Ikonka home dla okruszków News and events
photo
18.03.2025

Administrative fines for GDPR infringement during correspondence elections in 2020

The President of the Personal Data Protection Office, Mirosław Wróblewski, has imposed an administrative fines of EUR 6 444 174 on Poczta Polska S.A. (the Polish Post) and EUR 23 757 on Minister of Digital Affairs. The fines concerns processing personal data of 30 million citizens from personal identification number (PESEL number) register in relation to the preparations of so-called envelope elections in April and May 2020.

“The fact that personal data from the PESEL register were illegitimately made available and processed by Poczta Polska jeopardised the proper exercise of citizens’ rights under the Constitution. It guarantees citizens the right to legal protection of private life, family life, honour and reputation and to decide on their personal life" - pointed out the President of the Personal Data Protection Office in his decision of 17 March 2025 (DKN.5131.1.2025).

The fine imposed on the Minister of Digital Affairs is the maximum fine that is provided for by law for public sector entities in Poland. In the case of a fine for Poczta Polska, the amount of the fine, in the opinion of the President of the Personal Data Protection Office, fulfils the function of a fine specified in the GDPR and constitutes an adequate and fair response of the supervisory authority to the identified infringements due to, inter alia, the nature and gravity of the infringements.

Origin of the case

This case concerns an attempt to organise the election of the President of the Republic of Poland only in a correspondence way in spring 2020. At that time, the COVID-19 pandemic was ongoing in Poland. The authorities have started to organise the electoral process in this form, even though the act amending the electoral rules has not yet entered into force. This act, which was not in force in April 2020, assumed that the Poczta Polska would deliver election packages printed by the Polish Security Printing Works to voters’ mailboxes, and that voters would cast their votes by correspondence way so as not to gather in person at polling stations.

On 16 April 2020, the Prime Minister ordered Poczta Polska, by an administrative decision, to undertake preparations for the envelope elections of the President of the Republic of Poland. Referring to this instruction, on 20 April 2020, Poczta Polska subsequently made a request, the data of 30 million Polish citizens who were to be of legal age and resided in Poland on the planned election day, to be made available to it from the PESEL register.

The Minister of Digital Affairs gave his consent and the data recorded to the DVD were delivered (made available) to Poczta Polska on 22 April 2020 and were processed there.

The personal data of around 30 million Polish citizens were destroyed only between 15 and 22 May 2020, after it became clear that the elections on 10 May 2020 would not take place.

Citizens’ complaints and court judgments

Immediately after the disclosure of personal data from the PESEL register to Poczta Polska without a legal basis, citizens began to submit numerous complaints to the President of the Personal Data Protection Office. However, Mr Jan Nowak, the President of the Personal Data Protection Office in that time, considered these complaints to be unfounded.

However, the Commissioner of Human Rights took actions in this case. Firstly, on 29 April 2020, the Commissioner lodged a complaint with the Voivodeship Administrative Court in Warsaw against the decision of the Prime Minister of 16 April 2020. As a result of that complaint, the Voivodeship Administrative Court, by judgment of 15 September 2020 (VII SA/Wa 992/20), found that the contested decision not only grossly infringed the law, but was also issued without a legal basis (Article 156(1) point 2 of the Code of Administrative Procedure). This judgment was upheld by the Supreme Administrative Court in its judgment of 28 June 2024 (III OSK 4524/21).

Secondly, on 15 May 2020, the Commissioner filed a complaint with the Voivodeship Administrative Court against the action of the Minister of Digital Affairs of 22 April 2020 consisting in making personal data of nearly 30 million adult Polish citizens from the PESEL register available to Poczta Polska. By judgment of 26 February 2021 (IV SA/Wa 1817/20), the Voivodeship Administrative Court declared the actions of the Minister for Digital Affairs to be ineffective. By judgment of 13 March 2024 (II OSK 1630/21) the Supreme Administrative Court upheld the judgment of the Voivodeship Administrative Court.

The legitimacy of administrative court judgments in March and June 2024 unambiguously and definitively shaped the legal situation, from which it is clear that during the organisation of the envelope elections, personal data of 30 million adult Polish citizens were unlawfully made available by the Minister of Digital Affairs to Poczta Polska and processed by the Poczta Polska without a legal basis.

Due to the public nature of the case (resulting both from numerous complaints received by the Personal Data Protection Office and from the processing of personal data of approximately 30 million adult Polish citizens), the President of the Personal Data Protection Office initiated ex officio administrative proceedings to assess the actions of the Minister of Digital Affairs and Poczta Polska in April and May 2020 for violation of the provisions of the General Data Protection Regulation (GDPR).

What has the President of the Personal Data Protection Office determined?

In the proceedings, the President of the Personal Data Protection Office established that, without a legal basis, the Minister of Digital Affairs had provided Poczta Polska with the following data:

• PESEL number,

• names, surnames,

• the last current registered address for permanent residence (and if it is missing: the last one outdated)

• address of registration for temporary stay (together with the declared date of this stay),

• as well as the currently registered temporary departure outside the country.

These data concerned all adult Polish citizens whose country of residence on 10 May 2020 was Poland. After receiving them, Poczta Polska processed them without a legal basis.

In its decision, the President of the Personal Data Protection Office considered that the infringements attributed to Poczta Polska were of a serious nature. They are against the basic principles of personal data processing. The Minister, being the entity responsible for maintaining and developing the PESEL register – which is the central and most important state collection of personal data of natural persons – should not only have the highest knowledge of the law, but also provide a guarantee of respect for the rights and freedoms of citizens (including those relating to the processing of their personal data included in the register). Meanwhile, in an authoritative and unilateral manner, he decided to make available to Poczta Polska the personal data of all Polish citizens, who were of legal age on 10 May 2020, whose country of residence on that day was Poland. 

In this situation, the President of the Personal Data Protection Office considered the imposition of the above-mentioned administrative fines to be justified and necessary.

The President of the Personal Data Protection Office also considered the scope of the data processed and the significant number of persons affected by the infringement to be an aggravating circumstance. The Minister provided Poczta Polska with information on about 30 million people with Polish citizenship, which accounted for almost 80% of the country's population.

The President of the Personal Data Protection Office took into account, as an aggravating circumstance affecting the amount of the fine imposed, the possibility of non-material damage on the part of the data subjects, such as, in particular, fear or uncertainty resulting from the fact that it was impossible to exercise control over their personal data, in view of the fact that they had been unlawfully made available to Poczta Polska.

The President of the Personal Data Protection Office assessed that the violations of Poczta Polska within the entire data protection system are fundamental. In its decision, the supervisory authority indicated that Poczta Polska, being a state-owned company, should, in connection with the performance of the public tasks entrusted to it, be characterised by the utmost diligence and respect for applicable law, including the provisions on the protection of personal data. When receiving the Prime Minister’s decision of 16 April 2020, obliging Poczta Polska to take steps to prepare for the elections, the company should have carried out an in-depth analysis of whether it could process data from the PESEL register on that basis.

In this situation, the President of the Personal Data Protection Office considered the imposition of the above-mentioned administrative fines to be justified and necessary.

The details of the case can be found in the decision of the President of the Personal Data Protection Office ref. no. DKN 5131.1.2025.

https://uodo.gov.pl/decyzje/DKN.5131.1.2025

 

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2025
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stawki 2, 00-193 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2025
Copyright.