UODO (Poland) - DKN.5131.29.2022: Difference between revisions

From GDPRhub
m (Reverted edits by Nzm (talk) to last revision by Mg)
Tags: Rollback Reverted
m (Made redirect more explicit)
 
(5 intermediate revisions by 2 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=UODO
|Original_Source_Name_1=UODO
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKN.5131.59.2022
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKN.5131.29.2022
|Original_Source_Language_1=Polish
|Original_Source_Language_1=Polish
|Original_Source_Language__Code_1=PL
|Original_Source_Language__Code_1=PL
Line 19: Line 19:
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=


|Type=Investigation
|Type=Complaint
|Outcome=Violation Found
|Outcome=Upheld
|Date_Started=08.12.2022
|Date_Started=
|Date_Decided=12.03.2024
|Date_Decided=07.09.2022
|Date_Published=
|Date_Published=
|Year=2024
|Year=2022
|Fine=330,000
|Fine=529
|Currency=EUR
|Currency=EUR


|GDPR_Article_1=Article 33(1) GDPR
|GDPR_Article_1=Article 28(1) GDPR
|GDPR_Article_Link_1=Article 33 GDPR#1
|GDPR_Article_Link_1=Article 28 GDPR#1
|GDPR_Article_2=Article 33(3) GDPR
|GDPR_Article_2=Article 28(3) GDPR
|GDPR_Article_Link_2=Article 33 GDPR#3
|GDPR_Article_Link_2=Article 28 GDPR#3
|GDPR_Article_3=Article 34(1) GDPR
|GDPR_Article_3=Article 28(9) GDPR
|GDPR_Article_Link_3=Article 34 GDPR#1
|GDPR_Article_Link_3=Article 28 GDPR#9
|GDPR_Article_4=
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_Link_4=
Line 49: Line 49:
|National_Law_Link_2=
|National_Law_Link_2=


|Party_Name_1=
|Party_Name_1=Sułkowice Cultural Center
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=


|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=nzm
|Initial_Contributor=
|
|
}}
}}
 
<big>Looking for '''decision [https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5131.59.2022 DKN.5131.59.2022]''' (a bank failing to notify about a data breach, from the '''25.04.2024 newsletter''')? Due to a technical error it is [https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5131.59.2022 here], we apologize for any inconvenience</big>
The DPA imposed a PLN 1,440,549 (€330,000) fine on a bank for failing to notify the DPA and the data subjects of a data breach concerning banking documents which contained numerous personal data, including names and national identification numbers.
The Polish DPA fined a cultural organisation €529 for not concluding a written agreement under [[Article 28 GDPR]] with its processor.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In November 2018, an article was published regarding the publication of banking documents from Santander Bank Polska S.A. (“controller”), which were found in an abandoned parcel on a housing estate after the parcel had been stolen during transport. The Polish DPA (“UODO”) requested the controller to clarify whether it had notified the DPA and the data subjects of this data breach. The UODO also asked the controller to indicate the number of persons affected by the breach and to explain what measures it had taken to minimize the risk of this type of event occurring again.
In May 2020, the Polish DPA received a notification of a personal data breach caused by the Sułkowice Cultural Centre (the controller). The data breach affected 30 persons, including employees of the controller. The DPA initiated an investigation, in which it found that the controller had entrusted the processing of personal data to an entity (the processor) without entering into a written data processing agreement. Moreover, the controller had not verified whether the processor provided sufficient guarantees of the implementation of appropriate technical and organisational measures in accordance with the GDPR.
 
The controller responded that the data breach involved a maximum of 158 persons and that the documents were from November 2018. It also indicated that the breach was not reported to the DPA as (i) the parcel was found by one identified person a short time after it was lost, (ii) this person took the documents directly to the police station and it was verified that no documents were missing and (iii) the person admitted that they had not copied the documents. As a result, data subjects were not informed of the breach either.
 
Regarding the measures taken to minimize the risk of this type of incident reoccurring in the future, the controller explained that a working group had been set up to analyse the incident and develop mechanisms to prevent similar situations from arising in the future (a process had been developed for paper documentation, controls on different levels…).  
 
After receiving this response, the UODO asked the controller to indicate the precise scope of the personal data affected by the breach and to clarify whether it was the sole controller of this personal data.


The controller responded that the following data was concerned: names, dates of birth, bank account numbers, home addresses, PESEL registration numbers (national identification numbers), email addresses, user names and/or passwords, data on earnings and/or assets, ID card numbers, phone numbers, information about bank products (loans, bank accounts, names of contracts…), dates of insurance, information about insured properties. The controller indicated that the breach did not concern data referred to in [[Article 9 GDPR|Articles 9]] and [[Article 10 GDPR|10 GDPR]].
The processor was responsible for keeping accounting books and records as well as preparing reports. Therefore, it was entrusted with the processing of employees' and former employees' personal data, including names, dates of birth, bank account numbers, residence addresses, personal identification numbers (PESEL), email addresses, data on earnings and/or property, mothers' family names, series and numbers of ID cards, telephone numbers, and health data.


On 8 December 2022, the UODO initiated proceedings against the controller.
Since the Polish DPA was not able to obtain information on any contract concluded between the controller and the processor with regard to the above-discussed processing operations, the DPA initiated ex officio administrative proceedings against the controller.


=== Holding ===
=== Holding ===
Regarding the personal data breach itself, under [[Article 33 GDPR#1|Articles 33(1)]] and [[Article 33 GDPR#3|33(3) GDPR]], the controller is obliged to notify the competent national supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. [[Article 34 GDPR#1|Article 34(1) GDPR]] establishes that when a data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must communicate the breach to the data subjects without undue delay.
First, the Polish DPA reiterated [[Article 28 GDPR#1|Article 28(1) GDPR]], which prescribes that sufficient guarantees to implement appropriate technical and organisational measures must exist whenever the controller mandates data processing activities to be carried out on their behalf. Moreover, in line with [[Article 28 GDPR#3|Article 28(3) GDPR]], a data processing agreement must be concluded between the controller and the processor, which stipulates the conditions of processing. Additionally, [[Article 28 GDPR#9|Article 28(9) GDPR]] requires the agreement to be in writing, including in electronic form.  
 
Therefore, if the risk to the rights and freedoms of data subjects is low, the controller is not obliged to report the breach to the DPA. When a controller detects a personal data breach, it must first analyse the risk which the breach poses to data subjects. The UODO emphasized that this assessment should be made through the lens of the data subject at risk, and not through the interests of the controller.
 
In the present case, the DPA held that the controller, due to the scale and object of its activity (provision of various types of financial services), processes the personal data of a very large number of customers. The UODO considered that there was no certainty that the documents had not been seen by other persons before the finder delivered them to the police station. There was also no doubt that the data subjects could easily be identified on the basis of the data disclosed.
 
The UODO pointed out that the assessment made by the controller was based on the belief that the person who came into possession of the parcel was an honest finder. The UODO considered that a third party who found a parcel of bank documentation containing very detailed personal data of the controller’s clients, and who has no relationship with the controller, cannot be assumed to be a trusted recipient.


In addition, the DPA considered that according to EDPB Guidelines 9/2022, a data breach can potentially cause a number of negative consequences for the data subject, for example identity theft, identity fraud, financial loss etc. In the present case, given the scope of the personal data, especially the PESEL registration numbers alongside first and last names, the UODO considered that there was a high probability of these damages occurring. In particular, the DPA indicated that the EDPB recognized the importance of national identification numbers and stressed that this type of data breach requires the implementation of actions, including the notification of the DPA and data subjects.  
Second, the DPA clarified the roles of the entities involved in the processing. As the employer and main administrator, the Cultural Centre was considered to be the controller. Meanwhile, the entity entrusted with keeping the accounting records was to be considered the processor, as it only processed data on the controller's behalf. Hence, it was the responsibility of the controller to fulfil the requirements of [[Article 28 GDPR|Article 28 GDPR]].


The DPA also added that the notification of the breach to data subjects under [[Article 34 GDPR#1|Article 34(1) GDPR]] is not made conditional on the existence of an infringement of the rights and freedoms of the data subjects affected by the breach.
The DPA concluded that the controller failed to comply with Article 28(1), (3) and (9) GDPR by not concluding a written agreement with the processor. It imposed a €529 fine on the controller for this violation.
 
In light of all these considerations, the UODO concluded that in the present case there was a high risk to the rights and freedoms of the data subjects affected by the breach. Therefore, the controller should have notified the DPA under [[Article 33 GDPR#1|Article 33(1) GDPR]] and the data subjects affected by the breach under [[Article 34 GDPR#1|Article 34(1) GDPR]].
 
Regarding the corrective measure taken, the UODO took multiple elements into account: firstly, the DPA considered the nature of the processing, the number of data subjects affected and the extent of the damage suffered by them.
 
Secondly, the DPA took into account the fact that the controller made a conscious decision not to notify the breach to the DPA, as well as the data subjects. The UODO considered that there was no doubt that the controller, who processes personal data on a mass scale, had knowledge of the consequences of ascertaining a personal data breach resulting in a high risk for the rights and freedoms of the data subjects. The controller was therefore aware of its responsibility, but disregarded its obligations and neglected to notify the DPA and data subjects.
 
Finally, the UODO also looked into any relevant previous breaches by the controller, and found violations that were related to data breaches. It also took into account, among other things, the degree of cooperation with the DPA to remedy the breach, the categories of personal data affected, the actions taken by the controller to minimize the breach, and how the DPA became aware of the breach.
 
Thus, the DPA imposed a PLN 1,440,549 (€330,000) fine on the controller. The UODO also ordered the controller to notify the data subjects affected by the breach within 3 days of the notification of the decision.


== Comment ==
== Comment ==
Line 113: Line 93:


<pre>
<pre>
Based on Article. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775, as amended), Art. 7(1) 1 and 2 and art. 60, art. 101 and art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), as well as Art. 57 section 1 letter a) and h), art. 58 section 2 lit. e) and i), Art. 83 section 1, 2 and 3, art. 83 section 4 lit. a) in connection with Art. 33 section 1 and art. 34 section 1, 2 and 4 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on data protection) (OJ EU L 119 of 04/05/2016, p. 1, OJ L 127 of 23/05/2018, p. 2 and OJ L 74 of 4/03/2021, p. 35), hereinafter referred to as "Regulation 2016/679", after ex officio administrative proceedings initiated regarding the violation of personal data protection provisions by Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warszawa) President of the Personal Data Protection Office,1) noting a violation by Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warszawa) provisions: a) Art. 33 section 1 of Regulation 2016/679, consisting in failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach, b) Art. 34 section 1 of Regulation 2016/679, consisting in failure to notify data subjects about a breach of personal data protection without undue delay,
PRESIDENT
THE SECURITY OFFICE
PERSONAL DATA


imposes on Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warsaw) an administrative fine in the amount of PLN 1,440,549 (in words: one million four hundred and forty thousand five hundred and forty-nine zlotys),2) ordered by Santander Bank Polska S.A. with its registered office in Warsaw (Al. Jana Pawła II 17, 00-854 Warszawa) notify - within 3 days from the date of delivery of this decision - persons whose data protection was violated as a result of an event entered in the Personal Data Breach Register of Santander Bank Polska S.A. under the number (...), about the violation of the protection of their personal data in order to provide these persons with the information required in accordance with Art. 34 section 2 of Regulation 2016/679, i.e.: a) description of the nature of the personal data protection breach; b) name and contact details of the data protection officer or designation of another contact point from which more information can be obtained; c) description of the possible consequences of the data protection breach personal data; d) a description of the measures taken or proposed by the controller to address the breach - including measures to minimize its possible negative effects.
Warsaw, September 7, 2022


Justification
DECISION


On August 23, 2022, the President of the Personal Data Protection Office, hereinafter also referred to as the "President of the Personal Data Protection Office" or the "supervisory authority", from an article published on the website (...) at (...), received information about a breach of the protection of personal data of customers of Santander Bank Polska S.A. with its registered office in Warsaw, hereinafter referred to as: "Bank" or "Administrator", consisting in making public bank documents contained in a parcel abandoned in a housing estate in K., after it was previously stolen during transport by a courier company. The article itself was published on (...) November 2018, while the incident took place on (...) November 2018. The entry shows that "(...)". The website also reported about the incident two days earlier (...).
DKN.5131.29.2022


In connection with the above, in a letter of August 25, 2022, the President of the Personal Data Protection Office, pursuant to Art. 58 section 1 letter a) and e) of Regulation 2016/679, asked the Bank to clarify whether, in connection with the event, the Bank reported, in accordance with Art. 33 of Regulation 2016/679, the President of the Personal Data Protection Office (UODO), a breach of personal data protection in the above scope, and if so, when and how it was done and whether the Bank fulfilled the obligation to notify data subjects about the breach of their personal data, pursuant to Art. 34 section 1 and 2 of Regulation 2016/679. The President of the Personal Data Protection Office also asked for information on: when and how the Bank determined that the documents indicated in the letter had been made public, the number of persons affected by the personal data protection breach in question, the period from which the public documents come from and an explanation of what actions were taken to minimize the risk of recurrence of this type of events in the future.
Based on Article. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended), art. 7 sec. 1, art. 60 and art. 102 paragraph. 2 and sec. 3 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "uodo", as well as art. 57 sec. 1 lit. a) and h), art. 58 sec. 2 lit. i), art. 83 sec. 1 and 2 and article. 83 sec. 4 lit. a) in connection with Art. 28 sec. 1, 3 and 9 of the Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general on data protection) (Journal of Laws UE L 119 of May 4, 2016, p. 1, Journal of Laws UE L 127 of May 23, 2018, p. 2 and EU Official Journal L 74 of March 4, 2021, p. 35), hereinafter referred to as: "Regulation 2016/679", after conducting the administrative proceedings initiated ex officio regarding the infringement by Sułkowicki Ośrodek Kultury with its seat in Sułkowice at ul. May 1, 70 provisions on the protection of personal data, President of the Office for Personal Data Protection


In a letter of September 5, 2022, the Bank asked the President of the Personal Data Protection Office to extend the deadline for responding to September 16, 2022, justifying it with the need to "reliably establish (with many people representing various units in the bank), namely: to investigate by the Bank the circumstances of the event after its disclosure; the premises of the bank's assessment of the event; conclusions and actions that the bank took in connection with the occurrence of this event in order to comprehensively answer the questions of the President of the Personal Data Protection Office.
finding an infringement by the Sułkowice Cultural Center with its seat in Sułkowice at ul. 1 Maja 70, the provisions of art. 28 sec. 1, 3 and 9 of Regulation 2016/679, consisting in entrusting Mr. K. G. running a business under the name of [...] with the processing of personal data without a written entrustment agreement and without verifying whether the processing entity provides sufficient guarantees for the implementation of appropriate technical and organizational measures to the processing complied with the requirements of Regulation 2016/679 and protected the rights of data subjects, it is imposed on the Sułkowicki Cultural Center with its seat in Sułkowice at ul. On May 1, 70, an administrative fine in the amount of PLN 2,500 (say: two thousand five hundred zlotys).


The response provided by the Bank in a letter of September 16, 2022 shows that the Bank determined that the documents indicated in the supervisory authority's letter were found in a block of flats in K. on (...) November 2018. This was done by the unit (…) by monitoring news appearing on the Internet. On the website (…) she found an entry regarding the discovery of the Bank's documents in a block of flats in K. Two days later, the website (…) also reported the incident. The personal data protection breach in question affected a maximum of 158 people (this number was determined on the basis of the data included in the documentation sent, indicating the identification numbers of the customers whose documents were found). The published documents came from the period from (...) November 2018 to (...) November 2018 (date of sending the parcel to (...) the Bank Branch in K.). The personal data protection breach was not reported to the President of the Personal Data Protection Office. The following circumstances influenced this decision:
Justification
 
the parcel was found by one identified person shortly after it was lost by the courier;
 
it has been verified that no documents are missing; the person who found the documents took them directly to the police station;
 
this person admitted that he did not copy the documents.
 
Therefore, the data subjects were not informed about the personal data protection breach.
 
The bank also described what actions were taken to minimize the risk of recurrence of this type of events in the future, therefore a working group was established whose task was to analyze the event and develop mechanisms to prevent similar situations from occurring in the future. "(...) As a result, work of this group: 1) a "Standard" was developed for the process of sending paper documentation, including: a. preparation of the shipment / packaging method - use of (...). The label (...) has the following content: "(...)"b. control of the "Standard" at three levels: i) control on the courier's side - (...),ii) control carried out by (...),iii) control on the G side - (...),c. reaction to events (detected irregularities). 2) an alert check was carried out on the correctness of sending the parcels with G documentation. As a result of this check, the following post-control activities were established: - Instructions for sending parcels for Bank Branches were prepared, - e-mails were sent to each branch that incorrectly sent the parcel with information on how to correctly send the parcel with documentation to G., - involvement of direct control employees - during visits to branches, they instruct branch employees how to properly send parcels with documentation, 3) talks were initiated with the courier regarding the communication process, including in particular: i) required times and methods of reaction to reported irregularities / identified events,ii) communication tools,iii) documenting explanations / statements.
 
In connection with the explanations provided so far in the matter, in a letter of October 6, 2022, the President of the Personal Data Protection Office additionally asked the Administrator to: 1) indicate the exact scope of personal data contained in the banking documentation covered by the personal data protection breach in question; 2) explain whether, in relation to the disclosed personal data of Santander Bank Polska S.A. customers, it is the sole controller of personal data; alternatively, if personal data whose administrators are also other entities were disclosed, whether the Bank notified them about this personal data protection breach.
 
In a letter of October 20, 2022, the Bank requested an extension of the deadline for responding to the above letter until October 27, 2022. In the response of October 27, 2022, the Administrator indicated that the documentation covered by the breach in question included the following categories of personal data: surnames and first names, dates of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, usernames and/or passwords, data on earnings and/or assets, series and numbers of ID cards, telephone numbers, information about banking products, loans, bank accounts, i.e. names of contracts, dates of their conclusion, details of these products, information about property insurance policies, i.e., among others, policy numbers, dates of issue, insured amounts, insurance premiums, information regarding the insured property. At the same time, the Bank indicated that the banking documentation covered by the personal data protection breach in question did not contain the data referred to in Art. 9 or art. 10 of Regulation 2016/679. Moreover, the banking documentation covered by the personal data protection breach in question included two insurance policies issued for property insurance contracts of the bank's clients. In the scope of these insurance contracts, the data administrators are insurance companies that were not notified by the Bank about the personal data protection breach.
 
In the absence of reporting a personal data protection breach to the President of the Personal Data Protection Office and in the absence of notification of a personal data breach of the persons affected by the breach, on December 8, 2022, the President of the Personal Data Protection Office initiated administrative proceedings ex officio against the Bank regarding the possibility of a violation by the Bank of Art. 33 section 1 and art. 34 section 1 and 2 of Regulation 2016/679.
 
When initiating administrative proceedings, the President of the Personal Data Protection Office called on the Bank to indicate, among others, on what basis the administrator decided that the breach of the protection of personal data of Santander Bank Polska S.A. customers does not require reporting to the supervisory authority and results in no need to notify the persons affected by the breach. At the same time, the President of the Personal Data Protection Office requested the submission of a risk analysis for this violation.
 
In response to the notification of the initiation of administrative proceedings in the case in question, in a letter dated December 19, 2022, the Bank sent additional explanations, in which it indicated that the breach of the protection of personal data of the Bank's customers, which occurred as a result of the theft of a shipment containing the Bank's documentation during its transport in courier company, and then abandoning an open parcel in a gated housing estate in K., was entered into the Personal Data Breach Register of Santander Bank Polska S.A., under number (...). The assessment of the risk of violating the rights and freedoms of the data subject was set at a low level, and this assessment was influenced by the following circumstances: the parcel was found by one identified person shortly after its loss by the courier; The bank verified that no documents were missing; the person who found the documents took them directly to the police station; this person admitted that he did not copy the documents.
 
As a result of this assessment, this incident was not reported to the President of the Personal Data Protection Office. At the same time, the Bank did not decide to notify the persons affected by this violation.
 
After reviewing all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:
 
In accordance with the definition contained in Art. 4 point 12 of Regulation 2016/679, "personal data protection breach" is a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.
 
Art. 33 section 1 and 3 of Regulation 2016/679 states that in the event of a personal data protection breach, the controller shall, without undue delay - whenever possible, no later than 72 hours after discovering the breach - report it to the competent supervisory authority in accordance with Art. 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification submitted to the supervisory authority after 72 hours is accompanied by an explanation of the reasons for the delay. The notification referred to in section 1, must at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data entries affected by the breach; b) contain the name and contact details of the data protection officer or another contact point from which more information can be obtained; c) describe the possible consequences of a personal data breach; d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.
 
In turn, pursuant to Art. 34 section 1 of Regulation 2016/679, in a situation where there is a high risk of violating the rights and freedoms of natural persons, the controller is obliged to notify the data subject about the breach without undue delay. Article 34 section 2 of Regulation 2016/679 states that a proper notification should: 1) describe the nature of the personal data breach in clear and plain language; 2) contain at least the information and measures referred to in Art. 33 section 3 lit. b), c) and d) of Regulation 2016/679, i.e.: a) name and surname and contact details of the data protection officer or designation of another contact point from which more information can be obtained; b) description of the possible consequences of a personal data protection breach; c) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.
 
From the analysis of the above provisions it therefore follows that, depending on the level of risk of violating the rights and freedoms of natural persons, the controller has different obligations towards the supervisory authority and the data subjects. If, as a result of the analysis, the administrator finds that the risk of violating the rights and freedoms of natural persons is low, he is not obliged to report the violation to the President of the Personal Data Protection Office. The indicated violation must only be entered in the internal register of violations. If a risk of violating the rights and freedoms of natural persons is identified, the controller is obliged to report the data protection breach to the President of the Personal Data Protection Office, as well as to place an entry in the internal register of violations. The occurrence of a high risk of violating the rights and freedoms of natural persons, in addition to an entry in the register of violations, requires the administrator to take appropriate actions, both towards the supervisory authority (reporting a data protection breach) and towards the data subjects. In the case of personal data protection breaches that may result in a high risk of violating the rights and freedoms of the data subject, Regulation 2016/679 introduces an additional obligation for the controller to immediately notify the data subject, unless the controller has taken preventive measures before the breach or remedial measures have been taken after the occurrence of the infringement (Article 34(3) of Regulation 2016/679).
 
As follows from the above, if the administrator detects a personal data protection breach, it is first necessary to analyze the risk of violating the rights and freedoms of natural persons. The administrator is released from the obligation to notify the supervisory authority about a violation if the conducted examination shows that there is at most a low probability of a risk of violating the rights and freedoms of natural persons. However, it should be taken into account that the supervisory authority will be able to ask the controller to justify the decision not to report the breach, therefore the conclusions from the analysis should be recorded in the internal record of breaches. It is worth recalling that the European Data Protection Board (EDPB) Guidelines No. 9/2022[1], adopted on March 28, 2023, include recommendations on reporting personal data protection breaches to the supervisory authority.
 
It should be emphasized that the assessment of the risk of violating the rights and freedoms of a natural person should be made from the perspective of the person at risk, and not from the perspective of the administrator's interests. This is particularly important because, based on a personal data breach notification, an individual can assess for themselves whether they believe a security incident may result in negative consequences for them and take appropriate remedial action. Also, based on the information provided by the controller regarding the description of the nature of the breach and the measures taken or proposed to remedy the breach, an individual may assess whether, after a personal data breach, the data controller still guarantees the proper processing of his or her personal data in a manner that ensures their security. Failure to notify a natural person about a breach of personal data protection in the event of a high risk of violating his or her rights or freedoms deprives him or her not only of the opportunity to respond appropriately to the breach, but also of the opportunity to independently assess a breach which concerns his or her personal data and may cause serious consequences for him or her. In turn, failure to report a personal data protection breach deprives the supervisory authority of the opportunity to respond appropriately to the breach, which consists not only in assessing the risk of the breach to the rights and freedoms of a natural person, but also, in particular, in verifying whether the controller has applied appropriate measures to remedy the breach and minimize the negative effects on data subjects, as well as whether it has applied appropriate security measures to minimize the risk of a recurrence of the breach.
 
Reporting personal data protection breaches by controllers is therefore an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights and freedoms of data subjects and, if such a risk occurred, whether they have provided appropriate information to the natural persons affected by the breach. In justified cases, they may also state that, in their opinion, notification is not necessary because the conditions specified in Art. 34(3)(a) and (b) of Regulation 2016/679 are fulfilled. The President of the Personal Data Protection Office verifies the assessment made by the controller and may, if the controller has not notified the data subjects, request such notification from the controller. Reports of personal data protection breaches allow the supervisory authority to respond appropriately to limit the effects of such breaches, as the controller is obliged to take effective actions to ensure the protection of natural persons and their personal data, which will, on the one hand, allow for control of the effectiveness of existing solutions and, on the other hand, the assessment of modifications and improvements to prevent irregularities similar to those covered by the breach. In turn, notifying natural persons about a breach makes it possible to provide them with information on the risks associated with the breach and to indicate the actions they can take to protect themselves against the potential negative effects of a personal data breach (this allows the individual to independently assess the breach in the context of the possibility of negative consequences materializing for them, and to decide whether or not to take remedial action).
 
Santander Bank Polska S.A., due to the scale and scope of its activities, i.e. the provision of various types of financial services, processes personal data of a very large number of customers with whom it concludes contracts for the provision of banking services. In the case under consideration, personal data of the Bank's Customers included in the banking documentation, in the scope of: name and surname, date of birth, bank account number, address of residence or stay, PESEL registration number, e-mail address, username and/or password, data on earnings and/or owned property, series and number of ID card, telephone number, information about banking products, loans and bank accounts (i.e. names of contracts, dates of their conclusion, details of these products), and also information about property insurance policies (including policy numbers, date of issue, sum insured, insurance premiums and information regarding the insured property), were read by an unauthorized person. In addition, data related to the conclusion of contracts and their content were disclosed. It is also unclear whether other people had read the documents before the person who delivered the documents in question to the police station, as they were in a publicly accessible place. Therefore, there is no doubt that data subjects can be easily identified based on the disclosed data.
 
Consequently, the assessment of the breach carried out by the controller in terms of the risk of violating the rights and freedoms of natural persons, which is necessary to determine whether a data protection breach has occurred that requires notifying the President of the Personal Data Protection Office (Article 33(1) and (3) of Regulation 2016/679) and the persons affected by the breach (Article 34(1) and (2) of Regulation 2016/679), should, as must be emphasized once again, be made from the perspective of the person affected by the breach. Accidental disclosure of personal data, even to one identified person, may lead to an increase in the scale of the breach and thus of the risk of violating the rights and freedoms of the data subject. At the same time, the Administrator did not demonstrate, in accordance with the principle of accountability referred to in Art. 5(2) of Regulation 2016/679, that the person who found the parcel may be considered a so-called trusted recipient. The explanations provided by the Bank in a letter of September 16, 2022 show that it refrained from reporting the breach in question to the supervisory authority because "the parcel was found by one identified person shortly after it was lost by the courier." The risk assessment was based on the belief that the person who came into possession of the shipment with the Bank's documents is a so-called "honest finder" because "it was verified that no documents were missing", "the person who found the documents took them directly to the police station" and "the person admitted that he did not copy the documents." Taking the above into account, in the opinion of the Administrator, "the assessment of the risk of violating the rights and freedoms of the data subject has been set at a low level."
 
For a better illustration of cases of personal data protection breaches resulting in accidental disclosure of data to an unauthorized person, please refer to Guidelines 9/2022, which describe a case of a breach of data confidentiality involving the mistaken disclosure of personal data to a third party or other recipient, where such data are accidentally sent to the wrong department of the organization or to a supplier organization whose services the administrator uses. The administrator then has grounds to consider the unauthorized recipient as trusted, because he or she remains in a permanent relationship with such an entity, knows its procedures and can trust the recipient enough to reasonably expect that the recipient will not mistakenly read the sent data or gain access to them, and will comply with the request to send them back. Even in a situation where the data has been accessed, the administrator can still trust the recipient not to take any inappropriate actions and to return the data immediately to the administrator. As the EDPB further points out, in the case described above, the controller may take into account the fact that the recipient is a trusted person in the risk assessment carried out following the breach. However, this is certainly not the situation in the present case. A third party who, quite accidentally, found a parcel with banking documentation containing very detailed personal data of the Bank's Customers does not remain in any relationship with the Bank that would allow it to be assumed that it is a trusted recipient, in accordance with the above position of the EDPB.
 
Referring to the above, it should be noted that it is also irrelevant that the data was made available to only one identified person; what matters is merely that the parcel was found by one identified person. As previously mentioned, the Bank is not sure how many people could have had access to the abandoned parcel, because, as it states, it was stolen during transport by a courier company, which should sufficiently influence the proper assessment of the security incident in question, adequate to the circumstances, including the assessment of the risk of violating the rights and freedoms of natural persons. Even if the wrong recipient is a person known to the Administrator (e.g. a client who reports an error), there is no guarantee that the intentions of this person will not change. The above assessment is also not influenced by obtaining a declaration from the wrong recipient about keeping the Bank's Customers' data confidential, or, as was the case here, by the person admitting that he did not copy the documents. It is not certain whether, before submitting the declaration, the person did not make a copy or record the personal data contained in the documentation in another way, e.g. by writing it down. The Bank also has no way of actually verifying that the unauthorized recipient has not transferred the Bank's Customers' data to third parties or does not have a copy of this data. The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgment of January 21, 2022, ref. no. II SA/Wa 1353/21, indicating that "(...) there is no certainty that before these activities, the person did not make, for example, a photocopy or did not record the personal data contained in the content of the document in another way, e.g. by writing it down." The mere performance of the activities indicated in the declarations submitted by a third party (an unauthorized recipient) does not guarantee that the intentions of such a person will not change now or in the future, and the possible consequences of using such categories of data may be significant for the persons whose data were subject to the breach. It should be emphasized once again that a declaration made by an unauthorized person does not mean that the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons, and does not exclude the assumption that there is a high risk of violating the rights and freedoms of data subjects.
 
As indicated in Guidelines 9/2022, a breach of personal data protection may potentially cause a number of negative consequences for the natural persons whose data is subject to the breach. According to the EDPB, the possible effects of a breach include physical, material or non-material damage. Examples of such damage include, but are not limited to: discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of confidentiality of personal information and significant economic or social harm. In this case, there is no doubt that, due to the scope of data covered by the personal data protection breach in question, including PESEL registration numbers along with names and surnames, there is a high probability of the above-mentioned damage occurring.
 
First of all, it should be emphasized that the personal data protection breach concerned the PESEL registration number, i.e. an eleven-digit numerical symbol that uniquely identifies a natural person and contains, among other things, the date of birth and gender. It is therefore closely related to the private sphere of the natural person and, as a national identification number, is also subject to exceptional protection under Art. 87 of Regulation 2016/679, being data of a special nature and requiring special protection. The PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal transactions. The PESEL number together with the name and surname uniquely identifies a natural person, in a way that allows the negative effects of the breach (e.g. identity theft, loan fraud) to be attributed to that specific person. Moreover, it should be taken into account that as a result of the personal data protection breach in question, these registration numbers along with the names and surnames of the Bank's clients were made available to at least one unauthorized person, which may be sufficient to "impersonate" the data subject and to incur, on behalf of and to the detriment of that person, e.g. monetary liabilities (see: https://www.bik.pl/poradnik-bik/wyluzenie-kredytu-tak-dzialaja-oszusci - where a case is described in which "Only the first name, surname and PESEL number were enough for fraudsters to extort several loans worth tens of thousands of zlotys. Nothing else was correct: neither the ID card number nor the address").
The breach, which, it should be emphasized, concerned 158 people, also covered a huge range of other data identifying these people, such as contact details (which, as is commonly accepted, include the address of residence or stay, telephone number and e-mail address), date of birth, bank account numbers, series and numbers of ID cards, usernames and/or passwords, data regarding earnings and/or owned assets, the content of the contracts regarding banking products (names of the contracts, dates of their conclusion, details of these products) and a range of information related to property insurance policies (including policy numbers, dates of issue, insured amounts, insurance premiums and information regarding the insured property). A key factor in risk assessment is the type and sensitivity of the personal data exposed as a result of the breach. Guidelines 9/2022 emphasize that a collection of various personal data is usually more sensitive than individual data.
 
It is worth citing one of the examples included in the European Data Protection Board Guidelines 01/2021[2] (case no. 14, p. 31), relating to the situation of "sending highly confidential personal data by mistake". In the above-mentioned case from the Guidelines, the social security number, which is the equivalent of the PESEL number used in Poland, was disclosed. In this case, the EDPB had no doubt that the disclosed data in the scope of: name and surname, e-mail address, postal address and social security number indicate a high risk of violating the rights and freedoms of natural persons ("the involvement of their [the victims'] social security number, as well as other, more basic personal data, further increases the risk, which can be described as high"). The EDPB recognizes the importance of national identification numbers (in this case the PESEL number), at the same time emphasizing that this type of personal data protection breach, which includes data such as name and surname, e-mail address, correspondence address and social security number, requires the implementation of actions, i.e. notification of the supervisory authority and notification of the breach to data subjects.
 
The European Data Protection Board has no doubt that an individually assigned number uniquely identifying a natural person should be subject to special protection, and its disclosure to unauthorized entities may involve a high risk of violating the rights and freedoms of natural persons.
 
The EDPB also points out in other examples provided in Guidelines 01/2021 that data that uniquely identifies a natural person may result in a high risk of violating rights or freedoms. Points 65 and 66 of Guidelines 01/2021 indicate: "(...) The breached data allows for the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by the attacker to guess customer passwords or to conduct a spear phishing campaign aimed at bank customers. For these reasons, the data breach has been deemed likely to result in a high risk to the rights and freedoms of all data subjects. Therefore, material (e.g. financial losses) and intangible (e.g. identity theft or fraud) damage may occur.”
 
The Provincial Administrative Court in Warsaw had no such doubts (that the disclosure of the PESEL number together with other personal data may result in a high risk of violating the rights and freedoms of natural persons) and, in its judgment of September 22, 2021, ref. no. II SA/Wa 791/21, stated that "There is no doubt that the examples of damage mentioned in the guidelines may occur in the case of persons whose personal data - in some cases, including the PESEL registration number or the series and number of the ID card - have been recorded on the shared recordings. Not without significance for such an assessment is the possibility of identifying persons whose data were subject to the breach, based on the disclosed data." Further, in the cited ruling, the Court indicated that "The data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases also the PESEL registration number or the series and number of the ID card, determines that there is a high risk of violating the rights and freedoms of natural persons." When considering the above issues, it is also necessary to recall the position of the Provincial Administrative Court in Warsaw expressed in the judgment of July 1, 2022, issued in the case with reference number II SA/Wa 4143/21. In the justification of this judgment, the Court stated that: "It should be agreed with the President of the Personal Data Protection Office that the loss of confidentiality of the PESEL number in combination with personal data such as: name and surname, registered address, bank account numbers and the identification number assigned to the Bank's clients (CIF number) involves a high risk of violating the rights and freedoms of natural persons.
In the event of a breach of data such as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects. Therefore, in the case in question, the Bank should have acted without undue delay, pursuant to Art. 34 section 1 GDPR, to notify data subjects about the personal data breach so as to enable them to take the necessary preventive measures" (emphasis added). It is also worth mentioning the judgment of August 31, 2022, ref. no. II SA/Wa 2993/21, in which the Provincial Administrative Court in Warsaw emphasized that "(...) the authority correctly assumed that there was a high risk of violating the rights and freedoms of the persons affected by the breach in question due to the possibility of easily identifying, based on the disclosed data, the persons whose data was subject to the breach. These data include name and surname, correspondence address, telephone number, and PESEL number of persons with Polish citizenship. In this situation, the controller was obliged to notify data subjects about the breach without undue delay." The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgments of November 15, 2022, ref. no. II SA/Wa 546/22, of June 21, 2023, ref. no. II SA/Wa 150/23 and of November 6, 2023, ref. no. II SA/Wa 996/23.
 
In the light of the above, it is also worth mentioning the judgment of the Supreme Administrative Court in Warsaw of December 6, 2023, ref. no. III OSK 2931/21, which stated: "The President of the Personal Data Protection Office correctly determined that the data was shared, among others, in the scope of names and surnames, as well as PESEL numbers of natural persons, i.e. relatively permanent and unchangeable data, the disclosure of which may always pose a risk of negative consequences for the above-mentioned people. Similarly, residential addresses are personal data whose unauthorized disclosure creates a high risk of negative legal consequences, regardless of the fact that the addresses were disclosed several years after their update."
 
From the latest infoDOK report[3] (which is prepared as part of the social information campaign of the RESTRICTED DOCUMENTS System, organized by the Polish Bank Association and some banks, under the patronage of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation), it follows that in the third quarter of 2023 alone there were 2,587 attempts to extort loans and credits for a total amount of PLN 104.1 million. Throughout 2021, there were 8,096 loan fraud attempts for a total amount of PLN 336.6 million, and in 2022 there were 8,079 loan fraud attempts.
 
Moreover, as court records show, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time. As an example, we can mention the judgment of the District Court in Łęczyca of July 27, 2016 (reference number I C 566/15), in which fraudsters taking out a loan using someone else's data used a PESEL number, a fictitious address and an incorrect (expired) ID card number. In the justification of the above-mentioned judgment, the Court stated that:
 
"The evidentiary proceedings conducted and the analysis of the documents attached by the plaintiff result in the unambiguous conclusion that in the case under consideration the defendant was not a party to the loan agreement concluded on May 5, 2014. Although the PESEL number of the defendant J. R. was used when concluding the agreement, the indicated place of residence does not correspond to the place of residence of the defendant. The defendant J. R. never lived in Warsaw. The loan amount was transferred to an account that was not owned by the defendant. On the date of conclusion of the loan agreement, the ID card no. (...) had expired on March 15, 2014. The mobile phone number indicated in the loan agreement and its annexes does not match the actual telephone numbers used by the defendant."
 
In another case (I C 693/16), the District Court in Zgierz ruled in its judgment of November 4, 2016: "The defendant's personal data in the form of his name and surname and PESEL number, which were consistent with the defendant's data, did not prove that on December 17, 2014 the defendant submitted a declaration of will to conclude a loan agreement. It cannot be ruled out that a person who gained unauthorized access to the defendant's personal data concluded a loan agreement on his account with (...) sp. z o.o. S.K.A. with its registered office in W. In the present case, the defendant demonstrated that he has never lived at the address indicated in the loan agreement and that the telephone number and e-mail address used to register on the website and submit the loan application belonged to him."
 
There are still many cases of loan fraud in which the unknown perpetrators usually have only the victim's name, surname and correct PESEL number (the other data being false), which is confirmed by the judgments issued by courts in these cases. Below are some examples:
 
Judgment of the District Court for Łódź-Widzew in Łódź of August 13, 2020 in the case with reference number II C 1145/19, in which a third party unknown to the defendant illegally took possession of his PESEL number and ID card number, while the remaining address details indicated in the loan agreement were false: "In the opinion of the Court, the evidence offered by the defendant - especially documents from the files of a criminal case pending before the District Court in Tarnowskie Góry with file reference number VI K 383/16 - proves that the loan agreement of November 8, 2014 was concluded by a third party using some of Z. A.'s personal data. She provided a false address of residence, where the defendant has never lived, and the loan amount was transferred to a bank account that did not belong to Z. A. [...] and the ID card number provided in this agreement was a number that the defendant no longer used on the date of concluding the loan agreement, as this document had expired approximately 8 months previously";
 
Judgment of the District Court in Pisz of August 21, 2020, ref. no. I C 260/20: "[...] The court found that when concluding the contract in question, the defendant's data was used in an unauthorized manner and entered as the borrower's data, although the defendant was not a party to the contract. The defendant's position is confirmed by the notification he submitted about the commission of the crime of fraud to his detriment, as well as by the fact that the prosecutor's office is conducting proceedings in this case against the person indicated by the defendant. As an aside, it should be noted that also in the proceedings for payment pending before this court, ref. nos. I C 1/19 and I C 482/19, where E. M. also acted as a defendant and where financial obligations were incurred in his name and surname in the same circumstances as in the present proceedings, final judgments were also issued dismissing the claim. In the court's opinion, the circumstances of concluding the contract, i.e. the fact that the first name and surname of the borrower and his PESEL number are the same while there is a discrepancy as to the remaining data resulting from the content of the defendant's ID card (the series and number of this document, the address of residence), taking into account the fact that a criminal trial is pending in relation to a person who allegedly impersonated the defendant in order to conclude distance contracts and incur financial obligations in various institutions, clearly indicate that it was not the defendant who concluded loan agreement no. (...) with the plaintiff's legal predecessor";
 
Judgment of the District Court in Puławy of April 7, 2022 in the case with reference number I C 475/19, in which the Court clearly admitted that "[...] evidence enabling the verification of the defendant as a party to the contract in question is not the mere indication of his personal data: name, surname, PESEL number, as well as the series and number of the ID card in the content of the contract - in particular when the loan is concluded via an online platform, so that the lender is obviously not able to directly verify the identity of the other party, and the contract itself is not confirmed by the borrower's signature."
 
It should also be borne in mind that the Administrator's performance of his obligation under Art. 34 section 1 of Regulation 2016/679 may not be made dependent on an actual violation of the rights and freedoms of the natural persons whose data are affected by the personal data protection breach having occurred. The same applies to the obligation arising from Art. 33 section 1 of Regulation 2016/679, as stated by the Provincial Administrative Court in Warsaw in the judgment of September 22, 2021 issued in the case with reference number II SA/Wa 791/21: "It should be emphasized that the possible consequences of the event do not have to materialize. The content of Art. 33 section 1 of Regulation 2016/679 indicates that the very occurrence of a breach of personal data protection which involves a risk of violating the rights and freedoms of natural persons implies the obligation to report the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons" (this Court ruled similarly in the previously cited judgment of July 1, 2022, issued in the case with reference number II SA/Wa 4143/21, and in the judgments of August 31, 2022, ref. no. II SA/Wa 2993/21, of November 15, 2022, ref. no. II SA/Wa 546/22 and of April 26, 2023, ref. no. II SA/Wa 1272/22). When applying the provisions of Regulation 2016/679, the purpose of this regulation (expressed in Article 1(2)) should be taken into account, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. In turn, the protection of natural persons with regard to the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators, including in the event of a personal data protection breach, these values should be taken into account in the first place.
 
It is worth emphasizing that when assessing the risk of violating the rights and freedoms of natural persons, which determines, among other things, whether a personal data protection breach must be reported, the probability factor and the importance of the potential negative effects should be taken into account jointly. A high level of either of these factors affects the overall grade, which in turn determines, among other things, whether the obligation specified in Art. 33 section 1 of Regulation 2016/679 arises. Bearing in mind that, due to the scope of personal data disclosed, in the analyzed case there was a possibility of serious negative consequences for data subjects, the importance of the potential impact on the rights and freedoms of natural persons should be considered high. At the same time, the probability of a high risk occurring as a result of the breach in question is not small and has not been eliminated. Thus, it should be stated that in connection with the breach in question there was a high risk of violating the rights and freedoms of data subjects, which consequently determines the obligation to report the personal data protection breach to the supervisory authority.
 
In Guidelines 9/2022, the EDPB, indicating the factors that should be taken into account when assessing the risk, refers to recitals 75 and 76 of Regulation 2016/679, which suggest that the administrator should take into account both the probability of occurrence and the seriousness of the threat to the rights or freedoms of the data subject. In the event of a personal data protection breach, the controller should focus on the risk to natural persons resulting from the breach. Therefore, when assessing the risk to an individual arising from a personal data breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. Accordingly, when assessing the risk, the EDPB recommends taking into account criteria such as the type of breach, the nature, sensitivity and amount of personal data, as well as the ease of identification, as they may affect the level of risk for natural persons. The risk of violating the rights and freedoms of a natural person, in accordance with Guidelines 9/2022, will be greater when the consequences of the breach are more serious, as well as when the likelihood of their occurrence increases. The guidelines indicate that in case of any doubts, the administrator should report a breach, even if such caution might prove excessive.
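The tiered obligations described earlier (internal register, notification of the supervisory authority, notification of data subjects) and the joint weighing of likelihood and severity set out here can be written down as a small triage routine. The following is an added illustration, not code from UODO, the EDPB or the Bank; the data-category weights, the Breach fields and the mapping from the two factors to an overall grade are assumptions chosen to mirror the decision's reasoning (a national identification number together with a name drives severity to high, an unknown finder is not a trusted recipient, a declaration from the finder does not lower the likelihood).

```python
"""Breach-notification triage in the shape of Art. 33/34 GDPR (added example).

All weights and thresholds are assumptions for illustration, not the
supervisory authority's method.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Severity a single data category carries on its own (assumed weights).
CATEGORY_SEVERITY = {
    "name": Level.LOW,
    "contact": Level.LOW,            # address, phone, e-mail
    "date_of_birth": Level.MEDIUM,
    "bank_account": Level.MEDIUM,
    "financial_details": Level.MEDIUM,
    "id_card": Level.HIGH,
    "credentials": Level.HIGH,       # username and/or password
    "national_id": Level.HIGH,       # PESEL: unique, permanent identifier
}


@dataclass
class Breach:
    categories: set[str]
    identifiable: bool            # can data subjects be easily identified?
    recipient_known: bool         # identity of (a) recipient established
    recipient_trusted: bool       # standing relationship with the controller
    recipient_count_known: bool   # do we know how many people had access?
    prior_protection: bool = False   # Art. 34(3)(a), e.g. data was unreadable
    post_measures: bool = False      # Art. 34(3)(b), later measures remove risk


def severity(b: Breach) -> Level:
    """Highest single-category severity, raised by aggregation and easy
    identification: a collection of data is more sensitive than its parts."""
    base = max((CATEGORY_SEVERITY.get(c, Level.LOW) for c in b.categories),
               default=Level.LOW)
    # Name plus national id lets identity fraud be attributed to a real person.
    if {"name", "national_id"} <= b.categories and b.identifiable:
        return Level.HIGH
    if b.identifiable and len(b.categories) >= 3 and base == Level.MEDIUM:
        return Level.HIGH
    return base


def likelihood(b: Breach) -> Level:
    """Likelihood that harm materializes. Only a genuinely trusted recipient
    lowers it; a finder's declaration of not having copied the data does not."""
    if b.recipient_trusted:
        return Level.LOW
    if b.recipient_known and b.recipient_count_known:
        return Level.MEDIUM
    return Level.HIGH   # lost in a public place: unknown number of readers


def overall_risk(b: Breach) -> Level:
    """Likelihood and severity are weighed jointly; a high value of either
    factor lifts the overall grade unless the other factor is low."""
    s, l = severity(b), likelihood(b)
    if s == Level.LOW and l == Level.LOW:
        return Level.LOW
    if max(s, l) == Level.HIGH and min(s, l) >= Level.MEDIUM:
        return Level.HIGH
    return Level.MEDIUM


def obligations(b: Breach) -> dict:
    """Register always; notify the authority unless risk is unlikely; notify
    data subjects on high risk unless an Art. 34(3) exception applies."""
    risk = overall_risk(b)
    notify_subjects = (risk == Level.HIGH
                       and not (b.prior_protection or b.post_measures))
    return {"risk": risk.name,
            "internal_register": True,
            "notify_supervisory_authority": risk >= Level.MEDIUM,
            "notify_data_subjects": notify_subjects}


# Constructed scenario modelled on the facts recited above: banking
# documentation lost by a courier and handed in by an unknown finder.
LOST_PARCEL = Breach(
    categories={"name", "date_of_birth", "bank_account", "contact",
                "national_id", "credentials", "financial_details", "id_card"},
    identifiable=True, recipient_known=True, recipient_trusted=False,
    recipient_count_known=False)

# Constructed contrast: the same kind of file sent by mistake to a long-standing
# processor, the "trusted recipient" case from Guidelines 9/2022.
MISDIRECTED_TO_PROCESSOR = Breach(
    categories={"name", "national_id", "contact"},
    identifiable=True, recipient_known=True, recipient_trusted=True,
    recipient_count_known=True)

if __name__ == "__main__":
    for label, b in (("lost parcel", LOST_PARCEL),
                     ("misdirected to processor", MISDIRECTED_TO_PROCESSOR)):
        print(label, obligations(b))
```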
 
To summarize the above considerations, it should be stated that in the case in question there is a high risk of violating the rights and freedoms of the persons affected by the breach, which in turn results in the Bank's obligation to report the personal data protection breach to the supervisory authority, in accordance with Art. 33 section 1 of Regulation 2016/679, including the information specified in Art. 33 section 3 of Regulation 2016/679, and to notify the affected persons about the breach, in accordance with Art. 34 section 1 of Regulation 2016/679, including the information specified in Art. 34 section 2 of Regulation 2016/679. A bank that, due to the nature of its activities, processes personal data on a massive scale should be aware of the legal obligations that arise upon identifying a personal data protection breach. Informing the Administrator about his obligations in the field of personal data protection, as well as advising the Administrator, are also tasks of the data protection officer appointed at the Bank. The Bank should also have knowledge in this area due to a previously issued decision imposing an administrative fine for violating Art. 34 section 1 of Regulation 2016/679, consisting in a failure to notify data subjects about a personal data protection breach without undue delay (decision of January 19, 2022, ref. (...)), especially since the Administrator's complaint against this decision was dismissed by the judgment of the Provincial Administrative Court in Warsaw of November 15, 2022 (reference number II SA/Wa 546/22).
 
Referring to the Administrator's obligation under Art. 34 section 2 of Regulation 2016/679, the President of the Personal Data Protection Office stated that the Administrator (taking into account the nature of the breach and the categories of data affected) should indicate to data subjects the most likely negative consequences of the breach of their personal data. Certainly, in the event of a breach involving data such as names, surnames and PESEL registration numbers, it is necessary to point out, first of all, possible identity theft or identity fraud by third parties who could, to the detriment of the persons whose data was breached, take out loans from non-bank institutions or commit insurance fraud or fraudulently obtain insurance payouts, which may result in negative consequences related to an attempt to attribute responsibility for such fraud to the data subject. The description of possible consequences should reflect the risk to the rights and freedoms of that person, so as to enable him or her to take the necessary preventive actions.


In a situation where, as a result of a personal data breach, there is a high risk to the rights and freedoms of natural persons, the controller is obliged to implement all appropriate technical and organizational measures to establish the personal data breach immediately and to promptly inform the supervisory authority and the data subjects. The controller should fulfill this obligation as quickly as possible.
The President of the Personal Data Protection Office, hereinafter referred to as the President of UODO, received on [...] May 2020 a notification of a personal data breach made by Sułkowicki Ośrodek Kultury with its seat in Sułkowice at ul. 1 Maja 70 (hereinafter referred to as "SOK" or the "Administrator"), registered under file number [...], informing about a breach of the personal data of 30 people: employees and former employees of the Administrator. SOK (in accordance with its statute, which constitutes an appendix to Resolution No. XII/72/2015 of the City Council in Sułkowice of September 30, 2015) is an organizational unit of the commune established to carry out the commune's own obligatory tasks in the field of culture.


Recital 85 of the preamble to Regulation 2016/679 explains: "In the absence of an appropriate and rapid response, a breach of personal data protection may result in physical harm, material or non-material damage to natural persons, such as loss of control over one's personal data or restriction of rights, discrimination, theft or falsification of identity, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage. Therefore, immediately upon becoming aware of a personal data breach, the controller should notify it to the supervisory authority without undue delay, where practicable and no later than 72 hours after becoming aware of it, unless the controller can demonstrate, in accordance with the principle of accountability, that it is unlikely that the breach may result in a risk to the rights and freedoms of natural persons. If a report cannot be made within 72 hours, the report should be accompanied by an explanation of the reasons for the delay and the information may be provided gradually, without further undue delay."
In the course of the investigation, conducted in connection with the reported personal data breach, it was found that SOK had entrusted the processing of the personal data of the above-mentioned persons to Mr K. G., running a business under the name of [...] with a place of business in T. No. [...], hereinafter referred to as "[...]" or the "Processor", without concluding a written entrustment agreement and without verifying whether the processor provides sufficient guarantees of the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. As established, the Administrator commissioned the above-mentioned entity with: keeping accounting books and records and preparing reports (in the area of finance, taxes and the Social Insurance Institution), processing personal data with the necessary attachments, and storing documentation (VAT records, records of fixed assets, VAT declarations), thus entrusting it with the processing of the personal data of the Administrator's employees and former employees in the form of: names and surnames, parents' names, dates of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, data on earnings and/or property, mothers' maiden names, ID card series and numbers, phone numbers, and health data. In addition, SOK explained in its letters of [...] November and [...] December 2021 and [...] April 2022 that "There has been no entrustment agreement with the processor. The processor was asked for information, clarification and return/sharing of the processed data, but to no avail", "No contracts with SOK were concluded with the company [...]. (...) It is highly probable that Mrs. G., on the authority of the then Director, performed such activities using the ZUS Płatnik program outside the seat, transferring the database or a new database she created", "(...) (the administrator) does not have any documents confirming the start and termination of cooperation with the company [...] (...)" and "(...) (the administrator) does not have any documents confirming the verification of the terms of cooperation with the company [...] (...)".


In turn, recital 86 of the preamble to Regulation 2016/679 states: "The controller should, without undue delay, inform the data subject about a breach of personal data protection if it may result in a high risk to the rights and freedoms of that person, so as to enable that person to take necessary preventive actions. Such information should include a description of the nature of the personal data breach and recommendations for the individual concerned to minimize potential adverse effects. Information should be provided to data subjects as soon as reasonably possible, in close cooperation with the supervisory authority, respecting instructions provided by that authority or other relevant authorities, such as law enforcement authorities. For example, the need to minimize an immediate risk of harm will require immediate information to data subjects, while the implementation of appropriate measures against the same or similar data protection breaches may justify subsequent information."
Attached to the letter of [...] November 2021, the Administrator presented letters of [...] June 2020 addressed, inter alia, to the Director of SOK in 2015-2019, the acting Director of SOK in 2019-2020, the chief accountant of SOK in 2017-2019 (Ms B. G.) and the chief accountant of SOK in 2019-2020, asking for information "on what legal and factual basis this company [note: [...]] kept the documentation of the Center, whether a civil law contract was concluded with this company, what was the scope of this contract and what was the scope of the company's obligations towards the Sułkowice Cultural Center". The Administrator also indicated in a letter dated [...] December 2021 that attempts to obtain explanations from Ms B. G. (who was described as a representative or employee of [...]) were unsuccessful.


By notifying the data subject without undue delay, the controller enables that person to take the necessary preventive measures to protect his or her rights and freedoms against the negative effects of the breach. Article 34 sections 1 and 2 of Regulation 2016/679 are intended not only to ensure the most effective possible protection of the fundamental rights and freedoms of data subjects, but also to implement the principle of transparency, which follows from Art. 5(1)(a) of Regulation 2016/679 (see Witold Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary, ed. E. Bielak-Jomaa, D. Lubasz, Warsaw 2018). Proper fulfillment of the obligation specified in Art. 34 of Regulation 2016/679 is intended to provide data subjects with quick and transparent information about the breach of the protection of their personal data, together with a description of the possible consequences of the breach and the measures they can take to minimize its possible negative effects. Acting in accordance with the law and demonstrating concern for the interests of data subjects, the controller should have provided data subjects with the best possible protection of their personal data without undue delay. To achieve this goal, it is necessary to provide at least the information listed in Art. 34 section 2 of Regulation 2016/679, which the Bank failed to do. Therefore, by deciding not to notify the supervisory authority and the data subjects about the breach, the controller in practice deprived data subjects of reliable information about the personal data breach, provided without undue delay, and of the possibility of counteracting potential damage.
In view of the above, in a letter of [...] May 2022, the President of the Personal Data Protection Office (UODO) initiated ex officio administrative proceedings against the Administrator regarding the breach by Sułkowicki Ośrodek Kultury, as the data controller, of obligations under Art. 28 sec. 1, 3 and 9 of Regulation 2016/679 (letter reference [...]).


Consequently, it should be stated that the Administrator did not report a personal data protection breach to the supervisory authority in fulfillment of the obligation under Art. 33 section 1 of Regulation 2016/679 and failed to notify data subjects without undue delay of a breach of data protection, in accordance with Art. 34 section 1 of Regulation 2016/679, which means a violation of these provisions by the Administrator.
The administrator did not respond in writing to the above-mentioned notifications about the initiation of administrative proceedings.


It should be noted here that, in accordance with Art. 34 section 4 of Regulation 2016/679, if the controller has not yet notified the data subject of a personal data breach, the supervisory authority, taking into account the likelihood that the personal data breach will result in a high risk, may require the controller to do so or may decide that one of the conditions referred to in section 3 is met. In turn, Art. 58 section 2 lit. e) of Regulation 2016/679 provides that each supervisory authority has the corrective power to order the controller to communicate a personal data breach to the data subject.
After reviewing all the evidence gathered in the case, the President of UODO considered the following.


Pursuant to Art. 58 section 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other corrective measures provided for in Art. 58 section 2 of Regulation 2016/679, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Bank based on Art. 83 section 4 lit. a) of Regulation 2016/679, which states, among others, that violation of the administrator's obligations referred to in Art. 33 and 34 of Regulation 2016/679, is subject to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher.
The President of the Personal Data Protection Office is an authority competent for the protection of personal data (Article 34 (1) of the Personal Data Protection Act) and a supervisory authority within the meaning of the provisions of Regulation 2016/679 (Article 34 (2) of the Personal Data Protection Act).


Pursuant to Art. 83 section 2 of Regulation 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 section 2 lit. a) - h) and letter j) of Regulation 2016/679. When deciding to impose an administrative fine on the Bank, the President of the Personal Data Protection Office, pursuant to Art. 83 section 2 lit. a) - k) of Regulation 2016/679, took into account the following circumstances of the case, which demonstrate the need to apply a sanction of this kind in this case and have an aggravating effect on the amount of the administrative fine imposed:
Pursuant to Art. 57 sec. 1 of Regulation 2016/679, without prejudice to other tasks specified under this regulation, each supervisory authority on its territory monitors and enforces the application of Regulation 2016/679 (point a) and conducts proceedings on the application of this regulation (point h). The instruments for carrying out the tasks referred to in Art. 57 of Regulation 2016/679 are, in particular, the corrective powers granted under Art. 58 sec. 2 of Regulation 2016/679, including the power to impose, in addition to or instead of the measures referred to in that paragraph, an administrative fine under Article 83, depending on the circumstances of the specific case (point i).


1. The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679). In this case, there was a violation of Art. 33 section 1 of Regulation 2016/679 (consisting in failure to report a personal data breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach) and of Art. 34 section 1 of Regulation 2016/679 (consisting in failure to notify data subjects about a personal data breach without undue delay). They relate to an event involving the disclosure of personal data of the Bank's clients in the scope of: names and surnames, dates of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, usernames and/or passwords, data on earnings and/or owned property, ID card series and numbers, telephone numbers, information about banking products, loans and bank accounts (i.e. names of contracts, dates of their conclusion, details of these products), and information about property insurance policies (i.e., among others, policy numbers, dates of issue, sums insured, insurance premiums, information regarding the insured property), as a result of the theft of a parcel containing the Bank's documentation during its transport by a courier company, and then the abandonment of the open parcel in a public place, as a result of which the documentation was read by an unauthorized person (at least one). This event is of significant importance and serious nature, as it may lead to material or non-material damage to the persons whose data has been breached, and the probability of such damage occurring is high.
Due to a personal data protection breach involving the loss of a shipment containing banking documentation, information covered by banking secrecy was unlawfully disclosed, which further increases the seriousness of the breach and indicates the possibility of negative consequences of the event for the data subjects.
Pursuant to Art. 28 sec. 1 of Regulation 2016/679, if the processing is to be carried out on behalf of the controller, he or she uses only the services of such processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing meets the requirements of this Regulation and protects the rights of data subjects. Pursuant to Art. 28 sec. 3 of Regulation 2016/679, processing by the processor takes place on the basis of a contract or other legal instrument, which are governed by Union law or the law of a Member State and are binding on the processor and the controller, determine the subject and duration of processing, nature and purpose of processing, type of personal data and the categories of data subjects, the obligations and rights of the controller. This contract or other legal instrument provides in particular that the processor:


Additionally, the fact that the infringement consisting in failure to notify persons about a breach of the protection of their personal data concerned the personal data of many persons, namely 158 persons, should be considered an aggravating circumstance, and although in the present case there is no evidence that the persons whose data an unauthorized person gained access to suffered material damage, the very violation of the confidentiality of their data constitutes non-material damage (harm) to them. Individuals whose data was obtained in an unauthorized manner may at least feel fear of losing control over their personal data, identity theft or identity fraud, discrimination, or finally financial loss. As indicated by the District Court in Warsaw in its judgment of August 6, 2020, ref. no. XXV C 2596/19, fear, and therefore the loss of a sense of safety, constitutes real non-pecuniary damage entailing an obligation to repair it. In turn, the Court of Justice of the EU, in its judgment of December 14, 2023 in the case Natsionalna agentsia za prihodite (C-340/21), emphasized that "Art. 82 section 1 GDPR must be interpreted as meaning that the data subject's fear of possible misuse of personal data by third parties as a result of a breach of that regulation may in itself constitute 'non-pecuniary damage' within the meaning of that provision".
a) processes personal data only on documented instructions from the controller, which also applies to the transfer of personal data to a third country or an international organization, unless such an obligation is imposed on it by Union law or the law of the Member State to which the processor is subject; in that case, before the processing begins, the processor informs the controller of this legal obligation, unless the law prohibits the provision of such information on important grounds of public interest;
b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) takes all measures required under Art. 32;
d) complies with the conditions for engaging another processor referred to in paragraphs 2 and 4;
e) taking into account the nature of the processing, assists the controller as far as possible, by appropriate technical and organizational measures, in fulfilling the obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
f) assists the controller in fulfilling the obligations set out in Art. 32-36;
g) upon termination of the provision of processing services, depending on the controller's decision, deletes or returns to the controller all personal data and deletes any existing copies thereof, unless Union law or the law of a Member State requires the storage of the personal data;
h) makes available to the controller all information necessary to demonstrate compliance with the obligations set out in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller.


The President of the Personal Data Protection Office also considers the long duration of the Bank's violation of the provisions of Regulation 2016/679 to be an aggravating circumstance; it should be emphasized that the violation that is the basis for these proceedings is ongoing and continuous in nature. The Bank has still not reported the breach, citing a low risk to the rights and freedoms of the affected natural persons, and it has likewise not notified the data subjects about the breach of the protection of their personal data. Meanwhile, the Administrator received information about the personal data breach, i.e. the discovery of abandoned documents of the Bank's clients, on November 24, 2018, so over the intervening years the risk to the rights and freedoms of the persons affected by the breach could have materialized, and they could not counteract it because the Bank failed to fulfill its obligation to report the personal data breach to the President of the Personal Data Protection Office and its obligation to notify the data subjects about it.
In connection with the obligation set out in point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction given to it infringes this Regulation or other Union or Member State data protection provisions.


2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679). In accordance with the Guidelines of the Article 29 Working Party on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP253 (adopted on 3 October 2017, endorsed by the EDPB on May 25, 2018), intentionality "includes both knowledge and intentional action in connection with the characteristics of the prohibited act." The Bank made a conscious decision not to notify the President of the Personal Data Protection Office or the data subjects about the breach. There is no doubt that the Bank, processing personal data on a mass scale, must have knowledge in the field of personal data protection, including knowledge of the consequences of identifying a personal data breach that results in a high risk to the rights and freedoms of natural persons (and this knowledge may be required not only from the controller but also from the data protection officer appointed by it). Undoubtedly, the decision of the President of the Personal Data Protection Office of January 19, 2022 (described below, in point 3), against which the Bank's complaint was dismissed by the judgment of the Provincial Administrative Court in Warsaw of November 15, 2022 (reference number II SA/Wa 546/22), is also a source of knowledge for the Bank regarding the obligations arising from personal data breaches. The administrative fine imposed by the above-mentioned decision, together with its extensive justification in which the President of the Personal Data Protection Office cited the applicable provisions and guidelines, contains the necessary information about the Administrator's obligations in relation to an identified personal data breach.
It can therefore be concluded that the Administrator, being aware of his responsibility, neglected his obligations related to the data protection breach and neglected to report the personal data protection breach to the President of the Personal Data Protection Office and to notify data subjects about the breach. Finally, the very initiation of these proceedings by the President of the Personal Data Protection Office regarding the obligation to report a personal data protection breach to the supervisory authority and to notify data subjects about the breach should at least raise doubts for the Administrator as to the validity of the position he has adopted.
On the other hand, pursuant to Art. 28 sec. 9 of Regulation 2016/679, the contract or other legal act referred to in para. 3 and 4, shall be in writing, including electronic form.


3. Any relevant previous violations on the part of the controller or processor (Article 83(2)(e) of Regulation 2016/679). When deciding on the imposition and amount of an administrative fine, the supervisory authority is obliged to pay attention to any previous violations of Regulation 2016/679. The EDPB, in its Guidelines 04/2022 on the calculation of administrative fines under the GDPR adopted on May 24, 2023, clearly states: "The existence of previous violations may be considered an aggravating factor when calculating the amount of the fine. The weight given to this factor should be determined taking into account the nature and frequency of previous violations. However, the absence of previous infringements cannot be considered as a mitigating circumstance since compliance with the provisions of [Regulation 2016/679] is the norm" (point 94 of the Guidelines).
The collected evidence shows that Sułkowicki Ośrodek Kultury, when entrusting the processing of employees' personal data, did not conclude with the entity processing this data, namely K. G. running a business under the name of [...] with a place of business in T. No. [...], a written entrustment agreement containing the elements indicated in Art. 28 sec. 3 of Regulation 2016/679. When assessing this state of affairs, one should start by explaining the function performed by these two entities and their mutual relationship.


The President of the Personal Data Protection Office had already conducted administrative proceedings against the Bank (described further in this point) regarding the breach of the obligation arising from Art. 34 section 1 of Regulation 2016/679 due to failure to notify data subjects about a personal data breach without undue delay. By decision of January 19, 2022, ref. no. (...), the President of the Personal Data Protection Office imposed an administrative fine on the Bank in the amount of PLN 545,748 for violating this provision of Regulation 2016/679. The above decision, as mentioned in point 2, was upheld by the judgment of the Provincial Administrative Court in Warsaw of November 15, 2022, dismissing the Bank's complaint (due to the submission of a cassation appeal by the Bank, the case is currently awaiting resolution by the Supreme Administrative Court). The repeated violation of the provisions of Regulation 2016/679 by failing to notify data subjects about a personal data breach without undue delay, and also by failing to notify the President of the Personal Data Protection Office about a detected personal data breach, demonstrates the Bank's disregard for the obligations related to the processing of personal data, its downplaying of the incident and its failure to recognize the incident's effect on the data subjects. The violation of the provisions of Regulation 2016/679 that is the subject of these proceedings, and which, as indicated, is not a one-off case, deserves a negative assessment, which is reflected in the imposition of an administrative fine on the Bank.
Pursuant to Art. 4 point 7 of Regulation 2016/679, "controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. In turn, "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4 point 8 of Regulation 2016/679).


According to EDPB Guidelines 04/2022, "Although all previous infringements may constitute information about the controller's or processor's general approach to compliance with the provisions of the GDPR, greater importance should be attached to infringements relating to the same subject matter, as they are closer to the infringement that is the subject of the current proceedings, in particular where the controller or processor has previously committed the same infringement (repeated infringements)" (paragraph 88 of the Guidelines). "In the first place, account must be taken of the time at which the earlier infringement occurred, given that the longer the time between that infringement and the infringement that is the subject of the ongoing proceedings, the less significant is the earlier infringement" (point 84 of the Guidelines). Since the supervisory authority has already conducted proceedings against Santander Bank Polska S.A. regarding a violation of Art. 34 section 1 of Regulation 2016/679, which resulted in the issuance of a decision imposing an administrative fine, this circumstance should undoubtedly be considered as having an aggravating effect on the amount of the administrative fine imposed.
The fact that in the analyzed situation there was no contract for entrusting the processing of personal data within the meaning of Art. 28 sec. 3 of Regulation 2016/679 does not deprive Sułkowicki Ośrodek Kultury or [...] of the status of, respectively, controller and processor. It follows from Guidelines 07/2020 that "The concepts of controller (...) and processor are functional concepts in the sense that their purpose is to allocate obligations in accordance with the real roles of the parties, and autonomous concepts in the sense that they should be interpreted mainly in accordance with EU data protection law". In the case at hand, there is no doubt that the Sułkowice Cultural Center was the controller of the personal data of its former and current employees that it processed. Responsibility for the selection of the processor should be assigned to SOK, as it is the controller that entrusts the processing of personal data to a natural or legal person of its choice; in Guidelines 07/2020 (describing who can be the controller), it is indicated that "In practice, however, it is usually the organization as such, and not a natural person within the organization (e.g. CEO, employee or board member), that acts as a controller within the meaning of the GDPR". Therefore, from the point of view of the subject matter of these proceedings, it is irrelevant which of the persons within the organization (i.e. SOK) decided to establish cooperation, even informal, with [...], and why.


Moreover, in other administrative decisions issued, the supervisory authority found violations of the provisions on the protection of personal data by the Administrator:
- in the decision of December 17, 2020 (reference number (...)), violation of Art. 6(1) and Art. 21 section 3 in connection with Art. 12 section 3 of Regulation 2016/679;
- in the decision of April 22, 2021 (reference number (...)), violation of Art. 6(1) in connection with Art. 5(1)(f) of Regulation 2016/679;
- in the decision of June 29, 2022 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of June 30, 2022 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of July 7, 2022 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of August 19, 2022 (reference number (...)), violation of Art. 15 section 1 in connection with Art. 12 section 3 of Regulation 2016/679;
- in the decision of August 30, 2022 (reference number (...)), violation of Art. 15 section 1 in connection with Art. 12 section 3 of Regulation 2016/679;
- in the decision of September 28, 2022 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of November 10, 2022 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of November 18, 2022 (reference number (...)), violation of Art. 12 section 3 in connection with Art. 15 section 3 of Regulation 2016/679;
- in the decision of January 9, 2023 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of August 22, 2023 (reference number (...)), violation of Art. 6(1) in connection with Art. 21 sections 2 and 3 of Regulation 2016/679;
- in the decision of September 22, 2023 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of December 8, 2023 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of January 23, 2024 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679;
- in the decision of January 30, 2024 (reference number (...)), violation of Art. 6(1) of Regulation 2016/679.
Due to the fact that pursuant to Art. 5 sec. 1 lit. a) and f) of Regulation 2016/679, personal data must be processed lawfully, fairly and in a transparent manner for the data subject ("lawfulness, fairness and transparency") and in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures ("integrity and confidentiality"), the choice of the entity entrusted with the processing of these data is very important from the point of view of the data controller. Art. 5 sec. 2 of Regulation 2016/679 provides that the controller is responsible for the processing of personal data in accordance with these principles and must be able to demonstrate compliance with them ("accountability") - therefore it is so important from its point of view to thoroughly investigate to which entity (and on what basis) it entrusts the processing of personal data. This thought is expressed directly in Art. 28 sec. 1 of Regulation 2016/679, according to which, if the processing is to be carried out on behalf of the administrator, he uses only the services of such processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing meets the requirements of this Regulation and protects the rights of the data subjects. Moreover, Guidelines 07/2020 state that "The elements to be taken into account may be: professional knowledge of the processor (e.g. technical knowledge in the field of security measures and data protection breaches); the reliability of the processor; the processor's resources and the application by the processor of an approved code of conduct or certification mechanism", that "The processor's reputation in the marketplace may also be an important factor that controllers should consider" and that "The controller is (...)
responsible for assessing the adequacy of the guarantees provided by the processor and should be able to prove that he took all the elements provided for in the GDPR seriously. Guarantees 'provided' by the processor are those that the processor is able to demonstrate to the satisfaction of the controller, as they are the only guarantees that the controller can effectively take into account when assessing compliance with its obligations. Often this will require the exchange of relevant documentation (e.g. privacy policy, terms of service, record of processing activities, document management policy, information security policy, reports from external data protection audits, internationally recognized certificates such as ISO 27000 standards). The controller's assessment of whether the guarantees are sufficient is a form of risk assessment, which largely depends on the type of processing entrusted to the processor and must be made on a case-by-case basis, taking into account the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons". In the present case, however, there are no indications that the controller took these elements into account.


The violations described above, which resulted in the supervisory authority applying corrective measures, including the final penalty imposed on the Administrator, are also important. The supervisory authority notices a connection between previously identified violations and the currently analyzed violations, such as a similar modus operandi of the Bank, consisting in intentional failure to provide authorized entities with specific personal data and information, which occurred, for example, in the case of a violation of Art. 15 section 1 and Art. 34 section 1 of Regulation 2016/679, or even the frequency of violations of personal data protection provisions committed by the Administrator. As can be seen from the list of decisions issued by the President of the Personal Data Protection Office presented above, over the last 4 months the supervisory authority has already issued 3 decisions in which it applied corrective measures to Santander Bank Polska S.A.
The fact described in a letter dated [...] December 2021 by the Administrator that the representative or employee of [...] was (at the time of the infringement) Mrs. B. G. - employed as the chief accountant in the Administrator's organization in 2017-2019 - is irrelevant from the point of view of the Administrator's compliance with the obligations arising from Art. 28 sec. 1 of Regulation 2016/679. Any personal ties do not constitute in this case the basis for a reliable assessment of the Processor's competences. As mentioned above, Guidelines 07/2020 clearly indicate which elements should be taken into account by the controller when assessing the processor.


Therefore, issuing numerous warnings and then imposing a financial penalty in the case with reference number (…), justifies not only the imposition of a financial sanction in these proceedings, but also its high level.
Only after a sufficiently in-depth examination of the competences and adequacy of the selected processor (which is - as indicated above - also an element of the risk assessment related to the processing of personal data) may the controller proceed to conclude an appropriate entrustment agreement. In Guidelines 07/2020 it was emphasized that "All processing of personal data by the processor must be governed by an agreement or other legal act under Union or Member State law concluded between the controller and the processor, as required by Art. 28 sec. 3 GDPR. Such a legal act shall be in writing, including electronic form (…). Therefore, unwritten contracts (irrespective of their degree of detail or effectiveness) cannot be considered sufficient to meet the requirements of Art. 28 GDPR". Guidelines 07/2020 also clearly indicate the consequences of failure to maintain the appropriate form of concluding a contract: "As the regulation clearly establishes an obligation to conclude a contract in writing, where no other relevant legal act is in force, its absence is a violation of the GDPR" - while it was also noted that "(…) it can be considered that the controller-processor relationship continues in the absence of a written data processing agreement. However, this would be a violation of Art. 28 sec. 3 GDPR".


Due to the above, in the present case it should be considered that there are grounds for treating the premise of Art. 83 section 2 lit. e) Regulation 2016/679 as aggravating.
Although Art. 28 sec. 1 of Regulation 2016/679 mainly indicates the obligations of the administrator wishing to entrust the processing of personal data to another entity, Guidelines 07/2020 indicate that "Both the administrator and the processor are responsible for ensuring the conclusion of a contract or other legal act regulating the processing (...) ". The contract is at least a two-sided legal act, and the seriousness of entrusting the processing of personal data requires the involvement of all parties. Meanwhile, on the basis of the evidence collected in the case at hand, it cannot be stated that the Administrator and the Processor have made even informal arrangements that included the elements listed in Art. 28 sec. 3 of the Regulation 2016/679.


4. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). In this case, the President of the Personal Data Protection Office found the Bank's cooperation with him unsatisfactory. This assessment concerns the Administrator's reaction to the letters of the President of the Personal Data Protection Office informing about the obligations of the administrator in connection with a data protection breach, and finally to the initiation of administrative proceedings regarding the obligation to report a personal data protection breach and notify data subjects about the breach. Actions that were correct in the opinion of the President of the Personal Data Protection Office (reporting the violation to the President of the Personal Data Protection Office and notifying the persons affected by the violation) were not taken by the Bank even after the President of the Personal Data Protection Office initiated administrative proceedings in the matter.
Once the controller has carefully selected the appropriate processor and the contract has been concluded, it should not be forgotten that the administrator's obligation to entrust the processing of personal data to an entity that meets the requirements set out in Art. 28 sec. 1 of Regulation 2016/679 lasts at least as long as the period of entrustment. As indicated in the above-mentioned guidelines: "The obligation to use only the services of processors 'providing sufficient guarantees' in Art. 28 sec. 1 GDPR is an ongoing obligation. It does not end when the contract or other legal act is concluded by the controller and the processor. Rather, the controller should verify the processor's guarantees at appropriate intervals, including through audits and inspections where appropriate (…)".


5. Categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679). The personal data disclosed do not belong to the special categories of personal data referred to in Art. 9(1) of Regulation 2016/679, nor to the data indicated in Art. 10 of Regulation 2016/679; however, the fact that the abandoned documentation included a wide range of them, in the form of: name and surname, date of birth, bank account number, address of residence or stay, PESEL registration number, e-mail address, username and/or password, data on earnings and/or owned assets, ID card series and number, telephone number, information on banking products, loans and bank accounts (i.e. names of contracts, dates of their conclusion, details of these products), and also information on property insurance policies (i.e., among others, policy numbers, date of issue, insurance sum, insurance premium, information regarding the insured property), involves a high risk of violating the rights and freedoms of natural persons. The PESEL number, i.e. an eleven-digit numerical symbol uniquely identifying a natural person, containing the date of birth, a serial number, a gender designation and a control number, is therefore closely related to the private sphere of the natural person and, as a national identification number, is also subject to exceptional protection under Art. 87 of Regulation 2016/679; it is data of a special nature and requires special protection. There is no other such specific data that would clearly identify a natural person. It is not without reason that the PESEL number serves as a data identifying each person and is commonly used in contacts with various institutions and in legal circles. The PESEL number together with the name and surname clearly identifies a natural person, in a way that allows the negative effects of the violation (e.g. identity theft, loan fraud) to be attributed to that specific person.
As can be seen from the above considerations, the decision as to whom the controller entrusts the processing of personal data cannot be made unreasonably. The consequences of a hasty decision, of the lack of an appropriate form or content of the entrustment agreement, or of neglect of the administrator's obligation to constantly verify the guarantees referred to in Art. 28 sec. 1 of Regulation 2016/679 may directly affect the natural persons whose personal data have been entrusted to the processor. Meanwhile, when applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1). In case of any doubts, e.g. as to the performance of obligations by administrators - not only in a situation where there has been a breach of personal data protection, but also when deciding on entrusting the processing of personal data to other entities - these values should be taken into account in the first place. These rights are consistently protected by the requirements of Art. 28 sec. 1, 3 and 9 of Regulation 2016/679, hence their violation must be associated with a response of the supervisory authority appropriate to the specific circumstances.


In this context, it is worth recalling the EDPB guidelines 04/2022, which states: "Regarding the requirement to take into account the categories of personal data affected by the breach (Article 83(2)(g) [Regulation 2016/679]), in [ Regulation 2016/679] clearly indicates the types of data that are subject to special protection, and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Art. 9 and 10 [Regulation 2016/679] and data not covered by these articles, the dissemination of which immediately causes harm or inconvenience to the data subject (e.g. location data, private communications data, national identification numbers or financial data, such as transactions or credit card numbers). Generally speaking, the more such categories of data are affected by a breach or the more sensitive the data are, the more weight a supervisory authority can assign to such a factor. The amount of data relating to each data subject also matters, because with the amount of data relating to each data subject, the scale of violations of the right to privacy and personal data protection increases.
In the case at hand, there is nothing to indicate that the Administrator has checked whether the Processing Entity provides sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of the data subjects. In a letter dated [] April 2022, SOK indicated that it did not have any documents confirming the verification of the terms of cooperation with […]. It is also irrelevant who specifically made the decision to entrust the processing of this data, as the Administrator is responsible for the selection of the processor. Therefore, it should be consistently assumed that the Administrator did not meet the requirements set out in Art. 28 sec. 1 of Regulation 2016/679, which results in its breach of this provision.


It is worth pointing out once again the emerging case law in this area, for example in the judgment of November 15, 2022, ref. no. II SA/Wa 546/22, the Provincial Administrative Court in Warsaw indicated: "It was also obvious that the authority, when determining the penalty, had to take into account the fact that the breach concerned highly sensitive data (including PESEL, address, health data)". This view was also shared by the above-mentioned court in its judgment of June 21, 2023 in case no. II SA/Wa 150/23, where the Provincial Administrative Court in Warsaw indicated: "To sum up, the Court is of the opinion that the disclosure of the PESEL number indicates a high risk of violating the rights and freedoms of natural persons."
The explanations provided by the Administrator show that (despite the failure to fulfill the obligations under Article 28(1) of Regulation 2016/679), the processing of data was actually entrusted to [...]. In the notification addressed to the data subjects of the violation (which was made in accordance with Article 34 of Regulation 2016/679), the SOK, describing the violation, indicated that: " , taxes and ZUS) to an external entity. The processing of personal data was entrusted without concluding an appropriate contract for entrusting the processing of personal data. Documentation (VAT registers, fixed assets register, VAT declarations) was stored by an external entity. There was a possibility of a personal data breach by an external entity or employees (former or current). SOK is not in possession of a single document in any possible form regarding settlements with ZUS in the period September 2017-December 2018. This results in the complete inability to perform the actions required by ZUS calls to explain the irregularities of the prepared documentation, calculate contributions and establish the public-law liabilities of SOK, as well as the complete impossibility of making paper documents available at the request of the ZUS inspector. All documents (the entire database) for the period September 2017-December 2018, based on the assurances obtained, were handled outside the seat of SOK and on private equipment without authorization and appropriate security." Moreover, from the explanations provided by the Administrator in a letter dated [...] November 2021, it follows directly that no entrustment agreement has been concluded with the Processor, and asking him for information, explanations and return or sharing of the processed data turned out to be ineffective. To some extent, the administrator restored the data to which he lost access as a result of entrusting their processing to [...] - in a letter of [...] December 2021, however, he indicated that only information from the Social Insurance Institution was available.


When determining the amount of the administrative fine, the President of the Personal Data Protection Office found no grounds to take into account mitigating circumstances affecting the final penalty. All the conditions listed in Art. 83 section 2 lit. a)-j) of Regulation 2016/679, in the opinion of the supervisory authority, constitute either aggravating or only neutral conditions. Also applying the premise specified in Art. 83 section 2 lit. k) of Regulation 2016/679 (requiring account to be taken of any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found.
The information that the entrustment agreement had not been concluded was repeated by the Administrator in a letter of [...] December 2021, and in the explanations dated [...] April 2022 he additionally indicated that he did not have any documents confirming the commencement and completion of cooperation with […]. The fact that in the case in question there was a breach of the obligation to conclude an entrustment agreement in an appropriate form (i.e. the obligation referred to in Article 28(9) of Regulation 2016/679) and with appropriate content (which is specified in Article 28(3) of Regulation 2016/679) is therefore indisputable. From the information provided by the Administrator that the breach concerned data for the period from September 2017 to December 2018, it can be concluded that the cooperation between SOK and the Processor could have ended on [...] December 2018 at the earliest, and at the latest must have ended on [...] June 2020, when Mr. K. G., running a business under the name of [...], died (according to the information contained in the Central Register and Information on Economic Activity of the Republic of Poland). The date of termination of cooperation determined in this way may also be associated with the end of the infringement of the provisions of Regulation 2016/679 - taking into account the fact that data availability was only partially restored. In turn, when this collaboration could have started remains unclear. Due to the fact that, as a result of the entrustment to the Processor, the Administrator has lost the availability of data resulting from settlements with ZUS from September 2017 to December 2018, it can be assumed that the violation of the provisions of Regulation 2016/679 lasted from [...] May 2018, when the provisions of that regulation became applicable.


Other circumstances indicated below, referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the Personal Data Protection Office to be neutral in his opinion, i.e. having neither an aggravating nor mitigating effect on the amount of the administrative fine imposed:
In the present case, it should be emphasized that one of the consequences of the Administrator's failure to fulfill the obligations under Art. 28 sec. 1, 3 and 9 of Regulation 2016/679 is the impossibility of regaining access to all personal data entrusted to the Processor.


1. Actions taken by the controller to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679). Based on the evidence collected in the case, no such actions were found to have been taken by the Controller.
Bearing in mind the above findings, the President of the Personal Data Protection Office, exercising his powers specified in art. 58 sec. 2 lit. i) Regulation 2016/679, pursuant to which each supervisory authority has the power to apply, in addition to or instead of other remedial measures provided for in Art. 58 sec. 2 lit. a) -h) and lit. (j) of that Regulation, an administrative fine pursuant to Article 83 sec. 4 lit. a) of Regulation 2016/679, having regard to the circumstances established in the proceedings in question, stated that in the case under consideration there were premises justifying the imposition of an administrative fine on the Administrator.


2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 (Article 83(2)(d) of Regulation 2016/679). The violation of the provisions of Regulation 2016/679 assessed in these proceedings (failure to report a personal data protection breach to the President of the Personal Data Protection Office and failure to notify data subjects of a personal data breach) has no connection with the technical and organizational measures used by the administrator.
Pursuant to Art. 83 sec. 4 lit. a) of Regulation 2016/679, breach of the provisions on the obligations of the controller and the processor referred to in Art. 8, 11, 25-39 as well as 42 and 43 is subject, in accordance with sec. 2, to an administrative fine of up to EUR 10,000,000, and in the case of an undertaking - up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher.


3. The manner in which the supervisory authority learned about the breach (Article 83(2)(h) of Regulation 2016/679). The President of the Personal Data Protection Office was not informed about the breach of personal data protection that is the subject of this case in accordance with the procedure for such situations specified in Art. 33 of Regulation 2016/679. The President of the Personal Data Protection Office learned of the breach in question - related to the event involving the disclosure of personal data of the Bank's clients as a result of the theft of a parcel containing banking documentation relating to 158 people during its transport by a courier company, and then the abandonment of the open parcel in a public place, as a result of which the documentation was reviewed by an unauthorized person - from a message on the website (...), which described the incident of "leakage of bank customer documents", which "were found in a cardboard box scattered in a gated housing estate in K." Failure to report a personal data protection breach to the supervisory authority and to notify data subjects about the personal data protection breach is the sole subject of these proceedings, and in the circumstances of the facts under consideration, the supervisory authority assumed that it would not treat this condition as an aggravating circumstance.
In the present case, an administrative fine against SOK was imposed for violation of Art. 28 sec. 1, 3 and 9 of Regulation 2016/679 on the basis of the above-mentioned Art. 83 sec. 4 lit. a) of Regulation 2016/679, while taking into account the content of Art. 102 para. 2 of the PDPA, from which it follows that the President of the Personal Data Protection Office may impose, by way of a decision, administrative fines of up to PLN 10,000 on public finance sector entities referred to in Art. 9 point 13 of the Act of 27 August 2009 on public finances (Journal of Laws of 2022, item 1634, as amended) - i.e. state and local government cultural institutions. Pursuant to Art. 102 para. 3 of the PDPA, the fine referred to in para. 2 is imposed by the President of the Personal Data Protection Office (UODO) on the basis of and under the conditions specified in Art. 83 of Regulation 2016/679.


4. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679). Before issuing this decision, the President of the Personal Data Protection Office did not apply to the Administrator any measures listed in Art. 58 section 2 of Regulation 2016/679; therefore the Administrator was not obliged to take any actions related to their application which, assessed by the President of the Personal Data Protection Office, could have had an aggravating or mitigating effect on the assessment of the identified violation.
When deciding to impose an administrative fine on the Administrator, the President of the Personal Data Protection Office pursuant to Art. 83 sec. 2 lit. a-k of the regulation 2016/679 - took into account the following circumstances of the case, aggravating and affecting the size of the imposed financial penalty:


5. Application of approved codes of conduct under Art. 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 (Article 83(2)(j) of Regulation 2016/679). The administrator does not use the instruments referred to in Art. 40 and art. 42 of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for in Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. However, the adoption and use of this type of instruments as measures guaranteeing a higher than standard level of protection of processed personal data could be taken into account to the Administrator's advantage.
1. The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing, the number of data subjects affected and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679) - when imposing the penalty, account was taken of the fact that the provisions of Regulation 2016/679 breached in this case impose on the controller one of his basic and key obligations for the security of the processed personal data: verification of the processor and conclusion of the entrustment agreement in an appropriate form and with appropriate content. Moreover, the consequence of violating the provisions of Art. 28 sec. 1, 3 and 9 of Regulation 2016/679 was a breach of the confidentiality and availability of data of thirty former and current employees of the Administrator. This breach indirectly harms the interests of employees, which SOK in particular should protect, and may also have negative consequences in the light of the provisions of other areas of law (labor law, social security or accounting regulations). When considering the aspect of the purpose of processing, it should be noted that the personnel service of employment contracts requires special diligence, and there is an imbalance between the SOK (employer) and data subjects (employees). The violation of the above-mentioned provisions is of considerable importance and seriousness, also because it may cause material or non-material damage to the data subjects, and the likelihood of its occurrence cannot be excluded. In addition, the risk arising from the wide range of data covered by the breach should be taken into account. It should be emphasized that there is still a risk of unlawful use of their personal data in relation to the persons whose data has been affected, because nothing is known about the organizational and technical measures applied by [...] to ensure the security of processing the entrusted data, and also the data to which the Administrator lost access as a result of the entrustment in question was not returned. The data subjects whose data were entrusted in violation of the requirements of Art. 28 sec. 1 of Regulation 2016/679 may therefore still suffer material damage, and the very breach of data confidentiality is also non-pecuniary damage (harm). The data subject may, at the very least, feel the fear of losing control of their personal data, of identity theft or identity fraud, and finally of financial loss. In addition, the violation in question involves the loss of control over data that is potentially needed by the data subjects (e.g. data on acquired employee rights) - proper verification of the Processor makes it possible to reduce the risk of entrusting the data to an entity that may not return it.


6. Financial benefits or avoided losses obtained directly or indirectly in connection with the breach (Article 83(2)(k) of Regulation 2016/679). The President of the Personal Data Protection Office did not find that the Administrator obtained any financial benefits or avoided any losses in connection with the breach. Therefore, there are no grounds to treat this circumstance as aggravating for the Administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state, independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. This is confirmed by the very wording of the provision of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - obtained on the part of the entity committing the infringement.
Although, on the basis of the evidence collected in the case, it is difficult to precisely determine the duration of the violation, it should be assumed that the duration of the violation was relatively long. As shown above, its starting date should be the date of application of the provisions of Regulation 2016/679 (i.e. […] May 2018). The breach could have ended at the earliest by the end of December 2018, and at the latest with the death of Mr. K. G. - the Processing Entity ([...] June 2020) - taking into account the fact that SOK still has not regained the availability of some data.


The President of the Personal Data Protection Office does not notice any other aggravating or mitigating factors applicable to the circumstances of this case.
When assessing the premise of Art. 83 sec. 2 lit. a) of Regulation 2016/679, which has a generally aggravating impact on the penalty, it should also be noted that the Administrator conducts a non-profit, socially useful activity, and that local government cultural institutions have been treated by the legislator in a special way by reducing, in Art. 102 para. 2 of the PDPA, the maximum amount of an administrative fine to PLN 10,000. The scope of processing is small (local) and concerns a relatively small number of people - hence the number of injured persons is also small. Moreover, no material damages were found (no non-pecuniary damages were reported either) - as indicated above, however, there is still a risk of their occurrence in this case.


In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in the established circumstances of this case fulfills the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.
2. Intentional or unintentional nature of the breach (Article 83 (2) (b) of Regulation 2016/679) - it does not follow from the evidence collected in this case that the disclosure of personal data [...] without proper verification of this entity and without concluding a contract of entrustment in the form provided for by law and with appropriate content, took place as a result of actions aimed at the violation of Regulation 2016/679. But the fact that the controller's intentional act (knowledge and will to infringe) has not been proven does not in this case amount to assuming that this premise should not be assessed as aggravating. The degree of negligence shown by the Administrator when entrusting the Processing Entity with the processing of personal data of SOK employees is gross - it proves the lack of compliance with the basic principles of personal data protection resulting from ignorance or disregard of the provisions of Regulation 2016/679.


Taking into account the administrative fine imposed on the Bank by the previous decision of the President of the Office for Personal Data Protection (reference number (...)), it should be assumed that its amount was not effective; therefore the President of the Personal Data Protection Office decided to increase the amount of the penalty imposed by this decision. The penalty will be effective if its imposition results in the Bank, which processes personal data professionally and on a mass scale, fulfilling in the future its obligations in the field of personal data protection, in particular as regards reporting personal data protection breaches to the President of the Personal Data Protection Office and notifying the persons affected by a breach of the protection of their personal data.
3. The degree of the Administrator's responsibility, taking into account technical and organizational measures implemented pursuant to Art. 25 and 32 (Article 83 (2) (d) of Regulation 2016/679) - the findings made by the President of the Personal Data Protection Office allow the conclusion that the Administrator has not complied with the obligations set out in Art. 28 sec. 1 of Regulation 2016/679 (regarding the verification whether the Processor provided sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of this Regulation and protects the rights of data subjects), and also did not conclude a processing agreement in the form prescribed by law (Art. 28 (9) of Regulation 2016/679) and with the content referred to in Art. 28 sec. 3 of Regulation 2016/679. As a result of informally entrusting the processing of personal data, not only their confidentiality was lost, but also (to some extent) their availability, for which the Administrator is responsible. It is also impossible to state that entrusting the processing of personal data was in accordance with the organizational measures introduced by the Administrator (procedures or regulations establishing the obligation to verify the processor and specifying the manner of concluding contracts for entrusting the processing of personal data), which would ensure compliance with the requirements of Art. 28 of Regulation 2016/679.


In the opinion of the President of the Personal Data Protection Office, the administrative fine will fulfill a repressive function as it will be a response to the Bank's violation of the provisions of Regulation 2016/679. It will also have a preventive function; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the Bank and other data controllers that it is reprehensible to ignore the obligations of controllers related to the occurrence of a personal data protection breach, which are aimed at preventing its negative and often painful effects for the persons affected by the breach, as well as removing these effects or at least limiting them.
4. The categories of personal data concerned by the infringement (Article 83 (2) (g) of Regulation 2016/679) - the personal data whose processing was entrusted in a manner that does not meet the requirements of Art. 28 sec. 1, 3 and 9 of Regulation 2016/679 have a wide scope (first and last names, parents' names, dates of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, data on earnings and/or property, mother's maiden names, series and numbers of identity cards, telephone numbers, as well as data of a special category within the meaning of Article 9 of Regulation 2016/679: health data), which also entails a high risk of violating the rights or freedoms of the individuals affected by the violation. It should be emphasized that, in particular, the unauthorized disclosure of such a category of data as a PESEL number (in combination with a first and last name) may have a real and negative impact on the protection of the rights or freedoms of natural persons. The PESEL number, i.e. an eleven-digit numeric symbol uniquely identifying a natural person, containing the date of birth, serial number, gender (and a control number), and therefore closely related to the private sphere of a natural person and also subject to exceptional protection as a national identification number under Art. 87 of Regulation 2016/679, is data of a special nature and requires such special protection.


Pursuant to the content of Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "PDA", the equivalent of the amounts expressed in euros referred to in Art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28 each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the next exchange rate table of the National Bank of Poland after this date.
When determining the amount of the administrative fine imposed on SOK, the President of the Personal Data Protection Office took into account the following premises as mitigating circumstances:


Taking the above into account, the President of the Personal Data Protection Office, pursuant to Art. 83 section 4 lit. a) in connection with Art. 103 of the Personal Data Protection Act, for the violation described in the operative part of this decision, imposed on the Bank - applying the average euro exchange rate of January 29, 2024 (1 EUR = PLN 4.3653) - an administrative fine in the amount of PLN 1,440,549 (the equivalent of EUR 330,000).
1. Actions taken by the controller to minimize the damage suffered by the data subjects (Article 83 (2) (c) of Regulation 2016/679) - SOK did not receive information about material damage to persons affected by the infringement. It should be pointed out that immediately after the disclosure of the breach of personal data protection, before the commencement of administrative proceedings, SOK took steps to clarify the circumstances of entrusting data processing [...] and to regain the availability of lost personal data. The decision indicated as an aggravating circumstance that data subjects may still suffer material damage, and the breach of confidentiality itself is also a non-pecuniary damage (harm), but taking measures to regain data availability should be assessed as a mitigating circumstance - these are actions taken to minimize the damage suffered by the data subjects.


In the opinion of the President of the Personal Data Protection Office, the fine imposed in the amount of PLN 1,440,549 (in words: one million four hundred and forty thousand five hundred and forty-nine zlotys) meets the conditions referred to in Art. 83 section 1 of Regulation 2016/679 due to the seriousness of the identified violation in the context of the basic objective of Regulation 2016/679 - protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. Referring to the amount of the administrative fine imposed on the Bank, the President of the Office of Personal Data Protection concluded that it is proportional to the financial situation of the Administrator and will not constitute an excessive burden for it.
2. Relevant previous violations of the provisions of Regulation 2016/679 (Article 83 (2) (e) of Regulation 2016/679) - until the moment of issuing this decision, the President of the Personal Data Protection Office found no violations of the provisions of Regulation 2016/679 by the Administrator;


The "Annual Report of Santander Bank Polska S.A. for 2022" presented by the Administrator shows that the Bank's total revenues (i.e. interest, commissions and dividends) in 2022 amounted to PLN 13,061,886,000; therefore the amount of the administrative fine imposed in this case is approx. 0.01% of this amount of revenues. At the same time, it is worth emphasizing that the amount of the imposed penalty of PLN 1,440,549 is only 0.55% of the maximum amount of the penalty that the President of the Personal Data Protection Office could have imposed on the Bank for the violations found in this case - applying, in accordance with Art. 83 section 4 of Regulation 2016/679, a maximum penalty of up to 2% of the total annual turnover from the previous financial year (i.e. PLN 261,237,720).
3. The degree of cooperation with the supervisory authority in order to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of the Regulation 2016/679) - SOK has independently undertaken a number of actions aimed at, inter alia, regaining access to lost data - and thus: mitigating its possible negative effects.


The amount of the penalty was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of violation of the administrator's obligations, but on the other hand, it does not result in a situation in which the need to pay a financial penalty will result in negative consequences, in the form of a significant reduction in employment or significant decline in the Bank's turnover. According to the President of the Personal Data Protection Office, the Bank should and is able to bear the consequences of its negligence in the field of data protection, as evidenced by the Bank's Annual Report, sent to the President of the Personal Data Protection Office on January 5, 2024.
4. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly due to the infringement or avoided losses (Article 83 (2) (k) of Regulation 2016/679) - the President of the Personal Data Protection Office did not find in the course of these proceedings that SOK, by committing the punishable infringement, obtained any financial benefits or avoided any financial losses.


At the same time, the President of the Personal Data Protection Office, pursuant to Art. 83 section 3 of Regulation 2016/679, decided to impose one penalty for the two violations attributed to the Administrator in the proceedings with reference number DKN.5131.59.2022. The source of both violations is the same event, i.e. the loss of a shipment of banking documents containing data of the Bank's customers, and the subsequent decision of the Bank not to report this fact to the President of the Personal Data Protection Office and not to notify the data subjects about the breach of personal data protection. These events are so contextually, spatially and temporally related that, in accordance with the EDPB Guidelines No. 4/2022 on the calculation of administrative fines under the GDPR, they should be treated as one behavior of the controller, leading to the imposition of one fine (point 28 of the Guidelines).
The fact that the President of the Personal Data Protection Office applied to the Administrator in this case a sanction in the form of an administrative fine, as well as its amount, was not affected by the other circumstances indicated in Art. 83 sec. 2 of Regulation 2016/679, that is:


Finally, it is necessary to point out that when determining the amount of the administrative fine in this case, the President of the Personal Data Protection Office applied the methodology adopted by the European Data Protection Board in Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on May 24, 2023. In accordance with the instructions presented in this document:
1. The way in which the supervisory authority learned about the breach (Article 83 (2) (h) of Regulation 2016/679) - the President of the Personal Data Protection Office found a breach of the provisions of Regulation 2016/679 as a result of the notification of the breach of personal data protection made by the Administrator; however, since by making this notification the Administrator only fulfilled the legal obligation imposed on it, there are no grounds to recognize this circumstance as mitigating. In accordance with the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP 253: "The supervisory authority may become aware of a breach as a result of investigations, complaints, press articles, anonymous indications or notification by the data controller. Pursuant to the regulation, the controller is obliged to notify the supervisory authority of a breach of personal data protection. Mere compliance with this obligation by a controller cannot be interpreted as an attenuating/mitigating factor".


1. The President of the Personal Data Protection Office categorized the violations of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The violations of both provisions of Regulation 2016/679 (Article 33(1) and Article 34(1)) found in this case belong - in accordance with Art. 83 section 4 lit. a) of Regulation 2016/679 - to the category of infringements punishable by the lower of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 10,000,000 or up to 2% of the enterprise's total annual turnover in the previous financial year). Therefore, they were considered in abstracto (in isolation from the individual circumstances of a specific case) by the EU legislator as less serious than the violations indicated in Art. 83 section 5 of Regulation 2016/679.
2. Compliance with previously applied measures in the same case, referred to in Art. 58 sec. 2 of Regulation 2016/679 (Article 83 (2) (i) of Regulation 2016/679) - in this case, measures referred to in Art. 58 sec. 2 of Regulation 2016/679.


2. The President of the Personal Data Protection Office assessed the violations identified in this case as violations of low seriousness (see Chapter 4.2 of Guidelines 04/2022). As part of this assessment, the following conditions were taken into account, among those listed in Art. 83 section 2 of Regulation 2016/679, which concern the subject matter of the infringements (constituting the "seriousness" of the infringement), i.e.: the nature, gravity and duration of the infringements (Article 83(2)(a) of Regulation 2016/679), the intentional or unintentional nature of the breaches (Article 83(2)(b) of Regulation 2016/679) and the categories of personal data affected by the breaches (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances is presented above. It should be noted here that consideration of their combined impact on the assessment of the violations identified in this case, treated as a whole, leads to the conclusion that their level of seriousness, also in concreto, is low (on the scale of the seriousness of violations presented in point 60 of Guidelines 04/2022). The consequence of this is that a value ranging from 0 to 10% of the maximum amount of the penalty that can be imposed on the Bank should be adopted as the starting amount for calculating the penalty. Considering that the provision of Art. 83 section 4 of Regulation 2016/679 obliges the President of the Personal Data Protection Office to adopt, as the maximum penalty for the violations indicated in this provision, the amount of EUR 10,000,000 or - if this value is higher than EUR 10,000,000 - an amount constituting 2% of the Company's turnover in the previous financial year, the President of the Personal Data Protection Office decided that the so-called dynamic maximum penalty amount applies, i.e. EUR 59,844,162, resulting from the application of a 2% indicator to the Bank's turnover for 2022, the value of which amounted to EUR 2,992,208,096 (equivalent to PLN 13,061,886,000).
Having a range from EUR 0 to EUR 59,844,162, the President of the Personal Data Protection Office adopted, as adequate and justified by the circumstances of the case, a starting amount for calculating the penalty of EUR 2,393,766,000 (representing 4% of the dynamic maximum amount of the penalty).
3. Application of approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of Regulation 2016/679 (Article 83 (2) (j) of Regulation 2016/679) - the administrator does not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679.


3. Pursuant to the advice of the European Data Protection Board presented in point 66 of Guidelines 04/2022 (in relation to enterprises with an annual turnover exceeding EUR 500 million), the President of the Personal Data Protection Office did not consider it justified to use the possibility of reducing the starting amount adopted on the basis of the assessment of the seriousness of the violation, which these guidelines (in Section 4.3) provide for enterprises of smaller size and economic strength. The EDPB points out that in the case of large entities (and the Bank is undoubtedly one of them in this case, as evidenced by its turnover) "the size of the enterprise is already reflected in the dynamic statutory maximum amount" (point 66 of Guidelines 04/2022).
Taking into account all the above-mentioned circumstances, the President of the Personal Data Protection Office decided that the imposition of an administrative fine on the Controller is necessary and justified by the weight, nature and scope of the alleged infringement of the provisions of Regulation 2016/679. It should be stated that any other remedy provided for in Art. 58 sec. 2 of Regulation 2016/679, and in particular stopping at a reprimand (Article 58 (2) (b) of Regulation 2016/679), would not be proportionate to the identified irregularities in the processing of personal data and would not guarantee that the above-mentioned entity will not commit similar negligence in the future.


4. The President of the Personal Data Protection Office assessed the impact of the other circumstances specified in Art. 83 section 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer - as assumed by Guidelines 04/2022 - to the subjective side of the infringement, i.e. to the entity itself that is the perpetrator of the infringement and to its behavior before, during and after the occurrence of the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement is presented above. The President of the Personal Data Protection Office found (as justified in the part of the reasoning presented above) that the aggravating circumstances in this case, and therefore those additionally increasing the penalty imposed by this decision, are the relevant previous violations on the part of the Bank found by the President of the Personal Data Protection Office (Article 83 section 2(e) of Regulation 2016/679), as well as the degree of cooperation of the Bank with the President of the Personal Data Protection Office in order to eliminate the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). The remaining premises (from Article 83(2)(c), d), h), i), j), k) of Regulation 2016/679) - as indicated above - had no impact, neither mitigating nor aggravating, on the assessment of the violations and, consequently, on the penalty. Therefore, due to the existence of additional aggravating circumstances related to the subjective side of the violations (assessment of the Bank's conduct before and after the violations), the President of the Personal Data Protection Office found it justified to increase the amount of the penalty determined on the basis of the assessment of the seriousness of the violations (point 2 above).
In the opinion of the President of the Personal Data Protection Office, its increase to EUR 2,600,000 is adequate to the impact of these premises on the assessment of the violations.
In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed on the Sułkowice Cultural Center based in Sułkowice in the amount of PLN 2,500 (in words: two thousand five hundred zlotys), under the established circumstances of this case, performs the functions referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case. At this point, the content of Art. 102 sec. 2 of the Personal Data Protection Act should be noted, which limits the amount (to PLN 10,000) of the fine that may be imposed on a unit of the public finance sector referred to in Art. 9 point 13 of the Act of 27 August 2009 on Public Finance.


5. The President of the Personal Data Protection Office stated that the amount of the administrative fine determined in the manner presented above does not exceed - pursuant to Art. 83 section 3 of Regulation 2016/679 - the legally defined maximum penalty for the most serious violation (see Chapter 6 of Guidelines 04/2022). In the case of both violations of the provisions of Regulation 2016/679 found in this case, the legally determined (dynamic) maximum penalty amount is the same - as indicated above in point 2, EUR 59,844,162, i.e. 2% of the Bank's turnover achieved in 2022. Therefore, both violations have the same seriousness, and the above-mentioned penalty amount of EUR 2,600,000 clearly does not exceed the maximum penalty provided for each of them individually.
In the opinion of the President of the Personal Data Protection Office, the penalty imposed on the Controller is proportional to the seriousness of the breach in the context of the basic objective of Regulation 2016/679 - protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data.


6. Even though the amount of the penalty determined in accordance with the above principles does not exceed the legally defined maximum penalty, the President of the Personal Data Protection Office found that it requires additional correction due to the principle of proportionality mentioned in Art. 83 section 1 of Regulation 2016/679 as one of the three sentencing directives (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of EUR 2,600,000 would be an effective penalty (due to its severity, it would achieve its repressive goal, which is to punish illegal behavior) and a deterrent one (effectively discouraging both the Company and other controllers from committing future violations of the provisions of Regulation 2016/679). However, such a penalty would be - in the opinion of the President of the Personal Data Protection Office - disproportionate both in relation to the gravity of the identified violations (which in abstracto and in concreto is low - see points 1 and 2 above) and because its severity would be excessive in relation to this gravity. The principle of proportionality requires, among other things, that the measures adopted by the administrative authority do not go beyond what is appropriate and necessary to achieve legitimate objectives (see point 137 and point 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 […]; Comment on Article 83 [in:] P. Litwiński (ed.), General Data Protection Regulation. Selected sectoral regulations). Therefore, taking into account the proportionality of the penalty, the President of the Personal Data Protection Office further reduced the amount of the penalty - to EUR 330,000 (equivalent to PLN 1,440,549).
In his opinion, such determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is the threshold above which a further increase in the amount of the penalty would not result in an increase in its effectiveness and deterrent nature. On the other hand, reducing the fine to a greater extent could be at the expense of its effectiveness and dissuasive nature, as well as of the coherent - in relation to other supervisory authorities and the EDPB - understanding, application and enforcement of Regulation 2016/679, and of the principle of equal treatment of entities on the internal market of the EU and the EEA.
At the same time, in the opinion of the President of the Personal Data Protection Office, the penalty in this amount will be effective (it will achieve the goal of punishing the Administrator for a serious infringement with serious consequences) and dissuasive in the future (it will cause the Administrator, in order to avoid further sanctions, to pay due attention to the processing of personal data carried out by and with the help of the Processor).


In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.
Summarizing the above, in the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in this case meets the conditions (the penalty functions) referred to in Art. 83 sec. 1 of Regulation 2016/679, due to the seriousness of the infringement found in the context of the basic requirements and principles of Regulation 2016/679.


[1] The above guidelines updated and supplemented the Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01), adopted on October 3, 2017.
Bearing in mind the above, the President of the Personal Data Protection Office resolved as in the operative part of this decision.


[2] Guideline 01/2021 of the European Data Protection Board on examples for notification of personal data breaches adopted on 14 December 2021, version 2.0 (hereinafter "Guideline 01/2021").
[1] Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor included in the GDPR (Version 2.0, adopted on July 7, 2021), hereinafter referred to as Guidelines 07/2020;


[3] https://www.zbp.pl/getmedia/2d3304db-34e6-4929-94cc-b9390456ff7a/infodok-2023-07-09-wydanie-55-sklad-231023-gk08
2022-09-16

Latest revision as of 09:46, 25 April 2024

UODO - DKN.5131.29.2022
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 28(1) GDPR
Article 28(3) GDPR
Article 28(9) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.09.2022
Published:
Fine: 529 EUR
Parties: Sułkowice Cultural Center
National Case Number/Name: DKN.5131.29.2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: n/a
Looking for decision DKN.5131.59.2022 (a bank failing to notify about a data breach, from the 25.04.2024 newsletter)? Due to a technical error it is here, we apologize for any inconvenience

The Polish DPA fined a cultural organisation €529 for not concluding a written agreement under Article 28 GDPR with its processor.

English Summary

Facts

In May 2020, the Polish DPA received a notification of a personal data breach caused by the Sułkowice Cultural Centre (the controller). The data breach affected 30 persons, including employees of the controller. The DPA initiated an investigation, in which it found that the controller had entrusted the processing of personal data to an entity (the processor) without entering into a written data processing agreement. Moreover, the controller did not verify whether the processor provided sufficient guarantees of the implementation of appropriate technical and organisational measures in accordance with the GDPR.

The processor was responsible for keeping accounting books and records as well as preparing reports. Therefore, it was entrusted with the processing of employees' and former employees' personal data, including names, dates of birth, bank account numbers, residence addresses, personal identification numbers (PESEL), email addresses, data on earnings and/or property, mothers' family names, series and numbers of ID cards, telephone numbers, and health data.

Since the Polish DPA was not able to obtain information on any contract concluded between the controller and the processor with regard to the above-discussed processing operations, the DPA initiated ex officio administrative proceedings against the controller.

Holding

First, the Polish DPA reiterated Article 28(1) GDPR, which prescribes that sufficient guarantees to implement appropriate technical and organisational measures must exist whenever the controller mandates data processing activities to be carried out on their behalf. Moreover, in line with Article 28(3) GDPR, a data processing agreement must be concluded between the controller and the processor, which stipulates the conditions of processing. Additionally, Article 28(9) GDPR requires the agreement to be in writing, including in electronic form.

Second, the DPA clarified the roles of the entities involved in the processing. As the employer and main administrator, the Cultural Centre was considered to be the controller. Meanwhile, the entity entrusted with keeping accounting records was the processor, as it was only processing data on the controller's behalf. Hence, it was the responsibility of the controller to fulfil the requirements of Article 28 GDPR.

The DPA concluded that the controller failed to comply with Article 28(1), (3) and (9) GDPR by not concluding a written agreement with the processor. It imposed a €529 fine on the controller for this violation.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT OF THE PERSONAL DATA PROTECTION OFFICE

Warsaw, September 7, 2022

DECISION

DKN.5131.29.2022

Pursuant to Art. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended), Art. 7 sec. 1, Art. 60 and Art. 102 sec. 2 and sec. 3 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "uodo", as well as Art. 57 sec. 1 lit. a) and h), Art. 58 sec. 2 lit. i), Art. 83 sec. 1 and 2 and Art. 83 sec. 4 lit. a) in connection with Art. 28 sec. 1, 3 and 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of May 4, 2016, p. 1, Official Journal of the EU L 127 of May 23, 2018, p. 2 and Official Journal of the EU L 74 of March 4, 2021, p. 35), hereinafter referred to as "Regulation 2016/679", after conducting the administrative proceedings initiated ex officio regarding the infringement by Sułkowicki Ośrodek Kultury with its seat in Sułkowice at ul. 1 Maja 70 of the provisions on the protection of personal data, the President of the Office for Personal Data Protection

finding an infringement by the Sułkowice Cultural Center, with its seat in Sułkowice at ul. 1 Maja 70, of Art. 28(1), (3) and (9) of Regulation 2016/679, consisting in entrusting Mr K. G., running a business under the name [...], with the processing of personal data without a written entrustment agreement and without verifying whether the processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing complies with the requirements of Regulation 2016/679 and protects the rights of data subjects, imposes on the Sułkowice Cultural Center, with its seat in Sułkowice at ul. 1 Maja 70, an administrative fine of PLN 2,500 (in words: two thousand five hundred zlotys).

Justification

On [...] May 2020, the President of the Personal Data Protection Office, hereinafter referred to as the President of UODO, received a notification of a personal data breach made by Sułkowicki Ośrodek Kultury with its seat in Sułkowice at ul. 1 Maja 70 (hereinafter referred to as "SOK" or "Administrator"), registered under file number [...], informing of a breach of the personal data protection of 30 people, employees and former employees of the Administrator. SOK (in accordance with its statute, constituting an appendix to Resolution No. XII/72/2015 of the City Council in Sułkowice of 30 September 2015) is an organizational unit of the commune established to carry out its own obligatory tasks in the field of culture.

In the course of the investigation conducted in connection with the reported breach of personal data protection, it was found that SOK had entrusted the processing of the personal data of the above-mentioned persons to Mr K. G., running a business under the name [...] with a place of business in T. No. [...], hereinafter referred to as "[...]" or "Processor", without concluding a written entrustment agreement and without verifying whether the processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. As established, the Administrator commissioned the above-mentioned entity with: keeping the accounting books and records and preparing reports (in the area of finance, taxes and the Social Insurance Institution), processing personal data with the necessary attachments, and storing documentation (VAT records, records of fixed assets, VAT declarations), thus entrusting it with the processing of the personal data of the Administrator's employees and former employees in the form of: names and surnames, parents' names, dates of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, data on earnings and/or property, mothers' maiden names, series and numbers of ID cards, telephone numbers, and health data. In addition, SOK explained in its letters of [...] November and [...] December 2021 and [...] April 2022 that "There has been no entrustment agreement with the processor. The processor was asked for information, clarification and the return/sharing of the processed data, but to no avail", "No contracts were concluded between SOK and the company [...]. (...) It is highly probable that Mrs G., on the authority of the then Director, performed such activities using the ZUS Płatnik program outside the seat, transferring the database or the new database she created", "(...) (the administrator) does not have any documents confirming the start and termination of cooperation with the company [...] (...)" and "(...) (the administrator) does not have any documents confirming the verification of the terms of cooperation with the company [...] (...)".

Attached to the letter of [...] November 2021, the Administrator presented letters of [...] June 2020 addressed, inter alia, to the Director of SOK in 2015-2019, the acting Director of SOK in 2019-2020, the chief accountant of SOK in 2017-2019 (Ms B. G.) and the chief accountant of SOK in 2019-2020, asking for information "on what legal and factual basis this company [note: [...]] kept the documentation of the Center, whether a civil law contract was concluded with this company, what was the scope of this contract and what was the scope of the company's obligations towards the Sułkowice Cultural Center". The Administrator also indicated in a letter dated [...] December 2021 that attempts to obtain explanations from Ms B. G. (who was described as a representative or employee of [...]) were unsuccessful.

In view of the above, by a letter of [...] May 2022, the President of the Personal Data Protection Office (UODO) initiated ex officio administrative proceedings against the Administrator regarding the breach by Sułkowicki Ośrodek Kultury, as the data controller, of the obligations under Art. 28(1), (3) and (9) of Regulation 2016/679 (letter reference [...]).

The Administrator did not respond in writing to the above-mentioned notification of the initiation of administrative proceedings.

After reviewing all the evidence gathered in the case, the President of UODO considered the following.

The President of the Personal Data Protection Office is an authority competent for the protection of personal data (Article 34 (1) of the Personal Data Protection Act) and a supervisory authority within the meaning of the provisions of Regulation 2016/679 (Article 34 (2) of the Personal Data Protection Act).

Pursuant to Art. 57(1) of Regulation 2016/679, without prejudice to other tasks set out under this Regulation, each supervisory authority shall, on its territory, monitor and enforce the application of Regulation 2016/679 (point a) and conduct investigations on the application of this Regulation (point h). The instruments for performing the tasks referred to in Art. 57 of Regulation 2016/679 are, in particular, the corrective powers granted under Art. 58(2) of Regulation 2016/679, including the power to impose, in addition to or instead of the measures referred to in that paragraph, an administrative fine under Article 83, depending on the circumstances of each individual case (point i).

Pursuant to Art. 28(1) of Regulation 2016/679, where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation and ensures the protection of the rights of data subjects. Pursuant to Art. 28(3) of Regulation 2016/679, processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) takes all measures required pursuant to Art. 32;
d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
f) assists the controller in ensuring compliance with the obligations pursuant to Art. 32-36;
g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to the obligation set out in point h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

In turn, pursuant to Art. 28(9) of Regulation 2016/679, the contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

The evidence collected shows that the Sułkowice Cultural Center, when entrusting the processing of its employees' personal data, did not conclude with the entity processing these data, i.e. K. G. running a business under the name [...] with the place of business in T. No. [...], a written entrustment agreement containing the elements indicated in Art. 28(3) of Regulation 2016/679. The assessment of this state of affairs should begin by explaining the functions performed by these two entities and their mutual relationship.

Pursuant to Art. 4(7) of Regulation 2016/679, "controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. In turn, "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8) of Regulation 2016/679).

The fact that in the analyzed situation there was no contract for entrusting the processing of personal data within the meaning of Art. 28(3) of Regulation 2016/679 does not deprive Sułkowicki Ośrodek Kultury or [...] of the status of, respectively, controller and processor. It follows from Guidelines 07/2020 that "The concepts of controller (...) and processor are functional concepts in the sense that their purpose is to allocate obligations in accordance with the real roles of the parties, and autonomous concepts in the sense that they should be interpreted mainly in accordance with EU data protection law". In the case at hand, there is no doubt that the Sułkowice Cultural Center was the controller of the personal data of its former and current employees which it processed. Responsibility for the selection of the processor should be assigned to SOK, since it is the controller that entrusts the processing of personal data to a natural or legal person of its choice; in Guidelines 07/2020 (describing who can be the controller) it is indicated that "In practice, however, it is usually the organization as such, and not a natural person within the organization (e.g. the CEO, an employee or a board member), that acts as a controller within the meaning of the GDPR". Therefore, from the point of view of the subject matter of these proceedings, it is irrelevant which of the persons within the organization (i.e. SOK) decided to establish cooperation, even informal, with [...], and why.

Since, pursuant to Art. 5(1)(a) and (f) of Regulation 2016/679, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency") and in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality"), the choice of the entity entrusted with the processing of these data is very important from the point of view of the data controller. Art. 5(2) of Regulation 2016/679 provides that the controller is responsible for processing personal data in accordance with these principles and must be able to demonstrate compliance with them ("accountability"); it is therefore so important from the controller's point of view to examine thoroughly to which entity (and on what basis) it entrusts the processing of personal data. This idea is expressed directly in Art. 28(1) of Regulation 2016/679, according to which, where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation and ensures the protection of the rights of data subjects. Moreover, Guidelines 07/2020 state that "The elements to be taken into account may be: the professional knowledge of the processor (e.g. technical knowledge in the field of security measures and data protection breaches); the reliability of the processor; the processor's resources and the application by the processor of an approved code of conduct or certification mechanism", that "The processor's reputation in the marketplace may also be an important factor that controllers should consider" and that "The controller is (...) responsible for assessing the adequacy of the guarantees provided by the processor and should be able to prove that it took all the elements provided for in the GDPR seriously. Guarantees 'provided' by the processor are those that the processor is able to demonstrate to the satisfaction of the controller, as they are the only guarantees that the controller can effectively take into account when assessing compliance with its obligations. Often this will require the exchange of relevant documentation (e.g. privacy policy, terms of service, record of processing activities, document management policy, information security policy, reports from external data protection audits, internationally recognized certificates such as ISO 27000 standards). The controller's assessment of whether the guarantees are sufficient is a form of risk assessment, which largely depends on the type of processing entrusted to the processor and must be made on a case-by-case basis, taking into account the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons". In the present case, however, there is nothing to indicate that the controller took these elements into account.

The fact, described by the Administrator in a letter dated [...] December 2021, that the representative or employee of [...] was (at the time of the infringement) Ms B. G., employed as chief accountant in the Administrator's organization in 2017-2019, is irrelevant from the point of view of the Administrator's compliance with the obligations arising from Art. 28(1) of Regulation 2016/679. Personal ties do not in this case constitute a basis for a reliable assessment of the Processor's competences. As mentioned above, Guidelines 07/2020 clearly indicate which elements the controller should take into account when assessing the processor.

Only after a sufficiently in-depth examination of the competences and adequacy of the selected processor (which, as indicated above, is also an element of the risk assessment related to the processing of personal data) may the controller proceed to conclude an appropriate entrustment agreement. Guidelines 07/2020 emphasize that "All processing of personal data by the processor must be governed by an agreement or other legal act under Union or Member State law concluded between the controller and the processor, as required by Art. 28(3) GDPR. Such a legal act shall be in writing, including in electronic form (...). Therefore, unwritten contracts (irrespective of their degree of detail or effectiveness) cannot be considered sufficient to meet the requirements of Art. 28 GDPR". Guidelines 07/2020 also clearly indicate the consequences of failing to maintain the appropriate form of contract: "As the Regulation clearly establishes an obligation to conclude a contract in writing, where no other relevant legal act is in force, its absence is a violation of the GDPR", while it was also noted that "(...) it can be considered that the controller-processor relationship continues in the absence of a written data processing agreement. However, this would be a violation of Art. 28(3) GDPR".

Although Art. 28(1) of Regulation 2016/679 mainly indicates the obligations of the controller wishing to entrust the processing of personal data to another entity, Guidelines 07/2020 indicate that "Both the controller and the processor are responsible for ensuring the conclusion of a contract or other legal act regulating the processing (...)". A contract is at least a two-sided legal act, and the seriousness of entrusting the processing of personal data requires the involvement of all parties. Meanwhile, on the basis of the evidence collected in the case at hand, it cannot be stated that the Administrator and the Processor made even informal arrangements covering the elements listed in Art. 28(3) of Regulation 2016/679.

Once the controller has carefully selected an appropriate processor and the contract has been concluded, it should not be forgotten that the controller's obligation to entrust the processing of personal data only to an entity meeting the requirements set out in Art. 28(1) of Regulation 2016/679 lasts at least as long as the period of entrustment. As indicated in the above-mentioned Guidelines, "The obligation to use only the services of processors 'providing sufficient guarantees' in Art. 28(1) GDPR is an ongoing obligation. It does not end when the contract or other legal act is concluded by the controller and the processor. Rather, the controller should verify the processor's guarantees at appropriate intervals, including through audits and inspections where appropriate (...)".

As can be seen from the above considerations, the decision as to whom the controller entrusts the processing of personal data cannot be made without due consideration. The consequences of a hasty decision, of the lack of an appropriate form or content of the entrustment agreement, or of neglecting the controller's obligation to continuously verify the guarantees referred to in Art. 28(1) of Regulation 2016/679 may directly affect the natural persons whose personal data have been entrusted to the processor. Meanwhile, when applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this Regulation (expressed in Art. 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in relation to the processing of personal data is a fundamental right (first sentence of recital 1). In case of any doubts, e.g. as to the performance of obligations by controllers, not only where a personal data breach has occurred but also when deciding to entrust the processing of personal data to other entities, these values should be taken into account first. These rights are consistently protected by the requirements of Art. 28(1), (3) and (9) of Regulation 2016/679; hence their violation must be met with a response of the supervisory authority appropriate to the specific circumstances.

In the case at hand, there is nothing to indicate that the Administrator checked whether the Processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of Regulation 2016/679 and protects the rights of data subjects. In a letter dated [...] April 2022, SOK indicated that it did not have any documents confirming the verification of the terms of cooperation with [...]. It is also irrelevant who specifically made the decision to entrust the processing of these data, as the Administrator is responsible for the selection of the processor. Therefore, it must be consistently assumed that the Administrator did not meet the requirements set out in Art. 28(1) of Regulation 2016/679, which constitutes a breach of this provision.

The explanations provided by the Administrator show that (despite the failure to fulfill the obligations under Art. 28(1) of Regulation 2016/679) the processing of the data was actually entrusted to [...]. In the notification of the breach addressed to the data subjects (made in accordance with Art. 34 of Regulation 2016/679), SOK, describing the breach, indicated that: ", taxes and ZUS) to an external entity. The processing of personal data was entrusted without concluding an appropriate contract for entrusting the processing of personal data. Documentation (VAT registers, fixed assets register, VAT declarations) was stored by an external entity. There was a possibility of a personal data breach by an external entity or by employees (former or current). SOK is not in possession of a single document in any possible form regarding settlements with ZUS in the period September 2017 - December 2018. This is due to the complete inability to perform the actions resulting from ZUS requests to explain the irregularities of the prepared documentation, to calculate contributions and to determine SOK's public-law liabilities, as well as the complete impossibility of making paper documents available at the request of the ZUS inspector. All documents (the entire database) for the period September 2017 - December 2018, according to the assurances obtained, were handled outside the seat of SOK and on private equipment, without authorization and appropriate security." Moreover, it follows directly from the explanations provided by the Administrator in a letter dated [...] November 2021 that no entrustment agreement was concluded with the Processor, and that asking the Processor for information, explanations and the return or sharing of the processed data proved ineffective. The Administrator has to some extent restored the data to which it lost access as a result of entrusting their processing to [...]; in a letter of [...] December 2021, however, it indicated that only information from the Social Insurance Institution was available.

The information that the entrustment agreement had not been concluded was repeated by the Administrator in a letter of [...] December 2021, and in the explanations dated [...] April 2022 it additionally indicated that it did not have any documents confirming the commencement and completion of cooperation with [...]. The fact that in the case in question there was a breach of the obligation to conclude an entrustment agreement in the appropriate form (i.e. the obligation referred to in Art. 28(9) of Regulation 2016/679) and with the appropriate content (specified in Art. 28(3) of Regulation 2016/679) is therefore indisputable. From the information provided by the Administrator that the breach concerned data for the period from September 2017 to December 2018, it can be concluded that the cooperation between SOK and the Processor could have ended at the earliest on [...] December 2018 and at the latest on [...] June 2020, when Mr K. G., running a business under the name [...], died (according to the information contained in the Central Register and Information on Economic Activity of the Republic of Poland). The end of cooperation determined in this way may also be associated with the end of the infringement of the provisions of Regulation 2016/679, taking into account the fact that data availability was only partially restored. When this cooperation could have started, in turn, remains unclear. Since, as a result of entrusting the data to the Processor, the Administrator lost the availability of data resulting from settlements with ZUS from September 2017 to December 2018, it can be assumed that the violation of the provisions of Regulation 2016/679 lasted from [...] May 2018, when the provisions of that Regulation became applicable.

In the present case, it should be emphasized that one of the consequences of the Administrator's failure to fulfill the obligations under Art. 28(1), (3) and (9) of Regulation 2016/679 is the impossibility of regaining access to all personal data entrusted to the Processor.

Bearing in mind the above findings, the President of the Personal Data Protection Office, exercising the powers specified in Art. 58(2)(i) of Regulation 2016/679, pursuant to which each supervisory authority has the power to impose, in addition to or instead of the other corrective measures provided for in Art. 58(2)(a)-(h) and (j) of that Regulation, an administrative fine pursuant to Art. 83(4)(a) of Regulation 2016/679, having regard to the circumstances established in the proceedings in question, found that in the case under consideration there were grounds justifying the imposition of an administrative fine on the Administrator.

Pursuant to Art. 83(4)(a) of Regulation 2016/679, infringements of the provisions on the obligations of the controller and the processor pursuant to Art. 8, 11, 25-39, 42 and 43 shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

In the present case, the administrative fine against SOK for the infringement of Art. 28(1), (3) and (9) of Regulation 2016/679 was imposed on the basis of the above-mentioned Art. 83(4)(a) of Regulation 2016/679, taking into account Art. 102(2) uodo, from which it follows that the President of the Personal Data Protection Office may impose, by way of a decision, administrative fines of up to PLN 10,000 on public finance sector entities referred to in Art. 9(13) of the Act of 27 August 2009 on Public Finances (Journal of Laws of 2022, item 1634, as amended), i.e. state and local government cultural institutions. Pursuant to Art. 102(3) uodo, the President of the Personal Data Protection Office (UODO) imposes the administrative fines referred to in paragraph 2 on the basis and under the conditions specified in Art. 83 of Regulation 2016/679.

When deciding to impose an administrative fine on the Administrator, the President of the Personal Data Protection Office, pursuant to Art. 83(2)(a)-(k) of Regulation 2016/679, took into account the following circumstances of the case, which are aggravating and affect the amount of the imposed fine:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them (Art. 83(2)(a) of Regulation 2016/679). When imposing the penalty, account was taken of the fact that the provisions of Regulation 2016/679 breached in this case impose on the controller one of its basic obligations, key to the security of the processed personal data: verification of the processor and conclusion of the entrustment agreement in the appropriate form and with the appropriate content. Moreover, the consequence of infringing Art. 28(1), (3) and (9) of Regulation 2016/679 was a breach of the confidentiality and availability of the data of thirty former and current employees of the Administrator. This breach indirectly harms the interests of employees, which SOK should particularly protect, and may also have negative consequences in the light of the provisions of other areas of law (labor law, social security or accounting regulations). When considering the purpose of the processing, it should be noted that the handling of personnel matters under employment contracts requires special diligence, and that there is an imbalance between SOK (the employer) and the data subjects (employees). The infringement of the above-mentioned provisions is of considerable importance and seriousness, also because it may cause material or non-material damage to the data subjects, the likelihood of which cannot be excluded. In addition, the risk arising from the wide range of data covered by the breach should be taken into account. It should be emphasized that the persons whose data were affected still face a risk of unlawful use of their personal data, because nothing is known about the organizational and technical measures applied by [...] to ensure the security of processing the entrusted data, and moreover the data to which the Administrator lost access as a result of the entrustment in question were not returned. The data subjects whose data were entrusted in violation of the requirements of Art. 28(1) of Regulation 2016/679 may therefore still suffer material damage, and the very breach of data confidentiality also constitutes non-material damage (harm). The data subjects may, at the very least, fear losing control over their personal data, identity theft or identity fraud, and finally financial loss. In addition, the infringement in question involves the loss of control over data that the data subjects may potentially need (e.g. data on acquired employee entitlements); proper verification of the Processor makes it possible to reduce the risk of entrusting data to an entity that may not return them.

Although, on the basis of the evidence collected in the case, it is difficult to precisely determine the duration of the infringement, it should be assumed that it was relatively long. As shown above, its starting date should be taken as the date of application of the provisions of Regulation 2016/679 (i.e. [...] May 2018). The infringement could have ended at the earliest by the end of December 2018, and at the latest with the death of Mr K. G., the Processor ([...] June 2020), taking into account the fact that SOK still has not regained the availability of some of the data.

When assessing the premise of Art. 83(2)(a) of Regulation 2016/679, which has an overall aggravating impact on the penalty, it should also be noted that the Administrator conducts non-profit, socially useful activity, and that local government cultural institutions have been treated by the legislator in a special way by reducing, in Art. 102(2) uodo, the maximum amount of an administrative fine to PLN 10,000. The scope of the processing is small (local) and concerns a relatively small number of people; hence the number of injured persons is also small. Moreover, no material damage was found (nor was any non-material damage reported); as indicated above, however, the risk of its occurrence still exists in this case.

2. The intentional or negligent character of the infringement (Art. 83(2)(b) of Regulation 2016/679). It does not follow from the evidence collected in this case that the disclosure of personal data to [...] without proper verification of this entity and without concluding an entrustment agreement in the form provided for by law and with the appropriate content was the result of actions aimed at infringing Regulation 2016/679. However, the fact that the controller's intentional act (knowledge and will to infringe) has not been proven does not in this case mean that this premise should not be assessed as aggravating. The degree of negligence shown by the Administrator when entrusting the Processor with the processing of the personal data of SOK employees is gross; it demonstrates a failure to comply with the basic principles of personal data protection resulting from ignorance or disregard of the provisions of Regulation 2016/679.

3. The degree of the Administrator's responsibility, taking into account the technical and organizational measures implemented pursuant to Art. 25 and 32 (Article 83 (2) (d) of Regulation 2016/679) - the findings made by the President of the Personal Data Protection Office allow the conclusion that the Administrator did not comply with the obligations set out in Art. 28 sec. 1 of Regulation 2016/679 (regarding verification of whether the Processor provided sufficient guarantees to implement appropriate technical and organizational measures so that the processing complies with the requirements of this Regulation and protects the rights of data subjects), and also did not conclude a processing agreement in the form prescribed by law (Art. 28 sec. 9 of Regulation 2016/679) or with the content referred to in Art. 28 sec. 3 of Regulation 2016/679. As a result of the informal entrustment of the processing of personal data, not only was their confidentiality lost, but also (to some extent) their availability, for which the Administrator is responsible. Nor can it be stated that the entrustment of processing complied with organizational measures introduced by the Administrator (procedures or regulations establishing the obligation to verify the processor and specifying the manner of concluding contracts for entrusting the processing of personal data) that would ensure compliance with the requirements of Art. 28 of Regulation 2016/679.

4. The categories of personal data concerned by the infringement (Article 83 (2) (g) of Regulation 2016/679) - the personal data whose processing was entrusted in a manner that does not meet the requirements of Art. 28 sec. 1, 3 and 9 of Regulation 2016/679 have a wide scope (first and last names, parents' names, dates of birth, bank account numbers, addresses of residence or stay, PESEL registration numbers, e-mail addresses, data on earnings and/or property, mother's maiden names, series and numbers of identity cards, telephone numbers, as well as data of a special category within the meaning of Article 9 of Regulation 2016/679: health data), which also entails a high risk of violating the rights or freedoms of the individuals affected by the violation. It should be emphasized that, in particular, the unauthorized disclosure of such a category of data as a PESEL number (in combination with a first and last name) may have a real and negative impact on the protection of the rights or freedoms of natural persons. The PESEL number, i.e. an eleven-digit numeric identifier that uniquely identifies a natural person and contains the date of birth, a serial number, gender and a check digit, is thus closely related to the private sphere of a natural person and is also subject to exceptional protection as a national identification number under Art. 87 of Regulation 2016/679; it is data of a special nature and requires such special protection.

When determining the amount of the administrative fine imposed on SOK, the President of the Personal Data Protection Office took into account the following premises as mitigating circumstances:

1. Actions taken by the controller to minimize the damage suffered by the data subjects (Article 83 (2) (c) of Regulation 2016/679) - SOK did not receive any information about material damage to the persons affected by the infringement. It should be pointed out that immediately after the breach of personal data protection was disclosed, and before administrative proceedings were commenced, SOK took steps to clarify the circumstances of entrusting data processing [...] and to regain the availability of the lost personal data. This decision indicated as an aggravating circumstance that data subjects may still suffer material damage and that the breach of confidentiality itself constitutes non-pecuniary damage (harm), but taking measures to regain data availability should be assessed as a mitigating circumstance, since these are actions taken to minimize the damage suffered by the data subjects.

2. Relevant previous violations of the provisions of Regulation 2016/679 (Article 83 (2) (e) of Regulation 2016/679) - up to the moment of issuing this decision, the President of the Personal Data Protection Office had found no violations of the provisions of Regulation 2016/679 by the Administrator.

3. The degree of cooperation with the supervisory authority in order to remedy the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679) - SOK has on its own initiative undertaken a number of actions aimed at, inter alia, regaining access to the lost data, and thus at mitigating the breach's possible negative effects.

4. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly due to the infringement or losses avoided (Article 83 (2) (k) of Regulation 2016/679) - the President of the Personal Data Protection Office did not find in the course of these proceedings that, by committing the infringement, the fined SOK obtained any financial benefits or avoided any financial losses.

Neither the fact that the President of the Personal Data Protection Office applied to the Administrator in this case a sanction in the form of an administrative fine, nor its amount, was affected by the other circumstances indicated in Art. 83 sec. 2 of Regulation 2016/679, that is:

1. The way in which the supervisory authority learned about the breach (Article 83 (2) (h) of Regulation 2016/679) - the President of the Personal Data Protection Office found a breach of the provisions of Regulation 2016/679 as a result of the notification of the personal data breach made by the Administrator; however, since by making this notification the Administrator merely fulfilled the legal obligation imposed on him, there are no grounds to recognize this circumstance as a mitigating one for him. In accordance with the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (WP 253): "The supervisory authority may become aware of a breach as a result of investigations, complaints, press articles, anonymous indications or notification by the data controller. Pursuant to the Regulation, the controller is obliged to notify the supervisory authority of a breach of personal data protection. Mere compliance with this obligation by an administrator cannot be interpreted as a weakening/mitigating factor."

2. Compliance with measures previously applied in the same case, referred to in Art. 58 sec. 2 of Regulation 2016/679 (Article 83 (2) (i) of Regulation 2016/679) - in this case, no measures referred to in Art. 58 sec. 2 of Regulation 2016/679 had previously been applied.

3. Application of approved codes of conduct pursuant to Art. 40 of Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of Regulation 2016/679 (Article 83 (2) (j) of Regulation 2016/679) - the Administrator does not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679.

Taking into account all the above-mentioned circumstances, the President of the Personal Data Protection Office decided that the imposition of an administrative fine on the Controller is necessary and justified by the weight, nature and scope of the alleged infringement of the provisions of Regulation 2016/679. It should be stated that any other remedy provided for in Art. 58 sec. 2 of Regulation 2016/679, in particular limiting the response to a reprimand (Article 58 (2) (b) of Regulation 2016/679), would not be proportionate to the identified irregularities in the processing of personal data and would not guarantee that the above-mentioned entity will not commit similar negligence in the future.

In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed on the Sułkowice Cultural Center based in Sułkowice in the amount of PLN 2,500 (in words: two thousand five hundred zlotys), under the established circumstances of this case, performs the functions referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case. At this point, attention should be drawn to the content of Art. 102 sec. 2 of the Personal Data Protection Act, which limits the amount (to PLN 10,000) of the fine that may be imposed on a unit of the public finance sector referred to in Art. 9 point 13 of the Act of 27 August 2009 on Public Finance.

In the opinion of the President of the Personal Data Protection Office, the penalty imposed on the Controller is proportional to the seriousness of the breach in the context of the basic objective of Regulation 2016/679 - protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data.

At the same time, in the opinion of the President of the Personal Data Protection Office, the penalty in this amount will be effective (it will achieve the goal of punishing the Administrator for a serious infringement with serious consequences) and dissuasive in the future (it will cause the Administrator, in order to avoid further sanctions, to pay due attention to the processing of personal data by and with the help of a Processing Entity).

Summarizing the above, in the opinion of the President of the Personal Data Protection Office, the administrative fine imposed in this case meets the conditions (the penalty functions) referred to in Art. 83 sec. 1 of Regulation 2016/679, due to the seriousness of the infringement found in the context of the basic requirements and principles of Regulation 2016/679.

Bearing in mind the above, the President of the Personal Data Protection Office resolved as in the operative part of this decision.


2022-09-16