UODO (Poland) - ZSPR.421.19.2019: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 17: Line 17:
|Type:||n/a
|Type:||n/a
|-
|-
|Outcome:||Violation
|Outcome:||Fine
|-
|-
|Decided:||9. 3. 2020
|Decided:||9. 3. 2020
Line 25: Line 25:
|Fine:||4673 EUR
|Fine:||4673 EUR
|-
|-
|Parties:||Vis Consulting Sp. z o.o. in liquidation  
|Parties:||Vis Consulting Sp. z o.o. in liquidation
|-
|-
|National Case Number:||ZSPR.421.19.2019
|National Case Number:||ZSPR.421.19.2019
Line 39: Line 39:
|}
|}


The President of the Personal Data Protection Office in Poland (UODO) imposed the first fine in the amount of over PLN 943 000 for the failure to fulfil the information obligation.
The President of the Personal Data Protection Office in Poland (UODO) imposed a fine of approx. 4600 EUR (PLN 20 000) on a telemarketing company for a violation of the controller's obligation to cooperate with the supervisory authority under Article 31 GDPR.


==English Summary==
==English Summary==
===Facts===
===Facts===
The decision of the UODO’s President concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In total, the company has 7'594'636 records of data concerning natural persons, and the company fulfilled the information obligation in relation to only 682'439 persons in relation to whom it has email addresses within the database record. The company raised the ground that the communication by registered letter would cost its turnover for the year 2018, which would constitute a "disproportionate effort" and would critically disturb the functioning of the company.   
The President of the UODO decided to conduct inspection activities at a company Vis Consulting Sp. z o.o. which provides telemarketing services to other companies - one of which was a subject of a decision issued earlier by the UODO. The supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.
 
When arrived at the company's registered address, the UODO’s inspectors did not find any representatives of the Vis Consulting Sp. z o.o. After the back-and-forth communication between the UODO representatives and the company's proxy, the latter informed the UODO on the phone that the inspection cannot take place.   


===Dispute===
===Dispute===
1) What is the applicable provision?
On two consecutive days of the planned inspection activities, the company made it impossible to carry out the inspection twice. Furthermore, on the date on which the inspectors attempted to conduct inspection at Vis Consulting Sp. z o.o., its authorities decided to liquidate that entity.
 
2) Does the company fulfill its obligation of information towards all data subjects?
 
3) Is it sufficient to place a privacy notice on the company's website to fulfill the information obligation towards natural persons who were not informed by email?


4) Is the information obligation impossible or disproportionate pursuant to Art. 14 par. 5 lit. b GDPR?
The President of the UODO had to make a decision about the company's compliance with Article 31 GDPR.


===Holding===
===Holding===


The President of UODO found that
The President of the UODO decided that Vis Consulting Sp. z o.o. in no way wished to cooperate with the supervisory authority.   


1) The applicable provision is the Art. 14 GDPR since the data controller collects the personal data from public sources.
The UODO concluded that the company deliberately thwarted the inspection and thus prevented the President of the UODO from performing statutory tasks under Article 58(1)(e) and (f) GDPR. The situation gives rise to the suspicion that the Company's thwarting of the inspection was aimed at preventing the UODO from collecting evidence of unlawful processing of personal data by the company.


2) No, the company completed its obligation only in relation to 682'439 natural persons conducting business activity, whose personal data has been processed by the company's IT "N system", in relation to which the company had an electronic address.
Thus the company infringed the provisions of the GDPR referring to cooperation with the supervisory authority and enabling it access to all personal data and any information.


3) No, the mere placement of the information on the company's website cannot be considered as sufficiently fulfilling the obligation mentioned in the Art. 14 GDPR.
Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied.  


4) No, in the assessment of the President of UODO, sending out information related to Art. 14 GDPR by regular mail to the address of a natural person conducting business activity or transmitting it via telephone contact, is not an “impossible” activity, and it doesn’t involve “a disproportionate effort” in the situation when the company '''is being in possession of address data of natural persons conducting one-man business activity''' (currently or in the past) and also, in addition to that, t'''he telephone numbers''' in reference to a fraction of these persons, in its IT system. However, it is necessary at this point to mention that as opposed to the above mentioned natural persons, '''the situation of shareholders''' or members of companies’ bodies and other legal persons, whose data are being processed by the Company, is different. In public registers (in particular in the National Court Register) '''the telephone/address data are not included''', and in this regard the Company would have to search for this data in other sources, which could mean “a disproportionate effort” for the Company.  
In connection with suspicion of commission of an offence under Article 108 (1) of the Act on the Protection of Personal Data by the President of the Company, the supervisory authority notified the District Public Prosecutor’s Office in Katowice thereof. According to that provision, the prevention or hindering of conducting inspection of compliance with the personal data protection provisions shall be subject to a fine, restriction of personal liberty or imprisonment for up to two years.  


Finally, the fact that the company justified the non-fulfillment of the obligation resulting from Art. 14 GDPR with possible high costs, and even tried to shift the responsibility – in case of the fulfillment of this obligation - for possible decrease of its competitiveness on the market, the loss of financial liquidity and even the need to terminate its business activity, has to be recognized as an aggravating factor. It should be emphasized that although the company obtains personal data from public sources and such data are the subject of its long-term commercial activity, the data subjects lack the information regarding the processing of their personal data by the company. In the assessment of the President of UODO, the liability towards these data subjects lies with the company, in particular with regard to the fulfillment of the obligation referred to Art. 14 (1) to (3) of the GDPR. Failure to fulfill the above-mentioned obligation, due to financial expenses claimed by the company, indicates lowering of the value of the rights of the data subjects, whose personal data are being processed by the Company, in relation to the value of company's finances – which cannot be considered as a valid argument in the light of the requirements of the GDPR.
The Public Prosecutor’s Office has lodged an indictment against the President of the Company to the court.


==Comment==
==Comment==
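Review bot: under ===Dispute===, the Vis Consulting text opens with a recital of events ("the company made it impossible to carry out the inspection twice", the liquidation decision) that belongs under ===Facts===; only the closing sentence about compliance with Article 31 GDPR states the issue. Move the recital up and phrase the dispute as the question the authority had to answer. The lead paragraph also names only Article 31 GDPR, while ===Holding=== relies on Article 58(1)(e) and (f) as well, so the lead should cite both.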
Line 81: Line 79:


<pre>
<pre>
1
DECISION
Warsaw, 15 March 2019
CP.421.19.2019
DECISION
 
ZSPR.421.3.2018
Pursuant to Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018. (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(e) and (f) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended), following an ex officio procedure initiated in the case of Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, 29 lok. 9, the President of the Office for Personal Data Protection, stating that Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, infringed the provisions of Article 31 and Article 58(1)(e) and (f) of the General Data Protection Regulation by not providing access to personal data and other information and premises, resulting in preventing the President of the Office for Personal Data Protection from carrying out control activities necessary for the performance of his tasks,
Under Art. 104 § 1 of the Act of 14 June 1960 The Code of Administrative Procedure (Journal of Laws of 2018, item 2096, with amendments) and Art. 7(1) and (2), Art. 60 and Art. 101 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, with amendments) in connection with Art. 12(1), Art. 14(1)(3) and Art. 58(2)(d) and (i) and Art. 83(5)(b) of the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2), after having conducted administrative proceedings in the case of personal data processing by X. Sp. z o. o., the President of the Personal Data Protection Office
 
having established the breach by X. Sp. z o. o. (limited liability company) of the provisions of Art. 14 (1)-(3) of the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2), consisting in failure to provide the information contained in Art. 14 (1) and (2) of the above mentioned Regulation to all natural persons, whose personal data are processed by X. Sp. z o. o., who are currently conducting one-man business activity or conducted it in the past as well as to natural persons who suspended this type of activity:
imposes on Vis Consulting Sp. z o.o. in liquidation, seated in Katowice at 29 Zygmunta Krasińskiego Street 9, a fine of PLN 20,000 (say: twenty thousand zlotys), which is equivalent to EUR 4,673,56, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as at 28 January 2020.
1. orders X. Sp. z o. o. to fulfil the obligation to provide the information specified in Art. 14 (1) and (2) of the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2) to natural persons, whose personal data are processed by X. Sp. z o. o. , who are currently conducting one-man business activity or conducted it in the past as well as to natural persons who suspended this type of activity, to whom this information has not been provided – within three months from the date of receipt of the decision;
Justification
2. imposes on X. Sp. z o. o. an administrative fine in the amount of PLN 943 470 (in words: nine hundred forty three thousand four hundred seventy Polish Zloty) for the breach established in this decision.
 
STATEMENT OF REASONS
Based on Article 58(1)(b), (e) and (f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2011, p. 1). 2016, p. 1 and EU Official Journal L 127 of 23.05.2018, p. 2), hereinafter referred to as the Regulation 2016/679, the President of the Office of Personal Data Protection has planned to carry out in Vis Consulting Sp. z o.o. with its registered office in Katowice at Zygmunta Krasińskiego 29 lok. 9 (hereinafter also referred to as the "Company") an inspection of compliance of data processing with the regulations on personal data protection. The audit was to be conducted from 29 July 2019 to 2 August 2019.
From [] to […] September 2018 and from […] to […] September 2018 (reference no. […]) authorised employees of the Personal Data Protection Office performed an inspection at X. Sp. z o. o. (hereinafter referred to as: the „Company”), for the purpose of checking the compliance
 
2
By letter of [...] July 2019. (mark: [...]) Urząd Ochrony Danych Osobowych via Poczta Polska notified the Company of the date and scope of the planned inspection. The letter was delivered on [...] July 2019 to the registered office of Vis Consulting Sp. z o.o. (Katowice, ul. Zygmunta Krasińskiego 29, 9), indicated in the National Court Register.
of processing of personal data by the Company with the provisions on personal data protection, i.e. the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2), hereinafter referred to as: the „Regulation 2016/679” and the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, with amendments), hereinafter referred to as: the „Act”.
 
The inspection covered the processing by the Company of personal data obtained from publicly available sources, including public registers (among others the Register of Entrepreneurs of the National Court Register, Business Activity Central Register and Information Record, REGON Database of the Polish Central Statistical Office).
On [...] July 2019, in order to carry out control activities (ZSPR.421.19.2019), the controlling persons went to the place indicated in the National Court Register as the address of the Company, but the persons representing the Company were not there. It turned out that this address is the Office of [...] (hereinafter referred to as the "Office") run by [...]. As agreed, the Company sub-leases the commercial premises located in Katowice at 29 Zygmunta Krasińskiego Street, 9, for the so-called 'virtual office'. Only an employee of the Office was found in the premises in question. After presenting this person with the purpose of the arrival of the controlling persons, an employee of the Office, after checking the content of the electronic mail, in order to determine whether any message was received from the Company in this respect, informed that a letter dated [...] July 2019 was received from the Company signed by Mr. Paweł Kępka - President of the Board. From the content of the letter, it resulted that the Company terminates the lease agreement for premises no. 9 located in Katowice at 29 Zygmunta Krasińskiego Street and that as of [...] July 2019, this entity will not operate at the above mentioned address. A copy of the aforementioned letter was forwarded to the inspectors.
The President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, hereinafter referred to as: „President of UODO”) with the letter of […] January 2019 (number: […]), informed the Company of instituting ex officio administrative proceedings in the case of failure to fulfill the information obligation referred to in Art. 14 of the Regulation 2016/679 in relation to these natural persons conducting business activity in case of whom the Company did not have e-mail address in its database, whereby it concerns both entrepreneurs which are currently conducting business activity or suspended this type of activity and to entrepreneurs which do not conduct such activity, but conducted it in the past.
 
The President of UODO, on the grounds of collected evidence, established the following facts of the case.
Moreover, an employee of the Office informed the inspectors that after receiving the letter of [...] July 2019 from the Office of Personal Data Protection, regarding the notification of the planned control in the Company, the content of the letter in question in the form of a scan was transferred to the Company. In order to document the above mentioned findings, on [...] July 2019, the inspectors made an official note.
1. Within its activity the Company offers in particular commercial reports []. The object of the Company’s prevailing activity is other information related service activity, not classified elsewhere (PKD [Polish Economic Activity Classification] 63,99,Z). The scope of the Company’s activity includes as well inter alia issuing lists (such as address, telephone lists), data processing, websites management (hosting) and similar activity, as well as other counselling on conducting business activity and management ([]).
 
2. In the IT system called „N[]” (hereinafter referred to as: „N […] system”) the Company is processing personal data of natural persons conducting business activity, which were collected from publicly available sources, including public registers, inter alia from Business Activity Central Register and Information Record, REGON Database of the Polish Central Statistical Office, the Court and Commercial Gazette (Monitor Sądowy i Gospodarczy ([…]).
In connection with the situation, the inspectors asked the employee of the Office to contact the Company in order to determine whether the inspection activities could be carried out. However, it was not possible to establish contact with the Company. Therefore, the inspector asked for a telephone number to the Company. An employee of the Office stated that it is only upon written request of the President of the Office for Personal Data Protection that he can provide information on this entity (including the telephone number). The Controllers left the telephone number to contact. On the same day, at approximately 2:00 p.m., a man who introduced himself as an "attorney [...]" called the Controller and said he was contacting on behalf of the Company, but did not know if the control could be carried out. In the course of the conversation, the above mentioned person has agreed that he will try to determine whether the inspection can take place by [...] July 2019.
3. The database of „ N […] system” contains the data concerning ca. 3 590 000 natural persons conducting currently one-man business activity and natural persons who suspended such activity as well as 2 330 000 natural persons who conducted business activity in the past ([…]).
 
4. In „ N […] system” the Company is processing in particular address data (register address, correspondence address, operational address) pertaining to natural persons conducting business activity ([]).
At the same time, on July [...], 2019, the President of the Office for Personal Data Protection sent a request to the e-mail address of the Office to provide a copy of the lease agreement for the premises in question and to provide contact information to the Company.
3
 
5. On 27 April 2018, i.e. before the date on which the Regulation 2016/679 began to apply, the Company sent information on the processing of personal data called „[] – GDPR – information obligation” to all e-mail addresses available in the database of the N […] system assigned to entrepreneurs conducting one-man business activity ([…]). In the course of information campaign, the Company sent 902 837 e-mails ([…]).
On [...] July 2019 the Controllers went again to the Company's address, but also on that day the persons representing the Company were not present. Therefore, no control activities took place. An employee of the Office provided the inspectors with a copy of the sublease agreement for the premises in question. At 11.00 a.m., a person representing himself as "advocate [...]" called the inspectors and informed them that the inspection would not take place.
6. The Company placed as well on its website with the URL www.[…].pl, in the tab „Data and privacy”/”Information on personal data processing”, information on personal data processing by X. ([…]). The Company published also on its website www.[…].pl, in the tab „Data and privacy”/”Information on personal data processing”, at https://www.[…].pl/rodo/, a full information notice meeting the requirements of Art. 14 (1) and (2) of the Regulation 2016/679.
 
7. The Company decided not to fulfil the information obligation by sending SMS in relation to persons, whose data it obtained from publicly available sources (including natural persons conducting business activity), since it does not have telephone numbers in relation to each of those persons, and also due to high costs of such action. Due to high costs the Company did not decide either to fulfil this obligation by sending regular mail do persons whose data are processed by it , ([…]).
In this connection, by letter dated [...] August 2019, the mark: [...] The President of the Office for the Protection of Personal Data initiated ex officio administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's compliance with the provisions on personal data protection. The above mentioned correspondence was returned with the note "out of date address".
8. The Company’s explanations presented in the letter of […] February 2019 allow to conclude that the data processed by it are the data publicly available, collected in official public registers, the scope of these data is relatively narrow, and the risk to the rights and freedoms of data subjects related to their processing is law. In total the Company has 7 594 636 records of data concerning natural persons, including entrepreneurs conducting one-man business activity and persons being partners or members of bodies of companies, foundations or associations. The Company fulfilled the individual information obligation in relation to 682 439 persons in relation to whom it has e-mail addresses within the database record. In relation to 181 142 persons the Company has only cellular telephone numbers, and in relation to 6 490 226 it has only correspondence addresses, whereof 2 924 443 records concern not active business activities. The Company’s explanations allow to conclude that if it was supposed to fulfil the information obligation established in Art. 14 (1) and (2) of the Regulation 2016/679, individually in relation to all natural persons whose data are the subject of the proceedings, with the use of regular mail, the cost of such operation would amount to over PLN 33 749 175 (the amount obtained by multiplying the number of data subjects to whom the information notice was sent by e-mail by the cost of sending through the Polish Post Office (Poczta Polska) a registered letter (2nd class mail), without additional administrative costs), which constitutes […] of the Company’s turnover for the year 2018.
 
9. Moreover, the Company’s explanations allows to conclude that the fulfilment of the information obligation in its basic form (i.e. individual contact with each data subject) would cause on the Company’s side a „disproportionate effort”, referred to in Art. 14 (5)(b) of the Regulation 2016/679, understood as organisational burden (i.e. the need to delegate employees and physical resources – computers, office equipment – to realise exclusively this task) and financial burden (i.e. the cost of printing, preparing for mailing, including the cost of paper, toner, envelopes, stamps, handling of returned correspondence, possible remuneration for entities to which the Company could outsource the execution of this task), which would
Based on the financial statements for the period from 1 January 2018 to 31 December 2018. (available on the website of the Ministry of Justice with the address: ekrs.ms.gov.pl), it was established that in the aforementioned period, the Company's net revenue from sales and equalised with them amounted to PLN 426 261.14.
4
 
critically disturb the functioning of the Company to the extent which could imply the need to terminate conducting activity in Poland.
After reviewing all the evidence gathered in the case the President of the Office for Personal Data Protection weighed the following:
10. The company applies high-quality technological protection measures to personal data processed by it, , [] The company has implemented specific procedures and instructions for employees ensuring the security of data processing.
 
11. The company also referred to the decision of Inspector General for the Protection of Personal Data (GIODO) of 12 July 2016 (reference no. DIS/DEC-587/16/62309), in an analogous case in which, after the decision of the Supreme Administrative Court of 24 January 2013 (reference no. I OSK 1827/11) and the Voivodeship Administrative Court in Warsaw of 24 April 2013 (reference no. II SA/Wa 507/13), GIODO stated that the information obligation exists and the appropriate means for its implementation was to include the required information on the website of the company being the data controller. In the Company’s opinion, there are no indications that in this proceeding, the assessment made by the President of UODO would be different in this respect.
According to the information contained in the National Court Register, on July 30, 2019, a resolution was passed to dissolve the Company and put it into liquidation. On 23 August 2019, the District Court in Katowice - Wschód, 8th Commercial Division made an entry in the National Court Register on placing the Company in liquidation. Since then, the Company has been operating under the name of Vis Consulting Sp. z o.o. in liquidation.
12. The company attached to the letter of […] February 2019 the following: Management Board’s statement on net revenues from sales and equalized with them for 2018 in the amount of PLN 34,778,450.50, and the Company’s financial statements for the financial year from 1/01/2017 to 31/12/2017, which shows the amount of net revenues from sales and equalized with them: PLN 29,026,755.76.
 
After analysing the evidence collected in the case, the President of the Personal Data Protection Office states the following.
Pursuant to Article 57(1)(a) of Regulation 2016/679, each supervisory authority on its territory shall monitor and enforce the application of Regulation 2016/679. In addition, pursuant to Article 58(1)(e) and (f) of Regulation 2016/679, the supervisory authority shall be entitled to access all the premises of the controller and the processor, including the equipment and means of data processing, in accordance with the procedures laid down in EU or Member State law. It should be noted that in accordance with Article 58(6) of Regulation 2016/679, each Member State may provide in its legislation that its supervisory authority has, in addition to the powers laid down in Union or Member State law, the following powers
The President of UODO is the authority competent in matters of personal data protection (Art. 34 of the Act of 10 May 2018 on the Protection of Personal Data) and the supervisory authority within the meaning of Regulation 2016/679 (Art. 34 § 2 of the Act of 10 May 2018 on the Protection of Personal Data.)
in paragraphs 1, 2 and 3, also other powers. As provided for in Article 31 of Regulation 2016/679, the controller and processor and, where applicable, their representatives, shall cooperate with the supervisory authority upon request in the performance of its tasks.
With regard to Art. 57(1) of Regulation 2016/679, without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory monitor and enforce the application of this Regulation (a); conduct investigations on the application of this Regulation (h). The instruments for the implementation of tasks referred to Art. 57 of Regulation 2016/679 are in particular corrective powers granted by virtue of Art. 58(2), to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period (d) and the application, in addition to, or instead of, the measures referred to this point, of an administrative fine under Article 83, depending on the circumstances of the specific case (i).
 
According to Art. 14(1) of Regulation 2016/679, where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
Pursuant to Article 78 paragraph 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "the Act", the President of the Office for the Protection of Personal Data shall carry out the control of compliance with the provisions on personal data protection. Pursuant to Art. 79 sec. 1 point 1 of the Act, the control is carried out by an employee of the Office authorised by the President of the Office.
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
 
(b) the contact details of the data protection officer, where applicable;
As stipulated in Art. 84 sec. 1 of the Act, the inspector has the right to: a) enter the land and buildings, premises or other premises between 600 and 2200 hours; b) inspect documents and information directly related to the subject matter of the inspection; c) inspect places, objects, devices, carriers and IT or ICT systems used for data processing; d) demand written or oral explanations and question a person as a witness to the extent necessary to establish the facts; e) have expert opinions and opinions drawn up.
5
 
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
The fact that the President of the Office for Personal Data Protection has planned to carry out an inspection in the Company in connection with the findings made during the inspection carried out in V is of significant importance in this case. Sp. z o.o. sp. k. with its registered office in [...]. In the course of the audit conducted in the above mentioned entity, it was established that it conducts telemarketing activities. In connection with this activity it processes personal data (landline and mobile phone numbers) by means of an ICT system provided by the Company. The system in question is used on the basis of a cooperation agreement on the outsourcing of telemarketing services. The agreement was concluded with the Company [...] February 2017. An important issue is that V. Sp. z o.o. sp. k. does not have its own database, and all telephone connections are generated only by the IT system made available by the Company.
(d) the categories of personal data concerned;
 
(e) the recipients or categories of recipients of the personal data, if any;
The content of the aforementioned agreement shows, among other things, that the Company has a technical solution - an ICT system in the form of a computer program, the use of which allows for making telephone calls to fixed and mobile phone numbers according to the location criterion. Moreover, in this agreement it is also indicated that the functionality of the system in question prevents V. Sp. z o.o. sp. k. from accessing any information, including the dialed telephone number. Moreover, in this agreement, the Company declares that in case of using any personal data for the purpose of performing the above-mentioned agreement, it will administer "the above-mentioned data in accordance with the applicable provisions of Polish law". In § 3 point 2 of the aforementioned agreement there is a provision with the following content: "VIS declares that in case of any claims by third parties against V. [...] related to the functionality of the SYSTEM [...], releases V. from this liability to the extent permitted by the applicable law and undertakes to cover all costs related to the protection of V. against such claims".
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
 
However, as results from Art. 14(2) of Regulation 2016/679, in addition to the information referred in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
Due to the fact that V. Sp. z o.o. sp. k. does not have access to personal data processed in this system (i.e. to information about telephone numbers dialled), the President of the Office for Personal Data Protection considered it necessary to carry out control activities also in the Company (i.e. in the entity which, on the basis of the established agreement, is considered to be the data controller). The aim of the inspection was to examine the legality of personal data processing using the system in question.
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
 
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
The fact that it was impossible to carry out the inspection in the Company made it significantly more difficult for the President of the Office for Personal Data Protection to examine the process of personal data processing by V. Sp. z o.o. sp. k.
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
 
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
The evidence gathered in the case indicates that the actions taken by the persons representing the Company definitely prove the lack of cooperation with the President of the Office for Personal Data Protection.
(e) the right to lodge a complaint with a supervisory authority;
 
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
To confirm the above position, the following circumstances should be recalled:
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
 
Art. 14 (3) of the Regulation 2016/679 indicates when the controller shall provide the information referred to in paragraphs 1 and 2, i.e.:
1) after receiving information about the planned control of the President of the Office for Personal Data Protection (letter of [...] July 2019), on [...] July 2019 (two days before the commencement of the planned control), the Company sent a motion to the lessor to terminate the lease agreement for the premises located in Katowice at 29 Zygmunta Krasińskiego Street (address of the Company indicated in the National Court Register);
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
 
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
2) on both [...] July 2019 and [...] July 2019, the Company thwarted the control activities, as no person authorised to represent the Company in the course of the control was found at the Company's address;
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
 
Bearing in mind the findings made in this matter, it should be pointed out that the obligation referred to in Art. 14 of Regulation 2016/679, was completed by the Company only in relation
3) On 30 July 2019, a resolution was adopted on dissolution of the Company and commencement of liquidation proceedings (this information is contained in the National Court Register).
 
to 682 439 natural persons conducting business activity, whose personal data has been processed by the Company’s IT ‘N []’ system, in relation to which the Company had an electronic address (e-mail address) and sent electronic correspondence including ‘Information on the personal data processing’ (number on the day of findings made during inspection).
To sum up, it should be stated that the Company's activities referred to above undoubtedly prove that it does not fulfil its obligations related to the processing of personal data or at least intentionally avoids submitting to the control of the supervisory authority which is the President of the Office for Personal Data Protection. Thus, it should be considered that by preventing the President of the Office for the Protection of Personal Data from carrying out the inspection, the Company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679. It should be pointed out that in accordance with Article 31 of Regulation 2016/679, the controller and the processor and, where applicable, their representatives shall cooperate with the supervisory authority upon request in the performance of its tasks. The obligation to cooperate includes ensuring that the supervisory authority is able to obtain from the controller (and the processor) access to all personal data and all information necessary for the performance of its tasks (Article 58(1)(e) of Regulation 2016/679), to obtain access to any premises of the controller and the processor, including the processing equipment and means in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f) of Regulation 2016/679). This obligation for the controller to cooperate is in fact correlated with the tasks of the supervisory authority as formulated in Article 57 of Regulation 2016/679 and the powers stemming from Article 58 of Regulation 2016/679.
However, this obligation resulting from Art. 14 of the Regulation 2016/679 was not fulfilled by the Company in relation to the remaining natural persons conducting business activity and whose data are being processed in the N[] system, meaning the ones whose e-mail addresses were not at the Company’s disposal. The findings made by the President of UODO have shown that the Company had not fulfilled this obligation in relation to these natural persons whose e-mail addresses were not included in its database, and this applies to both entities currently conducting business activity (who did not “close” their operations, are currently active or have suspended their business activity), as well as to those who have ceased their business activity.
 
The Company has also placed on its website located at the address www.[...].pl, in the tab “Data and privacy”/”Information on personal data processing”, the information on the processing of personal data by the Company with regard to Art. 14(1)-(2) of the Regulation 2016/679.
The President of the Office for the Protection of Personal Data, acting on the basis of Article 108 par. 1 of the Act on the Protection of Personal Data, notified the District Prosecutor's Office in [...] of a suspicion of committing an offence consisting in thwarting control activities by the Company. On [...] January 2020, the Office for Personal Data Protection received a notification (file ref. [...]) from the District Prosecutor's Office [...] [...] of sending a bill of indictment against [...] [...] [...], accused of committing an offence under Article 108 of the Act on Personal Data Protection.
In the above context the President of UODO concludes that mere placement of the information necessitated by Art. 14(1)-(2) of the Regulation 2016/679 on the Company’s website, in the situation where address-related data (and at times even telephone numbers) of natural persons conducting one-man business activity are at the Company’s disposal, what might allow sending them by regular mail correspondence including information necessitated by the above rule (or conveying these via telephone contact) cannot be considered as sufficiently fulfilling by the Company the obligation mentioned in the Art. 14(1)-(3) of the Regulation 2016/679.
 
The circumstance excluding the obligation to provide information, as provided for in Art. 14(5)(b) of the Regulation 2016/679, i.e. excluding the application of Art. 14(1)-(4) of the Regulation 2016/679 when and where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort, is not applicable in this case in relation to natural persons conducting business activity whose personal data are being processed by the Company in the N[…] system database.
Moreover, in view of the above findings, the President of the Office for the Protection of Personal Data, exercising his powers under Article 83 of the Regulation 2016/679, states that in the case under consideration, there are prerequisites for imposing an administrative fine on the Company.
In the assessment of the President of UODO, sending out information related to Art. 14 of the Regulation 2016/679 by regular mail to the address of a natural person conducting business activity or transmitting it via telephone contact, is not an “impossible” activity, and it doesn’t involve “a disproportionate effort” in the situation when the Company is being in possession of address data of natural persons conducting one-man business activity (currently or in the past) and also, in addition to that, the telephone numbers in reference to a fraction of these persons, in its N[…] IT system. It is necessary at this point to mention that as opposed to the above mentioned natural persons, the situation of shareholders or members of companies’ bodies and other legal persons, whose data are being processed by the Company, is different. In public registers (in particular in the National Court Register) the telephone/address data are not included, and in this regard the Company would have to search for this data in other sources, which could mean “a disproportionate effort” for the Company.
 
In the letter of […] February 2019 the Company presented a calculation of costs related to a potential dispatch of information mentioned in the Art. 14(1)-(2) of the Regulation 2016/679 by regular mail to natural persons whose data are being processed by the Company, using a
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case.
 
registered letter (2nd class mail) the cost of which would be more than PLN 33 749 175 (making up for […] of the Company’s 2018 turnover).
In accordance with Article 83 of Regulation 2016/679 - laying down general conditions for the imposition of administrative fines - each supervisory authority shall ensure that the administrative fines referred to in paragraphs 4, 5 and 6 of this Article are effective, proportionate and dissuasive in each individual case (paragraph 1). In accordance with Article 83(2)(b) of Regulation 2016/679, the authority shall pay due attention to the intentional or unintentional nature of the breach in each individual case when deciding whether to impose an administrative pecuniary sanction and when setting the amount of the administrative sanction.
Meanwhile, from the established facts of the case it emerges that the Company is conducting its business activity on the Polish market for more than 25 years, and as of […] February 2019 it possesses in its database more than 7 594 636 records containing personal data of entrepreneurs and partners or members of bodies of companies, foundations or associations. From the clarifications submitted by the Company it also emerges that, as per the day of submission, the Company did not meet the individual obligation to provide information toward 6 671 368 persons in total. In relation to 181 142 persons the Company has only mobile telephone numbers at its disposal, which means that it is able to meet the obligation to provide information via this means of communication. When it comes to 6 490 226 persons, whose only contact details at the Company’s disposal are correspondence addresses, attention should be given to Art. 12(1) of the Regulation 2016/679. This rule provides for the controller, in the absence of data subject, to take appropriate measures to provide any information referred to in (inter alia) Art.14 of the Regulation 2016/679. In the assessment of the President of UODO this rule does not imply that the legislator imposed an obligation on the controller to send out this information via registered mail; it is only important for the controller to be able to prove by appropriate means that the obligation to provide information has been fulfilled towards the subjects whose personal data are being processed. The essence of fulfilling this obligation is a functional, proactive operation by the controller to provide the information defined in the Regulation 2016/679 to the data subject.
 
The obligation to provide information in a proactive manner is being emphasized by the Article 29 Working Party in the Guidelines on transparency under Regulation 2016/679 adopted on 29 November 2017 (as last revised and adopted on 11 April 2018). Independently from the above mentioned methods of fulfilling the obligation to provide information, in the assessment of the President of UODO, the Company is able to fulfil this obligation arbitrarily and in the context of Recital 171 of the Regulation 2016/679 where EU legislator stated that processing, which was already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force – it is the deadline of fulfilling the obligation that is decisive.
Pursuant to Article 83(2)(k) of Regulation 2016/679, the authority shall, in determining whether to impose an administrative penalty payment and in fixing the amount of the administrative penalty payment, pay due attention in each individual case to any other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided, whether directly or indirectly related to the infringement.
The personal data processed by the Company were gathered from sources of information available to the general public. The scope of data, with regard to all natural persons whose data are being processed, which are being processed by the Company for commercial purposes consists of (inter alia): first name, surname, PESEL number (personal identification number) (obtained from the National Court Register), and in relation to natural persons conducting business activity it includes inter alia the following data obtained from the Central Registry and Information on Economic Activity and REGON (National Business Registry) database of the Central Statistical Office: first name, surname, company name, registry address and other addresses, PKD (Polish Economic Activity Classification) activity code, telephone number (optional), e-mail address (optional), website address (optional), interdicts/powers/restrictions/licenses to conduct a certain kind of business activity, legal events in relation to the entity (accordingly to the scope of data outlined in the Appendix No. 63 – Case file No. 464).
 
The President of the Office for the Protection of Personal Data has taken into account the following aggravating circumstances when deciding on the administrative fine to be imposed on the Company and when determining its amount, in accordance with Article 83(2)(a)-(k) of Regulation 2016/679:
The President of UODO acknowledges therefore that the investigated case of the Company in question is not analogous to the one that was being subjected to scrutiny by the Supreme Administrative Court of Poland (NSA) in the judgment of 24 January 2013 (File Ref. No. I OSK 1827/11) neither in terms of the amount of data obtained by the Company from publicly available sources nor fulfilling the obligation to provide information. In the latter case the NSA stated that: “From the findings made by the authority it emerges that the complainant company as part of its commercial activities of providing information services, is processing data related to legal persons and organisational units not having legal personality, data of which are being disclosed in the National Court Register (the Court and Commercial Gazette). These data files also contain natural persons’ personal data in the scope of: first name, surname, PESEL number, assigned responsibility, year of birth. The Court and Commercial Gazette does not include data on the addresses of natural persons. In this situation the complainant company had legitimately called into question the imposition of the obligation to provide information issued by the authority without any recommendation on how to and by which means the controller should obtain these data.” In contrast, in this case the Company has at its disposal a significantly broader scope of personal data, including correspondence addresses of natural persons and telephone numbers which means that it was able to fulfil the obligation to provide data, mentioned in the Art. 14 (1)-(2) of the Regulation 2016/679, towards natural persons whose data are being processed by it.
 
Considering the above findings, the President of UODO, drawing upon his power as defined in the Art. 58(2)(d) of the Regulation 2016/679, orders the Company – within three months from the date of receipt of this decision – to fulfil the obligation to provide information mentioned in the Art. 14(1)-(2) of the Regulation 2016/679 to these natural persons conducting business activity whose personal data it is processing, and to whom this information was not provided.
(1) The infringement found in this case is of considerable gravity and seriousness, as the Company's lack of cooperation with the President of the Office for the Protection of Personal Data has made it impossible for that body to carry out checks on the Company's compliance with the provisions on personal data protection. The Company's action is reprehensible. By its failure to do so, the Company prevented the President of the Office for the Protection of Personal Data from making very important findings (concerning the legality of personal data processing), the results of which would undoubtedly have a significant impact on the assessment of the evidence collected in the course of another inspection, which was carried out by the President of the Office for the Protection of Personal Data in V. Sp. z o.o. sp. k. (nature, seriousness and time of the infringement).
According to Art. 58 (2)(i) of the Regulation 2016/679, each supervisory authority shall have the right to impose an administrative fine pursuant to Article 83, in addition to, or instead of other corrective measures referred to in Article 58 (2) of this Regulation, depending on the circumstances of each individual case. The President of UODO hereby states that conditions justifying imposition of the fine on the Company have been met in the respective case. Pursuant to Art. 83 (2) of the Regulation 2016/679, administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred in points (a) to (h) and (j) of Art. 58 (2). When deciding whether to impose the fine and assessing the amount of it, the President of UODO, pursuant to Art. 83 (2)(a) to (k) of the Regulation 2016/679, has taken into account the following factors: 1. The Company failed to comply with the obligation to provide the information specified in Art. 14 (1) to (3) of the Regulation 2016/679 to natural persons, who are currently conducting one-man business activity or conducted such activity in the past (which applies to both entities who are currently active or have suspended their business activity, as well as to those who have ceased their business activity), this state of matters continues to the present date, which proves that it is not an one-off, limited in time event, it is also affecting a total of 6.671.368 data subjects – according to Company’s explanation dated […] February 2019 r. (the nature, gravity and duration of the infringement);
 
The Company deliberately thwarted the inspection, and thus prevented the President of the Office for Personal Data Protection from performing the statutory tasks under Article 58(1)(e) and (f) of Regulation 2016/679. This situation gives rise to a suspicion that the Company's thwarting of the inspection was aimed at preventing the President of the Office for Personal Data Protection from collecting evidence that the processing of personal data by the Company is unlawful (intentional or unintentional nature of the infringement).
2. The infringement identified in the present case is severe, as it relates to the fundamental rights and freedoms of the persons whose data are being processed by the Company, and it violates the fundamental principle of fairness and transparency with regard to personal data processing (Article 5 (1) (a) of the Regulation 2016/679). The Company did not meet the requirement to provide basic information regarding processing and rights of the data subjects related to such operations (referred to in Art. 15 to 21 of the Regulation 2016/679) which entails, inter alia, the risk of depriving these data subjects of the possibility to exercise their rights. The gravity of the breach is also increased by the fact that the Company, which processes personal data in a professional manner, as a part of its core business activity, for profit and on a very large scale (the number of data subjects affected by the violation is a total of 6 671 368), is burdened with a higher degree of responsibility and requirements than an entity, which processes personal data as a part of its side activity, incidentally or on a small scale. Moreover, the infringement is ongoing, which constitutes an aggravating circumstance in this case (the nature, gravity and duration of the infringement); 3. The Company made an informed decision, motivated by the desire to avoid any additional financial outlays, not to fulfill the obligation laid down in Art. 14 (1) to (3) of the Regulation 2016/679, towards natural persons who are currently conducting one-man business activity (including entrepreneurs who are currently active or have suspended their business) or were conducting such activity in the past, ‘due to millions in costs’ ([...]), which only confirms that the Company breached the above mentioned provisions intentionally (intentional or negligent nature of the infringement); 4. 
No damage for data subjects as a result of the breach identified was established in the course of the proceedings, however, further processing of personal data without the awareness of data subjects affected, certainly prevents or restricts them from exercising their rights, e.g. the right to obtain the erasure of data, the right to the rectification of data or to object to processing of personal data (12 630 data subjects have exercised this right as per [...] September 2018 - [...]). As a consequence, non-fulfillment of the obligation to provide information leads to Company's privileged position in exercising its rights in relation to the rights of data subjects, whose data constitute a significant part of the Company's business activity. Reference should be made to the standpoint of Supreme Administrative Court presented in its judgment of 16 December 2004 (file ref. no. OSK 829/04), in which the Court expressed the view that the protection of one’s interests cannot be ensured at the expense of violating the rights of others, which can be directly or indirectly inferred from many provisions of the Constitution of the Republic of Poland, e.g. from Art. 2, Art. 32 (1) and Art. 83 (actions taken to mitigate the damage suffered by data subjects); 5. The identified infringement is not related to the implementation nor quality of organisational and technical measures applied by the Company – pursuant to Art. 25 and 32 of the Regulation 2016/679 – therefore, there is no need to determine the degree of the Company's responsibility in this context (the degree of responsibility of the controller taking into account organisational and technical measures); 6. No previous violations of the provisions of the Regulation 2016/679 committed by the Company were identified which would be relevant for the proceedings; 7. 
Both during the inspection and in the course of the administrative proceedings, the Company cooperated with the President of UODO – within the specified time limit it sent
 
The other prerequisites for the administrative fine indicated in Art. 83 par. 2 letter c - k, due to the subject matter of the proceedings shall not apply in these proceedings. Consequently, they did not affect the assessment of the infringement and the level of the administrative penalty imposed.
written explanations, replied to the letter of the President of UODO and submitted relevant documents to confirm its explanations. However, this cooperation was solely aimed at ensuring the proper conduct of the proceedings, as the Company did not intend to remedy the infringement identified during the inspection, or mitigate its adverse effects (the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement); 8. Personal data of natural persons conducting business activity (currently or in the past), which are being processed by the Company, come from publicly available sources of information and include: name, surname, company name, register address and other addresses, PKD activity code, telephone number (optional), e-mail address (optional), website address (optional), interdicts/powers/restrictions/licenses to conduct a certain kind of business activity, legal events in relation to the entity (accordingly to the scope of data outlined in the Appendix No. 63 – Case file No. 464). The Company indicated that it also has at its disposal: e-mail addresses, personal correspondence addresses and telephone numbers of natural persons (the categories of personal data affected by the infringement). The breach established in this case does not concern special categories of personal data referred to in Art. 9 of the Regulation 2016/679 (the Company does not process such data); 9. The President of UODO obtained the information on the Company’s failure to fulfill the obligation laid down in Art. 14 (1) and (2) of the Regulation 2016/679, during an ex officio inspection carried out at the Company’s headquarters (the manner in which the infringement became known to the supervisory authority); 10. Measures referred to in Art. 
58 (2) of the Regulation 2016/679 have not previously been ordered against the Company with regard to the same subject-matter (compliance with such measures imposed on the controller in the same subject-matter); 11. The Company does not adhere to the approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or to the approved certification mechanism pursuant to Art. 42 of the Regulation 2016/679 (adherence to approved codes of conduct or certification mechanism); 12. The fact that the Company justified the non-fulfillment of the obligation resulting from Art. 14 (1) - (3) of the Regulation 2016/679 with possible high costs, and even tried to shift the responsibility – in case of the fulfillment of this obligation - for possible decrease of its competitiveness on the market, the loss of financial liquidity and even the need to terminate its business activity, has to be recognized as an aggravating factor. It should be emphasized that although the Company obtains personal data from public sources and such data are the subject of its long-term commercial activity, the data subjects lack the information regarding the processing of their personal data by the Company. In the assessment of the President of UODO, the liability towards these data subjects lies with the Company, in particular with regard to the fulfillment of the obligation referred to Art. 14 (1) to (3) of the Regulation 2016/679. Failure to fulfill the above-mentioned obligation, due to financial expenses claimed by the Company, indicates lowering of the value of the rights of the data subjects, whose personal data are being processed by the Company, in relation to the value of Company's finances – which cannot be considered as a valid argument in the light of the requirements of the Regulation 2016/679. It should also be pointed out that the Company gains financial resources within its business activity, the object of which is providing personal data of natural persons to its clients (i.e. 
inter alia business entities, including persons conducting one-man business activity or public bodies),
 
In determining the amount of the administrative penalty payment, the President of the Office for the Protection of Personal Data did not see any mitigating circumstance affecting the final penalty.
perceived as separate controllers with regard to the products offered by the Company. In the “N [...] system”, the Company also stores data of persons who no longer conduct business activity because, as it follows from the inspection findings "(...), the Company's clients ask if there are entities, who have ceased their business activity, among their suppliers. The information on inactive clients is a part of the Company's product that consists in providing business information."([...]). In the assessment of the President of UODO, the additional aggravating factor in this case is the motivation that the Company was driven by when deciding that the sufficient form of providing information referred to in Art. 14 (1) and (2) of the Regulation 2016/679 to entrepreneurs whose e-mail addresses the Company did not have was publishing such information on its website. The Company does not conceal the fact that this choice was motivated by a constant calculation of financial outlays related to direct ways of reaching persons, whose data the Company was processing, and thus the desire to avoid additional costs. Yet the Company is fully aware that the appropriate form of providing data subjects with the required information, guaranteeing adequate level of protection to their rights and freedoms is direct contact initiated by the Company. The above is confirmed by the fact that such contact was chosen as first with regard to entrepreneurs whose e-mail addresses the Company had at its disposal (in this case, however, direct contact did not involve any real financial costs). The resignation from direct contact, due to financial expenses, should be assessed negatively, especially as operations on personal data are the object of the Company’s core, purely commercial, professional, long-term activity. 
The Company, as a professional entity performing this type of operations, should be required to shape the business side of its activity in a manner, which would allow to take into account all the costs necessary to ensure the compliance of its activities with the law (in this case, the provisions on the protection of personal data). According to Art. 83 (1) of the Regulation 2016/679 – setting out the general conditions for the imposition of administrative fines – each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of the infringement of this Regulation referred to in paragraphs 4, 5 and 6 of the above Article shall in each individual case be effective, proportionate and dissuasive. Deciding on whether to impose an administrative fine, as well as determining its amount, the President of UODO considered the intentional nature of the violation, i.e. the Company’s conscious decision not to comply with the obligation to provide information, to be the most important aggravating factor. It is also absolutely crucial that the Company’s decision had affected and still affects a large number of data subjects, towards whom the information obligation was not fulfilled. The following consequences of failure to fulfill this obligation are also significant: the lack of awareness regarding processing operations of data subjects, whose personal data are being processed and their lack of possibility to exercise their rights guaranteed by the provisions of the Regulation 2016/679. The duration of the infringement should also be assessed negatively, especially taking into account the date of entry into force of the Regulation 2016/679, as well as the date of the beginning of its application. What also matters in this particular case, is the fact that the breach – in accordance with Art. 
83 (5) (b) of Regulation 2016/679 – pertains to one of the fundamental rights of natural persons, to which a higher maximum amount of the administrative fine shall apply.
 
The fixing of the amount of the financial penalty imposed also required the definition of the objectives which that penalty would achieve. It should be pointed out that the financial penalty imposed on the Company in connection with the lack of cooperation with the President of the Office for the Protection of Personal Data is of repressive nature (it is to cause the Company to incur a financial penalty for the avoidance of control) and preventive (it is to prevent future violations of law by the Company, but also by other entities). In addition, the financial penalty imposed on the Company is also of a deterrent nature and is related to the prevention of violations. The penalty is designed to deter both the Company and others from recidivism.
In the assessment of the President of UODO, the imposed administrative fine, taking into account the established facts of this case, achieves its objectives referred to in Art. 83 (1) of the Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this particular case. The fine should be considered effective, if its imposition will lead the Company to adapt its data processing operations to full compliance with legal standards. The amount of the fine should be sufficiently high so that the Company, as the punished entity, is not able to include it in its business expenses. Moreover, the effectiveness of such measure needs to be connected with the financial ailment for the Company being a data controller, which would be indisputable for a purely commercial entity, the activities of which (including those related to the established infringement) are driven purely by the will to increase its profits or to avoid additional costs (redundant in its opinion) or financial outlays. The imposition of an administrative fine in the respective case is necessary, considering that the Company, being aware of the breach, did not undertake or even declare the will to take any actions to remedy this infringement. In the assessment of the President of UODO, the fine imposed on the Company is proportionate to the breach established in this case, in particular considering the gravity of the breach, the number of data subjects affected and the duration of the infringement. The above is indicated by the President of UODO as a result of thorough and detailed consideration of all the criteria referred to in Art. 83 (2) of the Regulation 2016/679. The dissuasive character of the fine entails the prevention of infringements, by penalizing their perpetration. The purpose of the fine is to deter the Company as well as any other entities from similar infringements. 
Moreover, when imposing the administrative fine, the President of UODO has taken into consideration both of its aspects: firstly – the repressive nature of sanction, given the fact that the Company has violated the legal provisions, and secondly – its preventive nature, given the fact that the Company, as well as other controllers would be effectively discouraged from violating personal data protection law in the future. The objective of the fine imposed in this case is to lead the Company to fulfill the obligation resulting from Art. 14 (1) - (3) of the Regulation 2016/679, and as a consequence, to bring processing operations into compliance with the provisions on the protection of personal data. In the established facts of this case, i.e. the established breach of the obligation referred to in Art. 14 (1) - (3) the of Regulation 2016/679, Art. 83 (5)(b) of the Regulation 2016/679 will apply, according to which the infringements of the provisions on the rights of data subjects (including the right to obtain information referred to in Art. 14 (1) and (2) of that Regulation) shall be subject to an administrative fine up to EUR 20 000 000 and, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. With regard to Art. 103 of the Act, the equivalent of amounts expressed in Euro as referred to in Art. 83 of the Regulation 2016/679 shall be calculated in Polish Zlotys and converted at the average Euro exchange rate published by the National Bank of Poland in the exchange rate chart taking effect on 28 January of each year, and if in the given year the National Bank of Poland does not announce the average Euro exchange rate on 28 January - at the average Euro exchange rate published by the National Bank of Poland in the next exchange rate chart following that date.
 
In addition, the President of the Office for the Protection of Personal Data can undoubtedly not accept situations in which entities by thwarting control activities prevent the implementation of his statutory tasks.
The President of UODO, pursuant to Art. 83 (5) (b) of the Regulation 2016/679, in connection with Art. 103 of the Act, imposes on the Company for the infringement described in the operative part of this decision, an administrative fine in the amount of PLN 944 470 (equivalent to EUR 220 000) – using the average Euro exchange rate of 28 January 2019 (EUR 1 = PLN 4.885). In the assessment of the President of UODO, the imposed fine taking into account the established facts of the case meets the prerequisites referred to in Art. 83 (1) of the Regulation 2016/679, considering the gravity of the infringement identified in the context of the basic requirements and principles of the Regulation 2016/679 - fairness, transparency and the right to information. Referring to the principle of transparency – established in Art. 5 (1) (a) of the Regulation 2016/679, according to which data must be processed lawfully, fairly and in transparent manner in relation to the data subject – it should be pointed out that this particular principle is crucial to the fairness of personal data processing, especially in the context of significant extension (by virtue of the provisions of the Regulation 2016/679) of the obligations to provide data subjects with information regarding data processing and enabling data subjects to exercise their rights. One of the aspects of the information obligations arising from the principle of transparency is the formal aspect regarding fulfillment of the information obligation (including the one mentioned in Art. 14 of the Regulation 2016/679), as well as fulfilling it in appropriate time and form. The fulfillment of the information obligation pursuant to the principle of transparency is aimed at making data subjects aware of the risks, rules, safeguards and rights related to the processing of personal data, as well as of the methods of exercising these rights. 
Given the above, the President of Personal Data Protection Office ruled as stated in the operative part of this decision.
 
The decision is final. The party has the right to lodge a complaint to the Voivodeship Administrative Court (Wojewódzki Sąd Administracyjny) in Warsaw within 30 days from the receipt of this decision via the President of UODO (address: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw). With regard to the complaint a proportional filing fee, referred to in Art. 231 in relation to Art. 233 of the Act of 30 August 2002 on Proceedings before Administrative Courts (Journal of Laws of 2018, item 1302, consolidated text published on 5 July 2018), needs to be submitted. The party has the right to claim the right to receive help which includes court cost exemption and the appointment of an attorney, legal counsel, tax counsellor or patent attorney. The right to receive help might be awarded at the party’s request lodged before the start of the proceedings or with the proceedings underway. The request is free of court fees.
Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date.
According to Art. 105 (1) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, with amendments) the administrative financial fine shall be paid within 14 days of the lapse of the deadline for lodging a complaint to the Voivodeship Administrative Court or of the day on which the ruling of the administrative court becomes final, into the UODO’s bank account at the NBP (the National Bank of Poland) O/O Warszawa (Warsaw branch) No. 28 1010 1010 0028 8622 3100 0000.
 
In the opinion of the President of the Office for the Protection of Personal Data, the penalty payment applied meets, in the established circumstances of this case, the conditions referred to in Article 83(1) of Regulation 2016/679, due to the seriousness of the established breach resulting from Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679, which is undoubtedly a lack of cooperation with the supervisory authority in the exercise of its statutory powers, including the prevention of control activities.
 
Under those provisions, an infringement of the obligation of the controller referred to in Article 31 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10 000 000 and, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable.
 
An infringement of the obligations of the controller referred to in points (e) and (f) of Article 58(1) of Regulation 2016/679 shall be punishable by an administrative fine of up to EUR 20 000 000 and, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, the higher amount being that which the President of the Office for the Protection of Personal Data pursuant to Article 83(3) of Regulation 2016/679 considers to be the most serious infringement and the amount of the fine imposed by this Decision shall not exceed that amount.
 
In view of the above, the President of the Office for Personal Data Protection has decided as set out in the operative part of this Decision.
 
The Decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for the Protection of Personal Data (address: ul. Stawki 2, 00 - 193 Warsaw). A relative entry must be made against the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.
 
Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the case of postponement of the date of payment of the administrative fine or its distribution in instalments, the President of the Office for the Protection of Personal Data shall calculate interest on the unpaid amount on an annual basis, using the reduced rate of interest for delay, announced on the basis of art. 56d of the Act of August 29th, 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.
 
Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to the administrative court shall suspend the execution of the decision on the administrative fine.
</pre>
</pre>

Revision as of 20:05, 6 April 2020

UODO - ZSPR.421.3.2018
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 31 GDPR
Type: n/a
Outcome: Fine
Decided: 9. 3. 2020
Published: 26.3.2020
Fine: 4673 EUR
Parties: Vis Consulting Sp. z o.o. in liquidation
National Case Number: ZSPR.421.19.2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Polish
Original Source: UODO (PL)

The President of the Personal Data Protection Office in Poland (UODO) imposed a fine of approx. 4600 EUR (PLN 20 000) on a telemarketing company for a violation of the controller's obligation to cooperate with the supervisory authority under Article 31 GDPR.

English Summary

Facts

The President of the UODO decided to conduct inspection activities at the company Vis Consulting Sp. z o.o., which provides telemarketing services to other companies, one of which was the subject of a decision issued earlier by the UODO. The supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.

When they arrived at the company's registered address, the UODO’s inspectors did not find any representatives of Vis Consulting Sp. z o.o. After back-and-forth communication between the UODO representatives and the company's proxy, the latter informed the UODO by phone that the inspection could not take place.

Dispute

On two consecutive days of the planned inspection activities, the company made it impossible to carry out the inspection. Furthermore, on the date on which the inspectors attempted to conduct the inspection at Vis Consulting Sp. z o.o., its authorities decided to liquidate that entity.

The President of the UODO had to make a decision about the company's compliance with Article 31 GDPR.

Holding

The President of the UODO decided that Vis Consulting Sp. z o.o. in no way wished to cooperate with the supervisory authority.

The UODO concluded that the company deliberately thwarted the inspection and thus prevented the President of the UODO from performing statutory tasks under Article 58(1)(e) and (f) GDPR. The situation gives rise to the suspicion that the Company's thwarting of the inspection was aimed at preventing the UODO from collecting evidence of unlawful processing of personal data by the company.

Thus the company infringed the provisions of the GDPR referring to cooperation with the supervisory authority and enabling it access to all personal data and any information.

Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied.

In connection with suspicion of commission of an offence under Article 108 (1) of the Act on the Protection of Personal Data by the President of the Company, the supervisory authority notified the District Public Prosecutor’s Office in Katowice thereof. According to that provision, the prevention or hindering of conducting inspection of compliance with the personal data protection provisions shall be subject to a fine, restriction of personal liberty or imprisonment for up to two years.

The Public Prosecutor’s Office has lodged an indictment against the President of the Company to the court.


English Translation of the Decision

Below you can find the English translation of the decision (see PDF for Original)

 DECISION
CP.421.19.2019

Pursuant to Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018 (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(e) and (f) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended), following an ex officio procedure initiated in the case of Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, lok. 9, the President of the Office for Personal Data Protection, stating that Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, infringed the provisions of Article 31 and Article 58(1)(e) and (f) of the General Data Protection Regulation by not providing access to personal data and other information and premises, resulting in preventing the President of the Office for Personal Data Protection from carrying out control activities necessary for the performance of his tasks,

imposes on Vis Consulting Sp. z o.o. in liquidation, seated in Katowice at 29 Zygmunta Krasińskiego Street 9, a fine of PLN 20,000 (in words: twenty thousand zlotys), which is equivalent to EUR 4,673.56, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as at 28 January 2020.
Justification 

Based on Article 58(1)(b), (e) and (f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1 and OJ L 127, 23.05.2018, p. 2), hereinafter referred to as the Regulation 2016/679, the President of the Office for Personal Data Protection planned to carry out in Vis Consulting Sp. z o.o. with its registered office in Katowice at Zygmunta Krasińskiego 29 lok. 9 (hereinafter also referred to as the "Company") an inspection of compliance of data processing with the regulations on personal data protection. The audit was to be conducted from 29 July 2019 to 2 August 2019.

By letter of [...] July 2019 (ref.: [...]), the Office for Personal Data Protection notified the Company, via Poczta Polska, of the date and scope of the planned inspection. The letter was delivered on [...] July 2019 to the registered office of Vis Consulting Sp. z o.o. (Katowice, ul. Zygmunta Krasińskiego 29, 9), indicated in the National Court Register.

On [...] July 2019, in order to carry out control activities (ZSPR.421.19.2019), the inspectors went to the place indicated in the National Court Register as the address of the Company, but the persons representing the Company were not there. It turned out that this address is the Office of [...] (hereinafter referred to as the "Office") run by [...]. As agreed, the Company sub-leases the commercial premises located in Katowice at 29 Zygmunta Krasińskiego Street, 9, for the so-called 'virtual office'. Only an employee of the Office was found in the premises in question. After the inspectors explained the purpose of their visit, the employee of the Office checked the electronic mail to determine whether any message had been received from the Company in this respect, and informed them that a letter dated [...] July 2019 had been received from the Company, signed by Mr. Paweł Kępka - President of the Board. It followed from the letter that the Company was terminating the lease agreement for premises no. 9 located in Katowice at 29 Zygmunta Krasińskiego Street and that as of [...] July 2019 this entity would not operate at the above-mentioned address. A copy of the aforementioned letter was forwarded to the inspectors.

Moreover, an employee of the Office informed the inspectors that after receiving the letter of [...] July 2019 from the Office of Personal Data Protection, regarding the notification of the planned control in the Company, the content of the letter in question in the form of a scan was transferred to the Company. In order to document the above mentioned findings, on [...] July 2019, the inspectors made an official note.

In connection with the situation, the inspectors asked the employee of the Office to contact the Company in order to determine whether the inspection activities could be carried out. However, it was not possible to establish contact with the Company. Therefore, the inspector asked for a telephone number for the Company. An employee of the Office stated that he could provide information on this entity (including the telephone number) only upon a written request of the President of the Office for Personal Data Protection. The inspectors left a contact telephone number. On the same day, at approximately 2:00 p.m., a man who introduced himself as an "attorney [...]" called the inspector and said he was contacting them on behalf of the Company, but did not know if the inspection could be carried out. In the course of the conversation, this person agreed that he would try to determine by [...] July 2019 whether the inspection could take place.

At the same time, on July [...], 2019, the President of the Office for Personal Data Protection sent a request to the e-mail address of the Office to provide a copy of the lease agreement for the premises in question and to provide contact information to the Company.

On [...] July 2019 the inspectors went again to the Company's address, but also on that day the persons representing the Company were not present. Therefore, no control activities took place. An employee of the Office provided the inspectors with a copy of the sublease agreement for the premises in question. At 11.00 a.m., a person representing himself as "advocate [...]" called the inspectors and informed them that the inspection would not take place.

In this connection, by letter dated [...] August 2019 (ref.: [...]), the President of the Office for the Protection of Personal Data initiated ex officio administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's compliance with the provisions on personal data protection. The above-mentioned correspondence was returned with the note "out of date address".

Based on the financial statements for the period from 1 January 2018 to 31 December 2018 (available on the website of the Ministry of Justice at the address: ekrs.ms.gov.pl), it was established that in the aforementioned period, the Company's net revenue from sales and equivalent items amounted to PLN 426 261.14.

After reviewing all the evidence gathered in the case the President of the Office for Personal Data Protection weighed the following:

According to the information contained in the National Court Register, on July 30, 2019, a resolution was passed to dissolve the Company and put it into liquidation. On 23 August 2019, the District Court in Katowice - Wschód, 8th Commercial Division made an entry in the National Court Register on placing the Company in liquidation. Since then, the Company has been operating under the name of Vis Consulting Sp. z o.o. in liquidation.

Pursuant to Article 57(1)(a) of Regulation 2016/679, each supervisory authority on its territory shall monitor and enforce the application of Regulation 2016/679. In addition, pursuant to Article 58(1)(e) and (f) of Regulation 2016/679, the supervisory authority shall be entitled to access all the premises of the controller and the processor, including the equipment and means of data processing, in accordance with the procedures laid down in EU or Member State law. It should be noted that in accordance with Article 58(6) of Regulation 2016/679, each Member State may provide in its legislation that its supervisory authority has, in addition to the powers referred to in paragraphs 1, 2 and 3, also other powers. As provided for in Article 31 of Regulation 2016/679, the controller and processor and, where applicable, their representatives, shall cooperate with the supervisory authority upon request in the performance of its tasks.

Pursuant to Article 78 paragraph 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "the Act", the President of the Office for the Protection of Personal Data shall carry out the control of compliance with the provisions on personal data protection. Pursuant to Art. 79 sec. 1 point 1 of the Act, the control is carried out by an employee of the Office authorised by the President of the Office.

As stipulated in Art. 84 sec. 1 of the Act, the inspector has the right to: a) enter land and buildings, premises or other rooms between 6:00 and 22:00; b) inspect documents and information directly related to the subject matter of the inspection; c) inspect places, objects, devices, carriers and IT or ICT systems used for data processing; d) demand written or oral explanations and question a person as a witness to the extent necessary to establish the facts; e) have expert opinions and opinions drawn up.

The fact that the President of the Office for Personal Data Protection planned to carry out an inspection in the Company in connection with the findings made during the inspection carried out in V. Sp. z o.o. sp. k. with its registered office in [...] is of significant importance in this case. In the course of the audit conducted in the above-mentioned entity, it was established that it conducts telemarketing activities. In connection with this activity it processes personal data (landline and mobile phone numbers) by means of an ICT system provided by the Company. The system in question is used on the basis of a cooperation agreement on the outsourcing of telemarketing services. The agreement was concluded with the Company on [...] February 2017. An important issue is that V. Sp. z o.o. sp. k. does not have its own database, and all telephone connections are generated only by the IT system made available by the Company.

The content of the aforementioned agreement shows, among other things, that the Company has a technical solution - an ICT system in the form of a computer program, the use of which allows for making telephone calls to fixed and mobile phone numbers according to the location criterion. Moreover, in this agreement it is also indicated that the functionality of the system in question prevents V. Sp. z o.o. sp. k. from accessing any information, including the dialed telephone number. Moreover, in this agreement, the Company declares that in case of using any personal data for the purpose of performing the above-mentioned agreement, it will administer "the above-mentioned data in accordance with the applicable provisions of Polish law". In § 3 point 2 of the aforementioned agreement there is a provision with the following content: "VIS declares that in case of any claims by third parties against V. [...] related to the functionality of the SYSTEM [...], releases V. from this liability to the extent permitted by the applicable law and undertakes to cover all costs related to the protection of V. against such claims".

Due to the fact that V. Sp. z o.o. sp. k. does not have access to personal data processed in this system (i.e. to information about telephone numbers dialled), the President of the Office for Personal Data Protection considered it necessary to carry out control activities also in the Company (i.e. in the entity which, on the basis of the established agreement, is considered to be the data controller). The aim of the inspection was to examine the legality of personal data processing using the system in question.

The fact that it was impossible to carry out the inspection in the Company made it significantly more difficult for the President of the Office for Personal Data Protection to examine the process of personal data processing by V. Sp. z o.o. sp. k.

The evidence gathered in the case indicates that the actions taken by the persons representing the Company definitely prove the lack of cooperation with the President of the Office for Personal Data Protection.

To confirm the above position, the following circumstances should be recalled:

1) after receiving information about the planned control of the President of the Office for Personal Data Protection (letter of [...] July 2019), on [...] July 2019 (two days before the commencement of the planned control), the Company sent a motion to the lessor to terminate the lease agreement for the premises located in Katowice at 29 Zygmunta Krasińskiego Street (address of the Company indicated in the National Court Register);

2) on both [...] July 2019 and [...] July 2019, the Company thwarted the control activities, as no person authorised to represent the Company in the course of the control was found at the Company's address;

3) On 30 July 2019, a resolution was adopted on dissolution of the Company and commencement of liquidation proceedings (this information is contained in the National Court Register).

To sum up, it should be stated that the Company's activities referred to above undoubtedly prove that it does not fulfil its obligations related to the processing of personal data or at least intentionally avoids submitting to the control of the supervisory authority which is the President of the Office for Personal Data Protection. Thus, it should be considered that by preventing the President of the Office for the Protection of Personal Data from carrying out the inspection, the Company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679. It should be pointed out that in accordance with Article 31 of Regulation 2016/679, the controller and the processor and, where applicable, their representatives shall cooperate with the supervisory authority upon request in the performance of its tasks. The obligation to cooperate includes ensuring that the supervisory authority is able to obtain from the controller (and the processor) access to all personal data and all information necessary for the performance of its tasks (Article 58(1)(e) of Regulation 2016/679), to obtain access to any premises of the controller and the processor, including the processing equipment and means in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f) of Regulation 2016/679). This obligation for the controller to cooperate is in fact correlated with the tasks of the supervisory authority as formulated in Article 57 of Regulation 2016/679 and the powers stemming from Article 58 of Regulation 2016/679.

The President of the Office for the Protection of Personal Data, acting on the basis of Article 108 par. 1 of the Act on the Protection of Personal Data, notified the District Prosecutor's Office in [...] of a suspicion of committing an offence consisting in thwarting control activities by the Company. On [...] January 2020, the Office for Personal Data Protection received a notification (file ref. [...]) from the District Prosecutor's Office [...] [...] of sending a bill of indictment against [...] [...] [...], accused of committing an offence under Article 108 of the Act on Personal Data Protection.

Moreover, in view of the above findings, the President of the Office for the Protection of Personal Data, exercising his powers under Article 83 of the Regulation 2016/679, states that in the case under consideration, there are prerequisites for imposing an administrative fine on the Company.

Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case.

In accordance with Article 83 of Regulation 2016/679 - laying down general conditions for the imposition of administrative fines - each supervisory authority shall ensure that the administrative fines referred to in paragraphs 4, 5 and 6 of this Article are effective, proportionate and dissuasive in each individual case (paragraph 1). In accordance with Article 83(2)(b) of Regulation 2016/679, the authority shall pay due attention to the intentional or unintentional nature of the breach in each individual case when deciding whether to impose an administrative pecuniary sanction and when setting the amount of the administrative sanction.

Pursuant to Article 83(2)(k) of Regulation 2016/679, the authority shall, in determining whether to impose an administrative penalty payment and in fixing the amount of the administrative penalty payment, pay due attention in each individual case to any other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided, whether directly or indirectly related to the infringement.

The President of the Office for the Protection of Personal Data has taken into account the following aggravating circumstances when deciding on the administrative fine to be imposed on the Company and when determining its amount, in accordance with Article 83(2)(a)-(k) of Regulation 2016/679:

(1) The infringement found in this case is of considerable gravity and seriousness, as the Company's lack of cooperation with the President of the Office for the Protection of Personal Data has made it impossible for that body to carry out checks on the Company's compliance with the provisions on personal data protection. The Company's action is reprehensible. By its failure to cooperate, the Company prevented the President of the Office for the Protection of Personal Data from making very important findings (concerning the legality of personal data processing), the results of which would undoubtedly have a significant impact on the assessment of the evidence collected in the course of another inspection, which was carried out by the President of the Office for the Protection of Personal Data in V. Sp. z o.o. sp. k. (nature, seriousness and time of the infringement).

The Company deliberately thwarted the inspection, and thus prevented the President of the Office for Personal Data Protection from performing the statutory tasks under Article 58(1)(e) and (f) of Regulation 2016/679. This situation gives rise to a suspicion that the Company's thwarting of the inspection was aimed at preventing the President of the Office for Personal Data Protection from collecting evidence that the processing of personal data by the Company is unlawful (intentional or unintentional nature of the infringement).

The other prerequisites for the administrative fine indicated in Article 83(2)(c)-(k) do not apply in these proceedings, due to their subject matter. Consequently, they did not affect the assessment of the infringement and the level of the administrative penalty imposed.

In determining the amount of the administrative penalty payment, the President of the Office for the Protection of Personal Data did not see any mitigating circumstance affecting the final penalty.

The fixing of the amount of the financial penalty imposed also required the definition of the objectives which that penalty would achieve. It should be pointed out that the financial penalty imposed on the Company in connection with the lack of cooperation with the President of the Office for the Protection of Personal Data is of a repressive nature (it is to cause the Company to incur a financial penalty for the avoidance of control) and of a preventive nature (it is to prevent future violations of law by the Company, but also by other entities). In addition, the financial penalty imposed on the Company is also of a deterrent nature and is related to the prevention of violations. The penalty is designed to deter both the Company and others from recidivism.

In addition, the President of the Office for the Protection of Personal Data undoubtedly cannot accept situations in which entities, by thwarting control activities, prevent the implementation of his statutory tasks.

Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date.

In the opinion of the President of the Office for the Protection of Personal Data, the penalty payment applied meets, in the established circumstances of this case, the conditions referred to in Article 83(1) of Regulation 2016/679, due to the seriousness of the established breach resulting from Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679, which is undoubtedly a lack of cooperation with the supervisory authority in the exercise of its statutory powers, including the prevention of control activities.

Under those provisions, an infringement of the obligation of the controller referred to in Article 31 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10 000 000 and, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable.

An infringement of the obligations of the controller referred to in points (e) and (f) of Article 58(1) of Regulation 2016/679 shall be punishable by an administrative fine of up to EUR 20 000 000 and, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, the higher amount being applicable. Pursuant to Article 83(3) of Regulation 2016/679, the President of the Office for the Protection of Personal Data considers this to be the most serious infringement, and the amount of the fine imposed by this Decision shall not exceed that amount.

In view of the above, the President of the Office for Personal Data Protection has decided as set out in the operative part of this Decision. 

The Decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for the Protection of Personal Data (address: ul. Stawki 2, 00-193 Warsaw). A proportional court fee ("relative entry") is payable on the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002 - Law on Proceedings before Administrative Courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.

Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the case of postponement of the date of payment of the administrative fine or its distribution in instalments, the President of the Office for the Protection of Personal Data shall calculate interest on the unpaid amount on an annual basis, using the reduced rate of interest for delay, announced on the basis of Article 56d of the Act of 29 August 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.

Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to the administrative court shall suspend the execution of the decision on the administrative fine.