Administrative fine of EUR 24 000 imposed by the Polish Data Protection Authority on an insurance company for breach of Articles 35 and 83 of the GDPR
The National Centre for Personal Data Protection (NCPDP), for information and enforcement purposes, communicates about the administrative fine in the amount of EUR 24,000 imposed by the Polish Data Protection Authority (SA) on an insurance company for violation of Article 35 (Data Protection Impact Assessment) and 83 (General conditions for imposing administrative fines) of the GDPR.
The Polish SA was informed that an unauthorised recipient had received, as an e-mail attachment, a document confirming the granting of compensation. The e-mail from the insurance company contained personal data such as: name, surname, postal address, model and registration number of the car, policy number and the amount of compensation granted. The unauthorised recipient informed the insurance company that he had received an e-mail with an attachment containing another person’s personal data, but received no reply.
Following the investigation, the Polish SA decided to impose an administrative fine under Article 83(2)(a) of the GDPR, taking into account aggravating circumstances such as: the long duration of the breach, its intentional nature, the finding of a breach of data protection regulations in other ongoing proceedings against the company, and the unsatisfactory level of cooperation with the Supervisory Authority.
At the same time, the Polish SA pointed out that the company is subject to specific obligations imposed by Article 35(1) of the Law of 11 September 2015 on insurance and reinsurance activities, according to which the insurance company and its employees, as well as persons and entities through which it carries out insurance operations, are obliged to keep the individual insurance contract secret.
The NCPDP, as the national supervisory authority for personal data processing, emphasises the responsibility of personal data controllers to comply with the provisions of the legislative framework for personal data protection and to ensure that personal data processing operations comply with the legislation in force.