UODO (Poland) - DKE.561.16.2021
UODO (Poland) - DKE.561.16.2021 | |
---|---|
Authority: | UODO (Poland) |
Jurisdiction: | Poland |
Relevant Law: | Article 31 GDPR; Article 58(1)(e) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 01.12.2021 |
Fine: | 18192 PLN |
Parties: | Pactum Poland Sp. z o.o. |
National Case Number/Name: | DKE.561.16.2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Polish |
Original Source: | UODO (in PL) |
Initial Contributor: | Maciej Niezgoda |
The Polish DPA fined Pactum Poland Sp. z o.o. PLN 18,192 (approx. €3862) for failing to cooperate with the DPA by not providing access to personal data and other information necessary for the performance of the DPA's tasks, in violation of Article 31 GDPR.
English Summary
Facts
The DPA received a complaint from a data subject regarding irregularities in the processing of his personal data by Pactum Poland Sp. z o.o. (the controller), which is a loan company. The DPA asked the controller several times to respond to the content of the complaint and to answer questions regarding the case. The DPA wanted to know from the controller, among other things, whether the controller is currently processing the data subject's data and, if so, on what legal basis and for which purpose. Moreover, the DPA wanted to know whether the company had properly informed the data subject before collecting his data and whether the controller had disclosed the data subject's data to a third party and, if so, on what legal basis. Despite receiving numerous requests from the DPA, the controller did not respond to any of them.
As a result, the DPA initiated ex officio proceedings against the controller for not complying with the requests of the DPA.
Holding
The DPA fined Pactum Poland Sp. z o.o. PLN 18,192 (approx. €3862) for failing to cooperate with the DPA by not providing access to personal data and other information necessary for the performance of the DPA's tasks under Article 58(1)(e) GDPR. The DPA also found that, by not answering the questions of the DPA, the controller violated its general obligation to cooperate with the DPA under Article 31 GDPR. In the DPA's view, the controller's failure to respond indicates the controller's unwillingness to support the DPA in establishing the facts of the case and correctly resolving it, and a flagrant disregard of its obligation to cooperate with the DPA.
In view of the above, the DPA concluded that the requirements for imposing an administrative fine under Article 83(4)(a) and (5)(e) GDPR were met.
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
PRESIDENT OF THE PERSONAL DATA PROTECTION OFFICE

Warsaw, December 1, 2021

DECISION

DKE.561.16.2021

Based on Art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended), art. 7 section 1 and section 2, art. 60, art. 101, art. 101a paragraph 2, art. 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), art. 83 sec. 1-3, art. 83 sec. 5 lit. e) in connection with Art. 31, art. 58 section 1 lit. e), art. 58 sec. 2 lit. i) of Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting an ex officio administrative procedure to impose on Pactum Poland Sp. z o.o. with headquarters in Wrocław at ul. Długa 11 lok. 13 an administrative fine, the President of the Personal Data Protection Office,

finding a breach by Pactum Poland Sp. z o.o. based in Wrocław of the provisions of art. 31 and art. 58 sec. 1 lit. e) of Regulation 2016/679, consisting in the lack of cooperation with the President of the Personal Data Protection Office in the performance of his tasks and failure to provide access to personal data and other information necessary for the President of the Personal Data Protection Office to perform his tasks,

imposes on Pactum Poland Sp. z o.o. with headquarters in Wrocław at ul. Długa 11 lok. 13 an administrative fine in the amount of PLN 18,192 (in words: eighteen thousand one hundred and ninety two zlotys).

JUSTIFICATION

The Office for Personal Data Protection received a complaint from Mr. S. M. (hereinafter referred to as the "Complainant") about irregularities in the processing of his personal data by Pactum Poland Sp. z o.o.
with headquarters in Wrocław at ul. Długa 11 lok. 13, entered into the register of entrepreneurs of the National Court Register under number 0000296808 (hereinafter referred to as the "Company").

The President of the Personal Data Protection Office (hereinafter the "President of the Personal Data Protection Office"), as part of the administrative procedure initiated to consider the complaint (reference number [...]), in a letter of [...] July 2020, asked the Company to comment on the content of the complaint and to answer the following specific questions about the case:

- when (please indicate the exact date), from what source, on what legal basis (please indicate a specific legal provision/s), for what purpose and scope (please list the data categories), the Company obtained the Complainant's personal data;
- whether the Company is currently processing the Complainant's personal data, and if so, on what legal basis (please indicate a specific legal provision/s), for what purpose, to what extent and for how long the Company will process the Complainant's personal data;
- whether the Company fulfilled the information obligation towards the Complainant, and if so, when, in what form and to what extent;
- whether the Complainant asked the Company to stop processing his personal data or to fulfill the information obligation towards him, and if so, how the Company responded to the requests in question;
- whether the Company disclosed the Complainant's personal data to other entities, if so, to whom, when, on what legal basis (please indicate a specific legal provision, if the Company has entered into a personal data processing agreement, please send a copy thereof), for what purpose and scope.

The letter of [...] July 2020, ref. No. [...], was directed to the address of the registered office of the Company disclosed in the National Court Register, i.e. ul. Długa 11, 53-657 Wrocław - valid on the date of posting the correspondence.
The Office for Personal Data Protection received a return of the above-mentioned letters with the annotation "the return has not been made on time". Therefore, on [...] December 2020, a letter was sent to the Company with another summons to provide explanations immediately. The letter was collected by the Company on [...] January 2021. Despite receipt of the letter, the Company did not provide any reply to it. Thus, on [...] March 2021, the Company was again called upon to be heard. On [...] April 2021, the letter was returned to the personal data protection authority with the annotation "the return has not been made on time". Due to the fact that the Company did not collect this letter, by another letter of [...] May 2021, the Company was requested to provide explanations on the matter. The letter was also returned to the Office for Personal Data Protection with the annotation "the return has not been made on time".

In the letters of [...] December 2020, [...] March 2021 and [...] May 2021, the Company was informed that the lack of an exhaustive response to the request of the President of the Personal Data Protection Office may result - in accordance with Art. 83 sec. 5 lit. e) in connection with Art. 58 sec. 1 lit. a) of Regulation 2016/679 - in the imposition of an administrative fine on the Company.

As indicated above, the letter of [...] December 2020 was received by the Company, while the letters of [...] July 2020, [...] March 2021 and [...] May 2021, after two notifications, were returned to the Personal Data Protection Office with the annotation "the return has not been made on time"; they were therefore considered delivered to the Company in accordance with Art. 44 § 4 in connection with Art. 45 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended) (hereinafter also: "k.p.a.").
It should be noted here that the responsibility for failure to provide the President of the Personal Data Protection Office with the requested information rests with the Company. It is not changed by the fact that three out of four calls made by the supervisory body to the Company were not finally accepted by it. The duty of each organizational unit is to ensure such organization of receipt of letters that the course of correspondence is continuous and uninterrupted, and handled only by authorized persons. Negligence in this respect is a burden for this organizational unit (see, for example, the judgment of the Provincial Administrative Court in Gorzów Wielkopolski of October 18, 2018, file reference number II SAB/Go 90/18 - LEX No. 2576144).

Due to the failure by the Company to provide the information necessary to settle the case with ref. No. [...], initiated by the complainant's complaint, the President of the Personal Data Protection Office (UODO) initiated ex officio against the Company - pursuant to Art. 83 sec. 5 lit. e) of Regulation 2016/679, due to the breach by the Company of art. 31 and art. 58 sec. 1 letter a) and e) of Regulation 2016/679 - administrative proceedings to impose an administrative fine on the Company (reference number [...]). The Company was informed about the initiation of the procedure by letter of [...] July 2021, which on [...] August 2021 was returned to the sender with the note "return not received on time". In that letter the Company was also called upon - in order to establish the basis for the penalty, pursuant to Art. 101a paragraph 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) - to present the Company's financial statements for 2020 or - in the absence thereof - a statement on the amount of turnover and financial result achieved by the Company in 2020.

Until the date of this decision, the Company has not provided the information necessary to consider the case no. […].
The Company also did not respond to the letter informing about the initiation of the procedure, ref. No. [...], on the imposition of an administrative fine on the Company.

After considering all the evidence collected in the case, the President of UODO considered the following.

Pursuant to Art. 57 sec. 1 lit. a) of Regulation 2016/679, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of art. 51 of Regulation 2016/679 - monitors and enforces the application of this regulation on its territory. As part of his competences, the President of the Personal Data Protection Office, inter alia, handles complaints brought by data subjects, investigates these complaints to the appropriate extent and informs the complainant of the progress and the outcome of these proceedings within a reasonable time (Article 57 (1) (t)). In order to enable the exercise of such competences, the President of the Personal Data Protection Office has a number of rights, specified in Art. 58 sec. 1 of Regulation 2016/679, in the scope of conducted proceedings, including the right to order the controller and the processor to provide any information necessary for the performance of its tasks (Article 58 (1) (a)).

Violation of the provisions of Regulation 2016/679, consisting in failure to provide the information referred to above, resulting in a breach of the powers of the supervisory authority specified in art. 58 sec. 1, is subject to - in accordance with art. 83 section 5 letter e) in fine of Regulation 2016/679 - an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover from the previous financial year, with the higher amount applicable. It should also be indicated that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Art. 31 of Regulation 2016/679.
Referring the above-mentioned provisions of Regulation 2016/679 to the actual state of affairs established in this case, and described at the beginning of this decision, it should be stated that the Company - the administrator of personal data of the Complainant, Mr S. M. - as a party to the proceedings with reference number [...], breached its obligation to provide the supervisory authority with access to information necessary for the performance of its tasks - in this case, the substantive resolution of this case. Such activity of the Company constitutes a violation of Art. 58 sec. 1 lit. e) of Regulation 2016/679.

It should be noted that in the proceedings with reference number [...] the President of the Personal Data Protection Office called on the Company four times to provide explanations necessary to consider the case. All letters sent by the President of the Personal Data Protection Office, i.e. both the letter of [...] December 2020 received by the Company and the letters of [...] July 2020, [...] March 2021 and [...] May 2021, deemed delivered to the Company in accordance with Art. 44 § 4 of the Code of Administrative Procedure, remained unanswered.

The above state of affairs was not changed by the subsequent initiation of the present proceedings for the imposition of an administrative fine. The Company, properly notified by the supervisory body of its intention to take the measures specified in Art. 58 sec. 2 lit. i) of Regulation 2016/679, and also informed of its right - as a party to these proceedings - to comment on the collected evidence and materials as well as on the requests submitted, did not take any steps to explain its inaction or justify the lack of cooperation with the President of the Personal Data Protection Office.
Persons authorized to represent the Company did not contact the Office for Personal Data Protection in order to signal any doubts that the Company could have regarding the scope of information requested by the President of the Personal Data Protection Office.

The above-described proceedings of the Company in the case no. [...], i.e. failure to reply to - contained in the letter received by the Company of [...] December 2020 - specific, not too complicated and not requiring specialist knowledge in the field of personal data protection, questions from the President of the Personal Data Protection Office, as well as failure to receive other requests from the President of the Personal Data Protection Office, indicates the lack of will of the Company to cooperate with the President of the Personal Data Protection Office in establishing the facts of the case and correctly resolve it, or at least blatantly disregarding the obligations regarding cooperation with the President of the Personal Data Protection Office as part of the performance of his tasks specified in Regulation 2016/679.

It should be pointed out here that obstructing and preventing access to information requested and requested by the supervisory body from the Company, and which are undoubtedly in the possession of the Company (e.g. information on the current processing of the complainant's personal data by the Company, legal basis, purpose, the scope of this processing, possible disclosure of this data), prevents a thorough consideration of the case, and also results in excessive and unjustified prolongation of the procedure, which is contrary to the basic principles governing administrative proceedings - set out in Art. 12 sec. 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended), the principles of insight and speed of proceedings.
In addition, the Company is obliged to cooperate with the supervisory body as part of its tasks, as provided for in Art. 31 of Regulation 2016/679.

Bearing in mind the above findings, the President of the Personal Data Protection Office states that in the present case there are premises justifying the imposition on the Company - pursuant to Art. 83 sec. 5 lit. e) in fine and art. 83 sec. 4 lit. a) of Regulation 2016/679 - of an administrative fine in connection with the lack of cooperation with the supervisory body in the performance of its tasks (Article 31) and in connection with the Company's failure to provide access to information necessary for the President of the Personal Data Protection Office to perform its tasks (Art. 58 (1) (e)), that is until the decision in the case with reference number […].

At the same time, in view of the breach by the Company of two provisions of Regulation 2016/679 (Art. 31 and Art. 58 (1) (e)), pursuant to Art. 83 sec. 3 of this legal act, according to which, if the controller or processor intentionally or unintentionally violates several provisions of this regulation in the same or related processing operations, the total amount of the administrative fine does not exceed the amount of the penalty for the most serious violation, the President of the Personal Data Protection Office determined the amount of the administrative fine as not exceeding the amount of the penalty for the most serious of these infringements. In the presented facts, the President of the Personal Data Protection Office found the most serious violation to be the Company's failure to provide access to any information necessary to perform its tasks, i.e. violation of Art. 58 sec. 1 lit. e) of Regulation 2016/679.
The seriousness of this violation is evidenced by the fact that the lack of access to information that the President of the Personal Data Protection Office (UODO) has demanded and requests from the Company not only prevents a thorough examination of the case, but also results in excessive and unjustified prolongation of the proceedings, which is contrary to the basic principles governing administrative proceedings - specified in art. 12 sec. 1 k.p.a. - the principles of insight and speed of proceedings.

Pursuant to art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. It refers in each case to a number of circumstances listed in points a) to k) of the above-mentioned provision. When deciding to impose an administrative fine on the Company and determining its amount, the President of the Personal Data Protection Office took - among them - into account the following circumstances aggravating the assessment of the breach:

Nature, gravity and duration of the infringement (Article 83 (2) (a) of Regulation 2016/679).

The breach liable to an administrative pecuniary penalty in the present case undermines the system designed to protect one of the fundamental rights of a natural person, which is the right to the protection of his personal data, or more broadly, to the protection of his privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are supervisory authorities with tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the performance of these tasks, supervisory authorities have been equipped with a number of control powers, powers to conduct administrative proceedings and remedial powers.
On the other hand, administrators and processors have had specific obligations imposed on them, correlated with the powers of supervisory authorities, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to information necessary for the performance of their tasks. The actions of the Company in the present case, consisting in the failure to provide any information requested by the President of the Personal Data Protection Office, and resulting in a hindrance and unjustified extension of the proceedings conducted by him, should therefore be considered as detrimental to the entire personal data protection system and, therefore, as having importance and a reprehensible character. The significance of the breach is additionally increased by the fact that the breach by the Company was not a one-off and incidental event. On the contrary, the activities of the Company were continuous and long-lasting, which is undoubtedly confirmed by the fact that the infringement found in these proceedings lasts from the expiry of the deadline for submitting explanations, set out in the first letter of the President of the Personal Data Protection Office, i.e. from [...] July 2020, to now.

Intentional nature of the breach (Article 83 (2) (b) of Regulation 2016/679).

In the opinion of the President of the Personal Data Protection Office, on the part of the Company there is a clear lack of will to cooperate in providing the authority with all information necessary to resolve the case, in the course of which the authority asked it to provide that information. This is evidenced in particular by the lack of response to the requests of the President of the Personal Data Protection Office addressed to the Company, in particular to the request of [...] December 2020, which the Company received. Thus, the Company knew which authority sent the call to it and what information this authority asks the Company for.
In connection with such action, the Company made a conscious decision not to provide the data protection authority with information. Even the instruction, in the above-mentioned letter, on the imposition of an administrative fine on the Company in the event of failure to respond to the request of the President of the Personal Data Protection Office (UODO) did not induce the Company to cooperate with him regarding the provision of information; therefore it is a lack of will to cooperate with the authority or, at least, deliberate, blatant disregard of its obligations related to this cooperation. It should be emphasized that the Company at no stage of the proceedings with reference number […], as well as in the present proceedings, made an attempt to justify such conduct. Considering that the Company is an entrepreneur, an entity professionally involved in legal and economic transactions, it should also be assumed that it was (and is still) aware that its action of not taking correspondence from the supervisory body (with the knowledge that administrative proceedings (reference number [...]) to which the Company is a party are before the President of the Office for Personal Data Protection) constitutes a breach of the basic obligations of the entrepreneur, in particular the obligations arising from Regulation 2016/679.

Lack of cooperation with the supervisory authority to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).

In the course of these proceedings ([...]) regarding the imposition of an administrative fine, the Company did not provide any explanations that would allow for the determination of the reasons for its inactivity and for further proceedings in the case no. […]. The lack of any explanations on the part of the Company still makes it difficult for the President of the Personal Data Protection Office to issue a decision in the case no. […].
The other conditions for the assessment of an administrative fine specified in Art. 83 sec. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement made by the President of the Personal Data Protection Office (including: any relevant prior infringements by the controller, the manner in which the supervisory authority learned about the infringement, compliance with previously applied in the same case measures, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (relating to the controller's relationship with the supervisory authority and not the controller's relationship with the data subject), could not be taken into account in the present case (including: the number of injured persons and the extent of the damage suffered by them, actions taken by the administrator to minimize the damage suffered by data subjects, the degree of administrator's liability taking into account the technical and organizational measures implemented by him, categories of personal data concerned).

Pursuant to the wording of art. 83 sec. 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of the Personal Data Protection Office, the penalty imposed on the Company in these proceedings meets these criteria. It will discipline the Company to properly cooperate with the supervisory body, both in the further course of the proceedings with ref. No. [...], as well as in any possible other future proceedings with the participation of the Company before the President of the Personal Data Protection Office.
The penalty imposed by this decision is - in the opinion of the President of the Personal Data Protection Office - proportional to the severity of the breach found and the possibility of incurring it by the Company without major detriment to its activities. This penalty will also have a deterrent function; it will be a clear signal for both the Company and other entities obliged under the provisions of Regulation 2016/679 to cooperate with the President of the Personal Data Protection Office that disregarding the obligations related to cooperation with him (in particular, obstructing access to information necessary for the performance of his tasks) is a breach of major importance and as such will be subject to financial sanctions. It should be noted here that the imposition of an administrative fine on the Company is - in view of the proceedings of the Company to date, as a party to the proceedings [...] - necessary; it is the only measure at the disposal of the President of the Personal Data Protection Office which will enable access to information necessary in the conducted proceedings.

Due to the fact that the Company did not present the financial data requested by the President of the Personal Data Protection Office for the year 2020, when determining the amount of the administrative fine in this case, the President of the Personal Data Protection Office took into account, pursuant to Art. 101a paragraph 2 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the estimated size of the Company and the specificity, scope and scale of its operations.

Pursuant to art. 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro, referred to in Art.
83 of Regulation 2016/679, are calculated in PLN according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table on January 28 of each year, and in the event that the National Bank of Poland does not announce the average EUR exchange rate on January 28 in a given year - according to the average euro exchange rate announced in the table of exchange rates of the National Bank of Poland that is closest after that date.

Bearing in mind the above, the President of the Personal Data Protection Office, pursuant to art. 83 sec. 3 and art. 83 sec. 4 letter a) and art. 83 sec. 5 lit. e) of Regulation 2016/679, in connection with Art. 103 of the Act on the Protection of Personal Data of 2018, for the violations described in the sentence of this decision, imposed on the Company - using the average EUR exchange rate of January 28, 2021 (EUR 1 = PLN 4.5479) - an administrative fine in the amount of PLN 18,192 (which is the equivalent of EUR 4,000), according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28, 2021.

In view of the above, the President of the Personal Data Protection Office ruled as in the operative part of this decision.

The decision is final. Pursuant to Art. 53 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended), the party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw). A proportional fee should be paid on the complaint, in accordance with Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Art.
74 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.

In the proceedings before the Provincial Administrative Court, the party has the right to apply for the right of assistance, which includes exemption from court costs and the appointment of an attorney, legal advisor, tax advisor or patent attorney. The right to assistance may be granted at the request of a party submitted prior to the initiation of the proceedings or in the course of the proceedings. The application is free of court fees.

Pursuant to Art. 105 paragraph 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from the date the ruling of the administrative court becomes legally binding, to the bank account of the Personal Data Protection Office at NBP O/O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 paragraph 2 of the above-mentioned Act, the President of the Personal Data Protection Office may, at a justified request of the punished entity, postpone the payment of the administrative fine or divide it into installments. In the event of postponing the payment of the administrative fine or dividing it into installments, the President of the Personal Data Protection Office shall charge interest on the unpaid amount on an annual basis, using a reduced rate of default interest, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2021, item 1540, as amended), from the day following the date of submitting the application.

2022-01-19