The Supreme Administrative Court upheld the arguments of the President of the Personal Data Protection Office
The Supreme Administrative Court dismissed Bank Millennium's cassation appeal against the judgment of the Voivodeship Administrative Court in Warsaw, which upheld the decision of the President of the Personal Data Protection Office imposing an administrative fine of over PLN 350,000 on the bank for failing to report a personal data breach and failing to notify the data subjects. Thus, the Supreme Administrative Court agreed with the arguments of the President of the Personal Data Protection Office.
The President of the Office imposed an administrative fine on Bank Millennium due to the fact that the Bank failed to fulfill its obligations as a controller in connection with a personal data breach that occurred as a result of the loss by a courier service provider of correspondence sent by the bank containing the personal data of the bank's customers, such as: name, surname, PESEL number, registered address, bank account numbers, and identification numbers assigned to the bank's customers. The Personal Data Protection Office learned about the incident from a complaint received by the bank. The controller considered that the risk of negative consequences for the persons affected by the breach was medium, and therefore did not report the breach to the supervisory authority and did not fulfill its obligation to notify the data subjects in accordance with the GDPR. The failure to notify the supervisory authority of the breach (breach of Article 33(1) of the GDPR) and to notify the data subjects (breach of Article 34(1)) was the reason for imposing the fine.
Bank Millennium lodged a complaint against the decision of the President of the Personal Data Protection Office with the Voivodeship Administrative Court in Warsaw.
However, in its judgment, the Voivodeship Administrative Court had no doubt that the incident to which the proceedings related constituted a personal data breach referred to in Article 4(12) of the GDPR (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed). Furthermore, the bank had no information about what had happened to the above-mentioned shipment, which, in the opinion of the Voivodeship Administrative Court, was further confirmation that there had been a breach of personal data protection regulations. In the opinion of the Court, the supervisory authority also correctly concluded that the bank was the controller of the personal data affected by the breach. It was the bank, not the postal operator, that determined the purposes and means of data processing. The Voivodeship Administrative Court also emphasised that the bank, as the controller, had assessed the risk of a violation of rights or freedoms as medium, which meant that it should at least have notified the Personal Data Protection Office.
In connection with the judgment, Bank Millennium lodged a cassation appeal with the Supreme Administrative Court, requesting that the judgment be overturned in its entirety. In its appeal, it pointed out, among other things, that the Voivodeship Administrative Court had misinterpreted the law by assuming that the bank was obliged to report the personal data breach and notify the data subjects of the breach, whereas at the time of the loss of the shipment, it was the courier company that had control over the shipment and was therefore the data controller. The bank also disagreed with the administrative fine imposed by the President of the Personal Data Protection Office, stating that the Voivodeship Administrative Court had assumed, without analyzing the premises, that the fine was effective, proportionate, and dissuasive.
However, these arguments did not convince the Supreme Administrative Court, which dismissed Bank Millennium's cassation appeal.
Supreme Administrative Court judgment: ref. no. III OSK 2416/22
DKN.5131.16.2021