
GDPR: Penalties for Non-Compliance and Review of Security Aspects


The UODO penalizes serious data security failings committed in disregard of GDPR compliance.

The fine imposed by the UODO (Polish Data Protection Authority) on a press organization reveals serious data security failings, thereby raising crucial questions about how organizations must manage the protection of personal data in accordance with the GDPR.

This decision, handed down on 6 March 2025, illustrates the vigilance of regulatory authorities in their mission to ensure the security and integrity of data, pursuant to Articles 24(1) and 32 of the GDPR, which govern the obligation to ensure secure data processing conditions. Beyond the fine of 56,824 PLN, this case is part of a broader context in which the precise assessment of risks and the updating of privacy policies are essential. The stakes are all the higher for professionals in the sector, as they demonstrate the importance of a robust and up-to-date data security strategy in the face of constantly evolving regulatory requirements.

In this article, we will examine the infringements identified by the UODO, how the security shortcomings were determined, and what implications this has for other data controllers.


What were the infringements identified by the UODO under the GDPR?

The investigation conducted by the UODO (Polish Data Protection Authority) brought to light significant infringements in the area of data security, demonstrating critical deficiencies in the personal data management practices of a press organization. This ex officio investigation revealed that the data controller had failed to meet several obligations laid down by the GDPR, which are essential to guarantee the protection of individuals' data. The main infringements identified are as follows:

  • Absence of a risk analysis for the processing of personal data, which constitutes a direct violation of Article 24(1) of the GDPR.
  • The controller's data protection and IT security policies had not been reviewed or updated, resulting in inadequate system security.
  • The devices used were not encrypted, contrary to the requirements of their own IT security policy.
  • Absence of internal policies to ensure that personal data was published in accordance with Polish law.

These shortcomings led to a severe conclusion: the controller failed to ensure the secure processing of personal data, thereby violating Articles 32(1) and (2) of the GDPR. Furthermore, it is important to note that the press organization in question was in liquidation at the time of the investigation and did not submit a defense, adding to the seriousness of the situation. This raises essential questions about the responsibility of companies regarding data protection and its management in crisis situations. A lawyer specializing in software and database law can assist you in setting up compliant security systems and in managing the risks associated with data processing.

In short, the infringements identified by the UODO underscore the crucial importance of risk analysis and regular updates to privacy policies in order to avoid such financial penalties and to preserve user trust. This situation highlights how essential it is for data controllers to maintain high standards in data security and data protection practices.


How was the failure to comply with data security obligations determined?

The analysis of the failings observed by the UODO highlighted a manifest failure to comply with data security obligations, as set out by the GDPR and national legislation. The shortcomings were identified through a series of audits and assessments that revealed the following issues:

  • A significant absence of security protocols appropriate to the risks associated with the processing of personal data, in breach of Article 32 of the GDPR, which requires appropriate technical and organizational measures.
  • Reports confirm that the security measures did not comply with industry best practices, which jeopardized the confidentiality and integrity of the data.
  • The monitoring and supervision of access to personal data was not carried out adequately, resulting in vulnerabilities exploitable by third parties.

These failings revealed a culture of non-compliance within the company, where data protection appeared to be a secondary concern. Indeed, the way in which personal data was processed exposed flaws in staff training regarding privacy policies and data management. This state of affairs is not without impact on other organizations. The company at fault also lacked an incident management policy in the event of a data breach, which is nonetheless required for a swift and effective response under Article 33 of the GDPR.

This once again underscores that data protection cannot be regarded as a secondary element in an organization's overall strategy. Thus, this case highlights the need for all companies, regardless of their sector of activity, to implement adequate security measures and to cultivate a collective awareness of data protection. Given the rapid evolution of the regulatory landscape, it is essential that organizations regularly reassess their data security policies to ensure their compliance with the expectations of regulatory authorities. Achieving adequate levels of security is all the more pressing at a time when data breaches are proliferating, making compliance with the GDPR not only a legislative imperative but also a matter of trust between companies and consumers.


What are the implications for other data controllers?

The consequences of this UODO decision extend well beyond the press organization targeted. Indeed, this case sheds light on crucial issues concerning the responsibility of data controllers in implementing the obligations laid down by the GDPR. The implications are significant for other companies, in particular:

Data protection: implications for other data controllers

Implication                  | Description
Heightened vigilance         | Rigorous risk analysis and regular updating of privacy policies.
Ongoing training             | Training programs on data security and protection (Art. 24 and 32 GDPR).
Documentation and compliance | Document security and processing procedures, assess and record risks.
Proactive approach           | Anticipate threats and put preventive measures in place.

Provided for informational purposes only; does not constitute legal advice.

The UODO clearly indicated that even controllers engaged in journalistic activities, as was the case here, cannot escape the requirement to guarantee data security. Article 85 of the GDPR does indeed allow certain derogations, but not with respect to Articles 24 and 32, which reaffirms the obligation for everyone to comply with security standards in the area of data processing.

Other organizations must be aware that integrating security requirements into their day-to-day operations is not only an act of compliance, but also an investment in the trust of their clients and users. This case is a reminder that data protection must never be regarded as a mere formality, but as a key element of corporate strategy.

To learn more

Why was a press organization penalized by the UODO?

The Polish data protection authority (UODO) penalized a press organization for serious data security failings. The decision, handed down on 6 March 2025, is based on Articles 24(1) and 32 of the GDPR, which require ensuring secure processing conditions.

What do Articles 24(1) and 32 of the GDPR provide for?

Articles 24(1) and 32 of the GDPR require the data controller to implement appropriate measures to guarantee the security of personal data. Failure to comply, as in the UODO decision, exposes the controller to financial penalties and to having its compliance called into question.

What was the amount of the fine imposed by the UODO?

The UODO imposed a fine of 56,824 PLN on the press organization concerned. Beyond the amount, the case illustrates the vigilance of regulatory authorities in their mission to ensure the security and integrity of personal data.

Why is risk assessment essential in data security?

A precise risk assessment makes it possible to identify vulnerabilities and to define appropriate security measures. The UODO decision underscores that this assessment, combined with the updating of privacy policies, is essential to a robust security strategy.

What should a compliant data security strategy contain?

A compliant strategy is based on a risk assessment, appropriate technical and organizational measures, regular updating of privacy policies, and documentation of compliance. These elements meet the requirements of Articles 24 and 32 of the GDPR.

Should privacy policies be updated?

Yes. The UODO decision is a reminder of the importance of regularly updating privacy policies in light of evolving risks. A static policy no longer reflects the reality of processing operations and weakens GDPR compliance in terms of security.

What are the consequences of a data security failing?

A failure to meet the GDPR's security obligations exposes the organization to financial penalties imposed by the supervisory authority, as illustrated by the UODO's fine, as well as to reputational harm. Data security is therefore a major concern for organizations.

Is a lawyer useful for data security?

A lawyer specializing in personal data law helps to assess risks, to structure a security strategy compliant with Articles 24 and 32 of the GDPR, and to update privacy policies. This support limits exposure to penalties.
