Poland

Poczta Polska SA (Polish Post)

0 €

GDPR enforcement action by the Polish National Personal Data Protection Office (UODO) on 2025-03-17.

Case details

Authority: Polish National Personal Data Protection Office (UODO)
Date: 2025-03-17
Controller / Processor: Poczta Polska SA (Polish Post)
Sector: Transportation and Energy
Quoted Articles: Art. 6 (1) GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Polish DPA has imposed a fine of EUR 6.3 million on Poczta Polska SA (Polish Post) for the unlawful disclosure of personal data of over 30 million citizens from the PESEL database, in connection with the planned postal vote during the Covid-19 pandemic.

Although the law amending the electoral regulations had not yet come into effect, the Ministry of Digital Affairs transferred sensitive data such as names, addresses, and PESEL numbers to the postal company. The data was only deleted weeks later—too late, according to the DPA, and in violation of data protection regulations.

--Update--

The Provincial Administrative Court in Warsaw overturned the DPA's decision. The court argued that, even though the Prime Minister's decision on which the processing had been based was overturned at a later stage, the decision enjoyed the presumption of legality. Therefore, the controller could base its processing on this decision.
