The President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, has imposed a total fine of PLN 78,000 on the Municipal Police Commander in Kraków. The sanction concerns the disclosure of a woman’s personal data in a press release and the failure to ensure proper oversight of personal data processing. The case is linked to events from 2023, when the police attempted to persuade the woman to reveal who had assisted her in obtaining an abortion.
After the case was publicized by the media, the police issued a statement explaining their actions. Along with it, however, special-category personal data were made public, including information concerning the woman’s health. This disclosure became the basis for the intervention by the President of the UODO.
In a separate proceeding initiated following a complaint filed by the person whose data were disclosed, the President of the UODO had previously fined the Polish National Police Headquarters. In that decision, the authority emphasized that the police’s legal right to collect data in the course of proceedings does not authorize their subsequent disclosure to the public.
What the police statement contained
During the proceedings against the Municipal Police Commander in Kraków, it was established that the woman had previously appeared in a television report in which she herself disclosed her first name and image. However, when presenting its position in the press release, the police included additional information that had not previously been public.
This information concerned, among other things, the woman’s psychophysical condition, her behavior during the police intervention, assessments formulated by officers, as well as details about her health. The statement included references to mental health, psychiatric treatment, medications taken, reproductive health, methods of purchasing medical products, and suspicions of legal violations.
After approximately one hour, the police modified the content of the statement, limiting the scope of the disclosed information. Nevertheless, it still contained data relating to the woman’s health condition, course of treatment, and health-related habits.
Incident notification and UODO response
The Municipal Police Commander learned of the personal data breach from the attorney representing the woman. He subsequently reported the incident to the President of the UODO, acting in accordance with applicable regulations. He indicated that the publication was unintentional and resulted from haste and inattention on the part of the press team. The personal data originated from the police Command Support System.
The Commander also acknowledged that the breach could pose a high risk to the rights or freedoms of the individual concerned. To mitigate the effects, the removal of the statement from the website was ordered, and the woman was informed about the incident.
Lack of risk analysis and insufficient safeguards
The proceedings showed that the Commander’s Press and Information Team processed personal data without first assessing the risks to the rights or freedoms of individuals. The technical and organizational measures in place were not regularly tested or updated, and their effectiveness was not systematically evaluated.
The President of the UODO stressed that the incident cannot be regarded solely as the result of unintended actions. Data obtained by the police in the course of their statutory duties were used for another purpose—media communication—without a legal basis and without being necessary for the performance of police tasks.
Misuse of particularly sensitive data
At the heart of the case was the use of internal police resources to disclose information that had not previously existed in the public domain. Publishing this information was not necessary to achieve statutory objectives and concerned particularly sensitive data of an identifiable individual.
According to the President of the UODO, the incident could have been avoided had the Commander conducted a risk analysis, identified threats, and implemented appropriate technical and organizational measures. In that case, the person whose personal data—including data of a particularly sensitive nature—were disclosed would not have been placed in a situation threatening her privacy and security.
Source: managerplus.pl
