Serious financial penalties for failing to secure HR processes

Author

Michalina Kaczmarczyk

The President of the Polish Data Protection Office (UODO) imposed a fine of almost PLN 17 million on a data controller for data protection breaches related to outsourcing HR processes. The penalty concerned serious violations of personal data security principles, leading to a data leak involving employees’ PESEL numbers and passport numbers. Additionally, after discovering the incident, the controller failed to properly inform staff about the breach or its potential consequences.

The amount of the fine was influenced not only by the scale of the breach (affecting many employees), but also by:

  • the lack of risk analysis and security assessment of the HR service provider;
  • inadequate supervision of the processor entrusted with creating employee schedules;
  • excluding the Data Protection Officer (DPO) from the processes;
  • the failure to implement the principle of data minimisation – PESEL numbers were transferred for the purpose of creating work schedules;
  • notifying the affected employees only through press releases.

This is a clear message from the UODO: entrusting data to another entity does not relieve the employer of responsibility. Employers must actively supervise data processing activities and ensure appropriate security measures are in place. Simply signing an off-the-shelf data processing agreement downloaded from the internet is not enough.

Find more articles in PRO HR July 2025.