UODO (Poland) - DKE.561.16.2020: Difference between revisions
ARapcewicz (talk | contribs) No edit summary |
No edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
The | The Polish DPA imposed a fine of €5000 on a company for failing to comply with the obligation to cooperate with the supervisory authority and not providing it with all information necessary to fulfil its tasks in the course of the proceedings. | ||
==English Summary== | ==English Summary== | ||
Line 56: | Line 56: | ||
===Facts=== | ===Facts=== | ||
The Office for Personal Data Protection received a complaint from a natural person about incorrect processing of his personal data by the fined company running a school. The indicated infringement consisted in processing the complainant's personal data concerning his name, surname, address of residence and PESEL (national identification) number without his knowledge and consent. | The Office for Personal Data Protection received a complaint from a natural person about incorrect processing of his personal data by the fined company running a school. The indicated infringement consisted in processing the complainant's personal data concerning his name, surname, address of residence and PESEL (national identification) number without his knowledge and consent. | ||
The authority initiated proceedings and sent a request for clarification to the company. However, the company did not provide the information necessary to resolve the complaint. The authority initiated proceedings to impose an administrative fine on the company. | The authority initiated proceedings and sent a request for clarification to the company. However, the company did not provide the information necessary to resolve the complaint. The authority initiated proceedings to impose an administrative fine on the company. | ||
The company has not responded in any way to the above correspondence. The company operates, among others, post-secondary schools, general secondary schools, primary schools and pre-school education establishments, activities supporting education, as well as advertising, market research and public opinion polling. | The company has not responded in any way to the above correspondence. The company operates, among others, post-secondary schools, general secondary schools, primary schools and pre-school education establishments, activities supporting education, as well as advertising, market research and public opinion polling. | ||
===Holding=== | ===Holding=== | ||
The DPA found that the company violated [[Article 31 GDPR]] and [[Article 58 GDPR#1a|Article 58(1)(a) GDPR]] by failing to cooperate with the President of the UODO in the performance of his tasks and by failing to provide all the information necessary for the DPA to perform its tasks, i.e. to consider a complaint about irregularities in the processing of his personal data, and imposed a fine of | The DPA found that the company violated [[Article 31 GDPR]] and [[Article 58 GDPR#1a|Article 58(1)(a) GDPR]] by failing to cooperate with the President of the UODO in the performance of his tasks and by failing to provide all the information necessary for the DPA to perform its tasks, i.e. to consider a complaint about irregularities in the processing of his personal data, and imposed a fine of €5000 on the company. | ||
==Comment== | ==Comment== |
Revision as of 10:21, 6 May 2021
UODO - DKE.561.16.2020 | |
---|---|
Authority: | UODO (Poland) |
Jurisdiction: | Poland |
Relevant Law: | Article 31 GDPR Article 58(1)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 05.01.2021 |
Published: | |
Fine: | 21397 PLN |
Parties: | n/a |
National Case Number/Name: | DKE.561.16.2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Polish |
Original Source: | Decyzje Prezesa UODO (in PL) |
Initial Contributor: | Agnieszka Rapcewicz |
The Polish DPA imposed a fine of €5000 on a company for failing to comply with the obligation to cooperate with the supervisory authority and not providing it with all information necessary to fulfil its tasks in the course of the proceedings.
English Summary
Facts
The Office for Personal Data Protection received a complaint from a natural person about incorrect processing of his personal data by the fined company running a school. The indicated infringement consisted in processing the complainant's personal data concerning his name, surname, address of residence and PESEL (national identification) number without his knowledge and consent.
The authority initiated proceedings and sent a request for clarification to the company. However, the company did not provide the information necessary to resolve the complaint. The authority initiated proceedings to impose an administrative fine on the company.
The company has not responded in any way to the above correspondence. The company operates, among others, post-secondary schools, general secondary schools, primary schools and pre-school education establishments, activities supporting education, as well as advertising, market research and public opinion polling.
Holding
The DPA found that the company violated Article 31 GDPR and Article 58(1)(a) GDPR by failing to cooperate with the President of the UODO in the performance of his tasks and by failing to provide all the information necessary for the DPA to perform its tasks, i.e. to consider a complaint about irregularities in the processing of his personal data, and imposed a fine of €5000 on the company.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7 (1) and (2), Article 60, Article 101, Article 101a (2), Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(a) in connection with Article 83(1)-(3) and Article 83(5)(e) of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 04.05.2016, p. 1, as amended by Official Journal of the EU L 127 of 23.05.2018, p. 2.) (hereinafter referred to as "Regulation 2016/679"), having conducted ex officio administrative proceedings concerning the imposition of an administrative fine on Anwara Sp. z o.o. with its registered office in Warsaw, Al. Jerozolimskie 81, the President of the Office for Personal Data Protection, having found that Anwara Sp. z o.o. with its registered office in Warsaw, Al. Jerozolimskie 81, violated the provisions of Art. 31 and Article 58 (1) (a) of Regulation 2016/679, consisting in the failure to cooperate with the President of the Office for Personal Data Protection in the performance of his tasks and in the failure to provide all information necessary for the President of the Office for Personal Data Protection to perform his tasks, i.e. to consider Mr. M. K.'s complaint about irregularities in the processing of his personal data imposes on Anwara Sp. z o.o. with its registered seat in Warsaw at Al. Jerozolimskie 81 an administrative fine in the amount of PLN 21 397 (in words: twenty-one thousand three hundred and ninety-seven zlotys). JUSTIFICATION The Office for Personal Data Protection received a complaint from Mr M. K., residing in W., hereinafter referred to as the "complainant", concerning irregularities in the processing of his personal data by Anwara Sp. z o.o., with its registered office in Warsaw at Al. Jerozolimskie 81 (formerly: Al. Solidarności 117/207), hereinafter referred to as the "Company", which runs the [...] school in W. The indicated infringement consisted in the processing of the complainant's personal data concerning his name, surname, address and PESEL number without his knowledge and consent. The President of the Office for Personal Data Protection, hereinafter also referred to as "the President of the Office for Personal Data Protection", within the framework of the administrative proceedings initiated to examine the complaint filed (under case No [...]), requested the Company, by letter dated [...] July 2020, to respond - within 7 days of the delivery of the request - to the content of the complaint and to answer the following detailed questions regarding the case whether, and if so on what basis, when and from what source the Company obtained the Complainant's personal data, in particular as regards the first name, surname, address of residence and PESEL number; whether, and if so on what basis (please indicate the specific provision of law), for what purpose, to what extent and in what file the Company currently processes the Complainant's personal data; whether the Complainant's personal data were made available to other entities (in particular the Bureau of Education of the City Hall of [...] W.), and if so, when, on what legal basis, for what purpose and to what extent, and for what entities the data were made available; whether the Complainant requested the Company to comply with its information obligations under Article 13, 14 or 15 of Regulation 2016/679, and if so, when and what was the content of the information provided; whether the Complainant asked the Company to delete his personal data and, if so, when and how the Company responded to the above. The letter in question was addressed to the address of the registered office of the Company as disclosed in the National Court Register, i.e. [...] - valid on the date of sending the correspondence. Despite duly delivering the letter to the Company on [...] July 2020, the Company did not reply to it. In connection with the above, by letter of [...] August 2020. The President of the Office for Harmonization in the Internal Market (OCCP) again summoned the Company to comment on the content of the complaint and to provide detailed explanations in the case, setting a 7-day deadline for response. The Company was also instructed that failure to send explanations in the aforementioned scope may result in the imposition of an administrative fine, pursuant to Article 83(5)(e) of Regulation 2016/679. Despite the delivery of the correspondence to the Company [...] August 2020, the Company did not respond in any way to the request formulated by the data protection authority. Due to the Company's failure to provide the information necessary to resolve the case under reference [...], initiated by the Complainant's complaint, the President of the DPA initiated ex officio against the Company - under Article 83(5)(e) of Regulation 2016/679, in connection with the Company's violation of Articles 31 and 58(1)(a) of Regulation 2016/679 - administrative proceedings to impose an administrative fine on the Company (under reference DKE.561.16.2020.[...]). The Company was informed of the initiation of the proceedings by letter dated [...] October 2020, duly delivered to the Company [...] October 2020. By that letter, the Company was also summoned - in order to determine the basis for the penalty assessment, pursuant to Article 101a(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) - to present the Company's financial statements for 2019 or, in the absence thereof, a statement of the turnover and financial result achieved by the Company in 2019. The Company has not responded in any way to the above correspondence, has not provided explanations in the case, nor has it presented data that would allow its financial standing to be determined. The Company operates, among other things, post-secondary schools, general secondary schools, primary schools and pre-school education establishments, activities supporting education and in the area of advertising, market research and public opinion polling. Having familiarized himself with all the evidence collected in the case, the President of the Office for the Protection of Personal Data stated as follows. Pursuant to Article 57(1)(a) of Regulation 2016/679, the President of the Office for Personal Data Protection - as a supervisory authority within the meaning of Article 51 of Regulation 2016/679 - monitors and enforces the application of the Regulation in its territory. Within the scope of its competences, the President of the DPA shall, inter alia, investigate complaints lodged by data subjects, conduct proceedings on such complaints to the extent appropriate, and inform the complainant of the progress and outcome of such proceedings within a reasonable period of time (Article 57(1)(f)). To enable the enforcement of the competences thus defined, the DPA President has a number of powers set out in Article 58(1) of Regulation 2016/679 with regard to the proceedings, including the power to order the controller and the processor to provide any information needed to fulfil its tasks (Article 58(1)(a)). A breach of Regulation 2016/679 by failing to provide the information referred to above, resulting in a breach of the powers of the supervisory authority set out in Article 58(1), shall in turn be subject, pursuant to Article 83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking, up to 4% of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable. It should also be pointed out that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of Regulation 2016/679. Referring the provisions of Regulation 2016/679 cited above to the factual situation established in the present case and described at the beginning of the justification of this decision, it should be stated that the Company - the controller of personal data of the Complainant, Mr M. K. - as a party to the proceedings conducted by the President of the Office for Harmonization in the Internal Market (OCCP) with the reference [...], breached its obligation to provide the President of the Office for Harmonization in the Internal Market (OCCP) with access to the information necessary to perform its tasks - in this case, to resolve the merits of the aforementioned case. Such action of the Company constitutes a breach of Article 58(1)(a) of Regulation 2016/679. It should be noted that in the proceedings under reference [...], the President of the Office for Harmonization in the Internal Market (OCCP) called the Company twice to provide explanations necessary for the examination of the case. Each of the letters sent by the President of UODO, i.e. both the letter of [...] July 2020 and the letter of [...] August 2020 (duly delivered to the Company - respectively - [...] July 2020 and [...] August 2020) remained unanswered. (duly delivered to the Company on [...] July 2020 and [...] August 2020 respectively) remained unanswered. The above was not altered by the fact that the present proceedings for imposing an administrative fine were subsequently initiated. The Company, correctly notified by the supervisory authority of the intention to take action against it, as set out in Article 58(2)(i) of Regulation 2016/679, and moreover, instructed about its right - as a party to these proceedings - to comment on the collected evidence and materials and its claims, did not take any actions aimed at explaining the inaction on its part or justifying its lack of cooperation with the President of the Office for Competition and Consumer Protection. The persons authorised to represent the Company also failed to contact the Office for Personal Data Protection in order to indicate any doubts the Company might have had as to the scope of the information requested by the President of the Office for Personal Data Protection. The above-described conduct of the Company in the case with the reference [...], consisting in the failure to respond to the appeals of the President of the Office for Harmonisation in the Internal Market to submit explanations, indicates a lack of will to cooperate with the President of the Office for Harmonisation in the determination of the facts of the case and its proper resolution, or at least a flagrant disregard of its obligations concerning the cooperation with the President of the Office for Harmonisation in the performance of his tasks under Regulation 2016/679. It should be pointed out at this point that the failure to provide information that the President of the Office for Harmonization in the Internal Market requested and demands from the Company, and which is undoubtedly in its possession (i.e. information on the circumstances of the processing of the Complainant's personal data), stands in the way of a thorough examination of the case initiated by the complaint of Mr. M. K. The omission described above results also in an excessive and unjustified prolongation of the abovementioned proceedings, which is contrary to the basic principles governing administrative proceedings - set out in Article 12(1) of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, U. of 2020, item 256) principles of thoroughness and speed of proceedings. Taking into account the above findings, the President of the Office for Harmonization in the Internal Market (the President of the Office for Harmonization in the Internal Market (the President of the Office for Harmonization in the Internal Market) concludes that in the present case there were premises justifying the imposition of an administrative fine on the Company - pursuant to Article 83(5)(e) in fine of the Regulation 2016/679 - in connection with the Company's failure to provide all the information necessary for the President of the Office for Harmonization in the Internal Market to perform his tasks, i.e. to resolve the case with the reference [...]. Pursuant to the content of Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, attention shall be paid to a number of circumstances listed in points a) to k) of the aforementioned provision. When deciding to impose an administrative fine on the Company and determining the amount of the fine, the President of the Office for Harmonization in the Internal Market (OCCP) took into account the following circumstances having an aggravating effect on the assessment of the infringement: nature, gravity and duration of the breach (Article 83(2)(a) of Regulation 2016/679), as the Company's conduct, which bears the hallmarks of a breach of Articles 31 and 58(1)(a) of Regulation 2016/679, which is subject to an administrative fine, undermines the system aimed at protecting one of the fundamental rights of an individual, which is the right to protect his or her personal data, or more broadly, to protect his or her privacy. An important element of this system, which is framed by Regulation 2016/679, is the supervisory authorities, which are charged with the tasks of protecting and enforcing individuals' rights in this regard. In order to be able to perform these tasks, supervisory authorities have been equipped with a number of inspection powers, powers to conduct administrative proceedings and remedial powers. On the other hand, controllers and processors, correlated with the powers of supervisory authorities, have been imposed certain obligations, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to information necessary for the performance of their tasks. The Company's actions in this case, consisting in the failure to provide all the information requested by the President of the Office for Harmonization in the Internal Market and resulting in impeding and unjustifiably prolonging the proceedings conducted by the President of the Office for Harmonization in the Internal Market, should therefore be considered as undermining the entire system of personal data protection, and therefore very serious and reprehensible. The seriousness of the infringement is further increased by the fact that the infringement committed by the Company was not a one-off and incidental event. On the contrary, the Company's actions were continuous and long-term, which is undisputedly confirmed by the fact that the infringement identified in these proceedings has continued since the expiry of the time limit set for submitting explanations in the first letter from the President of the Office for Harmonization in the Internal Market, i.e. from [...] July 2020, until the present day. The willful nature of the infringement (Article 83(2)(b) of Regulation 2016/679), manifested by the unwillingness to cooperate with the supervisory authority in order to provide all the information necessary to resolve the case in the course of which the authority requested the Company to provide it. This is evidenced, in particular, by the lack of a response to the appeals of the President of the Office for Harmonisation in the Internal Market (the President of the Office for Harmonisation in the Internal Market) addressed to the Company and correctly delivered to the latter, asking it to provide explanations. It should be noted that the Company, as an entity professionally involved in the legal and economic activity, should be aware of its obligations, including those related to personal data protection law (which is undoubtedly the obligation of controllers or processors to cooperate with the President of the Office for Harmonisation in the Internal Market). The acquisition and processing of personal data is closely related to the subject of the Company's activity, which is, among others, running post-secondary schools, general secondary schools, primary schools and pre-school education establishments. Therefore, in the opinion of the President of the Office for Harmonisation in the Internal Market, the Company should be adequately aware of the obligations imposed on it in relation to the amount and category of personal data processed. It should also be noted that in the content of the letter of [...] August 2020. The President of the Office for Harmonization in the Internal Market (OCCP) included an instruction that the Company's failure to send explanations may result in imposing an administrative fine on it, pursuant to Article 83(5)(e) of Regulation 2016/679. Thus, the Company was fully aware of the negative consequences of its failure to provide explanations. Finally, it should be emphasised that the Company at no stage of the proceedings under case number [...], as well as in the course of the present proceedings, made no attempt to justify its conduct, which dictates that it should be interpreted as a deliberate action preventing the President of the Office for Competition and Consumer Protection from obtaining information necessary for the performance of its tasks, which constitutes a breach of the provisions of Regulation 2016/679. Failure to cooperate with the supervisory authority in order to remedy the breach and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679), as the Company did not submit any explanations in the course of the present proceedings for the imposition of an administrative fine, which would have allowed the determination of the reasons for its inaction or further proceedings in the case with the reference [...]. The other prerequisites for the assessment of the administrative financial penalty indicated in Article 83. 2 of Regulation 2016/679 did not have an impact (aggravating or mitigating) on the assessment of the breach by the President of the DPA (including: any relevant previous breaches by the controller, the manner in which the supervisory authority became aware of the breach, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (concerning the relationship of the controller with the supervisory authority and not the relationship of the controller with the data subject), could not be taken into account in the present case (including: the number of persons affected and the extent of the damage suffered by them, the measures taken by the controller to minimise the damage suffered by data subjects, the degree of responsibility of the controller taking into account the technical and organisational measures implemented by it, the categories of personal data affected by the breach). Pursuant to the wording of Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of the Office for Harmonization in the Internal Market, the penalty imposed on the Company in the present proceedings meets these criteria. It will discipline the Company to properly cooperate with the President of the Office for Harmonization in the Internal Market, both in the further course of the proceedings marked [...], as well as in any other future proceedings with the participation of the Company before the President of the Office for Harmonization in the Internal Market. In the opinion of the President of the Office for Harmonization in the Internal Market, the penalty imposed by the decision is proportionate to the gravity of the infringement and to the Company's capacity to bear it without significant detriment to its business. The penalty will also fulfil a deterrent function; it will be a clear signal to the Company, which is obliged under the provisions of Regulation 2016/679 to cooperate with the President of the Office for Harmonisation in the Internal Market (OCCP), that disregarding obligations related to cooperation with the President of the OCCP (in particular, obstructing access to information necessary for the performance of the President's tasks) constitutes a breach of great significance and, as such, will be subject to financial sanctions. At this point, it should be pointed out that imposing an administrative fine on the Company is - in view of the Company's conduct so far as a party to the proceedings [...] - necessary; it is the only measure at the disposal of the President of the Office for Harmonization in the Internal Market (OCCP) which will make it possible to obtain access to information necessary in the conducted proceedings. In view of the Company's failure to present the financial data for 2019 requested by the President of the Office for Harmonisation in the Internal Market, when determining the amount of the administrative fine in the present case, the President of the Office for Harmonisation in the Internal Market took into account, pursuant to Article 101a(2) of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, item 1781), the estimated size of the Company and the specificity, scope and scale of its activity. Pursuant to the content of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as at 28 January each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the National Bank of Poland's table of exchange rates nearest to that date. In view of the foregoing, the President of the Office for Personal Data Protection, pursuant to Article 83(3) and Article 83(4)(a) and Article 83(5)(e) of Regulation 2016/679, in conjunction with Article 103 of the Personal Data Protection Act 2018, for the breaches described in the operative part of this decision, imposed on the Company - using the average Euro exchange rate of 28 January 2020 (1 EUR = 4.2794 PLN) - an administrative fine in the amount of 21,397 PLN (equivalent to 5,000 EUR), according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table on 28 January 2020. Taking into account the above, the President of the Office for Harmonization in the Internal Market (the "President of the Office") ruled as in the operative part of this decision. The decision is final. Pursuant to Article 53 § 1 of the Act of 30 August 2002. - Law on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325, as amended), a party has the right to lodge a complaint against the decision with the Voivodship Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00 - 193 Warsaw). The complaint shall be subject to a proportional entry, pursuant to Article 231 in connection with Article 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the filing of a complaint by a party to an administrative court suspends the execution of a decision with regard to an administrative fine. In proceedings before the Voivodship Administrative Court, a Party has the right to apply for the right to assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right to assistance may be granted upon a motion of a Party filed before the initiation of proceedings or in the course of proceedings. The application is free of court fees. Pursuant to Article 105(1) of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, pos. 1781), the administrative fine shall be paid within 14 days from the lapse of the deadline for lodging a complaint to the Voivodship Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for Personal Data Protection in the NBP O/O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of the above-mentioned Act, the President of the Office for Personal Data Protection may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it into instalments. In the case of postponement of the date of payment of an administrative fine or spreading it into installments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using a reduced rate of interest for default, announced on the basis of Article 56d of the Act of 29 August 1997. - Tax Ordinance (Journal of Laws of 2020, item 1325), from the day following the date on which the application was filed.