Poland
Funeral Home
GDPR enforcement action by Polish National Personal Data Protection Office (UODO) on 2025-04-15.
Case details
- Authority
- Polish National Personal Data Protection Office (UODO)
- Date
- 2025-04-15
- Controller / Processor
- Funeral Home
- Sector
- Health Care
- Quoted Articles
- Art. 5 (2) GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Polish DPA has fined a funeral home EUR 7,800. The funeral home failed to implement sufficient technical and organisational measures to prevent a data breach. The funeral home had stored documents containing personal data in unlocked boxes. The company also transported those boxes in an open truck, which resulted in 10 boxes falling out of the truck and landing on the side of a road, where the boxes were found by the police. The driver did not notice the loss, due to the fact that that the boxes had not been counted. This resulted in the funeral home not reporting the incident to the DPA. During the investigation, the DPA found that the controller had failed to carry out a sufficient risk analysis and had failed to demonstrate sufficient supervision over the data processing.
---Update---
The decision made by the DPA was upheld by the Provincial Administrative Court in Warsaw.
Related fines