Is sending an email containing personal data to the wrong addressee a data breach? The Polish Data Protection Authority sanctioned the telecom operator P4 on P4 Sp. z o.o. with a PLN 250,000 fine (c.a. EUR 53.000) as it did not notify the Authority and the personal data subjects of having sent a contract to the wrong person. The company did not consider the incident a data breach and therefore did not notify relevant parties accordingly. The data subject initiated the proceeding before the said DPA, and only after the company notified the personal data breach to the supervisory authority and communicated it to the subscriber. Find the decision in Polish here.
