UODO (Poland) - DKN.5112.14.2022
| UODO - DKN.5112.14.2022 | |
|---|---|
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 30(1) GDPR; Article 35(1) GDPR; Article 35(7) GDPR; Article 38(3) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 18.12.2024 |
| Published: | |
| Fine: | 576,220 PLN |
| Parties: | n/a |
| National Case Number/Name: | DKN.5112.14.2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Polish |
| Original Source: | UODO (Poland) (in PL) |
| Initial Contributor: | w.p. |
The DPA found that a financial institution did not guarantee its DPO's independence. In addition, the institution failed to properly document its credit scoring activities. The DPA therefore imposed a total fine of approximately €132,000 (PLN 576,220).
English Summary
Facts
A financial institution (the controller) processed personal data regarding loans applied for by their clients or potential clients (data subjects). To assess data subjects’ creditworthiness, the controller relied on profiling. For this purpose, the controller processed inter alia name, surname, national identification number (PESEL), source of income and information on financial obligations. The profiling resulted in credit scoring, used by the controller to make a decision about a loan application.
The Polish DPA (UODO) carried out an ex officio inspection of the controller's profiling. The purpose of the inspection was to verify that the processing complied with the GDPR.
The inspection raised doubts over the controller's DPO position. The person appointed as DPO was also employed as a consultant within the department responsible for data security. That department also managed the controller's personal data processing. Within the controller's structure, the DPO was under the direct authority of the director of the data security department.
Moreover, the DPA found that no data protection impact assessment had been carried out for the controller's profiling. In addition, the controller's record of processing activities did not include profiling.
Thus, the DPA initiated proceedings against the controller.
Holding
The DPA found violation of Article 38(3) GDPR, Article 30(1) GDPR, Article 35(1) GDPR and Article 35(7) GDPR.
The controller did not guarantee the DPO's independence. Although the controller's policies provided that the DPO should report directly to its highest management body (the board), the actual structure was different. The DPO was simultaneously employed within the data security department and was consequently subordinate to the director of that department, not to the board.
Furthermore, the controller did not properly maintain its record of processing activities. Because the profiling served credit scoring, an accurate description of it had to be included in the record. Without it, the record was ineffective, since it omitted one of the controller's crucial processing operations.
Additionally, the controller did not perform a data protection impact assessment under Article 35 GDPR covering the profiling at stake. The DPA found that, given the risk posed by the profiling and its function, performing a data protection impact assessment was one of the controller's duties.
For the violation of Article 38(3) GDPR, the controller was fined PLN 261,918 (approximately €60,000). In addition, the DPA imposed a fine of PLN 314,302 (approximately €72,000) for the violation of Article 30(1) GDPR, Article 35(1) GDPR and Article 35(7) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
On the basis of Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2024, item 572) and Article 7 par. 1 and 2, Article 60, Article 90, Article 101 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) and Article 57 par. 1 letters a) and h), Article 58 par. 2 letter i), Article 83 par. 1-3 and Article 83 par. 4 letter a) in conjunction with Article 30 par. 1, Article 35 par. 1 and par. 7 and Article 38 par. 3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.5.2016, p. 1, as amended), hereinafter referred to as "Regulation 2016/679", after conducting administrative proceedings initiated ex officio in the case of infringement of the provisions on personal data protection by C. S.A. with its registered office in D. at ul. (...), President of the Personal Data Protection Office1) finding infringement by C. S.A. with its registered office in D. at ul. (...) of the provision of Art. 38 sec. 3 of Regulation 2016/679, consisting in the failure of C. S.A., as the controller, to ensure that the data protection officer reports directly to the controller's top management and does not receive instructions regarding the performance of his/her tasks, imposes on C. S.A. with its registered office in D. at ul. (...), an administrative fine in the amount of PLN 261,918.00 (in words: two hundred sixty-one thousand nine hundred eighteen zlotys); 2) finding a violation by C. S.A. with its registered office in D. at ul. (...) of the provisions:a) Art. 30 sec. 
1 of Regulation 2016/679, consisting in the failure to include profiling in the description of data processing processes (activities) contained in the register of data processing activities maintained by C. S.A.;b) Art. 35 sec. 1 and sec. 7 of Regulation 2016/679, consisting in failure to assess the impact on the protection of personal data in relation to data processing activities consisting in their profiling, imposes on C. S.A. with its registered office in D. at ul. (...), an administrative fine in the amount of PLN 314,302.00 (in words: three hundred fourteen thousand three hundred and two zlotys). Justification The President of the Personal Data Protection Office, hereinafter referred to as the "President of the Personal Data Protection Office", on the basis of art. 78 sec. 1, art. 79 sec. 1 point 1 and art. 84 sec. 1 points 1-4 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the "Act", in connection with art. 57 sec. 1 letters a) and h) and art. 58 sec. 1 letters b) and e) of Regulation 2016/679, in order to verify the compliance of data processing with the provisions on the protection of personal data, carried out inspection activities at C. S.A. with its registered office in D. at ul. (...), hereinafter referred to as "C. S.A." (file reference number: DKN (...)). The President of the UODO carried out inspection activities at C. S.A. from (…) to (…). The scope of the inspection covered the processing of personal data of customers and potential customers of C. S.A. by C. S.A. in connection with their profiling, by determining, among other things: 1) The scope and type of personal data processed. 2) The purpose and duration of personal data processing. 3) Have procedures concerning profiling been developed at C. S.A.? 4) Has C. S.A. 
for the purpose of assessing creditworthiness and analysing credit risk, makes decisions based on automated processing, including profiling, of personal data - also subject to banking secrecy - provided that the person concerned by the automated decision is provided with the right to receive appropriate explanations as to the grounds for the decision taken, to obtain human intervention in order to make a new decision and to express his or her own position, in accordance with art. 105a sec. 1a of the Act of 29 August 1997 - Banking Law (Journal of Laws of 2024, item 1646). 5) Has C. S.A. appointed a data protection officer (art. 37 of Regulation 2016/679). 6) Does C. S.A. keep a register of personal data processing activities and does it include activities consisting in profiling personal data (art. 30 sec. 1 of Regulation 2016/679). 7) Does C. S.A. assesses the impact on the protection of personal data, as referred to in Article 35 of Regulation 2016/679, in particular in relation to data processing activities consisting in their profiling.8) Principles of operation of IT systems used to process personal data, in particular their profiling. The factual circumstances established by the inspectors of the Personal Data Protection Office are described in the inspection report, which was signed by the person authorised to represent C. S.A. Based on the evidence collected during the inspection, the President of the Personal Data Protection Office made the following findings regarding the factual circumstances: I. Facts. 1. C. S.A. processes personal data, including profiling them, also in connection with automated decision-making related to the consideration of credit applications submitted by potential clients or clients of C. S.A. and the conclusion by C. S.A. of agreements regarding the provision of credit services. Profiling of data of customers and potential customers of C. S.A. takes place solely for the purpose of determining their creditworthiness.2.C. S.A. 
also assesses the risk of money laundering and the application of security measures in the R.3 system. C. S.A. processes data of potential customers and clients in the following scope: first name, last name, residential and correspondence address, PESEL number, date of birth, e-mail address, telephone number, country of tax residence, marital status, gender, number of children and their dates of birth, series and number of identity document, source of property values, citizenship, address details of the customer's employer, data on credit obligations. Within the scope of data obtained as a result of profiling, C. S.A. processes such data as: the scoring result, i.e. the credit risk score and the risk category defined by C. S.A.4. As of the date of the inspection by the President of the UODO, the function of the data protection inspector (hereinafter referred to as the IOD) at C. S.A. was held by Mr. SJ. The indicated person held the above-mentioned function from 24 June 2020, based on the resolution of the Management Board of C. S.A. No. (…)/(…). While performing the above-mentioned function, SJ was not directly subordinated to the management board of C. S.A., which is the “top management of the administrator” within the meaning of art. 38 paragraph 3 of Regulation 2016/679. The content of the employment contract concluded on 14 September 2017 with C. S.A. by SJ, who was performing the function of IOD at the time of the inspection, shows that he was employed first in the position of (…) and then, pursuant to annex no. (…) of 25 March 2020, in the position of specialist for (…) in the Team for (…), and then in the Department (…) of C. S.A.5. From the content of the employment contract attached to the above-mentioned employment contract of the job description of the specialist for (...) in the Department of (...) C. S.A. it results that the SJ IOD, who is simultaneously employed as a specialist for (...) in the Team for (...) 
(later the Department of (...)), "reports to" the Director of the Department of (...), to whom he is officially subordinate. In the opinion of the President of the UODO, there is no doubt that the obligation to "report", included in the job description of the SJ in the Department of (...), confirms the direct official subordination of the SJ, who was the IOD in C. S.A. at the time of the inspection, to the Director of the aforementioned department. It also follows from the above that the SJ was directly subordinate to the Director of the Department of (...) also within the scope of the IOD function performed by him, especially since the Director of the aforementioned Department, due to his tasks, performed duties in C. S.A. also related to the management (creation) of data processing processes. In this situation, there is no doubt that the subject of "reporting" by SJ to the Director of the Department (...) were also issues inherently related to the processes of processing personal data by C. S.A.6. In accordance with the content of § (...) C. S.A., it is the Director of the Department (...) who reports directly to the "top management of the controller", referred to in art. 38 sec. 3 of Regulation 2016/679 (i.e. in the case of C. S.A. – to the management board), and not the specialist for (...), who, in accordance with the content of the above-mentioned employment contract and the organizational regulations of C. S.A., reports directly to the Director of the Department (...). Furthermore, in accordance with (...) C. S.A., the scope of the Department's tasks (...) includes, among others, the creation, updating and implementation of the Policy (...) C. S.A., (...) etc.7. In turn, pursuant to § (…) of the (…) Policy in force at C. S.A. on the date of the inspection by the President of the UODO, Mr. SJ, as the data protection inspector, was officially subordinated within the C. S.A. 
organisation directly to the member of the management board responsible for the area of personal data protection, i.e. Ms. PK, who, on the date of the inspection, was a member of the management board responsible for (…). 8. The scope of SJ's basic duties as a specialist for (…) included creating and implementing procedures and policies regarding (…) at C. S.A., monitoring the application of the above-mentioned procedures and policies, as well as specifying requirements in the scope of (…) in C. S.A.'s IT systems and the processes operating at C. S.A. in this respect. In turn, the most important duties of SJ as data protection officer included conducting employee training, participating in legislative processes with regard to personal data protection issues, supporting the implementation of technical and organizational measures serving the security of personal data, handling personal data protection breaches, conducting external correspondence concerning personal data, including within the scope of exercising the rights of data subjects. 9. In accordance with the content of resolution of the Management Board of C. S.A. No. (…)/(…) of June 24, 2020, Mr. KN, employed during the inspection as the Director of the Department (…) on the basis of an employment contract of March 15, 2021, together with annex No. (…) of December 20, 2021, was appointed deputy IOD. KN, as the Director of the Department (…), was SJ's superior within the scope of the duties performed by him as part of his position as a specialist for (…) in the above-mentioned organizational unit of C. S.A.10. C. S.A. 
maintains a register of processing activities, which specifies: personal data set, processing activity, form of data processing, personal data controller, purposes of personal data processing in the set/as part of the processing activity, information fields/scope of data, description of the categories of data subjects, categories of personal data, source of personal data, legal basis for data processing in the set as part of the processing activity, IT systems used to process personal data, expected date of deletion or storage of individual categories of data, general description of technical and organizational security measures, categories of recipients to whom personal data have been or will be disclosed (including recipients in third countries) and the name of the third country/documentation of appropriate security measures. As at the date of the inspection, the aforementioned register did not include any separate activities involving personal data profiling.11. C. S.A. carried out an assessment of the impact on data protection for the credit assessment process of customers applying for credit products (car loan, credit card, line of credit, loan) offered by C. S.A. to individual customers. At C. S.A., no separate data protection impact assessment was carried out for data processing activities involving profiling. In connection with the above findings, on August 4, 2023, the President of the UODO initiated ex officio administrative proceedings regarding the possibility of C. S.A., as the controller, violating the obligations arising from the provisions of art. 30 sec. 1, art. 35 sec. 1 and sec. 7 and art. 38 sec. 3 of Regulation 2016/679. In response, C. 
S.A., in a letter dated August 22, 2023, responded in writing to the identified violations of the provisions on the protection of personal data, which were the subject of the administrative proceedings, listed in the notification of initiation of the proceedings, indicating that, in his opinion, SJ acting as the IOD was subordinate in the C. S.A. organization directly to a member of the C. S.A. management board. responsible for the area of personal data protection, i.e. PK, who held the position of a member of the management board responsible for (...). C. S.A. indicated that the location of the IOD position in the Department (...) "has only an administrative dimension, i.e. it relates exclusively to employee matters (e.g. acceptance of leave) and payroll (determination of financial conditions)". Furthermore, C. S.A. explained that the IOD is an independent entity in the performance of its functions. As proof of the above, C. S.A. attached to the explanations a printout of an e-mail message sent between the IOD and a member of the management board of C. S.A., concerning the acceptance of the control plan and the report for the previous year on its implementation, which, in the opinion of C. S.A., indicates the actual subordination of the IOD directly to a member of the management board of C. S.A. C. S.A. also indicated that, for the avoidance of doubt, it had initiated the process of changing the classification of the IOD within the structures of C. S.A., by placing the Data Protection Inspector directly under a member of the management board. In turn, in a letter dated November 29, 2023, C. S.A. explained that it had changed the content of the organizational regulations and the organizational structure in such a way that the position of the DPO was separated in the organizational structure of C. S.A. C. S.A. indicated that after the changes, the position of the DPO was organizationally subordinated directly to a member of the management board of C. S.A. C. S.A. 
also indicated in a letter dated August 22, 2023 that, taking into account the results of an audit on personal data protection carried out by an external company, even before the inspection carried out by the supervisory authority in May 2022, it had begun working on changing the method of recording processing activities in the register of processing activities from business operational processes to individual types of personal data processing activities in C. S.A. C. S.A. stated that "the currently applicable (...) register of processing activities describes individual processing activities carried out in C. S.A., including profiling." In addition, C. S.A. attached to the explanations contained in the letter dated August 22, 2023, the currently applicable register of processing activities, the content of which included the processing activity in the form of data profiling as part of the creditworthiness assessment (scoring) of C. S.A. customers. In the letter dated August 22, 2023, C. S.A. also explained that the assessment of the effects of the planned processing operations submitted during the inspection concerned the credit assessment process, an inseparable element of which is the scoring process, i.e. the assessment of the customer based on the criteria specified by C. S.A. In C. S.A.'s opinion, the above assessment "may be classified as profiling", even though the functional description of the creditworthiness assessment in the impact assessment does not contain the wording "profiling". C. S.A. pointed out that it took into account scoring and its result as a factor subject to the assessment of the impact on data protection in the credit assessment process, i.e. internal documentation, procedure (...) and the "Policy (...)" procedure. Additionally, reference was made to the "Procedure (...)". At the same time, C. S.A. 
indicated in a letter dated 22 August 2023 that "in response to the comments of the President of the Personal Data Protection Office indicated in the letter dated 4 August 2023", C. S.A. specified the content of the impact assessment in the scope of processing operations related to the assessment of creditworthiness (including the scoring process), by clearly indicating the activity in the form of profiling. C. S.A. attached to the letter a printout of the modified content of the description of the impact assessment. II. In this factual situation, after reviewing all the evidence collected in the case, the President of the Personal Data Protection Office considered the following: II.1. Violation of Article 38 sec. 3 of Regulation 2016/679. In accordance with Art. 38 sec. 3 of Regulation 2016/679, the controller and the processor shall ensure that the data protection officer does not receive instructions regarding the performance of these tasks. He or she shall not be dismissed or penalized by the controller or the processor for fulfilling his or her tasks. The data protection officer shall report directly to the highest management of the controller or the processor. During the inspection, it was established that C. S.A., contrary to the provisions of Art. 38 sec. 3 of Regulation 2016/679, did not apply organizational measures to ensure that the DPO reports directly to the highest management of the controller and did not receive instructions regarding the performance of his or her tasks. The evidence collected clearly shows that in its internal documentation it included organizational solutions that did not meet the requirements specified in the above-mentioned provision of Regulation 2016/679 (employment contract of 14 September 2017 with an annex, organizational regulations before the amendment after the inspection by the President of the Personal Data Protection Office). 
Thus, in view of the fact that on the date of the inspection the data protection officer was employed in the Department (...) of C. S.A. as a specialist for (...) and carried out the orders of his direct superior, i.e. the Director of the aforementioned Department, who was not a person from the "top management of the administrator", it should be stated that C. S.A. violated Article 38 paragraph 3 of Regulation 2016/679. The violation of the above provision also results from the fact that C. S.A. as the controller, in view of the factual circumstances established above (described in points 5-9), did not ensure that the data protection officer did not receive instructions regarding the performance of these tasks. It should be recognised that the full subordination of the data protection officer to the Director of the Department (...) excludes the possibility of ensuring that the officer did not receive instructions regarding the performance of his tasks, all the more so because the department in which he worked was substantively responsible for issues that were also within the spectrum of the duties of the data protection officer, i.e. primarily for information security at C. S.A.. Taking the above into account, it should be stated that from a logical point of view it is impossible for the data protection officer, working in the organisational unit of C. S.A. responsible for information security, and therefore personal data, not to receive instructions from the head of that unit, also within the substantive scope covering issues for which that officer is responsible. For this reason, the explanations of C. S.A. about the alleged actual subordination of the DPO directly to a member of the management board of C. S.A., supported by individual e-mail messages sent by these persons to each other, is unconvincing. It should be noted that by resolution of the Management Board of C. S.A. No. (…)/(…) the data protection inspector of C. 
S.A., employed on the day of the inspection as the Director of the Department (…) of C. S.A. and being at the same time the direct superior of the SJ, was appointed to the function of deputy data protection inspector of the KN, employed in the aforementioned department as a specialist for (…). The above-described situation should also be assessed as a violation of the provisions of art. 38 sec. 3 of Regulation 2016/679, because it is difficult to assume that the data protection inspector of C. S.A., in a situation where a person who is at the same time his direct superior has been appointed as his deputy, does not receive instructions regarding the performance of tasks from the Director of the Department (…). In view of the above, once again, the explanations of C. S.A. in the above-mentioned scope, contained in the letter dated 4 August 2023 addressed to the President of the UODO, should be considered unreliable, in which C. S.A. referred, among other things, to the electronic correspondence attached to the letter indicating, in its opinion, the actual independence of the IOD, despite his formal employment in the C. S.A. organization as subordinate to the Director of the Department (...). Referring to these explanations of C. S.A., it should be stated that the above-mentioned correspondence cannot be considered evidence of the IOD's direct subordination to the highest management of C. S.A., since the content of all documents, starting from the employment contracts concluded with C. S.A. by SJ, who on the date of the inspection held the function of IOD and SC, employed as the Director of the Department (...), and ending with the internal procedures of C. S.A. and its organizational structure, demonstrates the official subordination of the IOD to a person who is not a member of the management board of C. S.A. It should therefore be stated that the explanations of C. S.A. 
in the above-mentioned scope do not contribute anything new to the case and do not constitute an argument against the accusation raised by the President of the UODO regarding the IOD not being subordinate to the highest management of C. S.A. It should be emphasized that the appointment of SJ to perform the function of the IOD in the above-mentioned factual circumstances, and above all in view of the fact that he was employed in the Department (...) and made a subordinate of the director of this unit, is in contradiction with the written, post-audit explanations of C. S.A. regarding the "actual" independence of the IOD and subordination exclusively to the management board of C. S.A. and the content of § (...) in force at C. S.A. as of the date of the inspection of the Policy (...), according to which SJ as the IOD was subordinate in the C. S.A. organization directly to the member of the management board responsible for the area of personal data protection. This means that the Policy (...), in view of the above-mentioned circumstances and the manner of employment of the IOD in C. S.A., was not implemented in this respect in C. S.A., as a result of which C. S.A. did not meet the requirements of Article 38 paragraph 3 of Regulation 2016/679. C. S.A. argues in its explanations that SJ was subordinate to the director of the Department (...) only "organizationally", but in the performance of the IOD's duties he was "actually" subordinate only to the member of the management board of C. S.A. However, the above explanations of C. S.A. cannot be considered authoritative and factual. The one accepted by C. S.A. regulation § (…) of the Policy (…) cannot be merely a declaration that is not supported by the actual state of affairs established during the inspection. 
Therefore, since the aforementioned regulation adopts the principle that the IOD is directly subordinate to the member of the management board responsible for the sphere of data protection, such a declaration must be consistently followed by actions that confirm it. The above-mentioned circumstances of employment by C. S.A. SJ, i.e. his employment in the Department (…) as a subordinate of the director of this unit and the appointment of the latter to perform the function of deputy SJ as IOD, as well as the substantive scope of the tasks performed by the Department (…), contradict the provision of § (…) in force in C. S.A. Policy (…), according to which the IOD is directly subordinate to a member of the management board. In other words, there cannot be a situation, as in the case at hand, where the controller, i.e. C. S.A., introduces certain organizational measures, such as the (...) policy, in which it declares the independence of the DPO in the performance of his duties, including his exclusive and direct subordination to the top management (i.e. in the case at hand, the management board of C. S.A.), and at the same time actually applies organizational and legal solutions, such as employment contracts together with the definition of the scope of duties therein, from which it follows that they are in conflict with the provisions of the policy and, consequently, with the content of art. 38 sec. 3 of Regulation 2016/679. It should be recalled that in the case at hand, in conflict with the requirements of § (...) of the (...) Policy and art. 38 sec. 3 of Regulation 2016/679 is the content of the employment contract concluded with SJ on 14 September 2017, in accordance with which he was employed first in the position of (...), then, pursuant to annex No. (...) of 25 March 2020, in the position of specialist for (...), and then – as of the date of the inspection – in the Department of (...) of C. S.A. 
Therefore, it follows from the content of the job description of the specialist for (...) in the Department of (...) of C. S.A. attached to the aforementioned employment contract, it follows that the IOD of SJ, who is simultaneously employed in the position of specialist for (...) in the Team for (...) (later the Department of (...)), “reports to” the Director of the Department of (...), to whom he is officially subordinate. The above term indicates that the aforementioned the person was obliged to provide the Director of the Department (...) with information on the tasks performed by him, including those related to the function of the data protection officer. It follows clearly from all the duties performed by the SJ and the Director of the Department (...) as of the date of the inspection and the tasks of the aforementioned department that its director was also responsible for the sphere of data processing processes taking place at C. S.A. The above is related to the fact that the SJ, who was subordinate to the Director of the Department (...), performing the function of the DPO, had to be subordinate to him also in the scope of performing this function. Such a situation completely excludes the requirement of the DPO being subordinate to the highest management of the administrator, in accordance with Article 38 paragraph 3 of Regulation 2026/679. It should also be noted that C. S.A., by appointing SJ to perform the function of IOD and at the same time employing him as a specialist for (...) in the Department (...) as a subordinate of the director of this unit and by appointing the aforementioned director to perform the function of deputy SJ as IOD, did not comply with the provisions of its applicable Policy (...), to which it was obliged under art. 24 sec. 1 and sec. 
2 of Regulation 2016/679, according to which, taking into account the nature, scope, context and purposes of processing as well as the risk of violation of the rights and freedoms of natural persons of varying likelihood and severity, the controller shall implement appropriate technical and organisational measures to ensure that processing takes place in accordance with this Regulation and to be able to demonstrate it. These measures shall be reviewed and updated, as necessary (sec. 1). Where proportionate to the processing activities, the measures referred to in sec. 1, include the implementation by the controller of appropriate data protection policies (par. 2). Taking into account all the circumstances of the case indicated above, and above all the formal organization of SJ's work (including when performing the duties of the IOD), the substantive scope of his duties as the IOD and specialist for (...) in the Department (...) and the scope of tasks of the Department (...) of C. S.A., and finally referring to life experience in similar situations, it should be stated that C. S.A.'s explanations, in which he proves that in fact SJ, in the scope of performing the duties of the IOD, was directly and exclusively subordinate to a member of the management board, are unconvincing and are not consistent with the established factual circumstances. In this situation, the provisions of the employment contract concluded with C. S.A. by the SJ, acting as the IOD on the date of the inspection, were in conflict with the content of § (...) of the (...) Policy and art. 38 sec. 3 of Regulation 2016/679, making him both formally and factually directly subordinate to a person who was not a member of the top management of C. S.A. (the Director of the Department (...)). In connection with the above, C. S.A. cannot explain that the above-described situation is consistent with the requirements of Art. 38 sec. 3 of Regulation 2016/679 and § (...) 
of the Policy (...), because, according to C. S.A., this is a "formal" solution, not a factual one. The President of the UODO cannot therefore accept as credible C. S.A.'s explanation that the proof of the IOD's subordination to the top management of C. S.A. is the declaration of the latter, as the controller, that, although formally, among other things on the basis of an employment contract, SJ was officially subordinate to the Director of the Department (...), in fact C. S.A. “did not make full use” of the formal provisions of this agreement and de facto SJ, as the IOD, was directly and exclusively subordinate to the management board of C. S.A. The contradiction between the provisions of the employment contract and the provision of art. 38 sec. 3 of Regulation 2016/679 and § (...) of the (...) Policy of C. S.A. determines that the President of the UODO must find that C. S.A. did not ensure that the IOD was directly subordinate to the top management of C. S.A. as the controller. The official subordination of SJ to the Director of the Department (...), i.e. an internal unit of C. S.A. whose tasks also included activities relating to the sphere of information security in C. S.A., and therefore personal data protection, is also equivalent to the fact that SJ, contrary to the requirement of art. 38 sec. 3 of Regulation 2016/679, received instructions on the performance of the IOD's tasks from the Director of the Department (...). The aforementioned subordination, by the nature of the employment relationship, in which the employee is obliged to follow the orders of the superior, determines the receipt by SJ of instructions that are also significant for the manner in which he performs the function of the IOD in C. S.A. In order to confirm the above argument, reference should be made to the content of the Guidelines of the Article 29 Data Protection Working Party on Data Protection Officers ("DPOs"), amended and adopted on 5 April 2017. 
In accordance with the content of the aforementioned document, "The controller and the processor are responsible for compliance with data protection regulations and must be able to demonstrate compliance. In the event that the controller or processor makes a decision that is inconsistent with the provisions of the GDPR and the recommendations of the DPO (i.e. the data protection officer - note by the President of the UODO), the DPO should be able to clearly present his or her dissenting opinion to the highest management and decision-makers. Article 38(3) provides that <The data protection officer shall report directly to the highest management of the controller or processor.> This direct reporting line ensures that the highest management (e.g. board members) are aware of the DPO's advice and recommendations as part of the DPO's task of informing and advising the controller or processor. Another example of a direct reporting line is the preparation of an annual report to the highest management on the activities carried out by the DPO."[1]

II.2. Infringement of Article 30 sec. 1 and art. 35 sec. 1 and sec. 7 of Regulation 2016/679.

1. Under art. 30 sec. 1 of Regulation 2016/679, each controller and, where applicable, the controller's representative, shall maintain a register of personal data processing activities for which they are responsible. 
That register shall include all of the following information: (a) the name and contact details of the controller and any joint controllers, and, where applicable, the controller's representative and the data protection officer; (b) the purposes of processing; (c) a description of the categories of data subjects and the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation, including the name of that third country or international organisation, and in the case of transfers referred to in art. 49 sec. 1 second subparagraph, documentation of appropriate safeguards; (f) if possible, planned deadlines for deletion of individual categories of data; (g) if possible, a general description of the technical and organisational security measures referred to in art. 32 sec. 1. In view of the above, the infringement by C. S.A. of the provision of art. 30 sec. 1 of Regulation 2016/679 results from the fact, established during the inspection and proceedings, that C. S.A., although it maintains the above register, does not include in it a description of the data processing processes (activities) related to profiling. This fact was confirmed by C. S.A. in the explanations provided during the inspection, indicating that in the register of processing activities it records products, not activities or processes on personal data, and that profiling is an element of granting a credit product, which is included in the register of processing activities. Similar explanations were submitted by C. S.A. in the letter dated 4 August 2023, addressed after the inspection to the President of the Personal Data Protection Office. 
However, it should be noted that profiling, specified in Article 4 point 4 of Regulation 2016/679, is a specific form of automated data processing, as a result of which personal data - in the case of C. S.A. - are used to assess the economic situation of natural persons, i.e. its clients. It should be noted that the register of processing activities is a document that is to describe in a transparent, specific and exhaustive manner the data processing processes taking place at the controller. The lack of the above-mentioned features of the register of processing activities makes it ineffective and even useless, considering the fact that its content is to serve, among other things, the supervisory authority, in the event of its inspection, to obtain information without leaving any doubts as to the processing processes actually taking place at the controller. In view of the above, it should be pointed out that C. S.A. should have also included profiling in the register of processing activities it maintained as a specific form and at the same time an important stage of processing customer data in the broadly understood process of granting them loans. The description of the processing activity related to profiling should be included in the register of processing activities due to the specificity of profiling in data processing, i.e. the use of automated technical devices (means) and the creation of new information about natural persons, including such information, the disclosure of which could lead to negative consequences for them (such as stigmatization, discrimination related to the potential access to information on the property status, i.e. creditworthiness of C. S.A. customers, for unauthorised persons). This, in turn, is of significant importance due to the potential risk of violating the rights or freedoms of data subjects. 
For the reasons indicated above, the clear indication in the content of the register of processing activities of the activity consisting in profiling the data of C. S.A. customers serves data security and is necessary to ensure the transparency and specificity of this document. The above-mentioned view is also confirmed by the literature on the subject. As A. Mednis points out, "It should therefore be assumed that activities are distinguished by the purposes of processing. At the same time, in accordance with the GIODO guidelines, in cases of major differences in the remaining criteria listed in Art. 30 sec. 1 of the GDPR, activities should be distinguished that serve the same purpose but differ in terms of the categories of persons affected by the processing, the categories of data and the method of processing. This is of particular importance in the case of profiling and making automated decisions. The exceptional nature of both activities and their specification in the GDPR mean that they should be distinguished in the register"[2]. In this situation, the failure of C. S.A. to distinguish profiling in the content of the register of processing activities constitutes a violation of Art. 30 sec. 1 of Regulation 2016/679.

2. In accordance with Article 35(1) of Regulation 2016/679, where a type of processing – in particular using new technologies – by reason of its nature, scope, context and purposes is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to commencing processing, assess the impact of the planned processing operations on the protection of personal data. A single assessment may be carried out for similar data processing operations involving a similar high risk. 
In turn, according to Article 35(7) of Regulation 2016/679, the above-mentioned assessment shall include at least: (a) a systematic description of the planned processing operations and the purposes of processing, including, where applicable, the legitimate interests pursued by the controller; (b) an assessment of whether the processing operations are necessary and proportionate in relation to the purposes; (c) an assessment of the risk to the rights and freedoms of data subjects, referred to in paragraph 1; and (d) the measures planned to address the risk, including safeguards and security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned. As established during the inspection, C. S.A. did not carry out a personal data protection impact assessment in relation to data processing activities in the form of profiling. Taking the above into account, it should be stated that the lack of a data protection impact assessment in connection with the profiling of customer data by C. S.A. constitutes a violation of Article 35 paragraph 1 and paragraph 7 of Regulation 2016/679. Furthermore, the assessment of the impact of the planned personal data processing operations by C. S.A., submitted during the inspection, does not meet the requirement contained in Article 35 paragraph 7 lit. a) of Regulation 2016/679, i.e. it does not include, in the systematic description of the planned processing operations, the operation in the form of data profiling carried out in order to determine the creditworthiness of C. S.A. customers. It should be noted that profiling as a form of data processing indicated in Art. 4, point 4 of Regulation 2016/679, in particular in the case of entities such as C. S.A. 
and the circumstances of data processing, should be expressly included in the content of the impact assessment due to the aforementioned specificity of profiling in data processing and the risks associated with it, i.e. the use of automated technical devices (means) and the creation of new information about natural persons, including such information, the disclosure of which could lead to negative consequences for them (stigmatization, discrimination related to the potential availability to unauthorized persons of information on the property status, i.e. the creditworthiness of C. S.A. customers). Therefore, due to the risks associated with data processing through profiling and the risk of violating the rights or freedoms of data subjects in connection therewith, a clear demonstration of profiling as part of the risk analysis and the content of the impact assessment for processing is necessary to ensure the security of such data. Although, as the evidence collected during the inspection shows, C. S.A. does not issue decisions on granting credit in an automated manner, which, in the light of the wording of art. 35 sec. 3 letter a) of Regulation 2016/679 (an extension of the regulation of art. 35 sec. 1), would explicitly oblige it to prepare an impact assessment for profiling activities, it should nevertheless be noted that the list of cases indicated in the above provision, in which the controller is obliged to carry out a data protection impact assessment, is not closed, so this provision does not exclude that carrying out the assessment in question is also obligatory in other cases. The above issue is also addressed on p. 8 of the WP29 Guidelines (WP251rev.01) on automated individual decision-making and profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, last amended and adopted on 6 February 2018, by stating that “Decisions that are not entirely automated may also involve profiling. 
For example, before granting a mortgage loan, a bank may take into account the result of a creditworthiness assessment (scoring) of the borrower, with human intervention still taking place before any decision is taken with respect to the individual concerned.” Furthermore, on p. 29 of the aforementioned Guidelines, the WP29 states that "Article 35(3)(a) refers to assessments involving profiling and decisions 'based' on automated processing, not 'solely' on automated processing. In the WP29's opinion, Article 35(3)(a) will apply to decision-making, including profiling, which produces legal effects or similarly significantly affects the data subject, which is not based wholly on automated processing, as well as decision-making based on automated processing as set out in Article 22(1). (...) The controller can still envisage a 'model' for decision-making based on profiling by significantly increasing the level of human intervention so that the model is no longer a wholly automated decision-making process, although the processing may still pose risks to the fundamental rights and freedoms of individuals. In such a case, the controller must ensure that it is able to address those risks and meet the requirements described in Chapter III of these Guidelines.” In the opinion of the President of the UODO, profiling practiced by C. S.A. is a case which, if only due to the large scale of this activity, its scope, context and objectives, should be covered by a data protection impact assessment. As indicated in the subject literature[3], "the cited provision (art. 35 sec. 3 of Regulation 2016/679 – note by the President of the UODO) imposes an obligation to carry out an assessment if we are dealing with the sequence of <profiling + automated decisions>, however, this does not mean that profiling itself (i.e. when its effect is not automated decisions) is not subject to assessment. It is subject to assessment on the basis of the general principles expressed in art. 
35 sec. 1 of the GDPR, i.e. if stage 1 (i.e. risk analysis – note by the President of the UODO) confirms a high probability of violation of rights and freedoms as a result of the planned profiling. The operations listed in art. 35 sec. 3 GDPR should be treated as examples. This is confirmed by the WP 248 Guidelines (Article 29 Working Party – note by the President of the UODO): <As the expression "in particular" in the introductory sentence of Article 35 paragraph 3 GDPR indicates, the examples listed do not constitute an exhaustive list. There may be "high-risk" processing operations that are not included in the list but pose an equally high risk. These processing operations should also be subject to data protection impact assessments>. The criteria for considering the risk to be high include an assessment or scoring, including profiling and forecasting, in particular based on <aspects relating to the performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of the data subject> (recitals 71 and 91 of the preamble to the GDPR). The Article 29 Working Party cites as an example a financial institution checking its customers against a credit reference database or an anti-money laundering/combating terrorism financing database or a fraud database.” It should also be remembered that in the Communique of the President of the Personal Data Protection Office of 7 June 2019 on the list of types of personal data processing operations requiring an assessment of the effects of processing on their protection (Journal of Laws of 8 July 2019, item 666), issued on the basis of art. 54 paragraph 1 point 1 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) in connection with art. 
35 paragraph 4 and paragraph 6 of Regulation 2016/679, the President of the UODO indicated, among others, the following as personal data processing operations requiring an assessment of the effects of processing: evaluation or assessment, including profiling and prediction (behavioural analysis) for purposes causing negative legal, physical, financial effects or other inconvenience to natural persons, carried out by "banks, other financial institutions authorized to grant loans, lending institutions in the process of assessing creditworthiness." In view of the above, it should be pointed out that C. S.A., by failing to include profiling as a separate activity in its risk analysis and in the data processing impact assessment, violated Article 35 paragraphs 1 and 7 of Regulation 2016/679. It should be noted that C. S.A.'s explanation contained in its letter of 4 August 2023, that the impact assessment carried out by C. S.A. as of the date of the inspection also refers to profiling even though the functional description of the creditworthiness assessment in the impact assessment does not contain the wording "profiling", should not be taken into account. It is impossible to agree with such argumentation of C. S.A., in light of the above argument contained in the justification of this decision. The content of the document containing the assessment of the impact on processing activities should be clear and transparent, and the supervisory authority, when carrying out inspection activities, should not be forced to "guess" what content lies behind the description of the aforementioned assessment. 
The specificity of the profiling process, in the light of the above comments, Guidelines WP 248 of the Article 29 Working Party, the communication of the President of the UODO of 7 June 2019 and the referred-to subject literature, requires the controller to treat this form of processing in a clear and specific manner when formulating the risks associated with it and, as a result, the effects of processing. Hence, formulating risks and effects collectively for the entire service process may, in principle, be correct and compliant with the provisions of Regulation 2016/679; however, in the case of profiling operations related to the granting of loans by C. S.A., due to its specificity described above, it is an action inconsistent with Article 35 sec. 1 and sec. 7 of Regulation 2016/679, because in this way the actual risks and effects associated with profiling are "blurred", camouflaging them, as it were, behind a general description of the credit service.

III. Conduct subject to administrative fines.

The administrative proceedings conducted by the President of the UODO serve to control the compliance of data processing with the provisions on the protection of personal data and are aimed at issuing an administrative decision in order to apply the remedial powers specified in Art. 58 sec. 2 of Regulation 2016/679. In accordance with Art. 58 sec. 2 letter i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of the measures referred to in Art. 58 sec. 2 of Regulation 2016/679, an administrative pecuniary penalty under Article 83 of Regulation 2016/679, depending on the circumstances of the specific case. Taking into account the identified violations of the provisions of Regulation 2016/679, the President of the UODO, exercising his authority specified in the aforementioned provision, found that in the case in question there were grounds for imposing an administrative pecuniary penalty on the Company. 
In accordance with the content of Article 83 paragraph 2 of Regulation 2016/679, administrative pecuniary penalties are imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58 paragraph 2 letters a)-h) and letter j) of Regulation 2016/679. According to Article 83 paragraph 4 letter a) of Regulation 2016/679, infringements of the provisions shaping the obligations of the controller and the processor referred to in Art. 8, 11, 25 to 39 and 42 and 43, shall be subject to, in accordance with par. 2, an administrative pecuniary penalty of up to EUR 10 000 000, and in the case of an undertaking – of up to 2% of its total annual global turnover in the previous financial year, whichever is higher. It should be noted that the President of the UODO, when imposing an administrative pecuniary penalty in this case for an infringement of Art. 30 par. 1 and Art. 35 par. 1 and 7 of Regulation 2016/679 (unrelated to the infringement of Art. 38 par. 3 of Regulation 2016/679), also took into account the content of Art. 83 par. 3 of Regulation 2016/679, according to which if the controller or processor intentionally or negligently, within the same or related processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount of the fine for the most serious infringement. In connection with the finding in this case of an infringement of three provisions of Regulation 2016/679 (Article 30 paragraph 1, Article 35 paragraph 1 and paragraph 7, Article 38 paragraph 3), the President of the UODO is entitled to apply one or more corrective measures specified in Article 58 paragraph 2 of Regulation 2016/679. 
Among these powers of the supervisory authority is the power to apply, in addition to or instead of other measures referred to in this provision, an administrative fine under Article 83, depending on the circumstances of the specific case. The circumstances of this case, in particular the seriousness of the identified infringements, which will be discussed in the following parts of the justification, indicate that it will be appropriate and necessary to exercise this power. The sanction provided by the legislator for the infringement of the provisions shaping the obligations of the controller (including the infringement of the provisions of Article 30 paragraph 1, Article 35 paragraph 1 and paragraph 7, Article 38 paragraph 3 of Regulation 2016/679) is – in accordance with Article 83 paragraph 4 letter a) of Regulation 2016/679 – an administrative pecuniary penalty of up to EUR 10,000,000, and in the case of an undertaking – of up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher. When setting specific sanctions for the infringements identified in this case, the President of the UODO used the guidelines contained in the EDPB Guidelines 04/2022 on the calculation of administrative pecuniary fines under the GDPR (version 2.1) adopted on 24 May 2023, hereinafter referred to as "Guidelines 04/2022". The first step of the methodology for calculating administrative pecuniary fines adopted therein is to "identify the processing operations in a given case and assess the application of Article 83(3) of the GDPR" (see paragraph 17 of the Guidelines 04/2022). 
Expanding on this guidance in paragraph 24 of its guidelines, the EDPB recommends first determining: a) whether the circumstances indicate a single conduct or multiple conducts subject to sanction; b) in the case of a single conduct, whether this conduct constitutes a single infringement or multiple infringements; c) in the case of a single conduct that constitutes multiple infringements, whether the attribution of one infringement excludes the attribution of another infringement or whether they should be attributed in parallel. The interpretation of the concept of "single conduct" is contained – in reference to Article 83(3) of Regulation 2016/679, which refers to "the same or related processing operations" – in paragraph 28 of the EDPB guidelines. According to it, "[t]he term 'related' refers to the principle according to which one conduct may consist of several parts which are implemented as a result of a single act of will and are contextually (in particular as regards the identity of the data subject, the purpose and nature of the processing), spatially and temporally so closely linked that from an objective point of view they can be considered as one coherent conduct". Referring the above provisions of Regulation 2016/679 and the guidelines contained in Guidelines 04/2022 to the circumstances of this case, the President of the UODO stated the following:

1. The President of the UODO found that the actions of C. S.A. concerning the profiling of the personal data of its current and potential customers (or, in principle, the failure to take such actions required by the provisions of Regulation 2016/679) constitute "one coherent conduct" within the meaning presented by the EDPB. The above-mentioned conduct consists in: failing to assess the effects of profiling the personal data of current and future clients of C. S.A. for data protection (constituting an infringement of art. 35 sec. 
1 and 7 of Regulation 2016/679) and failing to include this type of processing operations in the register of personal data processing activities (constituting an infringement of art. 30 sec. 1 of Regulation 2016/679). In the opinion of the President of the UODO, both of these omissions by C. S.A. are the result of a single act of will by C. S.A., in which C. S.A. accepted a priori – which results from the so-called “product” approach to processing processes in the C. S.A. organisation – that the profiling operation is only one of the elements of the credit product and one of the types of processing of personal data that make up this product (alongside, for example, the operation of obtaining personal data, making this personal data available to other entities within the banking system, using it for marketing purposes or finally deleting it). What is also important, C. S.A. – also a priori – considered (since it decided not to conduct a separate assessment of the effects of profiling on data protection) that this type of processing does not stand out from other types of processing operations that make up the credit product in terms of the level of risk of violating the rights or freedoms of persons whose data were profiled. That the processing operations consisting in profiling, which are the subject of both of the considered infringements of the provisions of Regulation 2016/679 (Article 30 paragraph 1 and Article 35 paragraphs 1 and 7), are the same operations within the meaning of Article 83 paragraph 3 of Regulation 2016/679 is indicated – apart from their being covered by a single act of will of C. S.A. – also by the context in which they are performed. In the opinion of the President of the UODO, they are united by: a) the purpose of processing – preparing an assessment of the creditworthiness of customers or potential customers of C. S.A., i.e. their ability to fulfil their obligations towards C. 
S.A.; b) the nature of processing – obtaining personal data from the data subject, from the banking system and other sources; then combining them and making on their basis – in an almost entirely automatic manner and beyond the control of the data subjects – an assessment of their creditworthiness; c) the level of risk – higher than in the case of other processing operations performed as part of a credit product – which results from the nature of the profiling operation indicated above; d) the identity of persons whose data are profiled – the processing concerns all current and potential customers using the procedures (...) of C. S.A. Considering that: firstly, C. S.A.'s actions (its omissions) related to profiling constitute one coherent conduct (which results from their inclusion in one act of will and the context of processing covered by this act of will), and secondly, this conduct violates two provisions of Regulation 2016/679 (Article 30 paragraph 1 and Article 35 paragraph 1 and paragraph 7), it should be stated that neither of these identified infringements excludes the attribution of the other to C. S.A. In particular, neither of them constitutes a "qualified type" of the other infringement, is "subordinate" to the other, or constitutes a staged form of the other infringement (preparation, attempted commission) - see Subsection 3.1.1 of Guidelines 04/2022. The above results primarily from the fact that the purposes of the two violated provisions and the legal interests they protect are different. The provision of Article 35 paragraph 1 of Regulation 2016/679 defines the first – fundamental – step towards creating an effective personal data protection system by the controller, adequate to the level of risks. It therefore aims – by obliging the controller to assess the effects of processing on data protection – to directly ensure the proper protection of the personal data of the persons concerned. 
On the other hand, the provision of Article 30 paragraph 1 of Regulation 2016/679 does not refer directly to the protection of the rights and interests of persons whose data are processed by the controller. Its purpose is to provide the supervisory authority with the information it needs to perform one of its tasks – the correct assessment of the risks related to the data processing operations performed by the controller and the assessment of the adequacy of the data protection security measures implemented by it. The above therefore allows us to attribute both infringements to C. S.A. “in parallel” – neither of them excludes the attribution of the other to C. S.A. In this situation, the provision of Article 83 paragraph 3 of Regulation 2016/679 will apply to both of these infringements.

2. The actions of C. S.A. leading to the infringement of Article 38 paragraph 3 of Regulation 2016/679 do not constitute a single conduct together with its omissions considered above leading to the infringement of Article 30 paragraph 1 and Article 35 paragraphs 1 and 7 of Regulation 2016/679. This is evidenced by the following circumstances: a) in contrast to the conduct of C. S.A. constituting an infringement of Article 30 paragraph 1 and Article 35 paragraphs 1 and 7 of Regulation 2016/679, its conduct resulting in the infringement of Article 38 sec. 3 of Regulation 2016/679 did not consist in omission but in action, i.e. in adopting a resolution of the Management Board of C. S.A. of 24 June 2020 on appointing an employee of the Department (...) of C. S.A. to the position of IOD (without changing his position in the structure of C. S.A.); b) unlike the conduct of C. S.A. related to profiling, the actions of C. S.A. resulting in the infringement of Art. 38 sec. 3 of Regulation 2016/679 did not directly concern any processing operations performed in C. 
S.A.; it is true that the infringement of the status of the IOD and of his position independent of the controller may indirectly adversely affect the proper security of data processing and the proper protection of the rights, freedoms and interests of persons whose data are processed, but this is not a direct and automatic impact; c) the decision of C. S.A. on the position of the IOD in its structure was independent of the act of will of C. S.A. leading to the violation of Art. 30 sec. 1 and Art. 35 sec. 1 and 7 of Regulation 2016/679; it concerned a different area of regulation of Regulation 2016/679 (the purpose and motivation of this conduct were different), and it was also undertaken in a different temporal context (June 2020, while the omission related to profiling operations had already occurred since January 2019). At this point, it should be indicated that the only reason why the violation of Art. 38 sec. 3 of the Regulation is considered – alongside the two previous ones – in one proceeding (and assessed in one decision of the President of the UODO) is the circumstance that it was found during an inspection, the purpose of which was – in accordance with the plan of sectoral inspections of the President of the UODO for 2022 – to examine in banking sector entities “the processing of personal data in the scope of profiling personal data of customers and potential customers and the method of informing persons applying for a loan about the credit assessment performed”. As stated in Guidelines 04/2022, such a situation excludes the application of the limitation of the total amount of the imposed administrative fine to the (maximum) amount of the fine for the most serious infringement, resulting from Art. 83 sec. 3 of Regulation 2016/679 (see sec. 45 of Guidelines 04/2022).

3. To sum up the above: a) The President of the UODO found in this case two infringements carried out by C. S.A. 
– by one conduct – infringement of the provisions of Regulation 2016/679 (Article 30 paragraph 1 and Article 35 paragraphs 1 and 7). In relation to both of these infringements, the provision of Article 83 paragraph 3 of Regulation 2016/679 was applied, and – in connection with the fact that both infringements are punishable (in abstracto) by the same penalty under Article 83 paragraph 4 of Regulation 2016/679 (up to EUR 10 000 000 or up to 2% of the annual turnover) – both infringements should be attributed the same seriousness. The consequence of this is that it is impossible to impose a penalty for both of these infringements that is higher than the maximum penalty for one of them (EUR 10,000,000 – due to the need to adopt the so-called “static maximum penalty” in relation to C. S.A. – see point 5 on pages 38-39 of the justification for this decision). b) by separate conduct (not concerning the same processing operations and not connected in any way with the processing operations concerned by the previous two infringements), C. S.A. violated another provision of Regulation 2016/679 – Art. 38 sec. 3. Due to this separate nature of C. S.A.’s conduct, the President of the UODO did not consider it together with the previous infringements and did not include the amount of the penalty imposed for them in the total amount of the penalty imposed on C. S.A. for the infringement of Art. 30 sec. 1 and Art. 35 sec. 1 and 7 of Regulation 2016/679). The provision of art. 83 sec. 3 of Regulation 2016/679 does not apply to this infringement – it does not in any way concern the processing operations that are the subject of infringements related to profiling the data of current and potential customers of C. S.A. IV.1. Infringement of art. 38 sec. 3 of Regulation 2016/679 – grounds for the assessment of an administrative fine (art. 83 sec. 2 of Regulation 2016/679). In connection with the above, when deciding to impose an administrative fine for the infringement by C. S.A. of art. 
38 sec. 3 of Regulation 2016/679, the President of the UODO – in accordance with the content of art. 83 sec. 2 lit. a) - k) of Regulation 2016/679 – took into account the following circumstances of the case, which constitute the necessity to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a) of Regulation 2016/679) – the nature of the infringement is an aggravating circumstance for C. S.A. due to the fact that, as a professional entity whose significant part of its business activity is large-scale data processing involving a relatively high risk of violating the rights or freedoms of data subjects, it was obliged to exercise special diligence in order to entrust the DPO with the duties in a proper manner. The European legislator in Article 38 paragraph 3 of Regulation 2016/679, therefore, included the obligation for the DPO to be directly subordinate to the highest management of the controller, because it considered that, due to the nature and importance of this function for data security, it is significant and requires full substantive independence and a far-reaching independence in the organizational hierarchy of the controller. C. S.A., by failing to meet the above requirement, clearly weakened the security of the processed data and betrayed the basic obligations of the controller established in the provisions of Regulation 2016/679. The violation of the regulations, related to the appointment of the DPO in a way that did not ensure his direct subordination to the highest management of the controller and the failure to receive instructions on the performance of the DPO's tasks (violation of Art. 38 sec. 
3 of Regulation 2016/679), is of significant importance due to the type of data processed by C. S.A. data (e.g. data on the financial situation of data subjects, PESEL number, etc.), the method of processing (use of IT systems, profiling) and the large scale of processing. Ensuring the independence of the IOD in an institution such as C. S.A., taking into account the above circumstances of processing, i.e. taking into account the nature, scope and scale of data processing by C. S.A., translates into the security of these data and, as a result, the rights and freedoms of persons whose data are processed, including the method of their implementation. It should also be emphasized that the IOD's direct subordination to the highest management of the controller and the lack of instructions regarding the performance of tasks serves to ensure the independence of the IOD, which is also to guarantee the effective and proper performance by him of the tasks assigned to him in Art. 39 of Regulation 2016/679. Additionally, as it results from the evidence collected during the investigation conducted against C. S.A. control, the infringement of the provisions of Regulation 2016/679 regarding the data protection officer took place continuously and intentionally from the date of appointment by C. S.A. SJ to perform the function of the IOD, i.e. from 24 June 2020 (based on the resolution of the Management Board of C. S.A. No. (…)/(…)), until at least 22 August 2023. In written explanations from C. S.A. dated the abovementioned date, it informed the President of the UODO that changes aimed at eliminating the infringement had only just been initiated. It should therefore be stated that the infringement was long-term, as it took place for over 3 years. 
The infringement of the provision of Article 38 paragraph 3 of Regulation 2016/679 established by this decision is not affected by the criterion of the number of injured data subjects and the extent of the damage they suffered, since no injured persons were identified in the case in question. It should also be noted that the aforementioned infringement was not directly related to the processing of personal data by C. S.A., so that damage to natural persons in the case in question did not and could not have occurred. Nevertheless, due to the nature, gravity and duration of the above-mentioned infringement of the provisions of Regulation 2016/679, the above-mentioned premise considered in its entirety should be assessed as aggravating.

b) the intentional nature of the infringement of the provisions of Regulation 2016/679 by C. S.A. (Article 83 paragraph 2 letter b of Regulation 2016/679) – the evidence collected during the inspection and the explanations given by C. S.A. in the letter dated 22 August 2023 indicate that C. S.A. consciously appointed the DPO in a way that did not ensure his direct subordination to the controller's top management (violation of Article 38 paragraph 3 of Regulation 2016/679). The action in this respect, given the content of the employment contracts concluded with SJ and KN, bore the characteristics of an intentional act, i.e. the circumstances of the case indicate that C. S.A. was aware of the above-mentioned omissions and of their potential consequences for compliance with Article 38 paragraph 3 of Regulation 2016/679, but consented to their potential occurrence. It should be noted that the content of all the above-mentioned documents indicates that C. S.A. was also aware of the incorrect organization of the DPO's work, which is why the intentional nature of the infringement of the provisions of Regulation 2016/679 is beyond doubt.
The EDPB Guidelines 04/2022 indicate that "the intentional or unintentional nature of the infringement (Article 83 paragraph 2 letter b) of the GDPR) should be assessed taking into account the objective elements of conduct collected based on the factual circumstances of the case." The EDPB emphasized that it is generally accepted that "intentional infringements showing contempt for the law are more serious than unintentional ones." In the case of an intentional infringement, it is likely that the supervisory authority will assign greater weight to this factor.

c) relevant previous infringements of the provisions of Regulation 2016/679 by the controller (Article 83 paragraph 2 letter e of Regulation 2016/679) - when deciding on the imposition and amount of an administrative fine, the supervisory authority is obliged to take into account any previous infringements of Regulation 2016/679. The EDPB in Guidelines 04/2022 explicitly states: "The existence of previous infringements may be considered an aggravating factor when calculating the amount of the fine. The weighting given to this factor should be determined taking into account the nature and frequency of the previous infringements. However, the absence of previous infringements cannot be considered a mitigating circumstance, as compliance with the provisions [of Regulation 2016/679] is the norm". And although, as the above-mentioned Guidelines point out, "greater importance should be given to infringements concerning the same subject matter, because they are closer to the infringement that is the subject of the current proceedings, in particular where the controller or processor has previously committed the same infringement (repeated infringements)" (point 88 of the Guidelines), nevertheless "all previous infringements may constitute information about the controller's or processor's general approach to compliance with the provisions of Regulation 2016/679".
The supervisory authority has already found in previously issued administrative decisions that C. S.A. has violated the following provisions on personal data protection:

1) in the decision of 29 September 2022 (ref. (...)), for infringement of the provision of art. 6 sec. 1 of Regulation 2016/679, the President of the UODO issued a warning to C. S.A.;

2) in the decision of 8 May 2023 (ref. (...)), for infringement of the provision of art. 15 sec. 1 lit. c of Regulation 2016/679, the President of the UODO ordered C. S.A. to fulfil the information obligation;

3) in the decision of 9 May 2023 (reference number (...)), for infringement of the provision of Art. 15 sec. 1 letter a of Regulation 2016/679, the President of the UODO ordered C. S.A. to fulfil the information obligation;

4) in the decision of 14 November 2022 (ref. (...)), for infringement of the provision of Art. 15 sec. 1 letter c and Art. 12 sec. 3 of Regulation 2016/679, the President of the UODO ordered C. S.A. to fulfil the information obligation and issued it with a warning;

5) in the decision of 1 February 2024 (reference number (...)), for infringement of the provision of Art. 6 sec. 1 of Regulation 2016/679, the President of the UODO issued a warning to C. S.A.;

6) in the decision of (...) (ref. (...)), for infringement of the provision of art. 33 sec. 1 of Regulation 2016/679, the President of the UODO imposed on C. S.A. an administrative fine in the amount of (...) zlotys.

The above-mentioned earlier infringements indicate a generally disregarding approach of C. S.A. to the issue of data protection. The remedial measures previously applied to it in the above-mentioned cases – including twice in May 2023, when the President of the UODO ordered C. S.A. to adapt its personal data processing operations to the provisions of Regulation 2016/679 due to the infringement of art. 15 sec. 1 letter c) of Regulation 2016/679 and art. 15 sec. 1 letter a) of Regulation 2016/679, and the decisions admonishing C. S.A. for violating the provisions of Art. 6 sec. 1 of Regulation 2016/679, as was the case in the cases referenced (…) and (…) – fully justify the imposition of a financial penalty in these proceedings, as well as its amount. It is not without significance that the last decision for violating the provisions of Regulation 2016/679 in which the supervisory authority imposed an administrative fine on C. S.A. was issued (…), i.e. relatively recently before the issuance of this decision. The above circumstance should be referred to the content of Guidelines 04/2022, according to which "The time at which the earlier infringement took place should be taken into account, taking into account that the longer the time between that infringement and the infringement that is the subject of the currently ongoing proceedings, the less significance that earlier infringement has. Consequently, the longer the infringement took place, the less significance should be attributed to it by supervisory authorities" (point 84 of the Guidelines). Therefore, the above circumstance should have an impact on the final decision of the supervisory authority and the amount of the administrative fine imposed. In view of the above, in the present case it should be considered that there are grounds to treat the premise of Article 83 paragraph 2 letter e) of Regulation 2016/679 as aggravating.

When deciding to impose an administrative fine for an infringement of Article 38 paragraph 3 of Regulation 2016/679, the President of the UODO also took into account the following circumstance of the case, which had a mitigating effect on the amount of the administrative fine imposed:

- the degree of cooperation with the supervisory authority in order to eliminate the infringement and mitigate its possible negative effects (Article 83 paragraph 2 letter f of Regulation 2016/679) - during the inspection, C. S.A. provided complete and specific explanations in connection with its subject matter and the identified infringements of the provisions on the protection of personal data. Moreover, after the inspection by the President of the UODO, C. S.A. took actions and measures aimed at improving the state of compliance with the provision of Article 38 paragraph 3 of Regulation 2016/679, in connection with the infringement thereof identified during the inspection. This was manifested in the separation of the DPO position in the organizational structure of C. S.A. and the change in the content of the Organizational Regulations of C. S.A. (written explanations of C. S.A. of November 29, 2023). For the above reason, the degree of cooperation of C. S.A. with the supervisory authority in order to eliminate the violation and mitigate its possible negative effects should be assessed as satisfactory, and therefore it constitutes a mitigating factor in determining the amount of the administrative fine.

The other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, were – after assessing their impact on the violation of the provision of Article 38 paragraph 3 of Regulation 2016/679 found in this case – considered neutral by the President of the UODO in his assessment, i.e. having neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine, namely:

a) actions taken by C. S.A. to minimize the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679) - the evidence collected during the inspection and administrative proceedings shows that the actions (omissions) of C. S.A. did not cause any damage to data subjects;

b) the degree of liability of C. S.A., taking into account the technical and organizational measures implemented by it under Article 25 and 32 of Regulation 2016/679 (Article 83 paragraph 2 letter d of Regulation 2016/679) – the violation of the provision of Article 38 paragraph 3 of Regulation 2016/679 is not related to the technical and organizational measures applied by C. S.A. referred to in Article 25 and 32 of Regulation 2016/679, therefore the premise indicated in Article 83 paragraph 2 letter d) of Regulation 2016/679 has no aggravating or mitigating effect on the amount of the imposed administrative pecuniary penalty in the case at hand;

c) the categories of personal data concerned by the breach (Article 83 paragraph 2 letter g of Regulation 2016/679) – because the breach consisting in failure to ensure the independence of the data protection officer in the organizational structure of C. S.A. is not directly related to a breach of the protection of any personal data (or their categories), this premise by its nature cannot be applied to the assessment of this breach;

d) the manner in which the supervisory authority learned of the breach, in particular whether and to what extent the controller or processor reported the breach (Article 83 paragraph 2 letter h of Regulation 2016/679) – the supervisory authority learned of the breach of the provisions of Regulation 2016/679 as a result of conducting inspection activities. The above fact should be assessed as neutral for the decision;

e) where measures referred to in Article 58 paragraph 2 have previously been ordered against the controller concerned with regard to the same subject matter – compliance with those measures (Article 83 paragraph 2 letter i of Regulation 2016/679) – before issuing this decision, the President of the UODO had not applied any measures listed in Article 58 paragraph 2 of Regulation 2016/679 to C. S.A. in the case at hand, and therefore C. S.A. was not obliged to take any action related to their application whose assessment by the supervisory authority could have an aggravating or mitigating effect on the assessment of the established infringement;

f) application of approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83 paragraph 2 letter j of Regulation 2016/679) – C. S.A., as of the date of the decision, did not apply approved codes of conduct or approved certification mechanisms referred to in the provisions of Regulation 2016/679. However, their adoption, implementation and application is not – as provided for in the provisions of Regulation 2016/679 – obligatory for controllers, therefore the circumstance of their non-application cannot be considered to the detriment of C. S.A. in this case. On the other hand, the adoption and application of such instruments, as means guaranteeing a higher than standard level of protection of personal data processing, could be considered to its advantage; however, in the case at hand such a circumstance did not occur;

g) financial benefits achieved directly or indirectly in connection with the infringement or losses avoided (Article 83 paragraph 2 letter k of Regulation 2016/679) – during the inspection, no impact of the infringement of the provisions of Regulation 2016/679 on the financial benefits achieved or losses avoided by C. S.A. was found. Therefore, there is no basis to treat this circumstance as aggravating for C. S.A. A finding that there were measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 would have to be assessed clearly negatively. On the other hand, the fact that C. S.A. did not achieve such benefits is, as a natural state independent of the infringement and its effects, a circumstance which by its nature cannot be mitigating for C. S.A.
This interpretation is confirmed by the very wording of the provision of Article 83 paragraph 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved", i.e. actually obtained, by the entity committing the infringement;

h) other aggravating or mitigating factors applicable to the circumstances of the case (Article 83 paragraph 2 letter k of Regulation 2016/679) - the President of the UODO, in a comprehensive examination of the case, did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the administrative fine imposed.

IV.2. Infringement of Article 38 paragraph 3 of Regulation 2016/679 - determining the amount of the administrative fine.

It is necessary to indicate that when determining the amount of the administrative fine for the infringement of Article 38 paragraph 3 of Regulation 2016/679, the President of the UODO applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with the guidelines presented in this document:

1) The President of the UODO categorized the infringement of the provision of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The infringement of the provision of Art. 38 sec. 3 of Regulation 2016/679 belongs - in accordance with Art. 83 sec. 4 letter a) of Regulation 2016/679 - to the category of infringements punishable by a penalty of up to EUR 10,000,000 or up to 2% of the total annual turnover of the enterprise in the previous financial year. It should therefore be stated that, in the light of the classification of infringements of the provisions of Regulation 2016/679 adopted by the European legislator and the penalties provided for in connection therewith, the infringement of Article 38 paragraph 3 of Regulation 2016/679 is one of those of lesser gravity.
2) The President of the UODO assessed the infringement of Article 38 paragraph 3 of Regulation 2016/679 found in this case as an infringement of medium level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, those premises listed in Article 83 paragraph 2 of Regulation 2016/679 which concern the subject matter of the infringement (they make up the "seriousness" of the infringement) were taken into account, i.e.: the nature, gravity and duration of the infringement (Article 83 paragraph 2 letter a) of Regulation 2016/679), the intentional or unintentional nature of the infringement (Article 83 paragraph 2 letter b) of Regulation 2016/679) and the categories of personal data concerned by the infringement (Article 83 paragraph 2 letter g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. It should be noted that considering their combined impact on the assessment of the infringement found in this case, taken as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is medium. The consequence of the above is the adoption – as the starting amount for calculating the penalty – of a value ranging from 10% to 20% of the maximum amount of the penalty that may be imposed on C. S.A., i.e. – taking into account the limit specified in Article 83 paragraph 4 of Regulation 2016/679 – from EUR 1,000,000 to EUR 2,000,000 (see: Subchapter 4.2.4 of Guidelines 04/2022). The President of the UODO considered the amount of EUR 1,000,000.00 (equivalent to PLN 4,365,300.00) to be an adequate starting amount justified by the circumstances of this case.

3) The President of the UODO adjusted the starting amount, corresponding to the medium seriousness of the identified infringement, to the turnover of C. S.A. as a measure of its size and economic power (see Chapter 4.3 of Guidelines 04/2022).
In accordance with Guidelines 04/2022, in the case of undertakings whose annual turnover, as in the present case, is between EUR 50 million and EUR 100 million, the supervisory authority may consider further calculating the amount of the fine on the basis of a value between 8% and 20% of the starting amount. Considering that the turnover (revenue) of C. S.A. in the last financial year (from 1 April 2023 to 31 March 2024) amounted to PLN 430,699,360.00, i.e. EUR 98,664,320.89 (at the average EUR exchange rate of 29 January 2024), the President of the Personal Data Protection Office considered it appropriate to adjust the amount of the penalty to be calculated to a value corresponding to 20% of the starting amount, i.e. to EUR 200,000.00 (equivalent to PLN 873,060.00).

4) The President of the Personal Data Protection Office assessed the impact on the established infringement of the other circumstances (apart from those included above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to the subjective side of the infringement, i.e. to the entity itself that is the perpetrator of the infringement and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The premises referred to in Article 83 paragraph 2 letters c), d), g), h), i), j), k) of Regulation 2016/679 – as indicated above – had no impact, neither mitigating nor aggravating, on the assessment of the infringement and, consequently, on the amount of the penalty.
Due to the existence of one mitigating circumstance in the case (the degree of cooperation in eliminating the infringement) and one aggravating circumstance (relevant previous infringements), the President of the UODO, assessing their combined impact on the assessment of the infringement, considered it justified to further reduce the amount of the fine established taking into account C. S.A.'s turnover (item 3 above); a reduction to EUR 120,000.00 (the equivalent of PLN 523,836.00) would be adequate to the combined impact of both of these premises on the assessment of the infringement. The President of the UODO emphasises that the most significant (mitigating) impact on this assessment was the elimination of the infringement by C. S.A. before the issuance of this decision; this fact should be emphasised and appreciated, because the purpose of these proceedings and of the remedial measures applied by the President of the UODO is primarily to bring the personal data processing by C. S.A. into compliance with the law.

5) Despite the fact that the amount of the fine determined in accordance with the above principles does not exceed the legally defined maximum fine, the President of the UODO considered that it requires additional correction due to the principle of proportionality, listed in Article 83 paragraph 1 of Regulation 2016/679 as one of the three directives on the assessment of the fine (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine in the amount equivalent to EUR 120,000.00 would be an effective penalty (due to its severity, it would achieve its repressive purpose, which is to punish unlawful conduct) and a deterrent one (effectively discouraging both C. S.A. and other controllers from committing future infringements of the provisions of Regulation 2016/679). However, such a penalty would be – in the opinion of the President of the Personal Data Protection Office – disproportionate due to its excessive severity.
The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see point 137 and point 139 of Guidelines 04/2022). In other words: "A penalty is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of a specific case"[4]. Therefore, taking into account the proportionality of the penalty, the President of the Personal Data Protection Office further reduced the amount of the penalty for the infringement of Article 38 paragraph 3 of Regulation 2016/679 – to 50% of the amount obtained after taking into account aggravating and mitigating circumstances (see point 4 above), i.e. to EUR 60,000.00 (the equivalent of PLN 261,918.00). In his opinion, such a determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is a threshold above which further increases in the amount of the penalty would not increase its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the penalty could be at the expense of its effectiveness and deterrent nature, as well as of the coherent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities on the EU and EEA internal market.

IV.3. Infringement of art. 30 sec. 1 and art. 35 sec. 1 and sec. 7 of Regulation 2016/679 – grounds for imposing an administrative fine (art. 83 sec. 2 of Regulation 2016/679).

In turn, when deciding to impose an administrative fine for the infringement by C. S.A. of the provisions of art. 30 sec. 1 and art. 35 sec. 1 and sec. 7 of Regulation 2016/679, the President of the UODO imposed one fine because the infringement of both of the above provisions concerns the same conduct of C. S.A. as a controller, related to one data processing operation, i.e. profiling.
Thus, the President of the UODO – pursuant to art. 83 sec. 2 lit. a) - k) of Regulation 2016/679 – took into account the following circumstances of the case, which make it necessary to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a of Regulation 2016/679) – the infringement of the provisions related to:

- the failure to include profiling operations in the description of the data processing processes (activities) conducted by C. S.A. contained in the register of processing activities (infringement of art. 30 sec. 1 of Regulation 2016/679), and

- the failure to include in the data protection impact assessment the processing activities consisting in profiling (infringement of art. 35 sec. 1 and sec. 7 of Regulation 2016/679),

is of significant importance due to the type of data processed by C. S.A. (e.g. data on the financial situation of data subjects, PESEL number, etc.), the method of processing (use of IT systems, profiling) and the large scale of processing. Moreover, the nature of the processing (profiling) is in this case an aggravating circumstance for C. S.A., because the processing technique (automation, use of IT systems) and the specific risks for data subjects resulting from the use of this technique require the controller to be particularly responsible and sensitive to the issues of protecting the processed data. An additional aggravating circumstance is the commercial nature of the processing, related to the achievement of profit by C. S.A.
The requirements for the proper application of the processing measures referred to in Regulation 2016/679 are higher for an entity processing data for the purpose of achieving economic benefits, and therefore generally having significant financial and organizational resources, due to the greater technical, financial and operational capabilities of such an entity. Profiling is also characterized by a relatively high degree of reduction of human participation in the process, which causes an increased risk of losing control over it, along with all its consequences, such as excessive processing and loss of confidentiality, integrity and availability of data. It should be remembered that the profiling process creates completely new personal data in relation to the "initial" data, on the basis of which automated IT systems (often involving artificial intelligence) assess, e.g., the creditworthiness of bank customers. The above-mentioned data concern vital life interests of data subjects, which is why the failure to consider profiling specifically in the register of processing activities and when conducting the impact assessment may reduce the security of such data, because those operations are then improperly taken into account when selecting the technical and organizational measures meant to ensure that security. In such circumstances, it may happen that even the controller itself, i.e. C. S.A., is not fully aware of the risks associated with performing profiling operations, which may result in a problem with selecting the appropriate organizational and technical measures for the security of processing. This, in turn, translates directly into an increase in the level of risk of violating the rights or freedoms of data subjects (whose data are processed).
An incorrectly prepared register of processing activities (not taking profiling operations into account), as well as an incorrectly prepared data protection impact assessment, were in force at C. S.A. from 15 January 2019, i.e. from the date of approval of the impact assessment by the management board of C. S.A., which the President of the UODO adopted as the starting date of validity of the above-mentioned documents, until August 2023 (written explanations of C. S.A. of 22 August 2023 together with information on their modification). The infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 was therefore long-term, because until the moment it was remedied it lasted approximately 4.5 years. The infringement of the provisions of Regulation 2016/679 established by this decision is not affected by the criterion of the number of injured data subjects and the extent of the damage they suffered, because in the case at hand no injured persons were found. However, due to the nature, gravity and duration of the above-mentioned infringement, this premise, considered as a whole, should be assessed as aggravating.

b) the unintentional nature of the infringement of the provisions of Regulation 2016/679 by C. S.A. (Article 83(2)(b) of Regulation 2016/679) – it follows from the evidence collected during the inspection and from the explanations of C. S.A. contained in the letter of 22 August 2023 that the omissions of C. S.A., consisting in not including profiling in the description of the data processing processes (activities) contained in the register of processing activities kept by C. S.A. (infringement of Article 30(1) of Regulation 2016/679) and in failing to take into account in the data protection impact assessment the processing activities consisting in profiling (infringement of Article 35(1) and (7) of Regulation 2016/679), were, given the content of the aforementioned documents and the methodology of their creation (the so-called product approach to the description of processing processes in the register of activities and in the impact assessment), the result of an unintentional action related to a lack of awareness of the obligation to clearly include profiling in their content. However, this does not change the fact that C. S.A., as a professional entity for which data processing is an essential element of its business activity, should have had the awareness and knowledge in this respect, and the aforementioned infringement therefore constituted negligence. For this reason, the unintentional nature of the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 does not exempt C. S.A. from liability on that account and also weighs against it when determining the amount of the administrative fine.

c) the categories of personal data concerned by the infringement (Article 83(2)(g) of Regulation 2016/679) – the personal data processed by C. S.A. cover a fairly wide range of data categories. They include: first name, last name, residential and correspondence address, PESEL number, date of birth, e-mail address, telephone number, country of tax residence, marital status, gender, number of children and their dates of birth, series and number of identity document, source of assets, citizenship, address details of the client's employer and data on credit obligations. Furthermore, among the data obtained as a result of profiling, C. S.A. processes data such as the scoring result, i.e. the credit risk score and the risk category defined by C. S.A. It should also be noted that the personal data processed by C. S.A. include the PESEL registration number. Although it does not belong to the special categories of data referred to in Article 9(1) of Regulation 2016/679, it should be emphasized that unauthorized disclosure of the PESEL registration number together with the first name and surname, which unambiguously identify a natural person, may in particular have a real and negative impact on the protection of the rights or freedoms of that person. As the Provincial Administrative Court in Warsaw indicated in its judgment of 1 July 2022 (case no. II SA/Wa 4143/21, Legalis No. 2760091), "[i]n the event of a breach of data such as first name, last name and PESEL number, it is possible to steal or falsify the identity by means of third parties obtaining, to the detriment of the persons whose data has been breached, loans from non-bank institutions or fraudulent insurance or insurance funds, which may result in negative consequences related to an attempt to attribute responsibility for such fraud to the data subjects." As indicated in Guidelines 04/2022 (p. 22): "As regards the requirement to take into account the categories of personal data concerned by the breach (Article 83(2)(g) of the GDPR), the GDPR clearly indicates the types of data that are subject to special protection and therefore a more stringent response when imposing fines. This applies at least to the types of data covered by Articles 9 and 10 of the GDPR and to data not covered by these articles, the dissemination of which immediately causes damage or discomfort to the data subject (e.g. location data, private communication data, national identification numbers or financial data such as transaction records or credit card numbers). Generally speaking, the more such categories of data are concerned by the breach or the more sensitive the data is, the more weight the supervisory authority may attach to this factor." It should therefore be considered that the PESEL registration number, i.e. an eleven-digit numeric symbol that uniquely identifies a natural person and contains, among other things, the date of birth and a gender designation, which are closely linked to the private sphere of a natural person, and which, as a national identification number, is also subject to protection under Article 87 of Regulation 2016/679, is data of a special nature and as such requires equally special protection. In the case at hand, the above-mentioned circumstances are therefore aggravating for the decision and the amount of the penalty, because they relate to C. S.A.'s failure to include profiling operations in the register of processing activities and in the data protection impact assessment. In other words, the categories of data processed by C. S.A. had an impact in this case on C. S.A.'s infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 and on the seriousness of this infringement, because in the context of profiling operations they are of significant importance for the broadly understood security of data and the risk of violating the rights or freedoms of data subjects. Therefore, the above criterion in this case should be considered aggravating for the decision and the amount of the administrative fine imposed on C. S.A.

d) relevant previous infringements of the provisions of Regulation 2016/679 by the controller (Article 83(2)(e) of Regulation 2016/679) – with regard to the above-mentioned premise, reference should be made to the argumentation presented in point IV.1, in relation to the allegation of infringement of Article 38(3) of Regulation 2016/679.

When deciding to impose an administrative fine for the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679, the President of the UODO took into account the following circumstance of the case, which had a mitigating effect on the amount of the administrative fine imposed:
- the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679) – during the inspection, C. S.A. provided complete and specific explanations and, in addition, in its written post-inspection explanations, first presented a plan of corrective actions and then their implementation. After the inspection by the President of the UODO, C. S.A. presented a modified register of processing activities and a changed content of the data protection impact assessment. In both of the above-mentioned documents, the processing operation in the form of profiling was taken into account separately and clearly. This circumstance should therefore be considered mitigating in the case at hand.

The other circumstances indicated below, referred to in Article 83(2) of Regulation 2016/679, were, after an assessment of their impact on the infringement of Article 38(3) of Regulation 2016/679 found in this case, deemed by the President of the UODO to be neutral, i.e. having neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed:

a) actions taken by C. S.A. to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679) – the evidence collected during the inspection and the administrative proceedings shows that the actions (omissions) of C. S.A. constituting an infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 did not cause damage to the data subjects;

b) the degree of responsibility of C. S.A., taking into account the technical and organizational measures implemented by it under Articles 25 and 32 of Regulation 2016/679 (Article 83(2)(d) of Regulation 2016/679) – with regard to the above-mentioned premise, reference should be made to the argumentation presented in point IV.1 above, in relation to the allegation of infringement of Article 38(3) of Regulation 2016/679;

c) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement (Article 83(2)(h) of Regulation 2016/679) – with regard to the above-mentioned premise, reference should be made to the argumentation presented in point IV.1 above, in relation to the allegation of infringement of Article 38(3) of Regulation 2016/679;

d) where the controller concerned has previously been subject to the measures referred to in Article 58(2) in the same case, compliance with those measures (Article 83(2)(i) of Regulation 2016/679) – with regard to the above-mentioned premise, reference should be made to the argumentation presented in point IV.1 above, in relation to the allegation of infringement of Article 38(3) of Regulation 2016/679;

e) adherence to approved codes of conduct under Article 40 or approved certification mechanisms under Article 42 (Article 83(2)(j) of Regulation 2016/679) – with regard to the above-mentioned premise, reference should be made to the argumentation presented in point IV.1 above, in relation to the allegation of infringement of Article 38(3) of Regulation 2016/679;

f) financial benefits gained, or losses avoided, directly or indirectly from the infringement (Article 83(2)(k) of Regulation 2016/679) – with regard to the above-mentioned premise, reference should be made to the argumentation presented in point IV.1 above, in relation to the allegation of infringement of Article 38(3) of Regulation 2016/679;
g) other aggravating or mitigating factors applicable to the circumstances of the case (Article 83(2)(k) of Regulation 2016/679) – the President of the UODO, having comprehensively considered the case, did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the administrative fine imposed.

IV.4. Infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 – determination of the amount of the administrative fine.

It should be noted that, when determining the amount of the administrative fine for the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679, the President of the UODO applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with that document:

1) The President of the UODO categorized the infringements of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). Infringements of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 belong, in accordance with Article 83(4)(a) of Regulation 2016/679, to the category of infringements punishable by a fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year. It should therefore be stated that, in light of the classification of infringements of Regulation 2016/679 adopted by the European legislator and the penalties provided for in connection therewith, the infringement of the above provisions of Regulation 2016/679 is among those of lesser importance.

2) The President of the UODO assessed the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 found in this case as an infringement of a medium level of seriousness (see Chapter 4.2 of Guidelines 04/2022).
In this assessment, the following premises were taken into account from among those listed in Article 83(2) of Regulation 2016/679 that concern the subject matter of the infringements (they constitute the "seriousness" of the infringement): the nature, gravity and duration of the infringements (Article 83(2)(a) of Regulation 2016/679), the intentional or unintentional nature of the infringements (Article 83(2)(b) of Regulation 2016/679) and the categories of personal data concerned by the infringements (Article 83(2)(g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. It should be noted that their combined impact on the assessment of the infringement found in this case, taken as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is medium. The consequence of this is the adoption, as the starting amount for calculating the fine, of a value ranging from 10% to 20% of the maximum fine that may be imposed on C. S.A., i.e., taking into account the limit specified in Article 83(4) of Regulation 2016/679, from EUR 1,000,000 to EUR 2,000,000 (see Subchapter 4.2.4 of Guidelines 04/2022). The President of the UODO considered the amount of EUR 1,200,000.00 (equivalent to PLN 5,238,360.00) to be an adequate starting amount justified by the circumstances of this case.

3) The President of the UODO adjusted the starting amount, corresponding to the medium seriousness of the identified infringement, to the turnover of C. S.A. as a measure of its size and economic power (see Chapter 4.3 of Guidelines 04/2022).
In accordance with Guidelines 04/2022, in the case of undertakings whose annual turnover, as in the present case, is between EUR 50 million and EUR 100 million, the supervisory authority may consider further calculating the amount of the fine on the basis of a value between 8% and 20% of the starting amount. Considering that the turnover (revenue) of C. S.A. in the last financial year (from 1 April 2023 to 31 March 2024) amounted to PLN 430,699,360.00, i.e. EUR 98,664,320.89 (at the average EUR exchange rate of 29 January 2024), the President of the UODO considered it appropriate to adjust the amount of the fine to be calculated to the value corresponding to 20% of the starting amount, i.e. to EUR 240,000.00 (equivalent to PLN 1,047,672.00).

4) The President of the UODO assessed the impact on the established infringement of the remaining circumstances indicated in Article 83(2) of Regulation 2016/679 (apart from those already taken into account above in the assessment of the seriousness of the infringement) (see Chapter 5 of Guidelines 04/2022). These circumstances, which may have an aggravating or mitigating effect on the assessment of the infringement, refer, as assumed by Guidelines 04/2022, to the subjective side of the infringement, i.e. to the entity that committed the infringement and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The premises referred to in Article 83(2)(c), (d), (h), (i), (j) and (k) of Regulation 2016/679, as indicated above, had no impact, neither mitigating nor aggravating, on the assessment of the infringement and, consequently, on the amount of the fine.
Due to the existence of one mitigating circumstance in the case (the degree of cooperation in remedying the infringement) and one aggravating circumstance (relevant previous infringements), the President of the UODO, assessing their combined impact on the assessment of the infringement, considered it justified to further reduce the amount of the fine determined with regard to C. S.A.'s turnover (point 3 above); after taking into account the combined impact of both of the above-mentioned premises on the assessment of the infringement, the President of the UODO considered it appropriate to reduce it to EUR 144,000.00 (equivalent to PLN 628,603.20). The President of the UODO emphasises that this assessment was most significantly (and in a mitigating direction) influenced by the fact that C. S.A. remedied the infringement before this decision was issued; this fact deserves to be emphasised and appreciated, because the purpose of these proceedings and of the remedial measures applied by the President of the UODO is, first and foremost, to bring the processing of personal data by C. S.A. into compliance with the law.

5) The President of the UODO found that the amount of the administrative fine for the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 determined in the manner presented above does not exceed, pursuant to Article 83(3) of Regulation 2016/679, the legally defined maximum fine provided for the most serious infringement (see Chapter 6 of Guidelines 04/2022). Both infringements, of Article 30(1) and of Article 35(1) and (7) of Regulation 2016/679, are subject to the same penalty, so both should be assigned the same seriousness. As indicated above, they are subject to an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
The President of the UODO determined that the "dynamic maximum amount" for this infringement and this perpetrator, expressed as a percentage (2%) of its turnover, would be EUR 1,973,286.42, and that therefore the "static maximum amount" of EUR 10,000,000 for the infringement in question should be applied in this case, as the higher one. The amount of EUR 144,000 indicated above clearly does not exceed EUR 10,000,000.

6) Although the amount of the fine determined in accordance with the above principles does not exceed the legally defined maximum fine, the President of the UODO considered that it requires an additional correction on account of the principle of proportionality, listed in Article 83(1) of Regulation 2016/679 as one of the three directives for the assessment of the fine (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine of EUR 144,000 would be an effective penalty (its severity would allow it to achieve its repressive purpose, which is to punish unlawful conduct) and a dissuasive one (effectively discouraging both C. S.A. and other controllers from committing future infringements of the provisions of Regulation 2016/679). However, such a penalty would, in the opinion of the President of the UODO, be disproportionate due to its excessive severity. The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see points 137 and 139 of Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of hardship determined by taking into account the circumstances of a specific case"[5]. Therefore, taking into account the proportionality of the penalty, the President of the UODO further reduced the amount of the fine for the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 to 50% of the amount obtained after taking into account the aggravating and mitigating circumstances (see point 4 above), i.e. to EUR 72,000.00 (equivalent to PLN 314,302.00). In the opinion of the President of the UODO, setting the final amount of the fine in this way will not reduce its effectiveness and dissuasive nature. This amount is the threshold above which further increases in the fine would not increase its effectiveness and dissuasive nature. On the other hand, a greater reduction could come at the expense of its effectiveness and dissuasive nature, as well as of the consistent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities on the EU and EEA internal market.

When deciding whether to impose an administrative fine and when setting its amount, the President of the UODO considered the serious nature of the infringement of the provisions of Regulation 2016/679, in particular Article 30(1) and Article 35(1) and (7) of Regulation 2016/679, to be the most important factor: the failure to include profiling in the description of the data processing processes (activities) contained in the register of processing activities kept by C. S.A., and the failure to carry out a data protection impact assessment in relation to the processing activities consisting in profiling. The requirement to keep a register of processing activities (Article 30(1) of Regulation 2016/679) and the requirement to carry out a data protection impact assessment (Article 35(1) of Regulation 2016/679) come down to including in those activities and documents the actual processing processes (operations) taking place at a given controller. When creating the register of processing activities and conducting the impact assessment, C. S.A. "hid" the profiling operation within the description of other processes (e.g. those related to granting loans). Such an approach is permissible in many cases (the so-called product approach to the content of the register and the risk assessment); however, due to the specific nature of profiling described above in this decision and the related threats to the rights or freedoms of data subjects, it was in the present case inconsistent with the above provisions of Regulation 2016/679.

V. Summary.

Pursuant to Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the złoty equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 is calculated at the average euro exchange rate announced by the National Bank of Poland in its exchange rate table as of 28 January of each year and, if in a given year the National Bank of Poland does not announce an average euro exchange rate on 28 January, at the average euro exchange rate announced in the exchange rate table of the National Bank of Poland closest after that date. In 2024, the average euro exchange rate was announced by the National Bank of Poland as of 29 January 2024 at EUR 1 = PLN 4.3653 (https://nbp.pl/archiwum-kursow/tabela-nr-020-a-nbp-2024-z-dnia-2024-01-29/).

Taking the above into account, the President of the UODO, on the basis of Article 83(3) and Article 83(4)(a) of Regulation 2016/679 in conjunction with Article 103 of the Act on the Protection of Personal Data, for the infringements described in the operative part of this decision, imposed on C. S.A., applying the average euro exchange rate announced by the National Bank of Poland on 29 January 2024 (EUR 1 = PLN 4.3653), the following administrative fines:
a) PLN 261,918 (in words: two hundred sixty-one thousand nine hundred eighteen zlotys), the equivalent of EUR 60,000.00, for the infringement of Article 38(3) of Regulation 2016/679;
b) PLN 314,302 (in words: three hundred fourteen thousand three hundred two zlotys), the equivalent of EUR 72,000.00, for the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679;
i.e. a total of PLN 576,220 (the equivalent of EUR 132,000).

In the opinion of the President of the Personal Data Protection Office, the administrative fines imposed, in the total amount of PLN 576,220 (in words: five hundred seventy-six thousand two hundred twenty zlotys), fulfil, in the established circumstances of this case, the functions referred to in Article 83(1) of Regulation 2016/679, i.e. they are effective, proportionate and dissuasive in this individual case. The fines should be considered effective if their imposition leads to C. S.A. processing the personal data of its customers in compliance with the requirements of the provisions it violated and, moreover, to C. S.A. being able to demonstrate compliance with those provisions and the principles resulting from them that it previously violated. As to the amount of the administrative fines imposed on C. S.A., the President of the UODO considered that they are proportionate both to the gravity of the violations of Regulation 2016/679 found in this case and to the financial situation of C. S.A., and will not constitute an excessive burden for it. The financial report submitted to the President of the UODO by C. S.A., which also contains information on the income earned (loss incurred) in the period from 1 April 2023 to 31 March 2024, shows that the revenue from C. S.A.'s activities in that period amounted to PLN 430,699,360 (in words: four hundred thirty million six hundred ninety-nine thousand three hundred sixty zlotys); the administrative fines imposed in this case therefore amount to approximately 0.13% of the revenue achieved by C. S.A. in the period for which it presented financial data.

At the same time, it is worth emphasizing that:
1) the fine imposed for the infringement of Article 38(3) of Regulation 2016/679 (PLN 261,918.00) is only approximately 0.6% of the maximum fine that the President of the UODO could have imposed on C. S.A. for this infringement by applying, in accordance with Article 83(4)(a) of Regulation 2016/679, the maximum threshold of EUR 10,000,000 (PLN 43,653,000.00 at the average euro exchange rate of 29 January 2024 of PLN 4.3653);
2) the fine imposed for the infringement of Article 30(1) and Article 35(1) and (7) of Regulation 2016/679 (PLN 314,302.00) is only approximately 0.72% of the maximum fine that the President of the UODO could have imposed on C. S.A. for this infringement by applying, in accordance with Article 83(4)(a) of Regulation 2016/679, the maximum threshold of EUR 10,000,000 (PLN 43,653,000.00 at the average euro exchange rate of 29 January 2024 of PLN 4.3653).

The dissuasive nature of the administrative fines imposed relates to preventing future infringements of the provisions of Regulation 2016/679 and to C. S.A. attaching greater importance to the performance of its tasks as a data controller. The fines are intended to deter both C. S.A. from repeating infringements of these provisions and other entities involved in data processing. When imposing administrative fines for violating the provisions on personal data protection by this decision, the President of the UODO took into account both aspects: firstly, the repressive one (C. S.A. violated the provisions of Regulation 2016/679), and secondly, the preventive one (both C. S.A. and other entities participating in the processing of personal data will be more attentive and diligent in fulfilling their obligations under Regulation 2016/679).
In other words, in the opinion of the President of the UODO, the administrative fines will fulfil a repressive function, as they constitute a response to C. S.A.'s violation of the provisions of Regulation 2016/679, but also a preventive function, as C. S.A. itself will be effectively discouraged from violating the provisions on personal data protection in this way in the future. The purpose of the penalties imposed is to oblige C. S.A. to properly perform its obligations under Regulation 2016/679 and, consequently, to process data in accordance with the applicable legal provisions. It should be emphasized that the penalties will be effective if their imposition leads to C. S.A. bringing its data processing processes into a state compliant with the law. The application of administrative fines in this case is also necessary considering that C. S.A. disregarded the obligation to designate a Data Protection Officer in a manner ensuring that he reports directly to the highest management level of C. S.A. as controller, and also violated the obligation to keep a register of processing activities and to carry out a data protection impact assessment in a reliable manner that transparently reflects the essence of its data processing processes. In the opinion of the President of the UODO, the administrative fines applied fulfil, in the established circumstances of this case, the functions referred to in Article 83(1) of Regulation 2016/679, i.e. they are effective, proportionate and dissuasive in this individual case. In connection with the above, it should be indicated that administrative fines in the total amount of PLN 576,220.00 meet the conditions referred to in Article 83(1) of Regulation 2016/679 in view of the seriousness of the established infringement of the provisions of Regulation 2016/679. In this factual and legal situation, the President of the Personal Data Protection Office decided as set out in the operative part.
[1] Guidelines of the Article 29 Data Protection Working Party on Data Protection Officers ("DPOs"), as last revised and adopted on 5 April 2017, p. 16.
[2] A. Mednis, Personal Data Protection Law in Relation to the Profiling of Natural Persons, Presscom sp. z o.o., Wrocław 2019, pp. 300-301.
[3] A. Mednis, Personal Data Protection Law in Relation to the Profiling of Natural Persons, Presscom sp. z o.o., Wrocław 2019, p. 292.
[4] P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...], Commentary to Article 83, in: P. Litwiński (ed.), General Data Protection Regulation. Act on the Protection of Personal Data. Selected Sectoral Provisions. Commentary.
[5] P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...], Commentary to Article 83, in: P. Litwiński (ed.), General Data Protection Regulation. Act on the Protection of Personal Data. Selected Sectoral Provisions. Commentary.