UODO (Poland) - DKE.561.25.2020

From GDPRhub
Revision as of 09:54, 20 June 2021 by ARapcewicz (talk | contribs)
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 31 GDPR; Article 58(1)(a) GDPR; Article 58(1)(e) GDPR; Article 83(1) GDPR; Article 83(2) GDPR; Article 83(3) GDPR; Article 83(4)(a) GDPR; Article 83(5)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 19.03.2021
Published:
Fine: 22739 PLN
Parties: n/a
National Case Number/Name: DKE.561.25.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Decyzje Prezesa UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish supervisory authority imposed a fine of EUR 5,000 for failing to cooperate with the DPA by providing access to all personal data and information necessary for the authority to investigate a complaint about irregularities in the processing of the complainant's personal data. The authority stressed that the fine will send a clear signal both to the company and to others that letters from the supervisory authority should not be ignored. Disregarding duties related to cooperation with the supervisory authority, in particular obstructing access to information necessary for the performance of its tasks, constitutes a breach of great gravity and as such is subject to financial sanctions.

English Summary

Facts

The Polish DPA received a complaint from an individual about irregularities in the processing of his or her personal data. As part of the administrative proceedings initiated in order to examine the complaint, the supervisory authority asked the company Funeda sp. z o.o. to respond to the content of the complaint and to answer specific questions regarding the case.

The DPA twice called on the company to provide the explanations necessary for the examination of the case. Despite receiving the correspondence, the company did not reply to the letters addressed to it. Because the information was not provided, the supervisory authority initiated proceedings to impose an administrative fine. The company, despite being correctly notified by the supervisory body and instructed on its right to express its opinion on the collected evidence and materials and its claims, again failed to take any action aimed at clarifying the matter. The Office for Personal Data Protection also made repeated attempts to contact the company by phone and e-mail, using the data from the website. Up to the date of the decision, the company had not contacted the DPA.

Dispute

Holding

The Polish DPA found that the company had breached the GDPR through its lack of cooperation with the authority in the performance of the supervisory authority's tasks, and imposed a fine on the company.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.


        
            
                
THE CHAIRMAN OF PERSONAL DATA

Warsaw, 19 March 2021

DECISION

DKE.561.25.2020
Based on Art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended) and Art. 7 sec. 1 and sec. 2, art. 60, art. 101, art. 101a paragraph 2, art. 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) in connection with Art. 31, art. 58 sec. 1 lit. a) and lit. e) and art. 58 sec. 2 lit. i) in connection with Art. 83 sec. 1-3 and art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) of the Regulation of the European Parliament and the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting an ex officio administrative procedure to impose on Funeda Spółka z o.o. [...] an administrative fine, the President of the Personal Data Protection Office,
finding a breach by Funeda Spółka z o.o. [...] of the provisions of Art. 31 and art. 58 sec. 1 lit. a) and lit. e) of Regulation 2016/679, consisting in the lack of cooperation with the President of the Office for Personal Data Protection in the performance of his tasks and failure to provide access to all personal data and all information necessary for the President of the Office for Personal Data Protection to perform his tasks, i.e. to consider the complaint of Mr. R. Ż. about irregularities in the processing of his personal data,
imposes on Funeda Spółka z o.o. [...] an administrative fine in the amount of PLN 22,739.50 (in words: twenty-two thousand seven hundred and thirty-nine zlotys 50/100).
SUBSTANTIATION
The Office for Personal Data Protection received a complaint from Mr. R. Ż., hereinafter referred to as the "Complainant", about irregularities in the processing of his personal data by Funeda Sp. z o.o. [...], hereinafter referred to as the "Company", consisting in providing the Complainant's personal data to B. S.A., hereinafter referred to as B., and C. Sp. z o.o., hereinafter referred to as C., without a legal basis and failure to fulfill the obligation pursuant to art. 15 of Regulation 2016/679. The President of the Personal Data Protection Office, hereinafter referred to as the "President of the Personal Data Protection Office", as part of the administrative procedure initiated to consider the submitted complaint (reference number [...]), in a letter of [...] August 2020, asked the Company to respond to the content of the complaint and to answer the following specific questions about the case:

from what source, on what legal basis (please indicate specific legal provisions) and for what purpose and in what scope the Company obtained the Complainant's personal data;
whether the Company is currently processing or has processed the Complainant's personal data, and if so, for what purpose, on what legal basis and what these data are (indicate specific legal provisions and submit a copy of the documents on the basis of which the Company processes or processed the Complainant's personal data);
if and when, on what legal basis (please indicate specific legal provisions), for what purpose and in what scope the Company provided the Complainant's personal data to B. and C. (if the Company concluded an agreement with these entities entrusting the processing of personal data, a copy of it should be sent) and until when the Complainant's personal data will be processed in this way (please indicate specific date);
whether the Complainant submitted a request to the Company pursuant to Art. 15 GDPR, and if so, when and how the Company responded to it (please submit correspondence on this matter between the Company and the Complainant);
whether the Company informed the Complainant about the transfer of his personal data to E. Closed-End Investment Fund Non-standard Securitization Fund - if so, when and how (please submit correspondence in this matter to the Complainant), if not - on what legal basis performance of the information obligation in the above scope was waived.

The letter was delivered to the Company on [...] August 2020, as confirmed by the acknowledgment of receipt of the letter-post item. The Company did not respond to the above-mentioned letter. Therefore, on [...] September 2020, a letter was sent to the Company with another summons to immediately provide explanations on the matter. In the letter, the Company was informed that failure to respond to the requests of the President of the Personal Data Protection Office may result - in accordance with Art. 83 sec. 5 lit. e) in connection with art. 58 sec. 1 lit. a) of Regulation 2016/679 - in the imposition of an administrative fine on the Company. This letter was delivered to the Company on [...] September 2020.
Due to the failure by the Company to provide the information necessary to settle the case no. [...], initiated by the Complainant's complaint, the President of the Personal Data Protection Office initiated against the Company - pursuant to Art. 83 sec. 5 lit. e) of Regulation 2016/679, due to the breach by the Company of art. 31 and art. 58 sec. 1 lit. a) of Regulation 2016/679 - administrative proceedings to impose an administrative fine on the Company (reference number DKE.561.25.2020. [...]). The Company was informed about the initiation of the procedure in a letter of [...] December 2020, which was delivered to the Company on [...] December 2020. The Company was also requested by this letter - in order to determine the basis for the penalty, pursuant to Art. 101a paragraph 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) - to present the Company's financial statements for 2019 or - in the absence thereof - a statement on the amount of turnover and financial result achieved by the Company in 2019. The Company did not respond to the above-mentioned letter.
The Company did not provide the information necessary to consider the case in the proceedings with reference number [...], nor did it respond to the letter informing it of the initiation of proceedings, ref. no. DKE.561.25.2020. [...], on imposing an administrative fine on the Company and of the possibility of expressing an opinion on the evidence gathered in the matter. As part of the procedure, attempts were made many times to contact the Company by phone and e-mail on the basis of the data contained on the website [...] (memo on the actions taken). Until the date of this decision, the Company has not contacted the Office.
The company operates in the field of granting loans.
After considering all the evidence collected in the case, the President of UODO considered the following.
Pursuant to Art. 57 sec. 1 lit. a) of Regulation 2016/679, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of art. 51 of Regulation 2016/679 - monitors and enforces the application of this regulation on its territory. As part of his competences, the President of the Personal Data Protection Office, inter alia, examines complaints brought by data subjects, investigates these complaints to the appropriate extent and informs the complainant of the progress and the outcome of these proceedings within a reasonable time (Article 57 (1) (f)). In order to enable the performance of the tasks so defined, the President of the Personal Data Protection Office has a number of powers, specified in Art. 58 sec. 1 of Regulation 2016/679, in the scope of conducted proceedings, including the right to order the administrator and the processor to provide all information needed to perform its tasks (Article 58 (1) (a)) and the right to obtain access from the administrator and the processor to all personal data and all information necessary for the performance of its tasks (Article 58 (1) (e)). Failure to comply with the provisions of Regulation 2016/679, consisting in failure by the administrator or processor to provide access to the data and information referred to above, results in a violation of the authority's rights specified in art. 58 sec. 1 (including the right to obtain data and information necessary to perform its tasks), and is subject - in accordance with art. 83 sec. 5 lit. e) in fine of Regulation 2016/679 - to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover from the previous financial year, with the higher amount being applicable. It should be indicated that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Art. 31 of Regulation 2016/679.
Referring the above-mentioned provisions of Regulation 2016/679 to the actual state of affairs established in this case, and described at the beginning of this decision, it should be stated that the Company - the complainant's personal data administrator - as a party to the proceedings conducted by the President of the Personal Data Protection Office (UODO) no. [...], breached its obligation to cooperate with the President of the Personal Data Protection Office, because it did not provide the information necessary for the data protection authority to perform its tasks, thus preventing it from accessing information and personal data necessary for the substantive resolution of the above-mentioned complaint case. The above is additionally justified by the fact that the Company in no way tried to justify the fact that there was no response to the requests for explanations, and did not contact the Office for Personal Data Protection in the matter. The above-described activity of the Company constitutes a violation of Art. 31 and art. 58 sec. 1 lit. a) and lit. e) Regulation 2016/679.
In the proceedings with reference number [...], the President of UODO twice called on the Company to provide explanations necessary to consider the case. Despite the receipt of the correspondence, the Company has not yet replied to the letters sent by the President of the Personal Data Protection Office. The above state of affairs was not changed by the initiation of proceedings with reference number DKE.561.25.2020. [...] on imposing an administrative fine on the Company. The Company, despite being properly notified by the supervisory body, and also informed about its right to comment on the collected evidence and materials as well as requests, did not take any steps to explain its inactivity or justify the lack of cooperation with the President of the Personal Data Protection Office, and as a result did not allow the data protection authority to fully and thoroughly consider the complaint of the data subject.
At the same time, in the event of a breach by the Entrepreneur of the provisions of Art. 31 and art. 58 sec. 1 lit. a) and lit. e) of Regulation 2016/679, pursuant to art. 83 sec. 3 GDPR, according to which, if the controller or processor intentionally or unintentionally infringes several provisions of this Regulation in the same or related processing operations, the total amount of the administrative fine does not exceed the amount of the penalty for the most serious breach, the President of the Office for Personal Data Protection determined the total amount of the administrative fine at an amount not exceeding that for the most serious of these infringements. In the presented facts, the most serious breach is the failure by the Company to provide access to any personal data and any information necessary for the President of the Personal Data Protection Office to perform its tasks, i.e. violation of the provisions of Art. 58 sec. 1 lit. a) and lit. e) of Regulation 2016/679. The seriousness of this violation is evidenced by the fact that preventing the obtaining of information that the President of the Personal Data Protection Office (UODO) requested and requests from the Company not only prevents thorough consideration of the case, but also results in excessive and unjustified prolongation of the proceedings, which is contrary to the basic principles governing administrative proceedings specified in art. 12 sec. 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended), i.e. the principles of insight and speed of proceedings.
Bearing in mind the above findings, the President of the Personal Data Protection Office states that in the present case there are premises justifying the imposition on the Company - pursuant to Art. 83 sec. 5 lit. e) in fine of Regulation 2016/679 - an administrative fine in connection with the lack of cooperation and failure to provide access to any information and personal data necessary for the President of the Personal Data Protection Office to perform his tasks, i.e. to resolve the case No. [...].
Pursuant to art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. It refers in each case to a number of circumstances listed in points a) to k) of the above-mentioned provision. When deciding to impose an administrative fine on the Company and determining its amount, the President of the Personal Data Protection Office (UODO) took into account the following circumstances aggravating the assessment of the infringement:
1.1. Nature, gravity and duration of the infringement (Article 83 (2) (a) of Regulation 2016/679).
The breach liable to an administrative pecuniary penalty in the present case undermines the system aimed at protecting one of the fundamental rights of a natural person, which is the right to the protection of his personal data, or more broadly, to the protection of his privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are supervisory authorities with tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the performance of these tasks, supervisory authorities have been equipped with a number of control powers, powers to conduct administrative proceedings and remedial powers. On the other hand, specific obligations, correlated with the powers of supervisory authorities, have been imposed on controllers and processors, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to information necessary for the performance of their tasks. The actions of the Company in the present case, consisting in impeding and preventing access to information requested by the President of the Personal Data Protection Office, and resulting in hindering and unjustified prolongation of the proceedings conducted by him, should therefore be considered as detrimental to the personal data protection system, and therefore of great importance and reprehensible in character. The significance of the breach is additionally increased by the fact that the breach by the Company was not an incidental event. The Company's conduct was continuous and long-lasting. It runs from the expiry of the 7-day deadline set in the first letter for the submission of explanations, i.e. from [...] August 2020, until the date of this decision.
1.2. Intentional nature of the breach (Article 83 (2) (b) of Regulation 2016/679).
In the opinion of the President of the Personal Data Protection Office, the Company lacks the will to cooperate in providing the authority with all information necessary to resolve the case in the course of which the authority requested it. This is evidenced in particular by the lack of any reply to the letters of the President of the Personal Data Protection Office addressed to the Company. It should be emphasized that the Company at no stage of the proceedings with reference number [...], nor in the present proceedings, ref. no. DKE.561.25.2020. [...], made any attempt to justify such conduct. Considering that the Company is an entity professionally involved in legal and economic transactions, it should also be assumed that it was (and is still) aware that its failure to provide information (with the knowledge that administrative proceedings with reference number [...], to which the Company is a party, are pending before the President of UODO) constitutes a breach of the basic obligations of the Company, in particular the obligations arising from Regulation 2016/679.
1.3. Lack of cooperation with the supervisory authority to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).
In the course of these proceedings (DKE.561.25.2020. [...]) regarding the imposition of an administrative fine, the Company has not submitted any explanations regarding the case with reference number [...], which makes it difficult for the President of UODO to issue a decision in this matter.
The other premises of the administrative fine specified in Art. 83 sec. 2 of Regulation 2016/679 did not affect (whether as aggravating or mitigating) the assessment of the infringement made by the President of the Personal Data Protection Office (including: any relevant prior infringements by the controller, the manner in which the supervisory authority learned about the infringement, compliance with the measures previously applied in the same case, the use of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (relating to the controller's relationship with the supervisory authority and not the controller's relationship with the data subject), could not be taken into account in the present case (including: the number of injured persons and the extent of the damage suffered by them, actions taken by the administrator to minimize the damage suffered by data subjects, the degree of responsibility of the administrator, taking into account the technical and organizational measures implemented by him, categories of personal data affected by the infringement).
Pursuant to the wording of art. 83 sec. 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of the Personal Data Protection Office, the penalty imposed on the Company in these proceedings meets these criteria. It will discipline the Company to properly cooperate with the President of the Personal Data Protection Office, both in the further course of the proceedings with ref. No. [...] and in any possible other future proceedings with the participation of the Company before the President of the Personal Data Protection Office. The fine imposed by this decision is - in the opinion of the President of the Personal Data Protection Office - proportional to the severity of the breach found and to the possibility of the Company incurring it without major detriment to its activities. Moreover, this penalty will have a deterrent function; it will be a clear signal for both the Company and other entities obliged under the provisions of Regulation 2016/679 to cooperate with the President of the Personal Data Protection Office that disregarding the obligations related to cooperation with him (in particular, obstructing access to information necessary for the performance of his tasks) is a significant violation and as such will be subject to financial sanctions. It should be pointed out here that the imposition of an administrative fine on the Company is - in view of the Company's conduct to date as a party to the proceedings [...] - necessary; it is the only measure at the disposal of the President of the Personal Data Protection Office which will enable access to information necessary in the conducted proceedings.
In view of the failure by the Company to present the financial data requested by the President of the Personal Data Protection Office for 2019, when determining the amount of the administrative fine in this case, the President of the Personal Data Protection Office took into account, pursuant to Art. 101a paragraph. 2 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the estimated size of the Company and the specificity, scope and scale of its operations.
Pursuant to art. 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Art. 83 of the Regulation 2016/679, are calculated in PLN according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table on January 28 of each year, and if the National Bank of Poland does not announce the average EUR exchange rate on January 28 in a given year - according to the average euro exchange rate announced in the table of exchange rates of the National Bank of Poland that is closest after that date.
Bearing in mind the above, the President of the Personal Data Protection Office, pursuant to art. 83 sec. 5 lit. e) of Regulation 2016/679, in connection with Art. 103 of the Act on the Protection of Personal Data of 2018, for the violation described in the sentence of this decision, imposed on the Company an administrative fine in the amount of PLN 22,739.50 (equivalent to EUR 5,000), according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table of January 28, 2021.
Considering the above, the President of the Personal Data Protection Office adjudicated as in the conclusion of this decision.
The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw).
A proportional fee should be paid on the complaint, pursuant to Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Art. 74 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.
In the proceedings before the Provincial Administrative Court, the party has the right to apply for the right of assistance, which includes exemption from court costs and the appointment of an attorney, legal advisor, tax advisor or patent attorney. The right to assistance may be granted at the request of a party submitted prior to the initiation of the proceedings or in the course of the proceedings. The application is free of court fees.
Pursuant to Art. 105 sec. 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from the date the ruling of the administrative court becomes legally binding, to the bank account of the Personal Data Protection Office at NBP, O / O Warsaw, no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 sec. 2 of the aforementioned Act, the President of the Personal Data Protection Office may, upon a justified request of the punished entity, postpone the date of payment of the administrative fine or divide it into installments.
In the event of postponing the payment of the administrative fine or dividing it into installments, the President of the Personal Data Protection Office shall charge interest on the unpaid amount on an annual basis, using a reduced rate of late payment interest, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2020, item 1325, as amended), from the day following the date of submitting the application.
        
              
              
        
        
            2021-05-24