The fine imposed by the UODO (Polish Data Protection Authority) on a press organization reveals serious data security failings, thereby raising crucial questions about how organizations must manage the protection of personal data in accordance with the GDPR.
This decision, handed down on 6 March 2025, illustrates the vigilance of regulatory authorities in their mission to ensure the security and integrity of data, pursuant to Articles 24(1) and 32 of the GDPR, which govern the obligation to ensure secure data processing conditions. Beyond the fine of 56,824 PLN, this case is part of a broader context in which the precise assessment of risks and the updating of privacy policies are essential. The stakes are all the higher for professionals in the sector, as they demonstrate the importance of a robust and up-to-date data security strategy in the face of constantly evolving regulatory requirements.
In this article, we will examine the infringements identified by the UODO, how the security shortcomings were determined, and what implications this has for other data controllers.
The investigation conducted by the UODO (Polish Data Protection Authority) brought to light significant infringements in the area of data security, demonstrating critical deficiencies in the personal data management practices of a press organization. This ex officio investigation revealed that the data controller had failed to meet several obligations laid down by the GDPR, which are essential to guarantee the protection of individuals' data. The main infringements identified are as follows:
These shortcomings led to a severe conclusion: the controller failed to ensure the secure processing of personal data, thereby violating Articles 32(1) and (2) of the GDPR. Furthermore, it is important to note that the press organization in question was in liquidation at the time of the investigation and did not submit a defense, adding to the seriousness of the situation. This raises essential questions about the responsibility of companies regarding data protection and its management in crisis situations. A lawyer specializing in software and database law can assist you in setting up compliant security systems and in managing the risks associated with data processing.
In short, the infringements identified by the UODO underscore the crucial importance of risk analysis and regular updates to privacy policies in order to avoid such financial penalties and to preserve user trust. This situation highlights how essential it is for data controllers to maintain high standards in data security and data protection practices.
The analysis of the failings observed by the UODO highlighted a manifest failure to comply with data security obligations, as set out by the GDPR and national legislation. The shortcomings were identified through a series of audits and assessments that revealed the following issues:
These failings revealed a culture of non-compliance within the company, where data protection appeared to be a secondary concern. Indeed, the way in which personal data was processed exposed flaws in staff training regarding privacy policies and data management. This state of affairs is not without impact on other organizations. The company at fault also lacked an incident management policy in the event of a data breach, which is nonetheless required for a swift and effective response under Article 33 of the GDPR.
This once again underscores that data protection cannot be regarded as a secondary element in an organization's overall strategy. Thus, this case highlights the need for all companies, regardless of their sector of activity, to implement adequate security measures and to cultivate a collective awareness of data protection. Given the rapid evolution of the regulatory landscape, it is essential that organizations regularly reassess their data security policies to ensure their compliance with the expectations of regulatory authorities. Achieving adequate levels of security is all the more pressing at a time when data breaches are proliferating, making compliance with the GDPR not only a legislative imperative but also a matter of trust between companies and consumers.
The consequences of this UODO decision extend well beyond the press organization targeted. Indeed, this case sheds light on crucial issues concerning the responsibility of data controllers in implementing the obligations laid down by the GDPR. The implications are significant for other companies, in particular:
The UODO clearly indicated that even controllers engaged in journalistic activities, as was the case here, cannot escape the requirement to guarantee data security. Article 85 of the GDPR does indeed allow certain derogations, but not with respect to Articles 24 and 32, which reaffirms the obligation for everyone to comply with security standards in the area of data processing.
Other organizations must be aware that integrating security requirements into their day-to-day operations is not only an act of compliance, but also an investment in the trust of their clients and users. This case is a reminder that data protection must never be regarded as a mere formality, but as a key element of corporate strategy.
To learn more
The Polish data protection authority (UODO) penalized a press organization for serious data security failings. The decision, handed down on 6 March 2025, is based on Articles 24(1) and 32 of the GDPR, which require ensuring secure processing conditions.
Articles 24(1) and 32 of the GDPR require the data controller to implement appropriate measures to guarantee the security of personal data. Failure to comply, as in the UODO decision, exposes the controller to financial penalties and to having its compliance called into question.
The UODO imposed a fine of 56,824 PLN on the press organization concerned. Beyond the amount, the case illustrates the vigilance of regulatory authorities in their mission to ensure the security and integrity of personal data.
A precise risk assessment makes it possible to identify vulnerabilities and to define appropriate security measures. The UODO decision underscores that this assessment, combined with the updating of privacy policies, is essential to a robust security strategy.
A compliant strategy is based on a risk assessment, appropriate technical and organizational measures, regular updating of privacy policies, and documentation of compliance. These elements meet the requirements of Articles 24 and 32 of the GDPR.
Yes. The UODO decision is a reminder of the importance of regularly updating privacy policies in light of evolving risks. A static policy no longer reflects the reality of processing operations and weakens GDPR compliance in terms of security.
A failure to meet the GDPR's security obligations exposes the organization to financial penalties imposed by the supervisory authority, as illustrated by the UODO's fine, as well as to reputational harm. Data security is therefore a major concern for organizations.
A lawyer specializing in personal data law helps to assess risks, to structure a security strategy compliant with Articles 24 and 32 of the GDPR, and to update privacy policies. This support limits exposure to penalties.