Court dismissed P4's complaint against the decision of DPA

The company explained in the proceedings before the supervisory authority that the notification of personal data breaches after 24 hours was related to inadvertent errors of the law firm's employees responsible for sending the correspondence. However, as the supervisory authority noted, employees’ errors cannot justify the delay in notifying to the supervisory authority. The Court also agreed with this position. According to the Court, the errors of the company's employees cannot be considered as a circumstance justifying the delay in making the notification. According to the Court, these errors prove that the process of notifying to the supervisory authority of personal data breaches is not properly organised.

In the justification of the judgment of 5 October 2022, the Court found that the supervisory authority correctly assumed that the company had breached its obligations under the Telecommunications Law and Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.

The Court confirmed that before issuing the decision, the supervisory authority clarified all the circumstances of the case and made a proper assessment of the collected evidence. Indeed, the controller, as a provider of telecommunication services, failed to comply with the obligation to notify the personal data breaches to the supervisory authority within the time limit strictly specified by the law, i.e. no later than 24 hours after becoming aware of the breaches. In addition, the Court found that the supervisory authority appropriately determined the amount of the fine, which is not only adequate to the infringement found, but also fulfils the intended function to be dissuasive.