GDPR misunderstanding blamed for father’s thwarted search for daughter

It seems that a misunderstanding over how GDPR should be applied was responsible for thwarting a distraught father trying to find his daughter after an accident.

Legitimate interest. GDPR may feel like a legal quagmire, but actually, there is a lot of common sense to it. And of all the legal ways in which data can be processed, legitimate interests could perhaps be called the common-sense basis.  Sure, there can be ambiguity-but isn’t that the point? Common-sense is not something you can write an algorithm for. There are no hard and fast rules.

Besides, another legal basis covered by GDPR says that processing is necessary in order to protect the vital interests of the data subject or of another natural person.

For the father concerned, the event must have been traumatic. GDPR got the blame, but the real culprit may have been scare stories in the media.

It happened in Poland. A school bus was involved in a crash with a lorry. The father of a school girl involved in the crash, Jozef Dmowski, said that “Our daughter called us to say she was not seriously injured and that we shouldn’t worry.”

Then things went wrong. Mr Dmowski said: “But soon after her phone’s battery died. We were trying to reach the hospitals but it was a horribly difficult task to get any information”.

This is where GDPR entered the story.

A government spokesperson said: “An erroneous and exaggerated interpretation of GDPR,” by medics meant they were reluctant to supply the father with the information he needed on where his daughter was.

The spokesman continued:

“On behalf of the Ministry of Digitisation, I assure you that I will do my utmost care to make hospitals more sensitive to a more rational approach to the subject.

“Of course, it can not be that we get all the information about patients by phone, but it is possible to use methods that authenticate the caller as a parent.

“In many cases, the processing of such data is justified by the so-called protection of the vital interests of people, as mentioned in the GDPR.”

The Daily Express headlined: “Father’s fury as EU’s GDPR sees doctors refuse to reveal injured daughter’s whereabouts.” The reality is that GDPR is not the bureaucratic monstrosity as some people claim. At heart, it’s about the belief that privacy is a human right, but this does not mean common-sense cannot be applied when a parents’ human right to care for their children or a child’s human right to be cared for is entailed.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.