The President of the Office for Personal Data Protection (UODO), Mirosław Wróblewski, has decided to impose a financial penalty of 85,000 PLN on the National Public Prosecutor’s Office for confirmed personal data protection violations. This decision pertains to the disclosure of a victim’s personal data during a press conference organized by the Prosecutor of the National Public Prosecutor’s Office, Tomasz Szafrański, and the Attorney General – Minister of Justice, Zbigniew Ziobro.
During the conference, while discussing matters of one of the District Public Prosecutor’s Offices, the personal data of a victim, including their name, surname and other information belonging to special categories of data requiring special protection in accordance with GDPR were disclosed. Despite this data protection violation, the National Public Prosecutor’s Office neither reported this incident to the President of the UODO nor notified the person whose data was revealed about the breach and its consequences.
Upon obtaining information about the breach, the President of UODO requested an explanation from the National Public Prosecutor’s Office. Their response was that the data disclosure complied with regulations, citing that the information originated from publicly available court rulings and were quoted to illustrate inconsistencies in court verdicts. They argued that the data had previously been revealed in the course of court proceedings.
However, the President of UODO disagreed with their standpoint, concluding that there was indeed a violation of personal data protection regulations. According to the GDPR, the processing of data, especially sensitive data, requires an appropriate legal basis, and the National Public Prosecutor’s Office, as a public body, has an obligation to operate within the law. Disclosure of the victim’s data to such an extent should have an appropriate legal basis, which was lacking in this case.
Moreover, the President of UODO emphasized that the National Public Prosecutor’s Office should diligently protect the personal data of those granted the status of a victim in criminal proceedings. Therefore, the National Public Prosecutor’s Office has been mandated to inform the person whose data was leaked about the violation, its possible consequences, and implemented protective measures. As part of this notification, the Office should also provide the contact details of the data protection officer who can provide the victim with additional information.
The decision of the President of UODO as of September 2, 2024, serves as a reminder of the necessity to comply with GDPR regulations and stresses that even public institutions, such as the Public Prosecutor’s Office, must ensure personal data protection in accordance with current regulations.
Source: https://managerplus.pl/prezes-uodo-naklada-kare-85-tys-zl-na-prokurature-krajowa-za-naruszenie-ochrony-danych-osobowych-80237
