A template data processing agreement with a payroll services provider is not enough

Author

Michalina Kaczmarczyk

In June 2025, the Polish data protection authority (UODO) imposed a record fine of PLN 16,932,657 on a personal data controller (an employer). The employer had entrusted the processing of employee personal data to an external company in order to manage work schedules. The lack of a risk analysis for this process, the failure to implement appropriate safeguards and the failure to enforce the provisions of the data processing agreement led to the disclosure of personal data in a publicly accessible directory. As a result of an error, employees’ personal data – including high-risk data such as PESEL numbers and passport numbers – became accessible to unauthorised entities.

Unfulfilled obligations

A key element of the decision is the authority’s clear statement that a data controller (in this case, the employer) cannot adopt a passive approach after transferring processes (and consequently personal data) to a subcontractor. The supervisory authority formulated a number of critical remarks regarding the shortcomings:

Lack of a genuine risk analysis: UODO emphasised that, in this case, neither the controller nor the processor carried out a reliable risk analysis before commencing the data operations. Such an analysis should take into account specific threats arising from the nature of the services provided by the processor and the types of data being processed.

Superficial verification of the processor and a “blanket” agreement: Controllers often limit themselves to signing a data processing agreement (Article 28 GDPR), frequently using free template forms from the internet. They assume that the subcontractor “knows what they are doing.” UODO unequivocally stated that it is the controller’s obligation to verify whether the processor actually provides sufficient guarantees of implementing appropriate technical and organisational measures.

Failure to apply data minimisation: In this case, PESEL and passport numbers were processed in the system used to record working time. In the authority’s view, this violated the data minimisation principle (Article 5(1)(c) GDPR) – for identification purposes, data that expose employees to a lower risk of identity theft would have been sufficient.

Lack of supervision and audit: The controller did not exercise its right to inspect and audit the processor, which could have allowed the early detection of system configuration errors.

Ignoring the role of the DPO: It was found that the Data Protection Officer (DPO) was not involved in all matters relating to data protection, preventing them from properly advising on the planned data processing operations.

UODO’s decision is a clear signal of the standards expected by the supervisory authority. To avoid similar sanctions, organisations should implement the following mechanisms:

Active oversight of processors: “Paper” compliance, i.e. signing an off-the-shelf template agreement from the internet, is not enough. The controller must regularly monitor any entities entrusted with its personal data. Audits of subcontractors should become the norm, not the exception.

Implementing “Privacy by Design” and “Privacy by Default”: Already at the system design stage (e.g. recording working time), the scope of collected data should be limited to the absolute minimum, e.g. avoiding the use of PESEL or passport numbers for that purpose.

Use of risk analysis: Operations on large datasets, or transferring such datasets outside the organisation, should require a risk analysis. Such an analysis must be documented and should address specific threats.

Strengthening the role of the DPO: The DPO should have a genuine influence on decisions made within the organisation.

Incident reporting: An organisation should have an efficient system for detecting breaches and notifying both the supervisory authority and data subjects. In the case discussed, the lack of a swift response and direct notification contributed to the severity of the authority’s assessment.

Summary

The fine imposed sends a clear message that UODO pays close attention to the processing of employees’ personal data by employers. Entering into a template processing agreement with a contractor does not relieve employers of responsibility for outsourced processes. Once again, UODO also highlighted the need for caution when processing PESEL numbers. The fact that the Labour Code expressly allows an employer to obtain such information does not automatically mean that the employer may replicate it and place it freely in various datasets.