The controller should regularly assess and test the security measures in place
The Supreme Administrative Court dismissed the company’s appeal against the decision of the President of the Personal Data Protection Office and confirmed that, from the date the GDPR came into force, the data controller should regularly assess and test the security measures put in place.
The case began in 2019 following a report by the controller of a personal data breach concerning pay-as-you-go subscribers, in which an unauthorised person gained access to the personal data of over 114,000 Virgin Mobile customers. Subsequently, the President of the Personal Data Protection Office initiated administrative proceedings of his own accord to investigate whether the breach of personal data protection regulations had occurred as a result of a failure to implement appropriate technical and organisational measures.
In 2022, the President of the Personal Data Protection Office issued an administrative decision in the case and imposed a fine of PLN 1,968,524 on the company. However, this decision was appealed to the Voivodeship Administrative Court in Warsaw. Following that judgement, the President of the Personal Data Protection Office reconsidered the case. In its subsequent decision, the supervisory authority discussed in detail the grounds justifying the amount of the fine imposed and, at the same time, upheld its previous position regarding the breach of the GDPR. The amount of the fine was recalculated on the basis of the decision relating to the financial year preceding the issuance of the decision and amounted to PLN 1,599,395.
However, the company also disagreed with this ruling by the supervisory authority. It therefore lodged an appeal with the Voivodeship Administrative Court against the decision of the President of the Personal Data Protection Office, which the court dismissed in its entirety.
The company lodged a cassation appeal against this ruling of the Voivodeship Administrative Court with the Supreme Administrative Court, which, on 7 May 2026, held that the appeal lacked valid grounds. The Supreme Administrative Court deemed the allegations contained therein to be unfounded.
In the Supreme Administrative Court’s view, the supervisory authority, upon re-examining the case, correctly assessed the condition relating to the manner in which knowledge of the personal data breach was acquired, namely the reporting of that personal data breach to the President of the Personal Data Protection Office. In the supervisory authority’s view, this did not constitute a mitigating circumstance in determining the penalty, as it is of a neutral nature.
The Supreme Administrative Court also confirmed that the supervisory authority had correctly determined the duration of the breach of personal data protection regulations – that is, from the date on which the GDPR came into force until the date on which the controller obtained certification (22 July 2020). The court agreed with the position of the President of the Personal Data Protection Office that, as early as the date on which the GDPR came into force (25 May 2018), the company was obliged to have systems in place to ensure the regular testing, measurement and evaluation of the effectiveness of security measures for the processing of personal data.
Case No. III OSK 2694/23
Case No. II SA/Wa 272/21
DKN.5112.1.2020