GDPR questions and answers

Category: DPO Challenges

Can public administration bodies, such as the Police, the Social Insurance Institution (ZUS), or municipal offices, be classified as trusted recipients?

ANSWER

In its latest guidance, the Polish Data Protection Authority (UODO), when defining a trusted recipient, places particular emphasis on the following two aspects:

  • maintaining an ongoing relationship with the recipient (e.g., through close business cooperation or a shared organizational structure);
  • having knowledge of important details concerning the recipient (e.g., its security procedures and a history of positive cooperation in similar situations).

Therefore, if these elements are absent in the circumstances of a particular data breach, there are no grounds for automatically considering such authorities to be trusted recipients.

The guidance expressly states that each case requires an individual assessment, and no entity can be regarded as a "trusted recipient" by default.

A similar conclusion can be drawn from one of the recent decisions of the President of the Polish Data Protection Authority (Case No. DKN.5131.1.2024), concerning a bank as a public-trust institution that simultaneously acted as an unauthorized, accidental recipient of personal data.

In that decision, the authority categorically stated that:

"In order to conclude that, in a specific situation, personal data has been disclosed to a trusted unauthorized recipient, there must be circumstances in which the data controller maintains an ongoing relationship with the recipient and may be familiar with its procedures, history, and other relevant details, enabling that recipient to be regarded as 'trusted'."

The decision further noted that:

"The evidence gathered shows that employees of another bank became acquainted with the set of documents. However, there is no indication that the controller and the third party had entered into any agreements or developed procedures for such circumstances, which would be crucial to effectively minimize the risk of consequences arising from a personal data breach and to support the conclusion that the unauthorized recipient was a trusted recipient."

The authority also emphasized that:

"Adopting the opposite view (...) would effectively lead to a form of automatism, whereby every case in which the unauthorized recipient was an entity acting lawfully would result in that entity being considered a trusted recipient. Such an approach could lead to unjustified failures to notify data subjects of personal data breaches in situations involving a high risk to their rights or freedoms."

In line with this, the European Data Protection Board (EDPB), in its guidance, did not consider the mere fact that an unauthorized recipient operates within the law to be sufficient for classification as a trusted recipient. Instead, it requires the existence of an ongoing relationship with that recipient, allowing the controller to be familiar with the recipient's procedures, history, and other relevant details.
