UODO (Poland) - DKE.561.20.2022

From GDPRhub
UODO - DKE.561.20.2022
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Type: Complaint
Outcome: Other Outcome
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: DKE.561.20.2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: DKE.561.20.2022 (in PL)
Initial Contributor: sh

The Polish DPA fined a controller €6,000 for non-compliance with the DPA's requests to respond to a data subject's complaint.

English Summary

Facts

The Polish DPA received a complaint from a data subject concerning irregularities in the processing of his data from a company (the controller).

The DPA summoned the controller to respond to the content of the complaint and to provide explanations and supporting evidence within 7 days from the date of delivery of the letter. The letter was returned to the sender and not received by the controller despite being addressed to the address of the registered office indicated in the Register of Entrepreneurs of the National Court Register. As the address was the one in the official registry, the DPA deemed the letter delivered to the Company and left it in the case file. The DPA sent a second summons with the same result.

The DPA was eventually able to establish telephone contact with the President of the controller's Management Board, who informed the DPA of a new address. A new letter of summons was sent but nonetheless remained without any response from the controller. Repeated attempts to contact the President of the Company's Management Board by telephone failed.

Holding

First, as a result of the controller's failure to provide the information necessary to resolve the case, the DPA initiated ex officio proceedings against the Company pursuant to Article 83(5)(e) GDPR.

Second, the DPA considered the non-compliance with the summons to be a breach of Article 58(1)(a) and (e) GDPR. The delay prevented the DPA from carrying out its tasks. The controller's liability for failing to provide the DPA with the information requested is in no way diminished by the fact that the controller did not in fact collect the correspondence addressed to it.

The DPA imposed a fine equivalent to €6,000. The controller has 30 days to appeal this decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Based on Art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended) in connection with Art. 7 section 1 and 2, Art. 60, Art. 101, Art. 101a section 2 and Art. 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and pursuant to Art. 58 section 2 lit. i), Art. 83 section 1 and 2, Art. 83 section 5 lit. e) in connection with Art. 58 section 1 letter a) and e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on data protection) (OJ EU L 119 of 04/05/2016, p. 1, as amended in OJ L 127 of 23/05/2018, p. 2, and in OJ L 74 of March 4, 2021, page 35), after conducting ex officio administrative proceedings initiated to impose an administrative fine on K. S.A. with its registered office in K. at ul. (...), the President of the Personal Data Protection Office,

finding a violation by K. S.A. with its registered office in K. at ul. (…) of the provisions of Art. 58 section 1 letter a) and e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on data protection), consisting in failure to provide the President of the Personal Data Protection Office with access to information necessary to perform his tasks, imposes on K. S.A. with its registered office in K. at ul. (…) an administrative fine in the amount of PLN 27,418 (in words: twenty-seven thousand four hundred and eighteen zlotys).





Justification

Facts

The Personal Data Protection Office received a complaint from Mr. J. M. about irregularities in the process of processing his personal data by K. S.A. with its registered office in K. at ul. (...) (hereinafter referred to as the "Company"), consisting in disclosing the Complainant's personal data to unauthorized entities.

The President of the Office for Personal Data Protection (hereinafter referred to as the "President of the Personal Data Protection Office"), as part of the initiated administrative proceedings conducted to consider the complaint (under reference number DS.523.347.2022), in a letter of February 23, 2022, called on the Company to respond to the content of the complaint, submit explanations and provide evidence to confirm them within 7 days from the date of delivery of the letter. In the above-mentioned letter, the President of the Personal Data Protection Office called on the Company to answer four questions important for the substantive resolution of the case with reference number DS.523.347.2022. The letter was notified twice and returned to the sender on March 24, 2022. The letter was not received by the Company despite being sent to the registered office address indicated in the Register of Entrepreneurs of the National Court Register (hereinafter referred to as "KRS"): ul. (…) K. (KRS number of the Company: (…)). Due to the above, the President of the Personal Data Protection Office - pursuant to Art. 44 § 4 in connection with Art. 45 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2022, item 2000), hereinafter referred to as "K.P.A." – deemed it delivered to the Company on March 15, 2022 and left it in the case files.

In connection with the return of the above-mentioned letter and failure to respond, the President of the Personal Data Protection Office again, in a letter dated March 31, 2022, called on the Company to respond to the content of the complaint and provide explanations in the case with reference number DS.523.347.2022. The letter was notified twice and finally returned to the sender on April 26, 2022. Due to the above, the President of the Personal Data Protection Office - based on the provisions of Art. 44 § 4 in connection with Art. 45 k.p.a. – deemed it delivered to the Company on April 19, 2022 and left it in the case files. This call also remained unanswered by the Company.

In the above letter, the President of the Personal Data Protection Office instructed the Company that the lack of a comprehensive answer to the questions presented in the request may result, due to the failure to provide access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks, in imposing on the Company - in accordance with Art. 83 section 5 lit. e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119 of 04/05/2016, p. 1, as amended in OJ L 127 of 23/05/2018, p. 2, and in OJ L 74 of 04/03/2021, p. 35), hereinafter referred to as "Regulation 2016/679" - an administrative fine of up to EUR 20,000,000, and in the case of an enterprise, up to 4% of its total annual worldwide turnover from the previous financial year, whichever is higher.

The above circumstances of the facts of the case were established by the President of the Personal Data Protection Office on the basis of all correspondence conducted with the Company during the proceedings with reference number DS.523.347.2022. The evidence collected in the case confirms attempts by the President of the Personal Data Protection Office to obtain access to information necessary to perform his tasks, i.e. consider the case with reference number DS.523.347.2022.

The company was registered in the National Court Register on June 27, 2011. Its main activity is the provision of financial intermediation services. The company operates a stationary office in K. at ul. (...) and offers its services online via the website https://www.(...).

According to the data disclosed in the National Court Register, the Company's registered office is located in K. at ul. (...). Despite the correct sending of letters to this address, the Company did not receive any correspondence from the Personal Data Protection Office and, consequently, did not provide explanations and did not present evidence during the proceedings with reference number DS.523.347.2022.



Procedure

Due to the Company's failure to provide information necessary to resolve the case with reference number DS.523.347.2022, the President of the Personal Data Protection Office initiated ex officio against the Company, pursuant to Art. 83 section 5 lit. e) of Regulation 2016/679, proceedings (reference number DKE.561.20.2022) regarding the imposition of an administrative fine for violation of Art. 58 section 1 letter a) and e) of Regulation 2016/679.

Due to the fact that the Company did not receive letters sent to the address of its registered office, the employee of the Personal Data Protection Office in charge of the case contacted the President of the Management Board of the Company - D. K. on July 6, 2022. During the conversation, the President of the Management Board of the Company provided the Company's new address for delivery, i.e. K. ul. (…), and the ePUAP address: /(…)/(…). A memo was prepared for this conversation.

Information on the initiation of proceedings to impose an administrative fine on the Company and on the collection of evidence sufficient to issue a decision in the case (ref. no. DKE.561.20.2022) was sent by the President of the Personal Data Protection Office in a letter of July 8, 2022 to the address determined during the telephone conversation with the President of the Management Board of the Company, i.e. K. (…). In this letter, the Company was informed that the submission of comprehensive explanations within 7 days in the proceedings with reference number DS.523.347.2022, requested by the President of the Personal Data Protection Office in letters of February 23, 2022 and March 31, 2022, may have a mitigating effect on the administrative fine imposed in these proceedings or may result in waiving its imposition. The Company was also informed in the above-mentioned letter that failure to provide the President of the Personal Data Protection Office with all the information necessary to perform his tasks and failure to provide access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks, resulting in a violation of Art. 58 section 1 letter a) and e) of Regulation 2016/679, is subject - in the case of a controller or processor that is not an undertaking - to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking - up to 4% of its total annual worldwide turnover from the previous financial year, whichever is higher. Moreover, in the letter in question, the President of the Personal Data Protection Office asked the Company – pursuant to Art. 101a of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as: "u.d.o." - to submit, within 7 days from the date of receipt of the letter, the financial report for 2021 - or in the absence thereof - a statement on the amount of turnover and financial result achieved by the Company in 2021, in order to determine the basis for assessing the administrative fine. In addition, the Company was informed about the possibility of expressing its opinion - before issuing an administrative decision - regarding the collected evidence and materials as well as the submitted demands.

The above-mentioned letter was delivered to the Company on July 12, 2022. The letter remained without any response from the Company.

Due to the Company's lack of reaction to the information about the initiation of these proceedings, the employee of the Office for Personal Data Protection in charge of the case again attempted to contact the President of the Company's Management Board, which ended in failure. An official note was prepared on this occasion on September 20, 2022. Telephone contact with the President of the Company's Management Board was established only on November 9, 2022. During this conversation, the President of the Company's Management Board was once again instructed that failure to respond to the requests of the President of the Personal Data Protection Office will result in the imposition of an administrative fine. The President of the Company's Management Board committed to providing appropriate explanations and evidence by November 11, 2022.

Until this decision is issued, the Company has not provided any information requested by the President of the Personal Data Protection Office necessary to perform his tasks.



After considering all the evidence collected in the case, the President of the Personal Data Protection Office concluded the following.

Law

Pursuant to Art. 57 section 1 letter a) Regulation 2016/679, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of Art. 51 of Regulation 2016/679 - monitors and enforces the application of this regulation on its territory. As part of his competences, the President of the Personal Data Protection Office considers, among others: complaints lodged by data subjects, conducts proceedings on these complaints to the appropriate extent and informs the complainant about the progress and results of these proceedings within a reasonable time (Article 57(1)(f) of Regulation 2016/679).

To enable the implementation of such specific tasks, the President of the Personal Data Protection Office has a number of powers specified in Art. 58 section 1 of Regulation 2016/679, powers in the scope of conducted proceedings, including the right to order the controller and the processor to provide all information needed to perform its tasks (Article 58(1)(a) of Regulation 2016/679) and the right to obtain from the controller and the processing entity access to all personal data and all information necessary to perform its tasks (Article 58(1)(e) of Regulation 2016/679).

Ordering the provision of information needed to carry out the tasks of the President of the Personal Data Protection Office, referred to in Art. 58 section 1 letter a) of Regulation 2016/679, is implemented by way of a summons regulated in Chapter 9 of the Code of Administrative Procedure.

Summons and other letters addressed to the parties to the proceedings by the public administration body are served according to the rules set out in Chapter 8 of the Code of Administrative Procedure. Pursuant to these regulations, organizational units and social organizations are delivered letters at their registered office to persons authorized to receive letters (Article 45 of the Code of Administrative Procedure). However, if it is impossible to deliver the letter, the postal operator stores the letter for a period of fourteen days at its facility (Article 44 § 1 of the Code of Administrative Procedure) - prior to posting a notice about leaving the letter along with information about the possibility of collecting it within seven days (Article 44 § 2 k.p.a.). If the shipment is not picked up on time, a second notice is left informing about the possibility of collecting the shipment within a period no longer than fourteen days from the date of the first notification (Article 44 § 3 of the Code of Administrative Procedure). If, despite being notified twice about the possibility of collecting the parcel at the post office, the addressee of the letter fails to collect it, Art. 44 § 4 of the Code of Administrative Procedure applies, which states that delivery is deemed to have been made after the lapse of the fourteen-day period, and the letter is left in the case file.

Pursuant to Art. 38 section 1 letter c) of the Act of August 20, 1997 on the National Court Register (Journal of Laws of 2022, item 1683) (hereinafter referred to as: "U.K.R.S"), legal persons to which its provisions apply, including joint-stock companies, are obliged to enter in the National Court Register, among others, their registered office and address. In the event of a change in these data, entities subject to entry in the National Court Register are obliged to report this change to the Register of Entrepreneurs pursuant to Art. 47 section 1 u.k.r.s. Based on Art. 17 section 1 of the Commercial Companies Code, it is presumed that the data entered in the Register of Entrepreneurs are true.

A violation of the provisions of Regulation 2016/679, consisting in the failure of the administrator or processor to provide access to personal data or information necessary for the supervisory authority to perform its tasks, resulting in a violation of the authority's rights specified in Art. 58 section 1, is subject – in accordance with Art. 83 section 5 lit. e) in fine of Regulation 2016/679 - to an administrative fine of EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover from the previous financial year, whichever is higher.

When assessing whether, and if so, to what extent an administrative fine should be imposed, the supervisory authority is obliged to take into account the following circumstances (conditions for the penalty) specified in Art. 83 section 2 of Regulation 2016/679:

a)      the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them;

b)      the intentional or unintentional nature of the breach;

c)      actions taken by the controller or processor to minimize the damage suffered by data subjects;

d)      the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them pursuant to Art. 25 and 32;

e)      any relevant prior breaches by the controller or processor;

f)       the degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects;

g)      the categories of personal data affected by the breach;

h)      how the supervisory authority learned about the breach, in particular whether and to what extent the controller or processor reported the breach;

i)       if the measures referred to in Art. 58 section 2 were previously applied to the controller or processor concerned in the same case – compliance with these measures;

j)       application of approved codes of conduct under Art. 40 or approved certification mechanisms under Art. 42;

k)      any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly in connection with the breach or losses avoided.

Moreover, the supervisory authority - in accordance with Art. 83 section 1 of Regulation 2016/679 - ensures that the administrative fines applied are effective, proportionate and dissuasive in each individual case (principles of penalty assessment).

In order to determine the basis for assessing the administrative fine, the entity against which the proceedings are pending is obliged - pursuant to Art. 101a section 1 u.d.o. – at the request of the President of the Personal Data Protection Office, to provide him with the data necessary to determine this basis. However, in the event of failure to provide this data by the entity subject to the penalty, the President of the Personal Data Protection Office - in accordance with Art. 101a section 2 of the Act - determines the basis for the assessment of the administrative fine in an estimated manner, taking into account the size of the entity, the specific nature of its business activities or generally available financial data regarding the entity.

Pursuant to the content of Art. 103 u.d.o. the equivalent of the amounts expressed in euro referred to in Art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table on January 28 each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the next exchange rate table of the National Bank of Poland after this date.

Legal assessment

Referring the above-mentioned provisions of Regulation 2016/679 to the facts established in this case, it should be stated that the Company - as a party to the proceedings conducted by the President of the Personal Data Protection Office with reference number DS.523.347.2022, breached the obligation arising from Art. 58 section 1 letter a) and e) of Regulation 2016/679, consisting in providing the President of the Personal Data Protection Office with all information necessary to perform his tasks and providing the President of the Personal Data Protection Office with access to all personal data and all information necessary to perform his tasks. Avoiding the above-mentioned obligations towards the President of the Personal Data Protection Office resulted in the inability to thoroughly examine the case, and also prolonged the proceedings, which is contrary to the basic principles governing administrative proceedings - specified in Art. 12 section 1 k.p.a. principles of thoroughness and speed of action.

In the proceedings with ref. no. DS.523.347.2022, in order to obtain information necessary for substantive resolution of the case, the President of the Personal Data Protection Office, pursuant to Art. 58 section 1 letter a) and e) of Regulation 2016/679 twice requested the Company to provide explanations. These letters addressed to the Company's registered office were not received despite two notifications, therefore they were considered delivered to the Company - in accordance with Art. 44 § 4 of the Code of Administrative Procedure in connection with Art. 45 of the Code of Administrative Procedure - on March 15, 2022 and April 19, 2022, respectively. As a consequence of the Company's failure to enter into correspondence, it did not provide the President of the Personal Data Protection Office with any information in the proceedings under ref. no. DS.523.347.2022.

The Company's liability for failure to provide the President of the Personal Data Protection Office with the information requested by him in the proceedings with reference number DS.523.347.2022 is not in any way diminished by the fact that the Company did not actually receive the correspondence addressed to it, because in accordance with the justification of the judgment of the Provincial Administrative Court in Gorzów Wielkopolski of October 18, 2018, ref. no. II SAB/Go 90/18 (LEX no. 2576144) - "It is the duty of each organizational unit to ensure that the receipt of letters is organized in such a way that the correspondence takes place continuously and uninterrupted and only by authorized persons. Negligence in this respect is the responsibility of this organizational unit."

The Company, despite receiving on July 12, 2022, a letter of July 8, 2022 initiating proceedings to impose an administrative fine with reference number DKE.561.20.2022, did not respond to this letter and did not provide data enabling the determination of its financial situation in order to determine the basis for the penalty. It is worth emphasizing that the Company did not respond to the letters addressed to it, even though the President of the Company's Management Board was informed by telephone about the correspondence addressed to the Company and about the possible liability of the Company.

Taking into account the above, the President of the Personal Data Protection Office stated that in this case there were circumstances justifying the imposition on the Company - pursuant to Art. 83 section 5 lit. e) of Regulation 2016/679 - of an administrative fine in connection with failure to provide the President of the Personal Data Protection Office with all information necessary to perform his tasks (Article 58(1)(a) of Regulation 2016/679) and failure to provide access to all information and personal data necessary for the President of the Personal Data Protection Office to carry out his tasks (Article 58(1)(e) of Regulation 2016/679).

Conditions and rules for assessing administrative fines

Pursuant to the content of Art. 83 section 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, reference is made to a number of circumstances listed in points a) to k) of the above-mentioned provision. When deciding to impose an administrative fine on the Company in this case and determining its amount, the President of the Personal Data Protection Office took into account - among them - the following circumstances having an aggravating impact on the assessment of the violation:

The nature, gravity and duration of the violation (Article 83(2)(a) of Regulation 2016/679). The Company's behavior subject to an administrative fine, constituting a violation of Art. 58 section 1 letter a) and letter e) of Regulation 2016/679, violates the system aimed at protecting one of the fundamental rights of a natural person, which is the right to protect his or her personal data. An important element of this system, the framework of which is defined in Regulation 2016/679, are supervisory authorities, which are entrusted with tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the implementation of these tasks, supervisory authorities have been equipped with a number of control powers, powers enabling administrative proceedings and remedial powers. However, specific obligations have been imposed on administrators and processors, correlated with the powers of supervisory authorities, including the obligation to provide these authorities with access to personal data and information necessary to perform their tasks. The Company's behavior in this case, consisting in failure to provide the information requested by the President of the Personal Data Protection Office, resulting in the obstruction and unjustified extension of the proceedings conducted by him, should therefore be considered as detrimental to the entire system of personal data protection, and therefore of great importance and reprehensible nature. Moreover, the seriousness of the infringement is increased by the fact that it was not a one-off event. The Company twice failed to receive and, consequently, did not respond to the calls sent to it in the proceedings with reference number DS.523.347.2022. When determining the duration of the violation, it should be considered long-term and continuous: the violation lasted from the date of expiry of the deadline set for the Company in the first request to provide explanations, i.e. from March 23, 2022, to the present. Until this decision is issued, the Company has not provided the President of the Personal Data Protection Office with the information he requested.

Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679). The President of the Personal Data Protection Office found the violation to be intentional. The Company received a letter informing it of the initiation of these proceedings; moreover, the President of the Company's Management Board was informed by phone, by the employee handling the case, about the obligation to provide the President of the Personal Data Protection Office with information in the proceedings with ref. no. DS.523.347.2022 and about the initiation of these proceedings. In the opinion of the President of the Personal Data Protection Office, avoiding providing explanations, despite the Company's knowledge of the ongoing proceedings, should be interpreted, at least from the moment of receiving the letter initiating these proceedings, as a conscious and deliberate action. This circumstance should be assessed negatively and considered aggravating in the context of determining the amount of the administrative penalty imposed.

Any relevant previous breaches by the controller or processor (Article 83(2)(e) of Regulation 2016/679). The Article 29 Data Protection Working Party, in the Guidelines on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 adopted on October 3, 2017, referring to the condition mentioned in Art. 83 section 2(e) of Regulation 2016/679, indicates that "any type of infringement of the regulation, even if different from the one currently investigated by the supervisory authority, may be 'relevant' for the assessment because it could indicate a general level of insufficient knowledge or disregarding data protection rules." In the proceedings with reference number DKE.561.9.2020, conducted previously against the Company, the President of the Personal Data Protection Office found a violation of the provisions of Art. 31 and Art. 58 section 1 letter e) of Regulation 2016/679, consisting in lack of cooperation with the President of the Personal Data Protection Office in the performance of his tasks and failure to provide information necessary for the substantive resolution of the case with reference number ZSPR.440.571.2019, and ultimately issued a warning to the Company for this violation. When assessing the Company's conduct in these proceedings, it should be noted that the Company has once again ignored the obligation arising from Art. 58 section 1 letter e) of Regulation 2016/679. Therefore, the President of the Personal Data Protection Office found the Company's attitude towards the principles of personal data protection to be completely disrespectful. This circumstance should therefore be treated as an aggravating factor when determining the amount of the administrative fine.

The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679). In the opinion of the President of the Personal Data Protection Office, the Company in the course of this proceeding with reference number DKE.561.20.2022 did not cooperate in any way with the President of the Personal Data Protection Office in order to remove the violation and mitigate its negative effects. In particular, despite being served with a letter initiating these proceedings, the Company did not provide any information in the proceedings no. DS.523.347.2022, which could be treated as an action to remove the violation and mitigate its possible negative effects. The fact that the Company did not undertake any cooperation with the President of the Personal Data Protection Office is another clear reason to apply sanctions against it in the form of an administrative fine.

In the opinion of the President of the Personal Data Protection Office, none of the conditions referred to in Art. 83 section 2 of Regulation 2016/679 supports mitigating the amount of the imposed penalty, taking into account the above-mentioned aggravating circumstances.

Due to the specific nature of the violation, the following circumstances could not be taken into account in this case:

number of injured persons and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679) - in the event of a breach consisting in failing to provide the President of the Personal Data Protection Office with all information necessary to perform his tasks and failing to provide access to all personal data and all information necessary to perform its tasks, no damage to natural persons occurs;

actions taken by the administrator in order to minimize the damage suffered by data subjects (Article 83(2)(c) of Regulation 2016/679) - due to the fact that the breach in question does not cause damage to natural persons, the Company could not take any action to minimize harm;

the degree of responsibility of the administrator, taking into account the technical and organizational measures implemented by him (Article 83(2)(d) of Regulation 2016/679) - due to the fact that this violation is not related to the organizational and technical measures implemented by the Company in order to ensure the protection of personal data and security of processing;

categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679) - due to the fact that the breach does not involve the breach of any personal data, this condition could not be taken into account.

Other circumstances referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were recognized by the President of the Personal Data Protection Office as neutral for the assessment of the infringement found in this case:

the manner in which the supervisory authority learned about the infringement (Article 83(2)(h) of Regulation 2016/679). The President of the Personal Data Protection Office became aware of the infringement found in this case while conducting proceedings with reference number Ds.523.347.2022, which showed that the Company did not provide the information necessary to resolve the case. This circumstance has neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed on the Company. It certainly cannot be taken into account in favor of the Company, since the Company took no part in the President of the Personal Data Protection Office obtaining information about the violation.

compliance with previously applied measures in the same case (Article 83(2)(i) of Regulation 2016/679). In this case, the President of the Personal Data Protection Office did not apply to the Company any of the measures listed in Art. 58 section 2 of Regulation 2016/679 and did not monitor any possible activities of the Company related to their application, which could affect the assessment of the infringement.

application of approved codes of conduct or approved certification mechanisms (Article 83(2)(j) of Regulation 2016/679). The Company does not apply any codes of conduct or approved certification mechanisms. The use of such self-regulatory instruments by administrators is not obligatory, therefore the fact that they are not used cannot be treated as aggravating when assessing a violation. If the Company implemented and complied with an approved code of conduct or certification mechanism, the supervisory authority could consider this fact in its favor as a means of guaranteeing a higher than standard level of protection.

financial benefits or avoided losses achieved in connection with the infringement (Article 83(2)(k) of Regulation 2016/679). In these proceedings, the President of the Personal Data Protection Office did not find that the Company, due to its failure to provide the information necessary to resolve the case, obtained any property benefits or avoided losses. Therefore, there are no grounds to treat this circumstance as aggravating or mitigating.

other aggravating or mitigating factors (Article 83(2)(k) of Regulation 2016/679). After carefully examining the case, the President of the Personal Data Protection Office did not note any circumstances other than those described above that may affect the assessment of the violation and the amount of the administrative fine imposed.

Pursuant to the wording of Art. 83 section 1 of Regulation 2016/679, an administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. The definition adopted in the doctrine states that "A sanction is effective if it achieves the purpose for which it was introduced. A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of the particular case. A sanction is deterrent if it implements the considerations of individual and general prevention, in other words, it constitutes a clear signal of disapproval of the violation for society, as well as for the recipient of the sanction itself" (P. Litwiński (ed.) Regulation of the European Parliament and of the Council of the European Union 2016/679 of April 27, 2016 [...] Commentary on Article 83 [in:] P. Litwiński (ed.) General Regulation on the Protection of Personal Data. Personal Data Protection Act. Selected sectoral provisions. Commentary). In the opinion of the President of the Personal Data Protection Office, in these proceedings, the effectiveness and deterrent nature of the penalty, taking into account the principle of proportionality, can only be achieved by means of a financial penalty. The severity of this penalty, to a greater extent than the warning previously imposed in the proceedings with reference number DKE.561.9.2020, will discipline the Company to properly cooperate with the President of the Personal Data Protection Office also in other future proceedings with the participation of the Company before the President of the Personal Data Protection Office. The penalty imposed by this decision is - in the opinion of the President of the Personal Data Protection Office - proportional to the seriousness and reprehensible nature of the detected violation.
At the same time, the imposed penalty is the only way to force the Company to enforce the personal data protection rules. This penalty will also serve as a deterrent through its social impact, indicating that disregarding the obligations arising from Regulation 2016/679, in particular failure to provide the data protection authority with access to information necessary to perform its tasks, constitutes a violation of high importance and as such will be subject to financial sanctions.

Due to the failure to provide the President of the Personal Data Protection Office with the Company's financial data, appropriate arrangements regarding the basis for the penalty were made by the President of the Personal Data Protection Office in accordance with Art. 101a section 2 u.d.o. The President of the Personal Data Protection Office determined the basis for the administrative fine in an estimated manner, taking into account the financial data regarding the Company for the years 2017-2019 available on the website of the Ministry of Justice https://ekrs.ms.gov.pl/. The analysis of the obtained financial data of the Company shows that it conducts active business activities. In view of the above, it should be stated that in these proceedings the administrative fine was estimated so that it would not result in an excessive burden on the Company's business.

Taking into account the provisions of Art. 103 u.d.o. (see point 29 of the justification for the decision), the President of the Personal Data Protection Office, for the violations described in the operative part of this decision, imposed on the Company - using the average euro exchange rate of January 28, 2022 (1 EUR = 4.5697 PLN) - an administrative fine in the amount of PLN 27,418 (equivalent to EUR 6,000).

Taking the above into account, the President of the Personal Data Protection Office ruled as in the operative part of this decision.



The decision is final. Pursuant to Art. 53 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2022, item 329, as amended), the party has the right to lodge a complaint against the decision to the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw).

A proportional filing fee must be paid on the complaint, in accordance with Art. 231 in connection with Art. 233 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2022, item 329, as amended). Pursuant to Art. 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), a party's submission of a complaint to the administrative court suspends the execution of the decision regarding the administrative fine.

In proceedings before the Provincial Administrative Court, the Party has the right to apply for the right to assistance, which includes exemption from court costs and the appointment of a lawyer, legal advisor, tax advisor or patent attorney. The right to assistance may be granted at the request of a Party submitted before the initiation of the proceedings or during the proceedings.

The application is free of court fees. Pursuant to Art. 105 section 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for filing a complaint to the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for Personal Data Protection at the National Bank of Poland O/O Warsaw no. 28 1010 1010 0028 8622 3100 0000.

Moreover, in accordance with Art. 105 section 2 of the above-mentioned Act, the President of the Personal Data Protection Office may, at the justified request of the penalized entity, postpone the deadline for paying the administrative fine or divide it into installments. In the event of deferment of the deadline for payment of an administrative fine or spreading it into installments, the President of the Office for Personal Data Protection charges interest on the unpaid amount on an annual basis, using a reduced interest rate for late payment, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2021, item 1540, as amended), from the day following the date of submission of the application.