As seen on the European Data Protection Board website, a decision that reminds us how broad the definition of “personal information” is in the GDPR. The monetary penalty is not large by U.S. standards (slightly more than $12,100.00), but it’s the point and notification required.
Background information
- Date of final decision: 6 July 2022
- National case
- Controller: Surveyor General of Poland (GGK)
- Legal Reference: Notification of a personal data breach to the supervisory authority (Article 33(1)), Communication of a personal data breach to the data subject (Article 34(1))
- Decision: Administrative Fine, order to communicate the breach to the data subjects
- Key words: Notification, communication, Surveyor General
Summary of the Decision
Origin of the case
At the beginning of April 2022, land and mortgage register numbers were visible for more than 48 hours in the service maintained by the Surveyor General of Poland, i.e. www.geoportal.gov.pl. With a land and mortgage register number, it is easy to determine a range of property owners’ data, including inter alia their personal identification numbers (PESEL numbers), first and last names, parents’ names, and property address. However, the Polish Supervisory Authority (SA) learned of the personal data breach not from the controller, who should notify it to the supervisory authority, but from the media. Therefore, in a letter dated April 7, 2022, the Polish SA informed the Surveyor General of Poland about the obligation to notify the personal data breaches to the supervisory authority, and about the need to communicate it to the persons affected when it is likely to result in a high risk to the rights and freedoms of natural persons.
Key Findings
As there was still no notification of a personal data breach from the GGK, the supervisory authority initiated administrative proceedings. During this proceeding, the GGK maintained that land and mortgage register numbers do not constitute personal data. In addition, the GGK maintained that land and mortgage register numbers are also visible in other services, and the brief appearance of the numbers on www.geoportal.gov.pl did not result in any risk to the rights and freedoms of natural persons. In its administrative decision, the Polish SA recalled the definition of personal data set forth in Article 4(1) of the GDPR, according to which personal data is any information about an identified or identifiable, directly or indirectly, natural person. The Polish SA also cited the judgment of the Voivodeship Administrative Court in Warsaw (ref. II Sa/Wa 2222/20), in which the court confirmed that land and mortgage register numbers constitute personal data.
Decision
The Polish SA has imposed another administrative fine, this time in the amount of PLN 60,000.00, on the Surveyor General of Poland. It is the third administrative fine imposed on GGK by the Polish SA since the GDPR came into force. In issuing the decision imposing the administrative fine, the DPA took into account, among other things, that in its view the personal data breach was of a high gravity and serious nature, and that the failure to notify the incident to the Polish SA, as well as the failure to communicate it to the individuals, was intentional. Also relevant for determining the fine was the fact that the Polish SA learned about the personal data breach from the media, and not from the controller itself.
For further information: decision in national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.