Poland
Głównego Geodetę Kraju
GDPR enforcement action by Polish National Personal Data Protection Office (UODO) on 2022-07-06.
Case details
- Authority
- Polish National Personal Data Protection Office (UODO)
- Date
- 2022-07-06
- Controller / Processor
- Głównego Geodetę Kraju
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 33 (1) GDPR, Art. 34 (1) GDPR
- Type of violation
- Insufficient fulfilment of data breach notification obligations
Summary
The Polish DPA has imposed a fine of EUR 12,450 on the public cartography institute Głównego Geodetę Kraju. The institute had suffered a data breach in which numerous land register numbers were visible on the institute's website for more than 48 hours. The land register number allows a number of owners' data to be determined, including their first and last names, the names of their parents and the address of the property. The institute had failed to report the breach to the DPA, with the result that it learned of the incident through media reports. The institute also failed to inform the data subjects of the incident. For this reason, the DPA found that the controller violated Article 33 (1) GDPR and Article 34 (1) GDPR.
Related fines