Personal Data Protection Office of Poland

03/10/2026 | Press release | Archived content

The Supreme Administrative Court fully upheld the decision of the President of the Personal Data Protection Office imposing a fine on Santander Bank Polska S.A.

The Supreme Administrative Court agreed with the President of the Personal Data Protection Office that, by failing to properly communicate a personal data breach to individuals, the bank violated the provisions of the GDPR. The President of the Personal Data Protection Office imposed a fine of PLN 545,748 for the infringement of Article 34(1) GDPR and ordered the bank to promptly notify employees (as their data had been compromised), including informing them about the potential consequences of the incident and the measures they could take to protect themselves against its negative effects.

On 6 March 2026, the Supreme Administrative Court dismissed the company's cassation appeal. In doing so, it fully upheld the earlier judgment of the Voivodeship Administrative Court in this case, which had also ruled in favour of the President of the Personal Data Protection Office. In particular, the Supreme Administrative Court disagreed with the complainant's argument that the data had been accessed by a trusted person/recipient, and that there was therefore no high risk of a breach of the rights or freedoms of natural persons. According to the Court, what matters in this case is not whether an unauthorised person actually became acquainted with the personal data of others, but the fact that such a risk occurred (i.e. that the person was able to access the data). Consequently, given the scope of the data involved, there was a high risk to the rights or freedoms of data subjects. This is because the PUE ZUS (Electronic Services Platform of the Social Insurance Institution; hereinafter: ZUS Electronic Services Platform) allows access to data such as names and surnames, personal identification numbers, residential or correspondence addresses, as well as information on sick leave, which constitutes health data and thus falls within a special category of personal data.

Unauthorised access to employees' data from the ZUS Electronic Services Platform

The incident notified by Santander Bank Polska S.A. to the Personal Data Protection Office arose because a former employee's access to the ZUS Electronic Services Platform had not been revoked. As a result, even after leaving the bank, he retained access to other employees' data on the company's payer profile in this platform. Moreover, further proceedings showed that over a period of eight months he logged into the platform as many as five times after his employment contract had already expired.

The President of the Personal Data Protection Office, after analysing the notification, concluded that a data confidentiality breach had occurred and, moreover, that it gave rise to a high risk to the rights or freedoms of the individuals concerned. Therefore, the authority ordered the controller to inform those individuals about the breach. However, Santander Bank Polska S.A., following its own assessment, considered that no infringement of the GDPR had taken place and that the incident had been notified merely "as a precaution." Furthermore, the company stated that there was no need to inform employees about the incident, as it did not pose a high risk to their rights or freedoms. Instead, only a notice reminding employees of the rules for processing personal data was posted on the company's internal communication platform.

The Personal Data Protection Office: individuals whose data has been breached must be informed

However, the President of the Personal Data Protection Office noted that this information was too general and only referred to example types of breaches. It did not indicate that an actual incident had occurred, so the recipients had no reason to take action to protect their data. The purpose of the obligation to inform data subjects about a data breach is precisely to enable them to take such protective measures and respond appropriately.

The supervisory authority also emphasised that the information on the internal platform could only reach current employees of the bank, whereas the breach potentially involved the data of former employees as well. Therefore, all conditions for notifying those individuals were met, especially since the incident posed a high risk to them: data from the ZUS Electronic Services Platform could be used, for example, to obtain information about a person's health or to take out a loan in the name of the data subject. An additional aggravating factor for the controller was that, during the proceedings, it consistently maintained that it saw no need to communicate the incident to the data subjects.

DKN.5131.33.2021

Personal Data Protection Office of Poland published this content on March 10, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on April 02, 2026 at 07:13 UTC.