter a) and paragraph 5 letter a) of Regulation 2016/679, taking into account the circumstances established in the proceedings in question, found that in the case in question there were grounds for imposing an administrative fine on the Controller.

In accordance with Article 83 paragraph 4 letter a) of Regulation 2016/679, infringements of the provisions concerning the obligations of the controller and the processor referred to in Articles 8, 11, 25-39 and 42 and 43 are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - of up to 2% of its total annual global turnover from the previous financial year, whichever is higher.

In this case, the administrative fine was imposed on the Controller for infringement of Article 33 paragraph 1 and 34 paragraph 1 and 2 of Regulation 2016/679 on the basis of the above-mentioned Article 83 paragraph 4 letter a) of Regulation 2016/679.

When deciding to impose an administrative fine, the President of the UODO - in accordance with the content of Article 83 paragraph 2 letters a) - k) of Regulation 2016/679 - took into account the following circumstances of the case, which constitute the necessity of applying such sanctions in this case and have an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a of Regulation 2016/679). In this case, an infringement was found of Article 33 paragraph 1 of Regulation 2016/679 (consisting in failing to notify the President of the UODO of a personal data breach without undue delay, no later than 72 hours after the breach was discovered) and of Art. 34 sec. 1 and 2 of Regulation 2016/679 (consisting in failing to provide the data subject, as part of the notification addressed to them, with an adequate description of the measures applied or proposed by the controller to remedy the personal data breach, including measures to minimise its possible negative effects). These infringements relate to an event consisting in the disclosure of the personal data of one Hospital patient in the form of name, surname, PESEL registration number and health data as a result of providing the Anesthesiology Questionnaire Card to an unauthorised person. This event is of significant importance and serious nature, as it may lead to property or non-property damage for the person whose data has been breached, and the probability of such damage occurring is high.

It should also be emphasized that in connection with the transfer of the Anesthesia Survey Card of the Hospital patient to an unauthorized person, information covered by medical confidentiality was unlawfully disclosed, which additionally increases the seriousness of the breach and indicates the possibility of negative consequences of the event for the person whose data were accessed.

Although in this case there is no evidence that the person whose data were accessed by an unauthorized person suffered property damage, the breach of confidentiality of their data itself constitutes non-property damage (harm) for them. An individual whose data has been obtained in an unauthorized manner may at least feel fear of losing control over their data, identity theft or identity fraud, discrimination, or finally financial loss. As indicated by the District Court in Warsaw in its judgment of 6 August 2020, file reference XXV C 2596/19, fear, i.e. loss of security, constitutes real non-material damage entailing the obligation to make it good. In turn, the Court of Justice of the EU in its judgment of 14 December 2023 in the case Natsionalna agentsia za prihodite (C-340/21) emphasised that "Article 82 paragraph 1 of the GDPR should be interpreted as meaning that the fear of possible use by third parties in a manner constituting a misuse of personal data, which the data subject has as a result of an infringement of this regulation, may in itself constitute 'non-material damage' within the meaning of this provision".

The President of the UODO also considers the long duration of the infringement of the provisions of Regulation 2016/679 by the Hospital as an aggravating circumstance. It should be assumed that the infringement of the above-mentioned provisions of Regulation 2016/679 began on 18 November 2022 (i.e. when the Hospital received correspondence addressed to it by the President of the Personal Data Protection Office, thus obtaining information about the occurrence of a personal data breach). The infringement of Article 33 paragraph 1 of Regulation 2016/679 ended on 27 March 2024 with the notification of the personal data breach to the supervisory authority. On the other hand, the infringement of Article 34 paragraphs 1 and 2 of Regulation 2016/679 is still ongoing, as the person affected by the personal data breach has not yet received full and correct information regarding this breach.

In this case, the infringement of the provisions of Regulation 2016/679 concerned the personal data of only one person. Such a number of people affected by the breach, especially in view of the fact that the Hospital – due to the scale and scope of its activities – processes the personal data of a very large number of people, should be considered small, which speaks in favour of the Controller, but it did not change the overall assessment, i.e. the recognition in the analysed case of the premise of Article 83 paragraph 2 letter a) of Regulation 2016/679 as aggravating.

2. Intentional nature of the infringement (Article 83 paragraph 2 letter b of Regulation 2016/679). In accordance with the Guidelines of the Article 29 Working Party on the application and setting of administrative pecuniary penalties for the purposes of Regulation No. 2016/679 (hereinafter referred to as the WP253 Guidelines), confirmed by the Guidelines 04/2022 on the calculation of administrative pecuniary penalties under the GDPR (hereinafter referred to as the Guidelines 04/2022[2]), intentionality "includes both knowledge and deliberate action, in connection with the characteristics of the prohibited act". The Controller made a conscious decision, supported by the risk analysis of 29 December 2022, not to notify the President of the Personal Data Protection Office of the breach of personal data protection within 72 hours of its detection and not to notify the data subject without undue delay. There is no doubt that the Administrator, when processing special category personal data such as health data, should have knowledge in the field of personal data protection, including the consequences of finding a breach of personal data protection resulting in a high risk of violating the rights or freedoms of natural persons (and this knowledge may be required not only from the Administrator but also from the data protection officer appointed by it). Being aware of this, the Administrator decided not to perform its obligations specified in art. 33 sec. 1 and art. 34 sec. 1 and 2 of Regulation 2016/679.

3. Actions taken to minimise the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679). By failing to provide the data subject with full information concerning the breach of their personal data protection, the Controller deprived them of knowledge of the actual level of risk, which deprives them of the ability to independently assess the effects of the breach of their data protection, and consequently made it difficult to take appropriate actions to prevent the effects of this breach. It should be pointed out again that health data constitute a special category of personal data and as such should be subject to special protection, and consequently, the effects of a breach of protection of this category of data may be particularly severe. Although it is worth noting that the Controller decided to notify the data subject of the breach of their personal data protection, it did not provide them with full information concerning the security measures that they can independently take to prevent the use of their personal data in the form of health data.

4. Categories of personal data concerned by the breach (Article 83 paragraph 2 letter g of Regulation 2016/679). The personal data contained in the patient's Anesthesia Questionnaire, which was incorrectly issued to an unauthorized person and which is concerned by the breach of the provisions of Regulation 2016/679, include the first name, last name, PESEL registration number and health data. The nature of the activity conducted by the Controller requires it to process personal data subject to special protection under Article 9 paragraph 1 of Regulation 2016/679.

It should also be noted that the Anesthesia Questionnaire contains a PESEL number, i.e. an eleven-digit numerical symbol that uniquely identifies a natural person, containing the date of birth, serial number, gender designation and check digit. It is therefore closely related to the private sphere of the natural person and, as a national identification number, is also subject to exceptional protection under Article 87 of Regulation 2016/679; it is data of a special nature and requires such special protection. There is no other such specific data that would uniquely identify a natural person. It is not without reason that the PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal circulation. The PESEL number together with the first and last name uniquely identifies a natural person, in a way that allows the negative effects of the breach (e.g. identity theft, loan fraud) to be attributed to that specific person.

In this context, it is worth recalling the EDPB Guidelines 04/2022, which indicate: "As regards the requirement to include the categories of personal data concerned by the breach (Article 83 paragraph 2 letter g) of [Regulation 2016/679], [Regulation 2016/679] clearly indicates the types of data that are subject to special protection and therefore a more rigorous response when imposing fines. This applies at least to the types of data covered by Article 9 and 10 [of Regulation 2016/679] and data not covered by these articles, the dissemination of which immediately causes harm or discomfort to the data subject (e.g. location data, private communication data, national identification numbers or financial data such as transaction records or credit card numbers). Generally speaking, the more such categories of data are affected by the breach or the more sensitive the data is, the more weight the supervisory authority may attach to such a factor. The amount of data relating to each data subject also matters, the scale of the infringement of the right to privacy and the protection of personal data increases." It is worth pointing out once again the emerging case law in this area, where, for example, in the judgment of 15 November 2022, file ref. Act II SA/Wa 546/22, the Provincial Administrative Court in Warsaw indicated: "It was also obvious that when determining the penalty, the body had to take into account the fact that the violation concerned highly sensitive data (including PESEL, address, health data)." This view was also shared by the above-mentioned Court in its judgment of 21 June 2023 in case file reference II SA/Wa 150/23, where the Provincial Administrative Court in Warsaw indicated: "To sum up, the Court is of the opinion that the disclosure of the PESEL number indicates a high risk of violating the rights or freedoms of natural persons."

When deciding to impose an administrative fine, the President of the Personal Data Protection Office took into account the following circumstances of the case, which constituted the necessity to apply this type of sanction in this case and had a mitigating effect on the amount of the administrative fine imposed:

1. The degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its possible negative effects (Article 83 paragraph 2 letter f of Regulation 2016/679). The Controller reported the personal data breach as a result of the initiation of administrative proceedings in this case by the President of the Personal Data Protection Office, and although this report was a specific response to the supervisory authority's request, it is a manifestation of an appropriate response to the letters addressed to the Hospital, and therefore this circumstance should be classified as mitigating. At the same time, the President of the UODO notes the actions taken by the Administrator to inform the data subject about the breach of protection of his/her personal data, and although the notification addressed to the person does not provide that person with all the information required by the provisions of Regulation 2016/679 (i.e. a description of the measures applied or proposed by the administrator to remedy the breach of protection of personal data, including measures to minimize its possible negative effects relating to the category of personal data in the form of health data), the Hospital's action in this respect should be considered a mitigating circumstance.

The other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, after assessing their impact on the breach found in this case, were considered by the President of the UODO to be neutral in his opinion, i.e. having neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed.

1. The degree of responsibility of the controller, taking into account the technical and organisational measures implemented by it under Art. 25 and 32 (Art. 83 sec. 2 letter d of Regulation 2016/679). Due to the nature of the infringement of the provisions of Regulation 2016/679 found in this case (failure to notify the President of the UODO of a personal data breach without undue delay, no later than 72 hours after its detection) and the lack of proper notification to the data subject due to the failure to provide them with all the information required in accordance with Art. 34 sec. 2 of Regulation 2016/679 (failure to provide a description of the measures taken or proposed by the controller to remedy the breach – including, where appropriate, measures to minimise its negative effects, taking into account all the breached categories of personal data, i.e. health data) – which in their essence do not involve the technical and organisational measures applied by the controller – it should be assumed that the premise indicated in Article 83 paragraph 2 letter d) of Regulation 2016/679 has neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine. It is irrelevant in assessing the Hospital's breach of the provisions of Article 33 paragraph 1 and Article 34 paragraphs 1 and 2 of Regulation 2016/679.

2. Any relevant previous infringements by the controller or processor (Article 83 paragraph 2 letter e of Regulation 2016/679). The President of the UODO did not find any relevant previous infringements of Regulation 2016/679 by X, therefore there is no basis to treat this circumstance as an aggravating factor, however, it is the duty of each controller to comply with the law (including the provisions on personal data protection), therefore the lack of previous similar infringements of personal data protection cannot be considered a mitigating circumstance when imposing sanctions.

3. The manner in which the supervisory authority learned of the infringement (Article 83 paragraph 2 letter h of Regulation 2016/679). Of the infringement of Article 33 paragraph 1 and Article 34 paragraphs 1 and 2 of Regulation 2016/679, related to the issuance to an unauthorised person of the Anaesthesia Survey Card of another patient, the President of the UODO was informed by (...), which provided information obtained from a third party with access to this data. Failure to notify the supervisory authority of a personal data breach within 72 hours of its discovery and failure to immediately notify the data subject and provide them with a description of the measures applied or proposed by the controller to remedy the personal data breach, including measures to minimise its possible negative effects, is, however, the subject of these proceedings, and in the circumstances of the factual situation under consideration the supervisory authority assumed that it would not treat this premise as an aggravating circumstance.

4. Compliance with the measures previously applied in the same case, referred to in Article 58 sec. 2 of Regulation 2016/679 (Article 83 paragraph 2 letter i of Regulation 2016/679). Before issuing this decision, the President of the UODO did not apply any of the measures listed in Article 58 paragraph 2 of Regulation 2016/679 to the controller in the case at issue, and therefore the controller was not obliged to take any actions related to their application, and which actions, assessed by the President of the UODO, could have an aggravating or mitigating effect on the assessment of the identified infringement.

5. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83 paragraph 2 letter j of Regulation 2016/679). The Hospital did not state whether it applies approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in the provisions of Regulation 2016/679 - mandatory for administrators and processors, and therefore the circumstance of their non-application cannot be considered to the detriment of the Administrator in this case. On the other hand, the circumstance of adopting and applying such instruments, as means guaranteeing a higher than standard level of protection of the processed personal data, could be considered to the benefit of the Administrator.

6. Financial benefits achieved directly or indirectly in connection with the infringement or losses avoided (art. 83 sec. 2 letter k of Regulation 2016/679). The President of the UODO did not find that the controller gained any financial benefits or avoided any losses in connection with the infringement. There is therefore no basis to treat this circumstance as incriminating the controller. The finding of the existence of measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed definitely negatively. On the other hand, the failure of the controller to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that by its nature cannot be a mitigating factor for the Controller. This is confirmed by the very wording of the provision of art. 83 sec. 2 letter k of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" – those accruing to the entity committing the infringement.

7. Other aggravating or mitigating factors (Article 83 paragraph 2 letter k of Regulation 2016/679). The President of the UODO, in a comprehensive examination of the case, did not note any circumstances other than those described above that could have an impact on the assessment of the infringement and the amount of the administrative fine imposed.

Finally, it is necessary to indicate that when determining the amount of the administrative fine in this case, the President of the UODO applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with the guidelines presented in this document:

1. The President of the UODO categorized the infringement of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The infringement of Article 33 paragraph 1 and Article 34 paragraph 1 and 2 of Regulation 2016/679 belongs – in accordance with Article 83 paragraph 4 letter a) of Regulation 2016/679 – to the category of infringements punishable by the lower of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 10,000,000 or up to 2% of the total annual turnover of the undertaking in the previous financial year). It was therefore in abstracto (isolated from the individual circumstances of a specific case) considered by the EU legislator to be less serious than the infringements indicated in Article 83 paragraph 5 of Regulation 2016/679).

2. The President of the UODO assessed the infringement found in this case as a low level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, the circumstances listed in Article 83(2) of Regulation 2016/679 that relate to the subject of the infringement (constitute the "seriousness" of the infringement) were taken into account, i.e. the nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679), the intentional or unintentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679) and the categories of personal data concerned by the infringement (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. At this point, it should be pointed out that considering their combined impact on the assessment of the infringement found in this case, taken as a whole, leads to the conclusion that its level of seriousness is also in concreto low (on the scale of seriousness of infringements presented in point 60 of Guidelines 04/2022). The consequence of this is to adopt – as the starting amount for calculating the fine – a value within the range of 0 to 10% of the maximum fine that can be imposed on the Hospital. Considering that the provision of Art. 83 paragraph 4 of Regulation 2016/679 obliges the President of the UODO to adopt, as the maximum amount for the infringements indicated in this provision, the amount of EUR 10 000 000 or – if that value is higher than EUR 10 000 000 – an amount constituting 2% of the turnover in the previous financial year, the President of the UODO states that the so-called static maximum amount of the fine – EUR 10,000,000 – applies. The application of a 2% rate to the Hospital's turnover for the financial year ended on 31 December 2023 ((…) EUR, i.e. the equivalent of (…) PLN at the average EUR exchange rate of 29 January 2024) gives the amount of (…) EUR - lower than the static maximum amount of the fine referred to in Article 83 paragraph 4 of Regulation 2016/679. Having a range from 0 to 10,000,000 EUR, the President of the Personal Data Protection Office adopted, as adequate and justified by the circumstances of the case, the starting amount for calculating the amount of the fine of EUR 200,000 (constituting 2% of the static maximum amount of the fine).

3. The President of the UODO adjusted the starting amount corresponding to the low seriousness of the identified infringement to the Hospital's turnover as a measure of its size and economic power (see Chapter 4.3 of Guidelines 04/2022). In accordance with Guidelines 04/2022, in the case of enterprises with an annual turnover between EUR 10 and 50 million, the supervisory authority may consider further calculating the amount of the fine based on a value between 1.5 and 10% of the starting amount. Considering that the turnover of the Hospital in the last reporting year (ending on 31 December 2023) amounted to PLN (…), i.e. EUR (…) (according to the average EUR exchange rate of 29 January 2024), the President of the UODO considered it appropriate to adjust the amount of the penalty to be calculated to a value corresponding to 4% of the starting amount, i.e. to EUR 8,000 (equivalent to PLN 34,922.40).

4. The President of the UODO assessed the impact on the established infringement of the remaining circumstances (apart from those included above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to its subjective aspect, i.e. to the entity itself that is the perpetrator of the infringement of the provisions of Regulation 2016/679 and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The President of the UODO considered that the mitigating circumstance in this case is the degree of cooperation of the Hospital with the supervisory authority in order to eliminate the infringement and mitigate its negative effects (Article 83 paragraph 2 letter f) of Regulation 2016/679). On the other hand, the actions taken by the Hospital in order to minimize the damage suffered by the data subject have an aggravating effect on the amount of the penalty (Article 83 paragraph 2 letter c) of Regulation 2016/679). The remaining conditions (from Article 83 sec. 2 letters d), e), h), i), j) and k) of Regulation 2016/679) – as indicated above – had neither a mitigating nor an aggravating effect on the assessment of the infringement of the provisions of Regulation 2016/679 and, consequently, on the amount of the penalty. Due to the existence of the above mitigating and aggravating circumstances in the case, the President of the UODO decided to reduce the amount of the penalty established above; in the opinion of the President of the UODO, the reduction of the amount to EUR 6,800 (equivalent to PLN 29,684.04) is adequate to the assessed impact of the above-mentioned circumstances on the assessment of the infringement.

5. The President of the UODO decided that the amount of the above penalty does not require additional correction due to the principle of proportionality referred to in Article 83 sec. 1 of Regulation 2016/679, which is one of the three penalty directives (see Chapter 7 of Guidelines 04/2022). A fine of EUR 6,800 will be an effective penalty (due to its severity, it will achieve its repressive purpose, which is to punish unlawful conduct) and a deterrent penalty (effectively discouraging both the Hospital and other controllers from committing future infringements of the provisions of Regulation 2016/679). The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see points 137 and 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...]; Commentary to Article 83 [in:] P. Litwiński (ed.) General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary). The amount of EUR 6,800 (equivalent to PLN 29,684.04) is the threshold above which further increases in the amount of the penalty will not be associated with an increase in its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the fine could be at the expense of its effectiveness and deterrent nature, as well as the coherent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities in the EU and EEA internal market.

In the opinion of the President of the UODO, the administrative fine applied fulfils the functions referred to in Article 83 paragraph 1 of Regulation 2016/679 in the established circumstances of this case, i.e. it is effective, proportionate and deterrent in this individual case.

It should be emphasised that the fine will be effective if its imposition leads to the Hospital fulfilling its obligations in the field of personal data protection in the future, in particular in the field of reporting a breach of personal data protection to the President of the UODO.

In the opinion of the President of the Personal Data Protection Office, the administrative fine will also fulfil a repressive function, as it will constitute a response to the Hospital's breach of the provisions of Regulation 2016/679. It will also fulfil a preventive function. In the opinion of the President of the Personal Data Protection Office, it will indicate to both the Hospital and other administrators the reprehensibility of disregarding the obligations of administrators related to the occurrence of a personal data protection breach, which are intended to prevent its negative and often severe effects for the persons affected by the breach, as well as to eliminate these effects or at least limit them.

Pursuant to art. 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the "UODO Act", the equivalent of the amounts expressed in euros referred to in art. 83 of Regulation 2016/679 is calculated in złoty at the average euro exchange rate announced by the National Bank of Poland in the exchange rate table on 28 January each year, and in the event that in a given year the National Bank of Poland does not announce the average euro exchange rate on 28 January - at the average euro exchange rate announced in the exchange rate table of the National Bank of Poland closest after that date.

Taking the above into account, the President of the UODO, on the basis of art. 83 sec. 4 letter a) in connection with art. 103 of the UODO Act, for the violation described in the operative part of this decision, imposed on the Hospital - using the average euro exchange rate of 29 January 2024 (1 EUR = 4.3653 PLN) - an administrative fine in the amount of PLN 29,684.04 (which is the equivalent of EUR 6,800).

In the opinion of the President of the UODO, the imposed fine of PLN 29,684.04 (in words: twenty-nine thousand six hundred eighty-four zlotys and four groszy) meets, in the established circumstances of this case, the conditions referred to in art. 83 sec. 1 of Regulation 2016/679 due to the seriousness of the established infringement in the context of the basic objective of Regulation 2016/679 – protection of fundamental rights and rights of natural persons, in particular the right to personal data protection. Referring to the amount of the administrative fine imposed on the Hospital, the President of the UODO considered that it is proportionate to the financial situation of the Controller and will not constitute an excessive burden for it.

The financial report presented by the Administrator shows that the Hospital's total revenues for the financial year ended on December 31, 2023 amounted to PLN (…), therefore the amount of the administrative fine imposed in this case constitutes approx. (…)% of the above amount of revenues. At the same time, it is worth emphasizing that the amount of the fine imposed, PLN 29,684.04, is only 0.07% of the maximum fine that the President of the Personal Data Protection Office could – applying the static maximum fine (i.e. EUR 10,000,000) in accordance with Article 83, paragraph 4 of Regulation 2016/679 – impose on the Hospital for the violation of the provisions of Regulation 2016/679 found in this case.

The amount of the penalty was set at such a level that, on the one hand, it constituted an adequate response of the supervisory authority to the degree of breach of the administrator's obligations, but on the other hand, it did not result in a situation in which the need to pay the financial penalty would entail negative consequences, such as a significant reduction in employment or a significant decrease in the Hospital's turnover. According to the President of the Personal Data Protection Office, the Hospital should and is able to bear the consequences of its negligence in the area of data protection, as evidenced by the Hospital's financial report sent to the President of the Personal Data Protection Office on 8 April 2024. Moreover, when moderating the amount of the penalty, the supervisory authority took into account the financial situation of the Administrator as at the date of issue of this administrative decision, i.e. the fact that in the period from (...) to the present, (...) is pending at the Hospital.

In this factual and legal situation, the President of the Personal Data Protection Office decided as in the verdict.

[1] The above-mentioned Guidelines updated and supplemented the WP29 Guidelines on notification of personal data breaches under Regulation 2016/679 (WP250 rev.01), adopted on 3 October 2017.

[2] https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_pl_0.pdf