The development of technology and the ever-increasing importance of data as a resource pose particular challenges for protecting data against leaks. Data leaks may entail not only administrative consequences under the General Data Protection Regulation (GDPR) but also civil liability towards contractors whose interests have been violated.

The aim of this study is to analyze the basis of civil liability in a situation where an entrepreneur has failed to implement an adequate information security policy and his contractor has suffered damage as a result of a data leak.

Scope of responsibilities regarding personal data security

Pursuant to Article 24(1) of the GDPR, the controller is required to implement appropriate technical and organizational measures to ensure that processing is carried out in accordance with this Regulation. These measures should be appropriate to the nature, scope, context, and purposes of the processing, and the risk to the rights and freedoms of natural persons.

Here, the internal information security policy plays a key role, including access rights management, incident response procedures, password policy, data storage and encryption policies, and employee training.

Civil liability – legal basis and conditions

If data leakage occurs due to lack of adequate security measures, civil liability may be based on:

  • the contractual regime, in accordance with Article 471 of the Civil Code (CC), when the damage results from improper performance of a contractual obligation (e.g. a cooperation agreement or a data processing agreement),
  • the tort regime, based on Article 415 of the Civil Code, in the event of a breach of general principles of diligence or of legal provisions, when there is no obligational relationship between the parties,
  • Article 82 of the GDPR, which allows a natural person whose data have been breached to seek compensation from the controller or processor.

In the context of business relationships, the key provision is Article 471 of the Civil Code, which stipulates that a debtor is obligated to redress damage resulting from non-performance or improper performance of an obligation, unless they can demonstrate that the non-performance or improper performance was caused by circumstances for which they are not responsible. Therefore, the existence of the obligation, its improper performance, damage to the contractor, and a causal link between the breach and the damage must be demonstrated.

The significance of the lack of an information security policy as a breach of due diligence

The Court of Justice of the European Union has repeatedly recognized the duty of due diligence in protecting personal data. On December 14, 2023, the CJEU issued a judgment in Case C-340/21, according to which any person who has suffered material or non-material damage as a result of an infringement of this Regulation has the right to obtain compensation from the controller or processor for the damage suffered. Importantly, the CJEU found that the mere fear of future use of personal data by third parties satisfies the criterion of "non-material damage."

Similarly, in relations between contractors, failure to implement adequate technical and organizational measures (including a formal security policy) may constitute evidence of gross negligence and thus provide a basis for liability for damages suffered by the other party.

Practical consequences and claims

In the event of a data leak, the injured contractor may claim, among other things:

  • reimbursement of costs incurred in connection with the breach (e.g. audits, notifications to individuals, PR services),
  • compensation for image damage,
  • compensation for violation of personal rights (if the data concerned his employees or clients),
  • recourse against administrative penalties (e.g. under appropriate contractual provisions).

The ultimate extent of liability depends on the circumstances of the specific case and whether a causal link between the security policy deficiencies and the resulting damage can be demonstrated.

Conclusions

Under current law, failure to implement an information security policy may constitute grounds for civil liability – for both individuals and businesses. Equally important is the fact that a data leak can severely damage a company's reputation, built over the years, which can lead to difficulties attracting new customers and the departure of existing ones, which will ultimately impact the organization's financial performance.

Having an up-to-date and effectively implemented information security policy should therefore be regarded as the standard for every professional participant in business transactions.

This article is for informational purposes only and does not constitute legal advice.
The law is current as of August 19, 2025.
