Former Employee Accessed Databases, Administrator Will Pay a Fortune: NSA Ruling
The Polish Supreme Administrative Court upheld a hefty fine against a bank for a data breach involving a former employee who accessed sensitive information after leaving the company.
The Polish Supreme Administrative Court (NSA) ruled against a bank that failed to promptly notify affected individuals about a data breach in accordance with GDPR regulations. The bank had been penalized over half a million zlotys for not adequately securing sensitive employee data after a former employee retained access to the bank's Electronic Service Platform. This employee was able to log in and view confidential information, including personal details and medical leave data of current employees.
The incident highlights significant lapses in data protection measures and the responsibilities of organizations under GDPR. Although the bank reported the data breach to the President of the Personal Data Protection Office (UODO), they chose not to inform the 10,500 affected individuals, arguing that the former employee's prior access to the system limited the need for such notifications. However, the court found that the lack of timely notification was a violation of the data protection regulations.
This ruling serves as a stern warning to organizations regarding their obligations under data protection laws. The adjudication emphasizes the need for strict control over access to sensitive data, especially when an employee leaves. It also underscores the potential financial repercussions for failing to comply with GDPR, reinforcing the importance of safeguarding personal data and conducting regular audits of user access rights.
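The control the court's reasoning points at, removing access when an employee leaves and periodically auditing who still holds it, is the kind of check an offboarding audit script can perform. The following is an added example written for this page; it is not code from the bank, the court or the ruling, and all of its data is constructed: a hypothetical HR leaver register, a hypothetical account list for an internal service platform, and a few made-up login log lines in an assumed syslog-like format. It joins the three sources and reports accounts that remain enabled after the owner's last working day, as well as any login or login attempt recorded after that date.

```python
import re
from datetime import date, datetime

# Constructed HR leaver register (hypothetical): username -> last working day.
HR_LEAVERS = {
    "j.kowalski": date(2024, 1, 31),
    "a.nowak": date(2024, 3, 15),
}

# Constructed account export from a hypothetical internal service platform.
PLATFORM_ACCOUNTS = [
    {"user": "j.kowalski", "enabled": True, "roles": ["hr_view"]},
    {"user": "a.nowak", "enabled": False, "roles": ["hr_view"]},
    {"user": "m.wisniewska", "enabled": True, "roles": ["hr_view"]},
]

# Constructed login log lines in an assumed format (not a real product's log).
LOGIN_LOG = """\
2024-02-10T08:12:05Z login user=j.kowalski src=203.0.113.7 result=success
2024-03-01T09:00:00Z login user=m.wisniewska src=198.51.100.4 result=success
2024-03-20T18:45:11Z login user=a.nowak src=203.0.113.9 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_login_log(text):
    """Parse the assumed log format into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def audit_leaver_access(accounts, leavers, events, as_of):
    """Return findings for leavers whose access outlived their last working day.

    A finding is raised when a leaver's account is still enabled on `as_of`,
    and for every login (success or failure) logged after the leaving date.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        left_on = leavers.get(user)
        if left_on is None or as_of < left_on:
            continue  # current employee, or a leaver whose last day is still ahead
        if acct["enabled"]:
            findings.append({
                "user": user,
                "issue": "account_still_enabled",
                "detail": f"left {left_on.isoformat()}, roles={acct['roles']}",
            })
        for ev in events:
            if ev["user"] != user or ev["ts"].date() <= left_on:
                continue
            issue = ("post_termination_login" if ev["result"] == "success"
                     else "post_termination_attempt")
            findings.append({
                "user": user,
                "issue": issue,
                "detail": f"{ev['ts'].isoformat()} from {ev['src']}",
            })
    return findings


def run_audit(as_of=date(2024, 4, 1)):
    """Run the audit over the constructed data as of a hypothetical audit date."""
    events = parse_login_log(LOGIN_LOG)
    return audit_leaver_access(PLATFORM_ACCOUNTS, HR_LEAVERS, events, as_of)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['issue']:<28} {f['user']:<14} {f['detail']}")
```

On the constructed data the audit flags j.kowalski twice (account still enabled, and a successful login ten days after leaving) and a.nowak once (a failed attempt after the account was disabled, which is worth knowing about even though the disable worked); m.wisniewska, a current employee, produces no finding. Running a check like this on a schedule, with the HR register as the source of truth, is what turns "regular audits of user access rights" into something measurable.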