Poland: Issued interm ruling in UODO lawsuit over data leak from pandabuy platform

On 15 October 2024, the District Court for Warsaw-Śródmieście mandated the District Prosecutor's Office for Warszawa Śródmieście-Północ to investigate the data leak impacting Polish customers of the pandabuy platform. On 29 April 2024, the Personal Data Protection Office (UODO) had notified the prosecutor's office of a suspected crime involving the unauthorised leak of personal data from pandabuy platform, which included names, email addresses, phone numbers, and other information belonging to approximately 1.3 million customers worldwide, including those in Poland. This leaked data was later used to create an interactive map of Poland displayed on certain websites, violating personal data protection laws. Initially, the prosecutor’s office declined to investigate, citing insufficient grounds to proceed. In response, the UODO President filed a formal complaint. Upon review, the court found the evidence sufficient under Article 107(1) of the Personal Data Protection Act, ruling that the prosecutor's refusal was unjustified. The court determined that the data leak contravened both the Personal Data Protection Act and the GDPR, which regulate penalties for unauthorised data processing. As a result, the prosecutor’s office is now required to pursue an investigation, with potential penalties including fines, restriction of liberty, or imprisonment.