In a groundbreaking ruling, the President of the Personal Data Protection Office (UODO) in Poland, Mirosław Wróblewski, has levied unprecedented fines totaling 27 million PLN against Poczta Polska (Polish Post) and 100,000 PLN against the Minister of Digital Affairs. This landmark decision came about due to unlawful processing of the personal data of nearly 30 million Polish citizens during the controversial postal elections of 2020.
On March 17, 2025, following extensive investigations, UODO announced that the breaches occurred when the personal information of adults listed in the PESEL register was shared without the legal basis required for such exchanges. The fines imposed on the entities are the highest penalties recorded in the history of the Office, reflecting the severity of the offenses.
The origins of this case date back to the attempts to organize postal elections amid the COVID-19 pandemic in 2020. The Prime Minister issued an administrative decision on April 16, 2020, authorizing Poczta Polska to prepare for these elections. A week later, on April 22, the Minister of Digital Affairs provided Poczta Polska with sensitive data extracted from the PESEL register, including numbers, names, registered addresses, and details of temporary departures abroad—all crucial for identifying voters.
However, after the elections were eventually canceled on May 10, 2020, the data was stored and only destroyed between May 15 and May 22. This period led to multiple complaints lodged by Polish citizens with UODO regarding the unauthorized access and processing of their personal information.
In his decision, Wróblewski emphasized that the unlawful sharing of personal data from the PESEL register "endangered the proper exercise of rights granted to citizens under the Constitution." He noted that the right to privacy, dignity, and good name are fundamental rights that all citizens hold.
This ruling not only imposes heavy financial penalties on Poczta Polska and the Minister of Digital Affairs, but it also opens avenues for burned citizens to pursue legal claims independently. According to Wróblewski, "The scale of the violation was enormous, affecting nearly 80% of Poland's population,” giving rise to fears about how their data was handled and whether it might be misused in the future.
The implications of this ruling are profound for data protection standards within Poland's public sector, particularly concerning Poczta Polska as a state-owned enterprise. As a public body, Poczta Polska is bound to adhere to the highest standards concerning data privacy, demanding rigorous compliance with applicable laws.
While the fines represent a significant step toward accountability in this case, the finality of UODO's decisions is not yet secure, as both Poczta Polska and the Minister have the option to appeal. Yet, should the penalties be upheld, they may result in further repercussions for individuals involved in the decision-making that led to the data breaches.
This decision serves as a cautionary tale for data administrators within Poland and poses a challenge to other entities managing personal information. It emphasizes the need for stringent adherence to data protection laws and the ramifications of failing to protect citizens' rights diligently.
Additionally, the decision invites scrutiny over prior administrative actions and may lead to a reevaluation of how data is treated within the public sector going forward. With potential civil actions looming against those responsible for the infractions, it remains critical for citizens to understand their rights under data protection regulations.
As this situation unfolds, the understanding of personal data management will likely be reshaped, affecting how Polish institutions interact with their citizens regarding data privacy moving forward.
The ruling underscores the importance of transparency and accountability in governmental operations, especially when it concerns the delicate matter of citizen data. As data breaches become a common occurrence in the modern age, lessons learned from this case could guide the implementation of more robust data protection frameworks across Poland and beyond.
In light of UODO's decisive action, there is hope that citizens will reclaim control over their personal information and that public institutions will enforce adherence to legal guidelines stringently in the future, leading to enhanced security and trust in public disciplines.
