Mirosław Wróblewski, President of the Polish Data Protection Authority (UODO), has filed a report with the District Prosecutor’s Office in Warsaw-Śródmieście regarding a suspected crime involving the illegal processing of personal data. The case concerns the publication on the social media platform X (formerly Twitter) of data taken from passport applications of well-known public figures, including prosecutor Ewa Wrzosek, former minister Mariusz Kamiński, MP Marek Jakubiak, and their family members.
Exposed Data: Names, National ID Numbers, Addresses
Posts published by users under the handles @DorotaKania2, @Jan_Pinski, and @KoneserUS17 included a broad range of personal information. Disclosed details included full names, dates of birth, PESEL numbers (Polish national ID numbers), home addresses, marital status, citizenship, education, political affiliations, spousal information, distinguishing physical features, and parents’ names.
Although some of these individuals hold public office—meaning a degree of public access to their data (e.g., name and role) is expected—the publication of such detailed personal and family information exceeds legal limits and constitutes a serious invasion of privacy.
Serious Consequences: Identity Theft and Safety Risks
Publishing this information by unauthorized individuals poses significant threats—ranging from identity theft and financial loss, to defamation and loss of confidentiality. For public figures like prosecutor Wrzosek, such disclosures may even result in real threats to personal safety.
“This is not only an unprecedented violation of privacy, but also a real threat to the life and health of the individuals involved and their families,”
emphasized the President of UODO.
“Actions like this deserve a firm response from law enforcement authorities.”
What Does the Law Say?
According to Article 107(1) of the Polish Personal Data Protection Act, anyone who processes personal data without proper authorization is subject to a fine, restriction of liberty, or imprisonment of up to two years.
Additionally, under the General Data Protection Regulation (GDPR), personal data must be processed lawfully, fairly, and transparently. Processing is only lawful if at least one condition outlined in Article 6(1) of GDPR is met—such as the data subject’s consent, legal obligation, or public interest. In this case, none of these conditions were met.
UODO: Violation of Data Minimization Principle
The disclosure of such a wide range of information also violates the principle of data minimization, which mandates that only data necessary for a specific purpose should be processed. In this instance, data was processed and made public without any legal justification or public interest.
Source: ManagerPlus.pl
Office for Personal Data Protection (UODO)
