Notifying individuals in the event of a data breach – key takeaways from the Supreme Administrative Court ruling
When does a personal data breach involve high risk and the obligation to notify individuals? The latest judgment of the Supreme Administrative Court shows that even the disclosure of data concerning a single person may constitute a high risk to their rights and freedoms. It’s important to remember that, in the case of a data breach, what matters most is the risk assessment – not automatic action.
GDPR Principles
Not every data breach automatically requires notifying data subjects. The key factor is the assessment of the risk to their rights and freedoms. This assessment forms part of the evaluation of the incident and its potential consequences. If the breach is likely to result in a high risk to the rights or freedoms of natural persons, the controller must not only report the breach to the supervisory authority (PUODO) but also notify the affected individuals.
Subject of the Case
In the case under review, an email was sent with an unencrypted attachment containing personal data – name, surname, PESEL number, and financial information – to the wrong recipient. The controller neither reported the breach to the supervisory authority nor notified the affected data subject, assuming that the associated risk was negligible. The case was brought before the PUODO and later before the administrative court.
PUODO’s Position
The PUODO held that the disclosure of such a set of data, even concerning a single person, constitutes a serious personal data breach. According to the authority, it is not evidence of data misuse but the mere fact of disclosure that creates a high risk to the rights or freedoms of a natural person. What matters is the severity and potential impact of the breach, not the likelihood that the risk will materialize. Therefore, the obligation to notify was fully justified.
Regional Administrative Court (WSA) Ruling
The WSA disagreed with PUODO’s decision and ruled in favor of the controller. The Court held that the disclosure of data concerning a single individual did not pose a significant risk, particularly since the recipient of the file was known and did not use the information unlawfully. In the Court’s view, the authority failed to demonstrate that the situation could have led to serious negative consequences for the affected individual. The decision was overturned, leading to a cassation appeal.
Supreme Administrative Court (NSA) Assessment
The Supreme Administrative Court sided with PUODO, holding that the potential risk to the rights and freedoms of an individual is sufficient to classify the incident as a serious breach. The case will therefore be re-examined by the WSA. Data such as name, surname, and PESEL number can be exploited for identity theft, obtaining loans, or gaining access to medical services. Accordingly, the controller should have both reported the breach and notified the affected individual.
Risk Assessment Criteria
The NSA emphasized that the controller must assess the risk of a breach not based on subjective belief but using objective criteria — such as prior experience with similar cases or information security expertise. The relevant circumstances include the type and categories of data, the number of individuals affected, the context of the breach, and the possibility that third parties may exploit the data.
Threshold for Reporting
In order for a controller not to report a breach to PUODO, there must be a low probability that the incident will result in a risk to the rights or freedoms of individuals – not merely that no harm has yet occurred. The potential for such harm is enough to trigger the notification obligation. A high risk to the rights or freedoms of an individual is sufficient to require informing the data subjects.
Importance of the PESEL Number
The Court made it clear that the disclosure of a PESEL number poses a real threat. This identifier is widely used in dealings with financial institutions, as well as public and private entities. Combined with other personal data, it enables identity theft, fraud, or the taking out of credit in someone else’s name. Thus, its mere disclosure may constitute a high risk to an individual’s rights and freedoms.
Practical Implications
Each breach should be analyzed individually, taking into account the type of data and the possible consequences of disclosure. The controller should document the risk assessment process and the rationale behind the decision to report or not report the breach. Simply assuming that an incident is minor is insufficient — failure to report without justification may be considered a violation of Articles 33 and 34 of the GDPR and result in administrative fines.
Summary
The Supreme Administrative Court’s ruling serves as a reminder that the obligation to notify data subjects of a breach is not automatic but requires a careful and documented risk assessment. The key is a proportionate approach, grounded in the real consequences of data disclosure. In an era of increasing data incidents, every case should be treated seriously, with response procedures designed to protect not only data but also client trust.
Judgment of the Supreme Administrative Court (NSA) of 1 October 2025, case no. III OSK 1830/22, concerning PUODO decision of 21 June 2021, ref. DKN.5131.3.2021
