Latest revision as of 10:02, 17 November 2023
| UODO (Poland) - ZSPR.421.19.2019 | |
|---|---|
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 31 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 09.03.2020 |
| Published: | 26.03.2020 |
| Fine: | 4,673 EUR |
| Parties: | Vis Consulting Sp. z o.o. |
| National Case Number/Name: | ZSPR.421.19.2019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Polish |
| Original Source: | UODO (in PL) |
| Initial Contributor: | n/a |
The President of the Personal Data Protection Office in Poland (UODO) imposed a fine of approx. 4600 EUR (PLN 20 000) on a telemarketing company for a violation of the controller's obligation to cooperate with the supervisory authority under Article 31 GDPR.
English Summary
Facts
The President of the UODO decided to conduct inspection activities at Vis Consulting Sp. z o.o., a company which provides telemarketing services to other companies, one of which was the subject of a decision issued earlier by the UODO. The supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.
When they arrived at the company's registered address, the UODO’s inspectors did not find any representatives of Vis Consulting Sp. z o.o. After back-and-forth communication between the UODO representatives and the company's proxy, the latter informed the UODO by phone that the inspection could not take place.
Dispute
Twice, on two consecutive days of the planned inspection activities, the company made it impossible to carry out the inspection. Furthermore, on the date on which the inspectors attempted to conduct the inspection at Vis Consulting Sp. z o.o., its authorities decided to liquidate that entity.
The President of the UODO had to make a decision about the company's compliance with Article 31 GDPR.
Holding
The President of the UODO decided that Vis Consulting Sp. z o.o. in no way wished to cooperate with the supervisory authority.
The UODO concluded that the company deliberately thwarted the inspection and thus prevented the President of the UODO from performing statutory tasks under Article 58(1)(e) and (f) GDPR. The situation gives rise to the suspicion that the Company's thwarting of the inspection was aimed at preventing the UODO from collecting evidence of unlawful processing of personal data by the company.
Thus the company infringed the provisions of the GDPR on cooperating with the supervisory authority and giving it access to all personal data and any information.
Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied.
In connection with suspicion of commission of an offence under Article 108 (1) of the Act on the Protection of Personal Data by the President of the Company, the supervisory authority notified the District Public Prosecutor’s Office in Katowice thereof. According to that provision, the prevention or hindering of conducting inspection of compliance with the personal data protection provisions shall be subject to a fine, restriction of personal liberty or imprisonment for up to two years.
The Public Prosecutor’s Office has lodged an indictment against the President of the Company with the court.
Further Resources
UODO's press release here (in EN).
English Translation of the Decision
Below you can find the English translation of the decision (see PDF for Original)
DECISION CP.421.19.2019
Pursuant to Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018 (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(e) and (f) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended), following an ex officio procedure initiated in the case of Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, 29 lok. 9, the President of the Office for Personal Data Protection, stating that Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, infringed the provisions of Article 31 and Article 58(1)(e) and (f) of the General Data Protection Regulation by not providing access to personal data and other information and premises, resulting in preventing the President of the Office for Personal Data Protection from carrying out control activities necessary for the performance of his tasks, imposes on Vis Consulting Sp. z o.o. in liquidation, seated in Katowice at 29 Zygmunta Krasińskiego Street 9, a fine of PLN 20,000 (in words: twenty thousand zlotys), which is equivalent to EUR 4,673.56, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as at 28 January 2020.
Justification
Based on Article 58(1)(b), (e) and (f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1 and EU Official Journal L 127 of 23.05.2018, p. 2), hereinafter referred to as the Regulation 2016/679, the President of the Office of Personal Data Protection has planned to carry out in Vis Consulting Sp. z o.o. with its registered office in Katowice at Zygmunta Krasińskiego 29 lok. 9 (hereinafter also referred to as the "Company") an inspection of compliance of data processing with the regulations on personal data protection. The audit was to be conducted from 29 July 2019 to 2 August 2019. By letter of [...] July 2019 (mark: [...]), Urząd Ochrony Danych Osobowych via Poczta Polska notified the Company of the date and scope of the planned inspection. The letter was delivered on [...] July 2019 to the registered office of Vis Consulting Sp. z o.o. (Katowice, ul. Zygmunta Krasińskiego 29, 9), indicated in the National Court Register. On [...] July 2019, in order to carry out control activities (ZSPR.421.19.2019), the controlling persons went to the place indicated in the National Court Register as the address of the Company, but the persons representing the Company were not there. It turned out that this address is the Office of [...] (hereinafter referred to as the "Office") run by [...]. As agreed, the Company sub-leases the commercial premises located in Katowice at 29 Zygmunta Krasińskiego Street, 9, for the so-called 'virtual office'. Only an employee of the Office was found in the premises in question.
After presenting this person with the purpose of the arrival of the controlling persons, an employee of the Office, after checking the content of the electronic mail, in order to determine whether any message was received from the Company in this respect, informed that a letter dated [...] July 2019 was received from the Company signed by Mr. Paweł Kępka - President of the Board. From the content of the letter, it resulted that the Company terminates the lease agreement for premises no. 9 located in Katowice at 29 Zygmunta Krasińskiego Street and that as of [...] July 2019, this entity will not operate at the above mentioned address. A copy of the aforementioned letter was forwarded to the inspectors. Moreover, an employee of the Office informed the inspectors that after receiving the letter of [...] July 2019 from the Office of Personal Data Protection, regarding the notification of the planned control in the Company, the content of the letter in question in the form of a scan was transferred to the Company. In order to document the above mentioned findings, on [...] July 2019, the inspectors made an official note. In connection with the situation, the inspectors asked the employee of the Office to contact the Company in order to determine whether the inspection activities could be carried out. However, it was not possible to establish contact with the Company. Therefore, the inspector asked for a telephone number to the Company. An employee of the Office stated that it is only upon written request of the President of the Office for Personal Data Protection that he can provide information on this entity (including the telephone number). The Controllers left the telephone number to contact. On the same day, at approximately 2:00 p.m., a man who introduced himself as an "attorney [...]" called the Controller and said he was contacting on behalf of the Company, but did not know if the control could be carried out. 
In the course of the conversation, the above mentioned person has agreed that he will try to determine whether the inspection can take place by [...] July 2019. At the same time, on July [...], 2019, the President of the Office for Personal Data Protection sent a request to the e-mail address of the Office to provide a copy of the lease agreement for the premises in question and to provide contact information to the Company. On [...] July 2019 the Controllers went again to the Company's address, but also on that day the persons representing the Company were not present. Therefore, no control activities took place. An employee of the Office provided the inspectors with a copy of the sublease agreement for the premises in question. At 11.00 a.m., a person representing himself as "advocate [...]" called the inspectors and informed them that the inspection would not take place. In this connection, by letter dated [...] August 2019, the mark: [...] The President of the Office for the Protection of Personal Data initiated ex officio administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's compliance with the provisions on personal data protection. The above mentioned correspondence was returned with the note "out of date address". Based on the financial statements for the period from 1 January 2018 to 31 December 2018. (available on the website of the Ministry of Justice with the address: ekrs.ms.gov.pl), it was established that in the aforementioned period, the Company's net revenue from sales and equalised with them amounted to PLN 426 261.14. After reviewing all the evidence gathered in the case the President of the Office for Personal Data Protection weighed the following: According to the information contained in the National Court Register, on July 30, 2019, a resolution was passed to dissolve the Company and put it into liquidation. 
On 23 August 2019, the District Court in Katowice - Wschód, 8th Commercial Division made an entry in the National Court Register on placing the Company in liquidation. Since then, the Company has been operating under the name of Vis Consulting Sp. z o.o. in liquidation. Pursuant to Article 57(1)(a) of Regulation 2016/679, each supervisory authority on its territory shall monitor and enforce the application of Regulation 2016/679. In addition, pursuant to Article 58(1)(e) and (f) of Regulation 2016/679, the supervisory authority shall be entitled to access all the premises of the controller and the processor, including the equipment and means of data processing, in accordance with the procedures laid down in EU or Member State law. It should be noted that in accordance with Article 58(6) of Regulation 2016/679, each Member State may provide in its legislation that its supervisory authority has, in addition to the powers laid down in Union or Member State law, the following powers in paragraphs 1, 2 and 3, also other powers. As provided for in Article 31 of Regulation 2016/679, the controller and processor and, where applicable, their representatives, shall cooperate with the supervisory authority upon request in the performance of its tasks. Pursuant to Article 78 paragraph 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "the Act", the President of the Office for the Protection of Personal Data shall carry out the control of compliance with the provisions on personal data protection. Pursuant to Art. 79 sec. 1 point 1 of the Act, the control is carried out by an employee of the Office authorised by the President of the Office.
As stipulated in Art. 84 sec. 1 of the Act, the inspector has the right to: a) enter the land and buildings, premises or other premises between 6:00 and 22:00; b) inspect documents and information directly related to the subject matter of the inspection; c) inspect places, objects, devices, carriers and IT or ICT systems used for data processing; d) demand written or oral explanations and question a person as a witness to the extent necessary to establish the facts; e) have expert opinions and opinions drawn up. The fact that the President of the Office for Personal Data Protection has planned to carry out an inspection in the Company in connection with the findings made during the inspection carried out in V. Sp. z o.o. sp. k. with its registered office in [...] is of significant importance in this case. In the course of the audit conducted in the above mentioned entity, it was established that it conducts telemarketing activities. In connection with this activity it processes personal data (landline and mobile phone numbers) by means of an ICT system provided by the Company. The system in question is used on the basis of a cooperation agreement on the outsourcing of telemarketing services. The agreement was concluded with the Company [...] February 2017. An important issue is that V. Sp. z o.o. sp. k. does not have its own database, and all telephone connections are generated only by the IT system made available by the Company. The content of the aforementioned agreement shows, among other things, that the Company has a technical solution - an ICT system in the form of a computer program, the use of which allows for making telephone calls to fixed and mobile phone numbers according to the location criterion. Moreover, in this agreement it is also indicated that the functionality of the system in question prevents V. Sp. z o.o. sp. k. from accessing any information, including the dialed telephone number.
Moreover, in this agreement, the Company declares that in case of using any personal data for the purpose of performing the above-mentioned agreement, it will administer "the above-mentioned data in accordance with the applicable provisions of Polish law". In § 3 point 2 of the aforementioned agreement there is a provision with the following content: "VIS declares that in case of any claims by third parties against V. [...] related to the functionality of the SYSTEM [...], releases V. from this liability to the extent permitted by the applicable law and undertakes to cover all costs related to the protection of V. against such claims". Due to the fact that V. Sp. z o.o. sp. k. does not have access to personal data processed in this system (i.e. to information about telephone numbers dialled), the President of the Office for Personal Data Protection considered it necessary to carry out control activities also in the Company (i.e. in the entity which, on the basis of the established agreement, is considered to be the data controller). The aim of the inspection was to examine the legality of personal data processing using the system in question. The fact that it was impossible to carry out the inspection in the Company made it significantly more difficult for the President of the Office for Personal Data Protection to examine the process of personal data processing by V. Sp. z o.o. sp. k. The evidence gathered in the case indicates that the actions taken by the persons representing the Company definitely prove the lack of cooperation with the President of the Office for Personal Data Protection. To confirm the above position, the following circumstances should be recalled:
1) after receiving information about the planned control of the President of the Office for Personal Data Protection (letter of [...] July 2019), on [...] July 2019 (two days before the commencement of the planned control), the Company sent a motion to the lessor to terminate the lease agreement for the premises located in Katowice at 29 Zygmunta Krasińskiego Street (address of the Company indicated in the National Court Register);
2) on both [...] July 2019 and [...] July 2019, the Company has thwarted the control activities as no person authorised to represent the Company in the course of the control has been found at the Company's address;
3) on 30 July 2019, a resolution was adopted on dissolution of the Company and commencement of liquidation proceedings (this information is contained in the National Court Register).
To sum up, it should be stated that the Company's activities referred to above undoubtedly prove that it does not fulfil its obligations related to the processing of personal data or at least intentionally avoids submitting to the control of the supervisory authority which is the President of the Office for Personal Data Protection. Thus, it should be considered that by preventing the President of the Office for the Protection of Personal Data from carrying out the inspection, the Company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679. It should be pointed out that in accordance with Article 31 of Regulation 2016/679, the controller and the processor and, where applicable, their representatives shall cooperate with the supervisory authority upon request in the performance of its tasks.
The obligation to cooperate includes ensuring that the supervisory authority is able to obtain from the controller (and the processor) access to all personal data and all information necessary for the performance of its tasks (Article 58(1)(e) of Regulation 2016/679), to obtain access to any premises of the controller and the processor, including the processing equipment and means in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f) of Regulation 2016/679). This obligation for the controller to cooperate is in fact correlated with the tasks of the supervisory authority as formulated in Article 57 of Regulation 2016/679 and the powers stemming from Article 58 of Regulation 2016/679. The President of the Office for the Protection of Personal Data, acting on the basis of Article 108 par. 1 of the Act on the Protection of Personal Data, notified the District Prosecutor's Office in [...] of a suspicion of committing an offence consisting in thwarting control activities by the Company. On [...] January 2020, the Office for Personal Data Protection received a notification (file ref. [...]) from the District Prosecutor's Office [...] [...] of sending a bill of indictment against [...] [...] [...], accused of committing an offence under Article 108 of the Act on Personal Data Protection. Moreover, in view of the above findings, the President of the Office for the Protection of Personal Data, exercising his powers under Article 83 of the Regulation 2016/679, states that in the case under consideration, there are prerequisites for imposing an administrative fine on the Company. Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. 
In accordance with Article 83 of Regulation 2016/679 - laying down general conditions for the imposition of administrative fines - each supervisory authority shall ensure that the administrative fines referred to in paragraphs 4, 5 and 6 of this Article are effective, proportionate and dissuasive in each individual case (paragraph 1). In accordance with Article 83(2)(b) of Regulation 2016/679, the authority shall pay due attention to the intentional or unintentional nature of the breach in each individual case when deciding whether to impose an administrative pecuniary sanction and when setting the amount of the administrative sanction. Pursuant to Article 83(2)(k) of Regulation 2016/679, the authority shall, in determining whether to impose an administrative penalty payment and in fixing the amount of the administrative penalty payment, pay due attention in each individual case to any other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided, whether directly or indirectly related to the infringement. The President of the Office for the Protection of Personal Data has taken into account the following aggravating circumstances when deciding on the administrative fine to be imposed on the Company and when determining its amount, in accordance with 83(2)(a-k) of Regulation 2016/679: (1) The infringement found in this case is of considerable gravity and seriousness, as the Company's lack of cooperation with the President of the Office for the Protection of Personal Data has made it impossible for that body to carry out checks on the Company's compliance with the provisions on personal data protection. The Company's action is reprehensible. 
By its failure to do so, the Company prevented the President of the Office for the Protection of Personal Data from making very important findings (concerning the legality of personal data processing), the results of which would undoubtedly have a significant impact on the assessment of the evidence collected in the course of another inspection, which was carried out by the President of the Office for the Protection of Personal Data in V. Sp. z o.o. sp. k. (nature, seriousness and time of the infringement). The Company deliberately thwarted the inspection, and thus prevented the President of the Office for Personal Data Protection from performing the statutory tasks under Article 58(1)(e) and (f) of Regulation 2016/679. This situation gives rise to a suspicion that the Company's thwarting of the inspection was aimed at preventing the President of the Office for Personal Data Protection from collecting evidence that the processing of personal data by the Company is unlawful (intentional or unintentional nature of the infringement). The other prerequisites for the administrative fine indicated in Art. 83 par. 2 letter c - k, due to the subject matter of the proceedings shall not apply in these proceedings. Consequently, they did not affect the assessment of the infringement and the level of the administrative penalty imposed. In determining the amount of the administrative penalty payment, the President of the Office for the Protection of Personal Data did not see any mitigating circumstance affecting the final penalty. The fixing of the amount of the financial penalty imposed also required the definition of the objectives which that penalty would achieve. 
It should be pointed out that the financial penalty imposed on the Company in connection with the lack of cooperation with the President of the Office for the Protection of Personal Data is of repressive nature (it is to cause the Company to incur a financial penalty for the avoidance of control) and preventive (it is to prevent future violations of law by the Company, but also by other entities). In addition, the financial penalty imposed on the Company is also of a deterrent nature and is related to the prevention of violations. The penalty is designed to deter both the Company and others from recidivism. In addition, the President of the Office for the Protection of Personal Data can undoubtedly not accept situations in which entities by thwarting control activities prevent the implementation of his statutory tasks. Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date. 
In the opinion of the President of the Office for the Protection of Personal Data, the penalty payment applied meets, in the established circumstances of this case, the conditions referred to in Article 83(1) of Regulation 2016/679, due to the seriousness of the established breach resulting from Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679, which is undoubtedly a lack of cooperation with the supervisory authority in the exercise of its statutory powers, including the prevention of control activities. Under those provisions, an infringement of the obligation of the controller referred to in Article 31 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10 000 000 and, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable. An infringement of the obligations of the controller referred to in points (e) and (f) of Article 58(1) of Regulation 2016/679 shall be punishable by an administrative fine of up to EUR 20 000 000 and, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, the higher amount being that which the President of the Office for the Protection of Personal Data pursuant to Article 83(3) of Regulation 2016/679 considers to be the most serious infringement and the amount of the fine imposed by this Decision shall not exceed that amount. In view of the above, the President of the Office for Personal Data Protection has decided as set out in the operative part of this Decision. The Decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for the Protection of Personal Data (address: ul. Stawki 2, 00 - 193 Warsaw). 
A relative entry must be made against the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees. Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the case of postponement of the date of payment of the administrative fine or its distribution in instalments, the President of the Office for the Protection of Personal Data shall calculate interest on the unpaid amount on an annual basis, using the reduced rate of interest for delay, announced on the basis of art. 56d of the Act of August 29th, 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application. 
Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to the administrative court shall suspend the execution of the decision on the administrative fine.