UODO (Poland) - DKN.5131.4.2024

From GDPRhub
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 25(1) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 23a(1)(2) ustawa o działalności leczniczej (law on medical service activities)
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.01.2025
Published:
Fine: 1,145,891 PLN
Parties: n/a
National Case Number/Name: DKN.5131.4.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: w.p.

A hospital installed CCTV cameras hidden in wall clocks in two rooms of its neonatal ward. The loss or theft of the cameras' memory cards caused a data breach affecting 190 individuals. For the violations found, the DPA imposed on the controller a total fine of PLN 1,145,891 (approximately €262,500).

English Summary

Facts

A hospital (the controller) notified the Polish DPA (UODO) of a data breach: the loss or theft of two CCTV memory cards. The CCTV covered two rooms within the neonatal ward. The breach affected 190 individuals, including the controller's employees, patients and their guardians. Additionally, shortly after the breach notification, a press article describing the controller's unlawful processing of the CCTV data was published.

The DPA decided to initiate ex officio proceedings against the controller.

During the proceedings, the controller explained that it had used wall clocks equipped with cameras to protect the health and safety of newborns. The controller claimed there had been an increased number of infections on the neonatal ward and that, because the preventive measures implemented before the CCTV had proved insufficient, it decided to rely on the CCTV. According to the controller, the personal data collected by the CCTV were processed under Article 23a(1)(2) of the law on medical service activities (ustawa o działalności leczniczej), Article 22² of the Labour Code (kodeks pracy) and Article 6(1)(f) GDPR. The CCTV recordings were to be stored for no longer than 30 days. Moreover, the controller emphasised that QR codes linking to privacy notices and stickers informing about the CCTV were placed on its premises.

Regarding the data breach, the controller clarified that the stolen memory cards were the only storage of the recordings (the devices did not record to a server) and that no backups existed. After the breach, the controller held several meetings with its employees and notified the data subjects of the breach.

Holding

The DPA found that the controller violated Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 9(1) GDPR, Article 13(1) GDPR and Article 13(2) GDPR.

In the DPA's view there was no legal basis covering the controller's processing of the CCTV data. The controller did not demonstrate that the CCTV was necessary to limit the number of infections or that it had a positive influence on the course of treatment; it admitted that no analysis confirming the need for the cameras had been carried out before they were installed. Consequently, the conditions of Article 23a of the law on medical service activities were not fulfilled. Because that provision is the exclusive legal basis for hospitals' CCTV processing of patients' data, neither Article 22² of the Labour Code nor Article 6(1)(f) GDPR applied. Thus, the controller processed the CCTV data unlawfully and violated Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 6(1) GDPR and Article 9(1) GDPR.

Furthermore, the controller violated Article 13(1) GDPR and Article 13(2) GDPR. The DPA found that the controller had used covert CCTV, hidden in wall clocks, so the data subjects were unaware of being under surveillance. Moreover, the privacy notices did not serve their purpose. The vague and undefined term "key rooms", used by the controller in its documents, was incomprehensible to data subjects, who could not tell whether a room or area they used was under CCTV. Also, the sticker informing about CCTV on the neonatal ward was placed only on the main door, which misled data subjects as to the scope of the CCTV.

The above violations resulted in a fine of PLN 687,534.75 (approximately €157,500).

Additionally, the controller violated Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 25(1) GDPR, Article 32(1) GDPR, Article 32(2) GDPR.

The controller did not secure the CCTV properly. The risk assessment performed by the controller did not include a thorough description of the threats associated with using the CCTV; in particular, loss or theft of the data stored on the memory cards was not taken into account. The controller therefore did not implement technical and organisational measures mitigating the risk posed by the CCTV, and the breach was the result. The facts established in the decision show how far the two ad hoc devices fell outside the controller's own controls: the memory cards were not encrypted, the recordings existed only on those cards with no backup, and the devices were not connected to the hospital network, so they were covered neither by its network access control, monitoring and vulnerability management systems nor by any installation protocol.

In consequence, the controller received a further fine of PLN 458,356.50 (approximately €105,000).

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

On the basis of Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2024, item 572) in connection with Article 7, Article 60, Article 101 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) and Article 57 par. 1 letter a) and letter h), Article 58 par. 2 letter i), Article 83 par. 1 - 3, Article 83 par. 4 letter a) in connection with Article 24 par. 1, Article 25 par. 1 and Article 32 par. 1 and 2, as well as Article 83 paragraph 5 (a) and (b) in conjunction with Article 5 paragraph 1 (a) and (f), Article 5 paragraph 2, Article 6 paragraph 1, Article 9 paragraph 1, Article 13 paragraph 4, 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.05.2016, p. 1, OJ EU L 127, 23.05.2018, p. 2 and OJ EU L 74, 4.03.2021, p. 35), hereinafter referred to as "Regulation 2016/679", after conducting ex officio administrative proceedings regarding the infringement of the provisions on personal data protection by X. with its registered office in K. (K., (…)), President of the Personal Data Protection Office,

1) finding that X. with its registered office in K. (K., ul. (…)) violated the provisions of:
a) Art. 6 sec. 1 and Art. 9 sec. 1 of Regulation 2016/679, consisting in the unlawful processing of personal data, including special category data, through the use of video surveillance in two hospital rooms of the (...) Ward,
b) Art. 13 sec. 1 and 2 of Regulation 2016/679, consisting in failure to comply with the information obligation towards persons whose personal data were processed as a result of the introduction of video surveillance in two hospital rooms of the (...) Ward,

which resulted in the violation of Art. 5 sec. 1 lit. a) of Regulation 2016/679 (principles of legality, reliability and transparency) and Art. 5 sec. 2 of Regulation 2016/679 (principles of accountability),

imposes on X. with its registered office in K. (K., ul. (...)) an administrative fine in the amount of PLN 687,534.75 (in words: six hundred eighty-seven thousand five hundred thirty-four zlotys and 75/100),

2) finding that X. with its registered office in K. has violated the provisions of: Art. 24 sec. 1, Art. 25 sec. 1 and Art. 32 sec. 1 and 2 of Regulation 2016/679, consisting in the failure to apply appropriate technical and organizational measures ensuring a level of security corresponding to the risk of data processing using external data carriers, in order to protect the personal data recorded therein, including their protection against accidental loss, destruction or damage and disclosure to unauthorized persons,

which resulted in the violation of Art. 5 sec. 1 letter f) of Regulation 2016/679 (principle of integrity and confidentiality) and Art. 5 sec. 2 of Regulation 2016/679 (principle of accountability)

imposes on X. with its registered office in K. (K., ul. (...)) for the violation of Art. 5 sec. 1 letter f), Art. 5 sec. 2, Art. 25 sec. 1 and Art. 32 sec. 1 and 2 of Regulation 2016/679 an administrative fine in the amount of PLN 458,356.50 (in words: four hundred fifty-eight thousand three hundred fifty-six zlotys and 50/100).

Justification

X. with its registered office in K. (K., ul. (...)), hereinafter also referred to as the Administrator, Facility or Medical Center, is an entity whose primary business activity is focused on providing medical benefits and services, in particular in the scope of (...). It should also be emphasized that the Facility is part of (...), which manages a network of specialist neonatological and obstetrics and gynecology hospitals located in (...) Poland (voivodeship (...)), as well as medical centers offering access to professional and comprehensive medical care.

On July 26, 2023, the Medical Center reported a breach of personal data protection, consisting in the loss or theft of memory cards from 2 video monitoring devices that recorded images in 2 rooms of the Department (...). In accordance with the Administrator's declaration indicated in the supplement to the notification of the breach of personal data protection, in connection with the occurrence of the incident in question, he filed a notification of suspicion of committing a crime with the Prosecutor's Office (...).

At the same time, on August 3, 2023, an article was published on the website (...) [1] regarding the practices of the Medical Center in connection with the monitoring system used by this entity. The content of the aforementioned article indicates that the journalists of the service, as part of the information provided by an employee of the aforementioned facility, determined that, quoted "(...) in the department (...), where I work, the management installed hidden cameras "in the router and in watches". They had a microphone, which is prohibited. We were not informed about their installation in any way. In addition, quote: »Our private conversations and certainly images of patients - newborns and premature babies - were recorded on the cameras, which their parents have no idea about. (...) the devices "were configured so as not to record sound" (according to the informant, they recorded both image and sound)«.

The President of the Personal Data Protection Office (hereinafter referred to as the "President of the Personal Data Protection Office" or "supervisory authority"), in connection with the reported breach of personal data protection and the above-mentioned press releases, conducted explanatory proceedings, and then on February 28, 2024, initiated ex officio administrative proceedings regarding the possibility of violation by X. with its registered office in K., as the data controller, of the obligations arising from Art. 5 par. 1 letters a) and f), Art. 5 par. 2, Art. 6 par. 1, Art. 9 sec. 1, art. 13 sec. 1 and 2, art. 24 sec. 1, art. 25 sec. 1 and art. 32 sec. 1 and 2 of Regulation 2016/679, in connection with the introduction of video surveillance in 2 rooms of the Branch (...) without a legal basis and the loss or theft of memory cards on which the recording from the aforementioned video surveillance was recorded (ref. DKN.5131.4.2024. (...)).

The President of the UODO, as a result of the explanatory proceedings and administrative proceedings, established the following factual circumstances.

I. Video monitoring at the Department (...). The President of the UODO requested the Administrator in letters on August 7, 2023, January 31, and February 28, 2024 to provide explanations regarding the implementation of video monitoring in 2 rooms of the Department (...).

The explanations provided by the Facility in correspondence on August 17, 2023, February 12, March 11, and August 30, 2024 indicate that: 1) The Facility is subject to video monitoring (without sound recording) covering the area of the building located at ul. (...) in K. (publicly accessible rooms and key rooms, including the rooms of the Department (...), in accordance with applicable regulations) and the area around this building,

2) The Administrator, as the legal basis authorizing him to obtain personal data as a result of the introduction of ad hoc video monitoring in the above-mentioned rooms of the Branch (...), indicated:
- art. 23a paragraph 1 point 2 of the Act of 15 April 2011 on medical activity (Journal of Laws of 2024, item 799) in connection with § 29 of the Regulation of the Minister of Health of 26 March 2019 on detailed requirements to be met by the premises and equipment of an entity performing medical activity (Journal of Laws of 2022, item 402),
- art. 6 paragraph 1 letter f) of Regulation 2016/679, due to the legitimate interest,
- art. 22² of the Act of 26 June 1974 - the Labor Code (Journal of Laws of 2023, item 1465, as amended), in order to ensure the safety of employees and the protection of property, as well as to keep confidential information the disclosure of which could expose the employer to damage,

3) video monitoring in the rooms of the Branch (...) was conducted in the period from 1 to 23 July 2023, and to implement the above actions the Administrator used clocks with an image recording function (i.e. a camera installed in the clock enabling image recording),

4) the motivation and purpose of implementing video monitoring was to ensure the health and safety of newborns, due to the increased number of symptoms of gastrointestinal infection,

5) personal data obtained through the applied video monitoring, quote (...) "were to be stored for a period not longer than 30 days from the date of recording",

6) In a letter dated February 12, 2024 (date of posting: February 13, 2024, date of receipt: February 19, 2024), the Administrator indicated that before implementing ad hoc monitoring (i.e. 2 additional monitoring devices installed in 2 rooms of the Department (...)), no analysis confirming the necessity of introducing the above solution was carried out. In addition, he emphasized that in the period preceding the use of additional monitoring devices, the Facility took steps to eliminate the occurrence of infections in newborns through: increased cleaning of rooms, fumigations, replacement of sanitary and hygienic devices, an enhanced sanitary regime, conducting training for parents of newborns on hand washing and hygiene procedures. The Administrator also informed that, quoted (...) "Changes to the Regulations (...) regarding video monitoring were introduced by a resolution of the Management Board (...).

7) In a letter dated March 11, 2024, the Administrator provided the supervisory body with evidence confirming the implementation (before the introduction of additional video monitoring) of security measures aimed at detecting incorrect and unintentional behaviors causing infections in newborns in the Ward (...) in the form of letters from the (...) Team dated March 21, May 9 and June 7, 2023, an analysis (...) and a report (...).

8) The facility indicated that it had fulfilled the information obligation towards persons staying on the premises of the medical entity through the quoted (...) "stickers located on the Hospital building in places where monitoring is used, containing the said information and referring to the content of the information clause regarding the use of video monitoring, via a QR code redirecting to the website with the clause in question",

9) with respect to the employees of this medical facility, the Administrator indicated that each newly employed person is informed about the video monitoring used,

10) the employees of the Administrator were informed (information provided by e-mail) about the adoption on June 16, 2021 of a resolution by the management board of X. on the introduction of changes to the Regulations (...) regarding the introduction, pursuant to Art. 22² of the Labor Code, of video surveillance on the premises of the workplace from July 1, 2021,

11) The Administrator attached to the letter of August 17, 2023, sample photos with stickers placed in the hospital informing about the use of video surveillance on its premises, the content of the information clause regarding the use of video surveillance in the hospital, a printout of the e-mail informing all employees about the introduction of changes to the Regulations (...) and the content of the resolution amending the Regulations (...) together with the content of the information clause regarding monitoring on the premises of the workplace.

12) In a letter dated February 12, 2024 (date of posting: February 13, 2024, date of receipt: February 19, 2024), the Administrator indicated that access to the full content of the information clause regarding the video monitoring used in the facility is possible (apart from the QR code) at the reception desk (possibility of obtaining the clause in print). In addition, the full content of this information clause is available on the Medical Center website.

13) In a letter dated October 24, 2023, the Medical Center indicated that, in accordance with point 4 of the information clause, video monitoring covers key rooms, which in the analyzed case are the rooms of the Department (...). At the same time, it should be emphasized that the analyzed information clause does not include a definition that would specify and explain the term "key rooms".

14) In a letter dated March 11, 2024 (date of receipt: March 14, 2024, date of posting: March 11, 2024), the Administrator informed that Annex No. (...) to the Regulations (...) covering the list of buildings and rooms covered by video monitoring had not been updated before the implementation of additional monitoring in 2 wards (...).

15) In connection with the review of files conducted on August 28, 2024, the Medical Center, in a letter dated August 30, 2024, submitted to the supervisory body a document entitled: "Final position of the party in the case", in which it informed that in 2 wards of the (...) Ward, where ad hoc video monitoring had been installed, there were: "children who were transferred from section 1 and 2 and no longer require intensive care. Children staying in these rooms are provided with rehabilitation, feeding and care training by their parents”.

II. Loss of memory cards from video monitoring in the Ward (...). On July 26, 2023, the Administrator made an initial report of a breach of personal data protection (a supplementary report was submitted on September 15, 2023), consisting in the loss or theft of memory cards from 2 video monitoring devices that recorded images in 2 rooms of the Ward (...) (report registered under reference number (...)). In the report of a breach of personal data protection, the Administrator indicated that, quoted (...) "The Manager (...) received information from one of the doctors that the inserted devices had been moved to another place in the Department and when they were checked on July 24, 2023 at approx. 8:00 a.m., it turned out that the memory cards on which the monitoring recording was made had been removed (the devices did not record current data on an external server, the recording was only made on the memory card, so there is no access to a backup copy of the recordings)". At the same time, the Facility informed that as a result of the incident, the personal data of 190 people were breached, including 30 patients, 60 statutory representatives of patients, 97 staff members and 3 students doing internships.

The explanations provided by the Administrator in letters dated October 5 and 24, 2023 and February 12, 2024 indicate that:

1) The Administrator has implemented the Policy (...) and the related Security procedure (...), which documents are part of the applicable System (...),

2) The Medical Center has a management system certificate confirming that it has introduced and applies an Information Security Management System compliant with the requirements of PN-EN ISO/IEC 27001:2017-06, undergoing annual audits (the last one in October 2022) (documents submitted in the letter dated October 5, 2023).

3) in accordance with the Administrator's declaration, monitoring of compliance with procedures is carried out on an ongoing basis by verifying the completeness of employee documentation, making the content of the procedure available to current and new employees (in order to familiarize themselves with the applicable rules), verifying stickers with information on video monitoring in the medical facility, verifying the availability of processed information and the operation of individual cameras and recorders in a continuous and automatic manner by the IT system.

4) The Administrator organized and conducted several meetings with the Department staff. The Department staff was informed that in the event of coming into possession of memory cards or information on the subject event, it should be immediately forwarded to the Hospital management. In addition, a notification of suspicion of a crime was filed, on the basis of which an investigation was initiated by the 8th Police Station (...), file reference number (...).

5) In the supplementary notification form, the Administrator informed that on September 15, 2023, it completed the process of notifying data subjects of the occurrence of the personal data protection breach in question, i.e. the loss of memory cards from video monitoring in the wards (...).

6) In addition to the explanations provided in the letter of October 5, 2023, the Medical Center submitted to the supervisory authority a list of the method of notifying individual entities, the Policy (...), the Procedure (...), an internal note regarding IT department employees, an internal note regarding audits in the Hospital, an analysis (...) and an internal note regarding meetings held with the Department staff.

7) In a letter dated October 24, 2023, the Administrator responded to the supervisory authority's inquiries set out in the letter dated October 11, 2023, informing that the memory cards from additional monitoring devices had not been encrypted.

8) The Administrator attached to the correspondence dated October 24, 2023 a description of the method by which the Administrator (including before the personal data breach) regularly tests, measures and assesses the effectiveness of technical and organizational measures to ensure the security of personal data processed as part of video monitoring, together with software screenshots. The document in question (date of preparation: October 20, 2023) covered the technical and organizational guidelines that the video monitoring conducted at the above-mentioned facility is to meet. In addition, in accordance with an internal memo dated October 4, 2023 (submitted to the supervisory authority in a letter dated October 5, 2023), the Facility conducts annual internal audits covering, among other things, compliance with procedures in the scope of the applied video monitoring (the card (...) and the protocol (...) with an annex were submitted in a letter dated March 11, 2024).

9) In a letter dated February 12, 2024 (date of receipt: February 19, 2024, date of posting: February 13, 2024), the Administrator indicated that 2 additional monitoring devices installed in the rooms of the Branch (...) did not meet the requirements established and specified in the document entitled "Description (...)" and were not configured with the software (...) (system ensuring network access control), (...) (software monitoring a number of network parameters, as well as the operation and integrity of servers), or (...) (vulnerability management system). The aforementioned devices were also not, quote (...) "installed in the internal computer network, data was saved to the memory cards located in them". At the same time, the Medical Center informed that the implementation of additional monitoring devices in the relevant rooms of the Department (...) was the responsibility of the Department staff and the department (...), and their implementation did not take place on the basis of the schedule, and no protocol of their installation was prepared.

10) the investigation conducted by (….) file reference number (...) was discontinued by the decision of (...), due to the failure to identify the perpetrator of the act.

11) In a letter dated 11 March 2024 (date of receipt: 14 March 2024, date of posting: 11 March 2024), the Administrator responded to the supervisory authority's inquiries contained in the letter dated 28 February 2024, informing that before the personal data breach occurred, it conducted an analysis (...). Furthermore, it indicated that the document in the form of the "Policy (...)" was amended by a resolution of the Management Board (...), which entered into force on (...), while the "Policy (...)" has not been updated since 30 April 2021.

In this factual situation, after reviewing all the evidence collected in the case, the President of the Personal Data Protection Office considered the following:

Pursuant to Art. 34 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the Act of 10 May 2018, the President of the Personal Data Protection Office is the competent authority for data protection and the supervisory authority within the meaning of Regulation 2016/679. Pursuant to Art. 57 sec. 1 letters a) and h) of Regulation 2016/679, without prejudice to other tasks specified under that Regulation, each supervisory authority on its territory shall monitor and enforce the application of this Regulation and conduct proceedings in the event of infringement of this Regulation, including on the basis of information received from another supervisory authority or other public authority.

I. Legal basis for the processing of personal data. Art. 5 of Regulation 2016/679 specifies the principles for the processing of personal data that must be respected by all controllers, i.e. entities that, alone or jointly with others, determine the purposes and means of processing personal data. According to Art. 5 sec. 1 letter a) of Regulation 2016/679, personal data must be processed lawfully, fairly and in a transparent manner for the data subject ("lawfulness, fairness and transparency"). Compliance with the above principle is necessary for the proper implementation of the principle of accountability resulting from Art. 5 sec. 2 of Regulation 2016/679.

According to Art. 6 sec. 1 of Regulation 2016/679, the processing of personal data is lawful only if at least one of the following conditions is met:
a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect the vital interests of the data subject or another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

It should be noted that the provision of Article 6(1)(f) of Regulation 2016/679 does not apply to the processing of personal data by public authorities in the performance of their duties.

Article 9(1) of Regulation 2016/679 prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning the health, sexuality or sexual orientation of that person. Recital 35 of Regulation 2016/679 specifies the concept of personal data concerning health by indicating that "Personal data concerning health should include all data concerning the health of the data subject revealing information about the past, present or future physical or mental health of the data subject".

In this case, first of all, it is necessary to analyze the legal grounds indicated by the Controller authorizing him to introduce additional video monitoring in 2 rooms of the Department (...). According to the information provided in the letter of 17 August 2023, the legal norm justifying the implementation of the above monitoring is art. 23a sec. 1 item 2 of the Act of 15 April 2011 on medical activity (Journal of Laws of 2024, item 799) in connection with § 29 of the Regulation of the Minister of Health of 26 March 2019 on detailed requirements to be met by premises and equipment of an entity performing medical activity (Journal of Laws of 2022, item 402).

Art. 23a sec. 1 point 2 of the above-mentioned Act (in the wording in force at the time of the infringements of Regulation 2016/679 described in this decision) indicates that the head of an entity performing medical activities may specify in the organisational regulations the method of observation of rooms in which health care services are provided and patients stay, in particular bed rooms, sanitary and hygienic rooms, changing rooms, cloakrooms, if this results from separate provisions – using devices enabling image recording (monitoring). In accordance with the position of the Administrator, the separate provisions authorizing him to introduce ad hoc video monitoring in 2 rooms of the Ward (...) pursuant to Art. 23a sec. 1 point 2 of the Act on Medical Activity are the legal standards included in § 29 of the Regulation of the Minister of Health of 26 March 2019 on detailed requirements to be met by premises and equipment of an entity performing medical activity. According to the aforementioned provision, it is permissible to install devices in bed rooms that allow for the observation of patients if it is necessary in the process of their treatment and to ensure their safety. The key element of this provision is that the necessity of introducing monitoring is a mandatory condition.

Therefore, in accordance with the adopted assumptions, the Administrator should have evidence, e.g. relevant analyses, which would clearly indicate that only the introduction of ad hoc video monitoring in 2 rooms of the Ward (...) would contribute to reducing the number of patients' illnesses and the effective process of their treatment. It should be emphasized that only appropriate argumentation supported by adequate evidence would meet the condition of legality for the introduction of image recording in accordance with the provision cited above. It should be noted here that the Administrator did not have evidence that the use of video monitoring is necessary in the process of treating patients (e.g. to reduce their disease incidence) or necessary to ensure their safety, which was confirmed in a letter dated February 12, 2024, quoted "(...) The Administrator did not conduct an analysis confirming the need to introduce ad hoc monitoring in the Ward's bed rooms". At the same time, in the correspondence, the Administrator informed that he had taken actions to detect incorrect and unintentional behaviors causing infections of newborns in the Ward, however, the above did not release the Facility from the obligation to prove the absolute need to implement ad hoc video monitoring in the above-mentioned area. Moreover, based on the Report submitted by the Administrator (...), it is not possible to distinguish which factors actually contributed to the reduced number of patient infections (from 25 to 18) – in particular, taking into account the increased use of pharmacology in the ward in question, as discussed in the Analysis (...), quote: (...), as well as the loss or theft of memory cards from additional monitoring devices and the lack of access to the recorded image.

In addition to clearly proving the need to implement video monitoring, medical facilities are also obliged to introduce appropriate changes to the organizational regulations, quote (...) "in accordance with art. 23a of the Act on the Application of Monitoring, the principles of using monitoring should be specified in the content of the organizational regulations, thus it will be necessary to change them if the facility expands the monitoring it has" [2]. The Patient Rights Ombudsman also made a similar statement in the guide for managers of medical facilities entitled "Video monitoring in medical entities" informing that, quote (...) "The manager of a medical entity, at the time of implementation of video monitoring in a medical entity, is obliged to introduce the method of its conduct into the organizational regulations. The obligation imposed by the legislator on the manager of the entity highlights the need to protect the rights of natural persons - patients and employees of the medical entity - against unjustified use of data collected as a result of the use of video monitoring. In this perspective, the decision to introduce monitoring belongs to the manager of the medical entity, who, based on the analysis of adverse events, has the knowledge adequate to assess whether video monitoring will support the work of the staff in ensuring patient safety".

The Administrator, when asked by the President of the UODO in a letter dated 31 January 2024 whether he had introduced relevant changes to the organisational regulations (in connection with the introduction of additional monitoring devices), untruthfully indicated that, quote (...) "Changes to the Regulations (...) regarding video monitoring were introduced by a resolution of the Management Board (...)". This did not constitute fulfilment of the above obligation by the Medical Centre, because the ad hoc video monitoring in 2 rooms of the Ward (...) operated from 1 July to 23 July 2023 and therefore could not have been covered by the resolution of the Management Board (...) cited by the Administrator. As a result, the Facility did not meet the requirements for introducing additional monitoring in this respect. The Administrator's passivity with regard to the analysed video monitoring is also confirmed by the fact that it did not update Annex No. (…) to the Regulations (…) of the Facility, as amended by the resolution of the Management Board (…), and thus did not indicate the new areas covered by video monitoring. At the same time, it should be noted that, in accordance with chapter (…) of Annex No. 1 to the Resolution of the Management Board (…) of company X with (…), quote (…) "(…)". In its correspondence with the supervisory authority, in a letter dated March 11, 2024, the Administrator directly admitted to irregularities in this respect, declaring that, quote (…) "Annex No. (…) to the Regulations (…) of the Hospital, i.e. the list of buildings and rooms covered by video monitoring, was not updated before the implementation of additional monitoring in the Hospital Ward".
In view of the above, due to the demonstrated irregularities in the introduction of ad hoc video monitoring in 2 rooms of the Ward (...), the Medical Centre cannot use Article 23a paragraph 1 item 2 of the Act on Medical Activity as the legal basis for its action, as the mandatory conditions for recognising the monitoring in question as legal have not been met (i.e. failure to introduce adequate regulations in the organisational regulations and failure to demonstrate the need to implement video monitoring).

At the same time, it should also be emphasised that the analysis of the provisions of the Act on Medical Activity (in the wording applicable at the time of the occurrence of the violations of Regulation 2016/679 described in this decision), as well as the provisions of other legal acts relating to this matter, clearly indicates the existence of an obligation on the part of medical facilities to respect the privacy and dignity of the patient in connection with the provision of medical services, which obligation the Administrator failed to fulfil towards its patients by installing ad hoc video monitoring. Consequently, despite the fact that the obligation in this respect in the provisions of the Act on Medical Activity was expressly formulated only as a result of its amendment, which entered into force on 6 September 2023, it cannot be assumed that previously (and therefore also during the operation of ad hoc video monitoring in the above-mentioned rooms) the Medical Centre was exempted from taking them into account when providing services (which will be discussed later in this decision).

The Voivodship Administrative Court in Warsaw also commented on this matter in its judgment of 13 September 2019, file ref. VII SA/Wa 1545/19, LEX No. 2728947, in which one of the parties to the administrative proceedings was the Patients' Rights Ombudsman, quote: "The Court, in the composition adjudicating this case, fully shares the position of the authority, which is supported by the doctrine that the patient's intimacy, i.e. closeness, should be referred to all feelings and actions related to the provision of health care services. Intimacy understood in this way consists of: caring for the patient's well-being, respect for the patient, understanding their situation, exchanging intimate information, considering the patient to be an entity of the highest value. Intimacy refers both to the patient himself, to the sphere of his exclusively personal, confidential life, and to relationships with other people based on cordiality and familiarity. Violation of intimacy is related to a sense of shame. The intimate zone of a human being should be subject to special protection, according to which only the individual in question may dispose of this sensitive sphere of feelings."

In order to conduct a detailed legal analysis of the introduction of ad hoc video monitoring by the Medical Centre, reference should be made to Annex No. 1 IV, entitled "Maternity Unit", point 4 of the Regulation of the Minister of Health of March 26, 2019 on detailed requirements to be met by premises and equipment of an entity performing medical activities, which directly refers to the possibility of using video monitoring in rooms intended for maternity women and newborns. According to this provision, the maternity unit should have at least one room intended for maternity women and newborns in the first hours of life, after complicated deliveries, in which the possibility of direct observation, or of observation using cameras equipped with autostart functions, is ensured, in particular the possibility of observing faces. This provision may constitute a legal basis for such a form of observation only where the health condition of newborns, due to birth complications, is not stable and may pose a threat to their life or health. In the case of the video monitoring implemented by the Administrator in 2 rooms of the Ward (...) (in the period from July 1 to July 23, 2023), this legal basis cannot be applied, because, according to the "Final position of the party in the case" submitted in a letter dated August 30, 2024, the rooms in which ad hoc video monitoring was installed held: "children who were transferred from sections 1 and 2 and no longer require intensive care. Children staying in these rooms are subject to rehabilitation, feeding and care training by their parents", thus confirming that the implementation of monitoring was not aimed at observing newborns whose life or health was at risk.

In a letter dated August 17, 2023, the Administrator also indicated that the legal basis justifying the implementation of ad hoc video monitoring in 2 rooms of the Ward (...), in addition to art. 23a sec. 1 item 2 of the Act on Medical Activity, is also art. 6 sec. 1 letter f) of Regulation 2016/679 and art. 22(2) of the Labor Code.

As indicated above, in the case of medical facilities, the principles of introducing video monitoring (and processing of personal data related thereto) are regulated by the provisions of the Act on Medical Activity. An administrator who does not meet the principles of its introduction resulting from these provisions (as is the case with the Medical Center) cannot rely on other grounds for processing personal data to justify its use, including the ground specified in art. 6 sec. 1 letter f) of Regulation 2016/679. Incidentally, it should be noted that in connection with the video monitoring used in 2 rooms of the Ward (...), health data were also processed, and these may only be processed after meeting one of the grounds in art. 9 sec. 2 of Regulation 2016/679. For obvious reasons, the ground referred to in art. 6 sec. 1 letter f) of Regulation 2016/679 cannot be considered such a ground for processing these data. It should be noted here that the provisions of Regulation 2016/679 established the basic principles of personal data processing, including the principle of lawfulness, formulated in Article 5 paragraph 1 letter a) of Regulation 2016/679. The principle of lawfulness, "also referred to as the lawfulness of data processing, means the requirement to comply with the standards established in the provisions of law. The principle of lawfulness of data processing has a broad substantive scope, and it concerns not only the provisions of the commented regulation, but also the provisions contained in other normative acts. (...) Among the provisions concerning data processing, a special role is played by the requirements relating to the lawfulness of processing (also referred to as the so-called grounds for the admissibility of data processing or conditions for the lawfulness of data processing), specified in the provisions of Articles 6, 9 and 10 of the commented regulation. These provisions indicate cases where data processing is legally permissible (in simple terms: when personal data may be lawfully processed)" (P. Fajgielski, Commentary to Regulation No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary).

It should therefore be emphasized that the use of the premise expressed in Article 6 paragraph 1 letter f) of Regulation 2016/679 requires an in-depth analysis of the given factual situation. First, it should be assessed whether there is a legitimate interest on the part of the controller or a third party. In accordance with the position of W. Chomiczewski expressed in the commentary to Regulation 2016/679 entitled "Legally justified interest as a premise legalizing data processing - concept" (LEX/el. 2018), "For the implementation of the purpose resulting from the controller's interest understood in this way, processing must be necessary. This means a reasonable need to achieve this purpose. It should be assessed both in relation to processing in general and to the processing of individual categories of personal data. In the next step, it should be assessed whether the planned implementation of the purpose resulting from the controller's or a third party's legitimate interest may violate the interests, fundamental rights or freedoms of the data subject that require personal data protection. Processing on the basis of art. 6 sec. 1 letter f of the general regulation will not be permissible if, after making the above assessment, it turns out that the interests, fundamental rights and freedoms of the data subject that require personal data protection override the legitimate interests of the controller or a third party".

Taking the above into account, together with the previous findings regarding the analysed case, the Controller's reliance on art. 6 section 1 letter f) of Regulation 2016/679 as the legal basis authorising the implementation of additional video monitoring in the form of 2 monitoring devices in 2 rooms of the Ward (...) must be considered unjustified.

The Administrator's reference to art. 22(2) of the Labor Code as the legal basis authorising the introduction of ad hoc monitoring in 2 rooms of the Ward (...) should also be considered inappropriate. According to the aforementioned provision, the use of monitoring in the workplace is permitted if it is necessary to ensure the safety of employees, the protection of property, production control, or the confidentiality of information whose disclosure could expose the employer to damage. The principles governing the introduction of video surveillance by an employer in the workplace were addressed in the judgment of the European Court of Human Rights of 17 October 2019, López Ribalda and Others v. Spain [Grand Chamber], applications no. 1874/13 and 8567/13, which indicates that, quote: "the employer may apply video surveillance measures in the workplace. These criteria must be applied taking into account the specificity of the employment relationship and the development of new technologies that may enable the adoption of measures that increasingly interfere with the private life of employees. In this context, in order to ensure that video surveillance measures at the workplace are proportionate, national courts should take into account the following factors when balancing the various competing interests:
- whether the employee was notified of the possibility that the employer would introduce video surveillance measures and of the application of such measures: although in practice employees may be notified in different ways, depending on the specific factual circumstances of each case, notification should in principle be clear as to the nature of the monitoring and should take place before it is carried out;
- the scope of the monitoring carried out by the employer and the degree of intrusion into the employee's privacy: in this respect, the extent of the privacy in the place monitored, together with any limitations as to time and area and the number of people having access to the results, should be taken into account;
- whether the employer has put forward legitimate reasons justifying the monitoring and its scope: the more intrusive the monitoring, the more serious the justification required;
- whether it was possible to introduce a monitoring system based on less intrusive methods and means: in this respect, an assessment should be made in the light of the specific circumstances of each case as to whether the objective pursued by the employer could be achieved without interfering with the privacy of employees to such an extent;
- the consequences of monitoring for the employees subject to it: in particular, the employer's use of the monitoring results and whether these results were used to achieve the declared objective of this measure should be taken into account;
- whether the employee was provided with appropriate guarantees, especially when the functioning of the employer's monitoring is of an intrusive nature: such guarantees may take the form of, among others, providing the employees and staff representatives with information about the installation and scope of monitoring, declaring such a measure to an independent body or the existence of the possibility of filing a complaint." [3].

The aspect of respect for the dignity of employees in connection with the introduction of video monitoring in the workplace is the subject of many publications in the doctrine. K. Jaśkowski also commented on this subject matter [in:] E. Maniewska, K. Jaśkowski, Labor Code. Commentary, 11th edition, Warsaw 2019, art. 22(2), art. 22(3), noting that, quote: "Undoubtedly, monitoring the work of employees constitutes an interference with their right to privacy. The commented provisions should therefore be interpreted taking into account the need to balance these conflicting values and interests of both parties to the employment relationship, which means that monitoring as a type of control over an employee by the employer must take into account the need to respect the personal rights of employees, including the right to privacy. In this respect, the standards set by the ECtHR case law to art. 8 ECHR (see, in particular, judgments: of 9 January 2018, 1874/13 and 8567/13, López Ribalda and Others v. Spain, with a comment by M. Mrowicki, LEX no. 2418052; of 28 November 2017, 70838/13, Antović and Mirković v. Montenegro, LEX no. 2398411; judgment of the Grand Chamber of 5 September 2017, 61496/08, Bărbulescu v. Romania, with a comment by M. Mrowicki, LEX no. 2347233; of 3 April 2007, 62617/00, Copland v. the United Kingdom, LEX no. 527588; of 2 August 1984, 8691/79, Malone v. Great Britain, LEX no. 80974)".

According to the information provided by the Administrator in the correspondence to date, the implementation of the monitoring in question was in no way related to ensuring the safety of staff or the protection of property, as the installation of the monitoring devices was justified, quote (...), "solely by reasons related to the need to eliminate and prevent in the future a situation involving a greater than usual number of symptoms of neonatal infections" (the Administrator's declaration in the letter of March 11, 2024). In view of the above, the legal basis indicated by the Administrator does not apply to the factual circumstances of the case established during the administrative proceedings. Taking into account these discrepancies, one may get the impression that the Administrator was aware of the illegality of his actions, and that his actions were therefore intentional and deliberate. At this point, it is worth recalling the position of the Undersecretary of State in the Ministry of Health expressed in the letter of June 3, 2019, reference number SZDL.073.3.2019.CP, in response to the letter of the Patient Rights Ombudsman to the Minister of Health (ref. RzPP-DSD.420.81.2019 RzPP-DSD.420.81.2019.JN.PGE) of May 14, 2019 regarding video monitoring in entities performing medical activities, quote: "However, allowing video monitoring (constant observation of the patient) for the purpose of controlling medical personnel and for other (organisational) purposes other than those directly related to the patient's treatment process and ensuring their safety seems risky. Such recordings, i.e. fixed images of the patient (e.g. in intimate situations), would be a "by-product" of observation of medical personnel and of the application of medical and organisational standards adopted in a given hospital. In this case, there would be an excessive risk of treating the patient as an object and violating the principles of respecting their intimacy, dignity and privacy" [4].

Taking into account the above findings, the position of the President of the UODO is justified that in the analyzed case, the video monitoring used by the Administrator in 2 rooms of the Ward (...) was introduced without meeting the conditions provided for in the applicable provisions of law. There is also no doubt that the personal data of patients covered by the video monitoring in question constituted a special category of personal data (i.e. health data), subject to special protection regulated under art. 9 sec. 1 of Regulation 2016/679, which the Administrator did not effectively comply with. It should be noted that in the course of the proceedings it was not established that the ad hoc video monitoring in 2 rooms of the Ward (...) also recorded sound.

When analysing the case at hand, it is crucial to emphasise and clearly state that the video monitoring used in 2 rooms of the Ward (...) was introduced incorrectly, i.e. in a manner inconsistent with the applicable provisions, and that it blatantly endangered the proper exercise of citizens' rights under the Constitution of the Republic of Poland of 2 April 1997 (Journal of Laws No. 78, item 483, as amended). This is particularly important because, in accordance with Art. 47 of the Constitution of the Republic of Poland, every person has the right to legal protection of their private and family life, honour and good name, and to make decisions about their personal life. It should be emphasised that the right to privacy is one of the fundamental human rights, and its protection is a fundamental element of the system of values. At the same time, claims arising from unauthorised access to information may be pursued under the provisions of civil, criminal and administrative law. The Court of Appeal in Warsaw also commented on the matter in question in its judgment of 19 November 2019, file reference VI ACa 397/18, indicating that "The right to privacy in the light of constitutional regulations is understood primarily through the prism of the autonomy of the individual, derived from the concept of the dignity of the human person, which, in the light of Art. 30 of the Constitution of the Republic of Poland, constitutes the source of all rights and freedoms. The right to the protection of private life, which is the subject of protection under Art. 47 of the Constitution of the Republic of Poland, means the right of the individual to decide about his or her personal life. The individual, as a subject endowed with autonomy of will, has the right to independently designate the area of his or her privacy, in particular to set the limits of the accessibility of his or her personal life and information about it to others. The right to privacy in the aspect of the information autonomy of the individual means the right to decide which information concerning him or her will be available to third parties". Correlated with the above is Article 51 of the Constitution of the Republic of Poland, under which every citizen has the right to the protection of personal data. According to the Court of Appeal in Warsaw (judgment of 23 August 2018, file reference VI ACa 1927/16), "The right to the protection of personal data is an emanation of the right to information autonomy, allowing an individual to control, to a certain extent, the manner and scope of information concerning them that is made available. In the event of its violation, depending on the specific circumstances of the case, it may result in a violation of specific personal rights, subject to a separate regime, protected by the provisions of the Constitution, as well as in particular within the framework of Articles 23 and 24 of the Civil Code". In addition to the rights guaranteed by the Constitution of the Republic of Poland, it is also worth citing Article 20 sec. 1 of the Act of 6 November 2008 on patient rights and the Patient Rights Ombudsman (Journal of Laws of 2024, item 581), which states that a patient has the right to respect for their privacy and dignity, in particular during the provision of health services. It is worth emphasising here that the video monitoring introduced by the Administrator in 2 rooms of the Ward (...) recorded images showing both newborns and their mothers, allowing their images to be recorded also during intimate activities, including feeding or caring for children, which is contrary to the obligation to respect the privacy and dignity of patients referred to above. P. Grzesiewski expressed his views in detail on the interpretation of the above-mentioned legal norm [in:] Patient Rights and the Patient Rights Ombudsman. Commentary, ed. D. Karkowska, Warsaw 2021, art. 20: "At the beginning of the analysis concerning the values protected by art. 20 sec. 1 of the Personal Data Protection Act, it should be noted that this provision regulates two separate rights: to respect for dignity and to respect for intimacy. Dignity and intimacy have not been defined anywhere. When looking for the meaning of these concepts for the purposes of this analysis, one should primarily refer to the case law of the Constitutional Tribunal. Of course, dignity plays the primary role, as the foundation of all freedoms and rights. Intimacy is related to it, as well as to the right to privacy. These terms are objectively related, and their scopes interpenetrate. In the case of dignity, art. 30 of the Constitution of the Republic of Poland is of fundamental importance, in the light of which the inherent and inalienable dignity of a person is the source of freedom and human and citizen rights. The importance of human dignity was also expressed by the legislator in the preamble to the Constitution, calling on all those who apply the Constitution of the Republic of Poland to do so while taking care to preserve the inherent dignity of man. Dignity is inviolable, and its respect (as already indicated) and protection is the duty of public authorities. In order to determine the subject and scope of protection established by art. 20 sec. 1 of the U.P.P., it is important that human dignity cannot be considered exclusively in one conceptual plane.
The case law of the Constitutional Tribunal has established a two-dimensional perception of the constitutionally guaranteed dignity of man: firstly, human dignity, as a transcendent value, primary in relation to other human rights and freedoms (for which it is the source), inherent and inalienable, always accompanies man and cannot be violated either by the legislator or by specific acts of other entities". The same position was presented in the judgment of the Supreme Administrative Court of 25 February 2020, file reference II OSK 3837/19, quoted (...) "Respect for human dignity consists of a number of values. From the point of view of patient rights, respect for dignity consists of the right to privacy. An expression of this right to respect for privacy is such action by an entity providing health services that does not violate this sphere. An excess is the introduction of a patient monitoring system that goes beyond the limits set by law [...]. The patient's right to the protection of privacy and dignity includes granting him the right to be informed about monitoring and to have the right to express or refuse consent to monitoring". Remaining on the subject of respect for dignity, at this point it is worth referring to the report (the result of an audit carried out in 2019-2023) of the Supreme Audit Office entitled "Observance of Patient Rights in the Healthcare System" (ref. KZD.430.1.2024, Reg. No. 15/2024/P/23/047/KZD), published on September 19, 2024, which indicates numerous irregularities in the observance of the right to respect for the privacy and dignity of patients during the provision of health services. The aforementioned audit also covered the issue of video monitoring, and its post-audit conclusions highlight the problem related to image recording in medical entities. The Supreme Audit Office emphasised that, quote: "The limitation of the patient's privacy is the unjustified, excessive use of video monitoring. The audit findings indicate that video monitoring covered rooms in which the regulations in force during the period covered by the audit did not provide for the presence of cameras, and internal regulations regarding video monitoring were sometimes drawn up unreliably. Irregularities in this respect were found in 18% of entities" [5].

To sum up the arguments analysed above, it should be clearly emphasised that the Administrator, during the period of ad hoc video monitoring in the rooms of the Ward (...), processed personal data of patients, including a special category of personal data (i.e. health data), in breach of the applicable provisions of law, i.e. art. 6 sec. 1 and art. 9 sec. 1 of Regulation 2016/679, and consequently in breach of the principle of lawfulness expressed in art. 5 sec. 1 letter a) of Regulation 2016/679 and the principle of accountability referred to in art. 5 sec. 2 of Regulation 2016/679.

II. Information obligation. In the administrative proceedings conducted, the President of the UODO also found a violation by the Administrator of Article 13 paragraphs 1 and 2 of Regulation 2016/679, which concerns the information obligation towards persons whose personal data are processed. In accordance with Article 13 paragraph 1 of Regulation 2016/679, the controller is obliged to provide the persons from whom the personal data are obtained with the following information: its identity and contact details and, where applicable, the identity and contact details of its representative; where applicable, the contact details of the data protection officer; the purposes of the processing of personal data and the legal basis for the processing; if the processing is carried out on the basis of Article 6 paragraph 1 letter (f), the legitimate interests pursued by the controller or by a third party; information on the recipients of the personal data or categories of recipients, if any; and, where applicable, information on the intention to transfer personal data to a third country or an international organisation and on the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available. On the other hand, pursuant to Article 13(2) of Regulation 2016/679, in addition to the information specified in paragraph 1 of that Article, the controller is obliged to provide the data subjects with the following information necessary to ensure fair and transparent processing: the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period; information on the right to request from the controller access to the personal data relating to the data subject, their rectification, erasure or restriction of processing, or the right to object to the processing, as well as the right to data portability; if the processing is carried out on the basis of Article 6 paragraph 1 letter a) or Article 9 paragraph 2 letter a), information on the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal; information on the right to lodge a complaint with a supervisory authority; and information on whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide such data.

After analysing the content of the information clause and the explanations provided in this respect by the Administrator, the Supervisory Authority found that the Medical Centre had not fulfilled the information obligation resulting from the above-mentioned provision of Regulation 2016/679 towards persons whose data were covered by ad hoc video monitoring in 2 rooms of the Ward (...). In accordance with point 4 of the information clause submitted in the letter of 17 August 2023, quote (...) "video monitoring covers the area of the building located at ul. (...) in K. (publicly accessible rooms and key rooms, in accordance with applicable regulations) and the area around this building". The provision formulated in this manner does not provide full and exhaustive information to data subjects as to the actual area covered by video monitoring in the Facility; in particular, it does not directly indicate that monitoring is also used in bed rooms. It should be strongly emphasised that when using video monitoring, a key element is the precise and reliable indication of the rooms in which monitoring devices are installed. The term "key rooms" used by the Administrator is too general and may raise doubts as to its interpretation. The Administrator must also remember that information in this regard is intended for data subjects, and therefore must be understandable to them. In other words, the content of the information clause should clearly indicate in which rooms the video monitoring has been installed. Using the phrase "key rooms" does not meet this requirement, because data subjects do not know (and do not need to know) the conceptual scope of this term, i.e. which rooms the Administrator considers to be key. As the Medical Centre stated in a letter dated October 24, 2023, quote (...) "The said information clause was deliberately constructed in such a way, i.e. with a general approach to rooms that are not publicly available, as "key rooms, in accordance with applicable regulations", in order to meet the requirement of conciseness of the information provided, set out in Art. 12 of the GDPR, referred to in Art. 13 of the GDPR, i.e. the information clause. If a solution were used in which all rooms covered by monitoring were enumerated in the content of the information clause, its volume would be much larger, which would not meet the aforementioned principle of conciseness of information, and moreover, it would become opaque, due to the fact that the list of monitored rooms alone would fill most of its content". At this point, it should be emphasised that the Administrator, through the prism of the analysed case, overinterpreted and distorted Art. 12 sec. 1 of Regulation 2016/679, because the term "key rooms", as shown above, is not understandable to data subjects and therefore does not meet the requirement of transparent information under this provision of Regulation 2016/679. It should be noted here that there cannot be situations in which the Administrator, taking refuge in the principle of conciseness and transparency, does not provide data subjects with full, reliable and understandable information on the processing of their personal data. It should be emphasised that, for data subjects, one of the primary pieces of information they would like to obtain regarding the monitoring used in medical facilities whose services they use is information about the specific rooms in which it is used. From the perspective of data subjects, in addition to the legal basis for processing, this is the most valuable information. Justifying the Administrator's omissions and irregularities in the implementation of the provisions of Art. 13 of Regulation 2016/679 in the manner described above is therefore inadmissible.

It is worth emphasizing that the Controller, taking into account the extensiveness of the information provided, could have applied the layered information clause proposed by the Article 29 Working Party in the Guidelines on Transparency under Regulation 2016/679 of 29 November 2017. Layered fulfilment of the information obligation may be applied in various forms of communication, including digital, telephone or in person, and with different bases of processing. The issue in question was also expressed in the European Data Protection Board Guidelines 3/2019 on the processing of personal data by video devices adopted on 29 January 2020, cited (...) "In light of the amount of information that must be provided to the data subject, data controllers may adopt a layered approach if they decide to use a combination of methods to ensure transparency (WP260, point 35; WP89, point 22). In the matter of video surveillance, the most important information should be placed on the warning sign itself (first layer), and further mandatory details may be made available through other means (second layer)." (p. 28, point 111). At the same time, while remaining on the subject of the information obligation, it should be pointed out that information on the video surveillance used was placed (via an information sticker) only on the main door of the Ward (...), and not directly next to the rooms with ad hoc monitoring installed. The above may mislead patients, patients' visitors and facility employees as to the actual area covered by monitoring. The President of the UODO asked the Administrator twice (letters of September 25 and October 11, 2023) whether the obligation to provide information on the video monitoring used had been fulfilled in relation to the persons covered by monitoring in the above-mentioned rooms of the Department (...), but did not receive an adequate answer. In letters dated 5 and 24 October 2023, the Medical Center only emphasized in enigmatic words that, quote (...) "Users of the rooms where video surveillance was used, including patients, patients' visitors and hospital employees, were informed about the use of video surveillance on the hospital premises through stickers located on the hospital building in places where surveillance was used, containing the said information and referring to the content of the information clause regarding the use of video surveillance, via a QR code redirecting to the website with the clause in question". Meanwhile, as shown above, the information presented in this way did not fulfil its primary purpose, because the data subjects did not know that the scope of surveillance also covered 2 rooms of the Department (...).

The nature of the video surveillance used must also be considered. The information originally provided in the article indicated that the video surveillance introduced in 2 rooms of the Department (...) did not have an open form. According to that information, neither employees nor patients were informed about the implemented monitoring. An additional aspect supporting the above-mentioned statement is the fact that the Administrator used clocks with an image recording function (i.e. a camera installed in the clock enabling image recording) to carry out the above-mentioned activities, as the Administrator informed the supervisory authority in a letter dated August 17, 2023. In the same correspondence, the Administrator indicated that the use of this type of monitoring device enabled quick action and installation (taking into account the need to immediately take appropriate steps in connection with the threat to the safety of newborns), quoted (...) "unlike solutions with wired cameras, the installation of which would require a longer time and undertaking more advanced activities, including construction, which was excluded at that time due to the nature of the Department and the potential inconvenience to its normal functioning". Furthermore, it should be emphasised that the implementation of ad hoc monitoring by installing 2 additional cameras was not carried out on the basis of a schedule and no protocol regarding their installation was prepared in this respect. Another factor remaining in opposition to the open nature of the applied video monitoring is the lack of knowledge of the facility staff about the implemented activities. In accordance with the provisions of the "Policy (...)" in force since 1 April 2019, quote (...) "(...)". When asked by the President of the Personal Data Protection Office in a letter dated 28 February 2024 whether it had informed employees before implementing this monitoring about the introduction of new areas covered by monitoring in accordance with the "Policy (...)", section "Principles (...)", applicable in the organization, the Administrator, in a letter dated 11 March 2024, referred to the above-mentioned issue evasively, providing an inadequate answer, quote (...) "The company's employees were informed about the adoption in (...) of a resolution by the management board of X. on the introduction of changes to the Regulations (...) regarding the introduction of video monitoring on the premises of the workplace from 1 July 2021, pursuant to Art. 22² of the Labour Code. This information was communicated to all employees of the Hospital by e-mail after the adoption of the said resolution" (e-mail sent to all employees of the facility on 25 August 2021). It is worth recalling that ad hoc video monitoring in the rooms of the Department (...) was used from 1 to 23 July 2023; therefore the information provided to employees in 2021 could not have covered the extension of monitoring that took place in 2023.

At this point, it is worth citing the document entitled "Guidelines of the President of the Personal Data Protection Office regarding the use of video monitoring Version 1 June 2018" [6], which emphasizes that, quote (...) "The provisions of the GDPR and national regulations do not allow monitoring to be carried out using hidden cameras. Only law enforcement and special services carrying out activities based on the acts regulating their activities are authorized to conduct covert monitoring. The use of hidden cameras may be considered an excessive form of data processing, and may involve administrative and civil liability, and even criminal liability".

Thus, when analysing the evidence collected, it should be unquestionably stated that the video monitoring used in the above-mentioned area was a hidden monitoring, about which neither patients nor employees of the facility were informed. At the same time, it should be emphasised that the Administrator himself was also aware of the questionable form of implementation of this monitoring, declaring this fact in a letter dated 12 February 2024, quoted (...) "We are aware of the imperfections of the method of ad hoc monitoring used".

Summing up the above considerations, the President of the UODO, based on the evidence collected, stated that the Medical Centre had failed to fulfil its information obligation towards persons covered by ad hoc video monitoring in the rooms of the Department (...), thus violating its obligations arising from art. 13 sec. 1 and 2 of Regulation 2016/679.

III. Principles of security of personal data processing. Article 5(1)(f) of Regulation 2016/679 indicates that personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality"). In accordance with Article 5(2) of Regulation 2016/679, the controller is responsible for compliance with the provisions of paragraph 1 and must be able to demonstrate compliance with them ("accountability").

The above-mentioned principle of confidentiality is specified in further provisions of this Regulation, including Article 24(1) of Regulation 2016/679, which indicates that, taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of breaching the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure that processing is carried out in accordance with Regulation 2016/679 and to be able to demonstrate it. These measures are reviewed and updated where necessary. As follows from Art. 24 par. 1 of Regulation 2016/679, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of breaching the rights and freedoms of natural persons are factors that the controller is obliged to take into account in the process of building a data protection system, in particular also from the point of view of the other obligations indicated in Art. 25 par. 1, Art. 32 par. 1 or Art. 32 par. 2 of Regulation 2016/679. The indicated provisions specify the principle of confidentiality set out in Article 5 paragraph 1 letter f) of Regulation 2016/679, and compliance with this principle is necessary for the proper implementation of the principle of accountability resulting from Article 5 paragraph 2 of Regulation 2016/679.

Pursuant to Article 25 paragraph 1 of Regulation 2016/679, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity of infringements of the rights and freedoms of natural persons resulting from processing, the controller - both when determining the means of processing and at the time of processing itself - shall implement appropriate technical and organisational measures, such as pseudonymisation, designed to effectively implement data protection principles, such as data minimisation, and to provide the processing with the necessary safeguards in order to meet the requirements of this Regulation and protect the rights of data subjects.

It follows from the content of Article 32 paragraph 1 of Regulation 2016/679 that the controller is obliged to apply technical and organisational measures appropriate to the risk of varying likelihood and severity of infringements of the rights and freedoms of natural persons. The provision specifies that when deciding on technical and organizational measures, the state of technical knowledge, the cost of implementation, the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying likelihood and severity should be taken into account. It follows from the cited provision that determining appropriate technical and organizational measures is a two-stage process. First, it is important to determine the level of risk associated with the processing of personal data, taking into account the criteria indicated in Article 32 paragraph 1 of Regulation 2016/679, and then it should be determined what technical and organizational measures will be appropriate to ensure a level of security corresponding to this risk. Those arrangements, where appropriate, should include measures such as pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to promptly restore the availability and access to personal data in the event of a physical or technical incident, and regular testing, measuring and evaluating the effectiveness of technical and organisational measures to ensure the security of processing. In accordance with Article 32(2) of Regulation 2016/679, when assessing the appropriate level of security, the controller shall take into account in particular the risks presented by the processing, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 
Taking into account in particular the scope of personal data processed by the Controller, contained on lost or stolen memory cards placed in video monitoring devices (i.e. image and health data), in order to properly fulfil the obligations imposed by the aforementioned provisions of Regulation 2016/679, the Controller was obliged to take actions ensuring an appropriate level of data protection by implementing appropriate technical and organisational measures to ensure the security of the personal data being processed. The nature and type of these actions should result from the conducted risk analysis, in which the vulnerabilities relating to the resources used and the resulting threats should be identified, and then adequate security measures should be determined. An incorrect estimation of the risk level prevents the application of appropriate security measures for a given resource and increases the probability that the threat materialises. The effect of the above was the loss of control over the personal data of persons whose data was located on lost or stolen memory cards, on which the recording from the video monitoring installed in 2 rooms of the Department (...) was stored.

At the same time, it should be emphasized that due to the nature and specificity of the Department (...), the patients were also children (newborns). This is important because, after the loss or theft of memory cards with recorded images of newborn patients, it cannot be ruled out that the images obtained by an unauthorized person were made public on websites. In the educational campaign it conducted and the published guide entitled "The image of a child on the Internet", the President of the UODO refers to the risks associated with such sharing of images of children, such as cyberbullying or the use of content featuring them for criminal purposes.

It should be noted that Regulation 2016/679 introduced an approach in which risk management is the foundation of activities related to the protection of personal data. Risk management is a continuous process that forces the data controller not only to ensure compliance with the provisions of Regulation 2016/679 through a one-time implementation of organizational and technical security measures, but also to ensure the continuity of monitoring the level of threats and to ensure accountability in terms of the level and adequacy of the introduced security measures. In view of the above, it becomes necessary to be able to prove to the supervisory authority that the solutions introduced to ensure the security of personal data are adequate to the level of risk, and also take into account the nature of the given organization and the mechanisms used for processing personal data. The controller must therefore independently conduct a detailed analysis of the data processing processes conducted and assess the risk, and then apply such measures and procedures that will be adequate to the estimated risk. The consequence of this approach is the need to independently select security measures based on the analysis of threats. Specific security measures and procedures are not indicated to the controllers. Conducting a detailed analysis of the data processing processes conducted and assessing the risk is the responsibility of the Controller, who should then, based on such analysis, apply such measures and procedures that will be adequate to the assessed risk.

In view of the above, a properly conducted risk assessment provides the controller with the ability to determine and implement technical and organizational measures that will eliminate or at least significantly reduce the established level of risk of materialization of identified threats to the processed personal data. The risk assessment conducted by the controller should be documented and justified by the factual circumstances existing at the time of its conduct. The main factors that make up a proper assessment, which should be taken into account during the analysis, are the characteristics of the processing processes taking place, assets, vulnerabilities, threats and current security measures. It should be remembered that factors such as the scope and nature of the personal data processed by the controller are also important when assessing the risk, because they will determine any negative effects on a natural person occurring at the time of a breach of the protection of their personal data. 

The risk analysis provided by the Controller in a letter dated March 11, 2024 in the form of a document entitled "Analysis (...)" (no date of preparation) raises many doubts. The risk analysis conducted by the Medical Center was prepared incorrectly, as it did not take into account the identified vulnerabilities in detail, and the threats related to the processing of personal data in connection with the video monitoring conducted were not correctly and comprehensively identified. As a result, the aforementioned risk analysis did not specify security measures aimed at mitigating the risks related to the video monitoring conducted by the Facility.

Analyzing the submitted document, it should be stated that among the provisions contained in the risk analysis, the Administrator did not indicate the possibility of an event involving the loss or theft of external data carriers (i.e. memory cards). In view of the above, it should be assumed that the Medical Center conducted the aforementioned analysis inadequately, thus failing to take into account the relevant risks related to the video monitoring conducted at the Facility. Therefore, the Controller failed to conduct a risk analysis for the situation that gave rise to the personal data protection breach reported to the President of the UODO, which should be considered inconsistent with the above-quoted provisions of Regulation 2016/679. Meanwhile, as indicated by the Regional Administrative Court in Warsaw in its judgment of 13 May 2021, reference number II SA/Wa 2129/20, "The data controller should, therefore, conduct a risk analysis and assess the threats it is dealing with". The Regional Administrative Court in Warsaw made a similar statement in its judgment of 5 October 2023, reference number II SA/Wa 502/23. In turn, in the judgment of 27 February 2024, reference number II SA/Wa 1404/23, the Regional Administrative Court in Warsaw stated that "(...) there is no doubt that in order for the risk analysis to be carried out properly, the threats that may occur in the data processing process should be properly defined by the controller." It should also be noted here that the Controller had implemented a "System (...)", which also included the procedure (...). The "Procedure (...)" was in force in the organization from April 1, 2019 and, in accordance with the declaration of the Administrator contained in the letter dated March 11, 2024, quoted (...), "the document "Procedure (...)" was not updated after April 30, 2021", when the last modification of the above-mentioned document took place. At the same time, in accordance with the provisions of the analyzed procedure, section "Security (...)" point (...), quoted (...) "(...)". In view of the above, the President of the UODO twice inquired of the Administrator, in letters dated October 11, 2023 and February 28, 2024, whether the lost (i.e. lost or stolen) memory cards on which the video image from the installed cameras was recorded were cryptographically secured in accordance with the guidelines in force in the organization. In letters dated October 24, 2023 and March 11, 2024, the Medical Center responded and confirmed that, quoted (...) "Memory cards from additional monitoring devices were not cryptographically secured".

Also relevant to this case is the document entitled "Description (...)" (date indicated on the document: October 20, 2023), which was submitted to the supervisory authority in a letter dated October 24, 2023. In accordance with the principles specified in the document cited above:
- the internal computer network in which the monitoring is installed has segmentation and access control implemented by software (...),
- monitoring of the operation of individual cameras, recorders and all other devices, software and services important for the proper functioning of the company is implemented by monitoring software (...), which, in addition to notifying about any anomalies in the monitored resources, also records all events,
- additional solutions implemented in the network that increase the level of security, including of data processed in the scope of video monitoring, are vulnerability management systems (...) and a security system (...) together with the service (...).

At the same time, it should be noted that when asked whether the additional monitoring devices installed in the rooms of the Branch in question (...) were configured with the software used in the organization (...), (...) and (...), and whether these cameras were installed in (...), the Administrator replied in the negative, indicating that the quoted (...) "two additional monitoring devices inserted in the rooms of the Branch (...) did not meet the requirements set out in the document attached to the last letter, i.e. "Description (...)" and the additional devices were not configured with the software (...), (...) or (...)".

Therefore, it should be pointed out that, according to the established facts, the Administrator did not comply with its own regulations and procedures related to the introduction of video monitoring and securing data carriers, of which it was fully aware. The Provincial Administrative Court in Warsaw also commented on this subject in its judgment of January 19, 2021, file reference II SA/Wa 702/20, in which it stated that "(...) the data controller should appropriately protect personal data against accidental loss using appropriate technical and organizational measures. Personal data should be processed in a way that ensures appropriate security and appropriate confidentiality, including protection against unauthorized access to them and to the equipment used to process them and against unauthorized use of such data and such equipment (recital 39 of Regulation 2016/679)". It is also worth citing the judgment of the Supreme Administrative Court of 5 July 2024, file reference III OSK 2654/22, in which it was indicated that "(...) the controller was obliged to implement appropriate technical and organizational measures to ensure a level of security corresponding to this risk. The implementation of such measures should be understood as the introduction of safeguards that will be adequate to the assumed risk, ergo will prevent violation of the principles of personal data processing under normal conditions. In the circumstances of this case, it was not about preventing the loss of personal data carriers, but about preventing their disclosure in the event of such loss".

Risk management (conducting a risk analysis and implementing appropriate security measures on this basis) is one of the basic elements of the personal data protection system and is a continuous process. In the case in question, the Administrator did not apply technical and organizational measures guaranteeing an appropriate level of security of the processed data located on lost or stolen memory cards. At this point, it is necessary to refer to the judgment of the Supreme Administrative Court of 6 December 2023, file reference III OSK 2931/21, which emphasized that the quoted (...) “Unquestionably "appropriate" under Article 32 sec. 1 GDPR technical and organizational measures are not effective measures in every case, but rather measures that could have been objectively required of a given entity (administrator or processor) at the time and in the circumstances of access to personal data”.

At the same time, attention should be drawn to the information provided by the Administrator indicating that, quoted (...) "For over a dozen years, the Company has had a management system certificate confirming that it has introduced and applies an Information Security Management System compliant with the requirements of PN-EN ISO/IEC 27001:2017-06, undergoing annual audits (the last one in October 2022). Obtaining these certificates is preceded by external audits verifying, among other things, compliance with procedures in the scope of, among others, video monitoring in the Hospital". Thus, it must be a cause for concern that a medical facility with such a certificate has violated the provisions of Regulation 2016/679 in the scope in question as a result of an incorrectly conducted risk analysis and failure to comply with its own procedures for securing data carriers.

In light of the findings made during these proceedings, it should be indicated that the Administrator, by failing to apply technical and organizational measures ensuring an appropriate level of security of the processed data, which resulted in a breach of personal data protection reported to the President of the Personal Data Protection Office, violated Art. 5 par. 1 letter f) of Regulation 2016/679, reflected in the form of the obligations specified in Art. 24 par. 1, Art. 25 par. 1, Art. 32 par. 1 and Art. 32 par. 2. The consequence of the violation of Art. 5 par. 1 letter f) of Regulation 2016/679 is a violation of the principle of accountability expressed in Art. 5 paragraph 2 of Regulation 2016/679. As follows from the judgment of the Provincial Administrative Court in Warsaw of 10 February 2021, file reference II SA/Wa 2378/20, "The principle of accountability is therefore based on the legal responsibility of the controller for the proper fulfilment of obligations and imposes on him the obligation to demonstrate, both to the supervisory authority and to the data subject, evidence of compliance with all data processing principles". The principle of accountability is interpreted similarly by the Provincial Administrative Court in Warsaw in its judgment of 26 August 2020, file reference II SA/Wa 2826/19: "Taking into account all the provisions of Regulation 2016/679, it should be emphasized that the controller has significant freedom in the scope of applied security measures, but at the same time is liable for violating the provisions on personal data protection. It results directly from the principle of accountability that it is the controller who should demonstrate, and therefore prove, that he complies with the provisions specified in Art. 5 paragraph 1 of Regulation 2016/679."

When assessing the circumstances of the personal data protection breach in question, it should be emphasised that when applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this Regulation (expressed in Article 1 paragraph 2) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In the event of any doubts, e.g. as to the performance of obligations by controllers - not only in a situation where a personal data protection breach has occurred, but also when developing technical and organisational security measures to prevent it - these values should be taken into account first.

IV. Administrative fines. A. Conduct subject to administrative fines. Application of Article 83 paragraph 3 of Regulation 2016/679.

Taking into account the above findings and the identified violations of the provisions of Regulation 2016/679, the President of the UODO, exercising his authority specified in Article 58 paragraph 2 letter i) of Regulation 2016/679, according to which each supervisory authority has the authority to apply, in addition to or instead of other corrective measures provided for in Article 58 paragraph 2 letters a)-h) and letter j) of this Regulation, an administrative fine under Article 83 paragraph 4 letter a) and paragraph 5 letters a) and b) of Regulation 2016/679, taking into account the circumstances established in the proceedings in question, stated that in the case at hand there were grounds justifying the imposition of an administrative fine on the Controller. The administrative proceedings conducted by the President of the Personal Data Protection Office serve to verify the compliance of data processing with the provisions on the protection of personal data and are aimed at issuing an administrative decision in order to apply the remedial powers specified in Article 58 paragraph 2 of Regulation 2016/679.

In accordance with Article 83 paragraph 4 letter a) of Regulation 2016/679, infringements of the provisions concerning the obligations of the controller and the processor referred to in Articles 8, 11, 25 - 39 and 42 and 43 are subject, in accordance with paragraph 2, to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - of up to 2% of its total annual global turnover from the previous financial year, whichever is higher.

In accordance with Article 83 paragraph 5 letters a) and b) of Regulation 2016/679, infringements of the provisions concerning the basic principles of processing, including the conditions for consent, referred to in Articles 5, 6, 7 and 9, and the rights of data subjects referred to in Articles 12 to 22, shall be subject to an administrative fine of up to EUR 20 000 000 in accordance with paragraph 2, or in the case of an undertaking, of up to 4% of its total annual worldwide turnover in the previous financial year, whichever is higher.

Article 83 paragraph 3 of Regulation 2016/679 provides that where the controller or processor, intentionally or negligently, in the context of the same or related processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount of the fine for the most serious infringement.

In connection with the finding in this case of numerous infringements of the provisions of Regulation 2016/679 (Article 6 par. 1, Article 9 par. 1, Article 13 par. 1 and 2, Article 24 par. 1, Article 25 par. 1 and Article 32 par. 1 and 2, as well as Article 5 par. 1 letters a) and f) and Article 5 par. 2), the President of the UODO is authorised to apply one or more corrective measures specified in Article 58 par. 2 of Regulation 2016/679. These powers of the supervisory authority include the power to apply, in addition to or instead of other measures referred to in that provision, an administrative pecuniary penalty under Article 83, depending on the circumstances of a specific case. The circumstances of this case, in particular the seriousness of the infringements found, as will be discussed in the following parts of the justification, indicate that it will be appropriate and necessary to exercise this power.

In determining the specific sanctions for the infringements found in this case, the President of the UODO used the guidance contained in the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR (version 2.1) adopted on 24 May 2023, hereinafter referred to as the "Guidelines 04/2022". The first step of the methodology for calculating administrative fines adopted therein is to "determine the processing operations in a given case and assess the application of Article 83 paragraph 3 of the GDPR" (see paragraph 17 of the Guidelines 04/2022). Expanding on this guidance in paragraph 24 of its guidelines, the EDPB recommends first determining: a) whether the circumstances indicate a single conduct or multiple conducts subject to sanction; b) in the case of a single conduct, whether this conduct constitutes a single infringement or multiple infringements; c) in the case of a single conduct that constitutes multiple infringements, whether the attribution of one infringement excludes the attribution of another infringement or whether they should be attributed in parallel.

The interpretation of the concept of "single conduct" is contained - in reference to Article 83.3 of Regulation 2016/679, which refers to "the same or related processing operations" - in paragraph 28 of the Guidelines 04/2022. According to it, "[t]he term 'related' refers to the principle according to which one conduct may consist of several parts which are implemented as a result of a single act of will and are contextually (in particular as regards the identity of the data subject, the purpose and nature of the processing), spatially and temporally so closely linked that from an objective point of view they can be considered as one coherent conduct".

Referring the above provisions of Regulation 2016/679 and the guidelines contained in Guidelines 04/2022 to the circumstances of this case, the President of the UODO stated the following.

1. The President of the UODO found that the actions of the Medical Center considered in this case, namely the implementation of ad hoc video monitoring in two rooms of the (...) Ward in a manner inconsistent with the applicable provisions (constituting an infringement of Art. 6 sec. 1 and Art. 9 sec. 1 of Regulation 2016/679) and the failure to fulfil the information obligation towards the persons whose personal data were covered by that recording (constituting an infringement of Art. 13 sec. 1 and 2 of Regulation 2016/679), constitute "one coherent conduct" within the meaning presented by the EDPB. Both of these actions of the Facility (which at the same time constitute an infringement of Art. 5 sec. 1 letter a) and Art. 5 sec. 2 of Regulation 2016/679) are, in the opinion of the President of the UODO, the result of a single act of will of the Administrator, who decided to implement a temporary process of processing personal data by means of video surveillance that, by assumption, was not to be disclosed to the data subjects, and not to fulfil the information obligation towards those data subjects. That the above-mentioned processing operations constituting the subject of the considered infringements of Regulation 2016/679 (Article 6 paragraph 1, Article 9 paragraph 1, Article 13 paragraphs 1 and 2) are related processing operations within the meaning of Article 83 paragraph 3 of Regulation 2016/679 is indicated not only by their being covered by a single act of will of the Medical Center, but also by the common context of this processing. In the opinion of the President of the Personal Data Protection Office, these processing operations are linked by:
a) the purpose of processing: it was to eliminate the causes of, and prevent a future increase in, the number of symptoms of infections among newborns hospitalised in the rooms of the (...) Ward;
b) the nature of processing: the monitoring used in the rooms of the (...) Ward was, by the assumption adopted by the Medical Centre, of a covert nature (this is evidenced by the devices used, i.e. clocks with an image recording function, and by the failure to comply with the obligation to inform about the introduction of monitoring in the above-mentioned area); the failure to fulfil the information obligation towards the persons whose data was processed in this way was a natural and logical consequence of the covert nature of the processing assessed in this case;
c) the level of risk of the processing, which was increased in relation to the other processes of processing by the Medical Centre of the personal data of its patients, visitors, employees, etc.; the increased risk results from the fact that this processing was not subject to the technical and organisational security measures normally applied by the Medical Centre to its other data processing operations (in particular, the monitoring, recording and transfer of personal data originating from the covert monitoring took place outside the IT systems and procedures intended, and therefore appropriately secured, for this type of activity carried out on personal data originating from the "open" monitoring conducted in other rooms and parts of the Medical Centre);
d) the identity of the data subjects: the processing covered by all infringements relating to the conduct of the Medical Centre consisting in the use of covert monitoring (Article 6 paragraph 1, Article 9 paragraph 1 and Article 13 paragraphs 1 and 2 of Regulation 2016/679) concerns the personal data of the same, precisely defined group of people, i.e. patients, their families, visitors and staff of the Facility staying in two specific rooms of the (...) Ward;
e) the temporal context of processing: the duration of the unlawful processing of personal data by means of covert monitoring, and therefore the duration of all violations identified in relation to this processing, is the same and precisely defined, namely the period from 1 to 23 July 2023.
Having therefore found that, firstly, the actions of the Medical Centre consisting in implementing and allowing the operation of ad hoc and covert video monitoring and failing to fulfil the information obligation towards the persons covered by this monitoring constitute one coherent conduct (which results from their being covered by one act of will and from the context of the processing covered by that act of will), and, secondly, that this conduct violates several provisions of Regulation 2016/679 (Article 6 par. 1, Article 9 par. 1, Article 13 par. 1 and 2, and, as a consequence, Article 5 par. 1 letter a) and Article 5 par. 2), it should further be stated that none of these identified violations excludes, in the opinion of the President of the UODO, attributing another of them to the Medical Centre. In particular, the finding of an infringement of the provisions defining the basic, general principles of processing (in this case Article 5 paragraph 1 letter a) and Article 5 paragraph 2 of Regulation 2016/679) does not exclude the attribution to the controller (and the imposition of a financial penalty for it) of an infringement of the specific provisions concretising those principles (Article 6 paragraph 1, Article 9 paragraph 1, Article 13 paragraphs 1 and 2 of Regulation 2016/679). The above therefore allows the above-mentioned infringements to be attributed to the Medical Centre "in parallel": none of them excludes the attribution to the Medical Centre of the remaining ones. In such a situation, the provision of Article 83 paragraph 3 of Regulation 2016/679 will apply to all the infringements indicated above.

2. The actions (omissions) of the Medical Center leading to the infringement of Article 24 paragraph 1, Article 25 paragraph 1, Article 32 paragraphs 1 and 2 and, consequently, Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679 constitute "one coherent conduct" within the meaning presented by the EDPB in paragraph 28 of Guidelines 04/2022 and, at the same time, do not form one conduct together with the actions considered above leading to the infringement of Article 6 paragraph 1, Article 9 paragraph 1, Article 13 paragraphs 1 and 2 (and Article 5 paragraph 1 letter a) and Article 5 paragraph 2) of Regulation 2016/679. This is evidenced by the following circumstances:
a) The infringements of Article 24 par. 1, Article 25 par. 1, Article 32 par. 1 and 2 and, as a consequence, Article 5 par. 1 letter f) and Article 5 par. 2 of Regulation 2016/679 were not (unlike the conduct related to the implementation of covert monitoring considered above) the result of a specific act of will, a single decision of the Medical Centre. Their source was the inadvertent failure to take actions implementing and enforcing the application of measures to protect personal data stored on external data carriers (in particular on the memory cards used in the video surveillance cameras). This omission, made already at the stage of determining the means of processing, where it was expressed in the incorrect analysis of the risk associated with the processing processes used in the Facility (and already constituting an infringement of Art. 25 par. 1 of Regulation 2016/679), continued during the processing itself (additionally leading to a violation of Art. 24 par. 1 and Art. 32 par. 1 and 2 of the Regulation). It was an ongoing state caused not so much by a single act of will as by the lack of a single, specific decision of the Medical Centre that could have prevented the infringement of all the provisions considered here (Art. 24 par. 1, Art. 25 par. 1, Art. 32 par. 1 and 2 and, as a consequence, Art. 5 par. 1 letter f) and Art. 5 par. 2 of Regulation 2016/679).
b) As indicated above, the conduct of the Medical Centre leading to the violation of Art. 24 par. 1, Art. 25 par. 1, Art. 32 par. 1 and 2 and, as a consequence, Art. 5 par. 1 letter f) and Art. 5 par. 2 of Regulation 2016/679 is a continuous and long-term situation. Its conduct related to the use of covert video monitoring (resulting in a violation of Art. 6 par. 1, Art. 9 par. 1, Art. 13 par. 1 and 2 and, as a consequence, Art. 5 par. 1 letter a) and Art. 5 par. 2 of Regulation 2016/679), on the other hand, was an ad hoc, short-term action, intended to be one-off and time-limited. Such a different temporal context of the two behaviours (resulting in the infringements of the two groups of provisions of Regulation 2016/679) does not allow them to be treated as one coherent conduct of the Medical Centre.
c) The purpose and nature of the processing in connection with which the infringements of Art. 24 par. 1, Art. 25 par. 1, Art. 32 par. 1 and 2 and, as a consequence, Art. 5 par. 1 letter f) and Art. 5 par. 2 of Regulation 2016/679 occurred were the same for all of these infringements. They were found in connection with the processing of personal data recorded in electronic form on portable data carriers, and the purpose of that processing was to store personal data on external media or, possibly, to transfer them between other electronic devices (computers, cameras, servers, etc.). The purpose of processing defined in this way distinguishes this conduct from the conduct related to the use of covert video surveillance, the purpose of which was to use personal data from visual recordings in order to raise the level of medical care in the Facility.
d) The processing operations that were the subject of the two types of conduct of the Medical Centre (leading to the violations of the two groups of provisions of Regulation 2016/679) concerned the personal data of different groups of people. As indicated above, the processing related to covert video surveillance violated the protection of the personal data of a specific, defined and relatively small number of people who were in the two rooms covered by this monitoring. The processing of personal data on unsecured portable data carriers, however, could threaten the protection of the personal data of all persons whose data was in the possession of the Medical Centre and could be processed in this way (the data of all patients, all employees, all persons whose images were obtained using video monitoring, including monitoring conducted in accordance with Regulation 2016/679, etc.). Moreover, this threat concerned the data of all these persons in the full scope of the data held by the Medical Centre.

Having therefore found that, firstly, the Medical Centre's omissions consisting in the failure to apply (both at the design stage and during processing) appropriate technical and organisational measures ensuring a level of security appropriate to the risk of data processing using external data carriers constitute one coherent conduct, and, secondly, that this conduct violates several provisions of Regulation 2016/679 (Art. 24 par. 1, Art. 25 par. 1, Art. 32 par. 1 and 2 and, consequently, Art. 5 par. 1 letter f) and Art. 5 par. 2), it should further be stated that none of these identified infringements excludes, in the opinion of the President of the UODO, attributing another of them to the Medical Centre. In particular, the finding of an infringement of the provisions setting out the basic, general principles of processing (in this case Art. 5 par. 1 letter f) and Art. 5 par. 2 of Regulation 2016/679) does not exclude the attribution to the controller (and the imposition of a financial penalty for it) of a breach of the detailed provisions concretising these principles (Article 24 paragraph 1, Article 25 paragraph 1, Article 32 paragraphs 1 and 2 of Regulation 2016/679), although no administrative fine is imposed for the breach of Article 24 paragraph 1, since that provision is not mentioned in Article 83 paragraphs 4 to 6 of Regulation 2016/679. The above therefore allows the above-mentioned breaches to be attributed to the Medical Centre "in parallel": none of them excludes the attribution to the Medical Centre of the remaining ones. In such a situation, the provision of Article 83 paragraph 3 of Regulation 2016/679 will apply to all the above-mentioned breaches.

3. Because two separate acts of the Medical Centre (not concerning the same or related processing operations) are subject to punishment in this case, the provision of Article 83 par. 3 of Regulation 2016/679 will not apply to the coincidence of the two groups of infringements of Regulation 2016/679. As a consequence, the sum of the two penalties imposed for the infringement of the two groups of provisions may exceed the amount of the penalty (the maximum threat) for one of them (the infringements in both groups are equally serious, because each group includes infringements subject to the "more serious" penalty of up to EUR 20 000 000 or up to 4% of total annual worldwide turnover). It should be pointed out here that the only reason the infringements of Article 6 par. 1, Article 9 par. 1, Article 13 par. 1 and 2 (and Art. 5 par. 1 letter a) and Art. 5 par. 2) of Regulation 2016/679 are considered alongside the infringements of Art. 24 par. 1, Art. 25 par. 1, Art. 32 par. 1 and 2 (and Art. 5 par. 1 letter f) and Art. 5 par. 2) of Regulation 2016/679 in one proceeding (and assessed in one decision of the President of the UODO) is that they were identified during the proceedings concerning the notification of a personal data breach consisting in the loss or theft of memory cards from video surveillance devices. These infringements do not concern the same or related processing operations within the meaning of Art. 83 par. 3 of the GDPR; they are considered in a single decision because they came to the attention of the President of the Personal Data Protection Office at the same time, within the framework of proceedings already underway. Since separate conduct of the Medical Centre is at issue, there would be no obstacle to covering them with separate proceedings and separate decisions imposing sanctions for the identified violations. As stated in Guidelines 04/2022, such a situation excludes the application of the limitation of the total amount of the administrative fine to the (maximum) amount of the fine for the most serious violation, resulting from Article 83 paragraph 3 of Regulation 2016/679 (see paragraph 45 of Guidelines 04/2022).

4. To sum up the above:
a) The President of the UODO found in this case that the Medical Centre had, by one conduct (described in point 1 above), violated several provisions of Regulation 2016/679 (Article 6 par. 1, Art. 9 par. 1, Art. 13 par. 1 and 2 and, as a consequence, Art. 5 par. 1 letter a) and Art. 5 par. 2 of Regulation 2016/679). Article 83 par. 3 of Regulation 2016/679 was applied to all of these violations; however, since all of them are punishable (in abstracto) by the same penalty under Article 83 par. 5 of Regulation 2016/679 (up to EUR 20 000 000 or up to 4% of annual turnover), all of them are assigned the same seriousness. Consequently, it is not possible to impose for these infringements a fine higher than the maximum fine for one of them (EUR 20 000 000, given the need to adopt the so-called "static maximum penalty" with respect to the Facility; see point 5 on page 40 of the justification of this decision).
b) By separate conduct (described in point 2 above) the Medical Centre violated further provisions of Regulation 2016/679 (Article 24 par. 1, Article 25 par. 1 and Article 32 par. 1 and 2 and, as a consequence, Article 5 par. 1 letter f) and Article 5 par. 2 of Regulation 2016/679). Because of the distinct nature of this conduct of the Administrator, the President of the UODO did not consider these infringements together with the previous ones and imposed a separate administrative fine for them. It should be noted that infringements of Art. 25 sec. 1 and Art. 32 sec. 1 and 2 of Regulation 2016/679 are subject to the penalty under Art. 83 sec. 4 of Regulation 2016/679 (up to EUR 10 000 000 or 2% of annual turnover). However, infringements of those provisions also result in a breach of the principles of integrity and confidentiality and of accountability, expressed respectively in Art. 5 sec. 1 letter f) and Art. 5 sec. 2 of Regulation 2016/679, which are punishable by the penalty specified in Article 83 paragraph 5 of Regulation 2016/679 (up to EUR 20 000 000 or 4% of annual turnover). Consequently, it is not possible to impose for all of these infringements a penalty higher than the maximum penalty for the most serious of them (i.e. the infringement of Art. 5 paragraph 1 letter f) and Art. 5 paragraph 2, punishable by a penalty of up to EUR 20 000 000, given the need to adopt the so-called "static maximum penalty" with respect to the Institution; see point 5 on page 49 of the justification of this decision).

B. Justification for imposing and determining the amount of the administrative fine for violating the provisions of Art. 6 par. 1, Art. 9 par. 1 and Art. 13 par. 1 and 2 of Regulation 2016/679, which resulted in a violation of Art. 5 par. 1 letter a), and consequently also Art. 5 par. 2 of Regulation 2016/679.

The administrative fine against the Administrator was imposed for violating Art. 5 par. 1 letter a), Art. 5 par. 2, Art. 6 par. 1, Art. 9 par. 1 and Art. 13 par. 1 and 2 of Regulation 2016/679 – on the basis of Art. 83 par. 5 letters a) and b) of this Regulation.

At the same time, the administrative fine of PLN 687,534.75 (in words: six hundred eighty-seven thousand five hundred thirty-four zlotys and 75/100), imposed on the Administrator jointly for the infringement of all the above provisions, pursuant to Article 83 paragraph 3 of Regulation 2016/679, does not exceed the amount of the fine for the most serious infringement found in this case, i.e. the infringement of Article 5 paragraph 1 letter a) and Article 5 paragraph 2 of Regulation 2016/679, which, pursuant to Article 83 paragraph 5 letter a) of Regulation 2016/679, is subject to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking, of up to 4% of its total annual worldwide turnover of the preceding financial year. When deciding to impose an administrative fine, the President of the Personal Data Protection Office, pursuant to Article 83 paragraph 2 letters a) to k) of Regulation 2016/679, took into account the following circumstances of the case, which make it necessary to apply this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a of Regulation 2016/679). In the opinion of the President of the Personal Data Protection Office, this infringement is of significant importance and serious nature, because the Administrator is a medical entity that provides medical services for a fee and is obliged to provide patients with a sense of security. An entity of trust, which the Medical Center undoubtedly is, should be expected to be familiar with the regulations and to apply them properly, as well as to provide a higher standard of service. This facility, by unlawfully processing the personal data of patients, patients' visitors and employees through two additional monitoring devices installed in the rooms of the (...) Ward, violated the principle of lawfulness of data processing referred to in Art. 5 sec. 1 letter a) of Regulation 2016/679, and consequently also the principle of accountability resulting from Art. 5 sec. 2 of Regulation 2016/679. Moreover, it should be emphasised that the Administrator did not fulfil the information obligation, referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, towards the persons whose image was recorded. The above means that the Medical Center violated not only the basic obligations imposed by Regulation 2016/679 on controllers, but also posed a gross threat to the proper exercise of the rights granted to citizens under the Constitution of the Republic of Poland.
In this case, there is no evidence to indicate that the persons (patients, employees of the Facility) whose data were recorded by the video monitoring devices installed in two rooms of the (...) Ward suffered material damage; however, the unlawful processing of their personal data, without informing them about it, constitutes non-material damage (harm) for them, e.g. by violating their personal rights, such as mental well-being or the right to privacy. It should also be emphasised that the Administrator's action in question constituted a gross violation of the privacy and dignity of patients due to the hidden nature of this monitoring. According to the information provided by the Administrator in the correspondence, the ad hoc video monitoring at the (...) Ward operated from 1 to 23 July 2023 (this is at the same time the period of the state of violation of Regulation 2016/679), recording the image of 190 people, including 30 patients, 60 statutory representatives of patients, 97 staff members and 3 students undergoing internships (in accordance with the information provided in the supplementary form for reporting a personal data breach).

2. Intentional nature of the infringement (Article 83 paragraph 2 letter b of Regulation 2016/679). In accordance with Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted on 24 May 2023, version 2.1), "(...) "intentionality" includes both knowledge and deliberate action, in connection with the characteristics of a prohibited act (...)" (p. 20, point 55). The explanatory proceedings conducted, and the explanations and evidence obtained during them, confirm that the Controller, when implementing the ad hoc video monitoring, did not comply with its own applicable procedures related to the functioning of the monitoring conducted so far at the Facility, of which it was fully aware. This was also confirmed by the Administrator itself in a letter dated February 12, 2024, in which it stated: (...) "We are aware of the imperfections of the ad hoc monitoring method used". At the same time, it should be recalled that the video monitoring installed in 2 rooms of the (...) Ward was intended to be covert monitoring, i.e. employees, patients and visitors were not to learn about the introduction of the monitoring. Despite being aware of the applicable law and of the procedures implemented at the facility regarding video monitoring, the Administrator deliberately did not include regulations regarding the installation of additional cameras in the above-mentioned area, which additionally supports the assumption of intentionality. In view of the above, it should be undoubtedly recognised that the analysed violation of Regulation 2016/679 was an intentional action of the Medical Center.

3. Categories of personal data concerned by the breach (Article 83 paragraph 2 letter g of Regulation 2016/679). The personal data covered by the ad hoc video monitoring installed in 2 rooms of the (...) Ward were images of patients, patients' visitors and staff of this medical facility. It should be noted that the specificity of the area in which the image recording devices were installed is associated with many intimate situations related to the postnatal period of patients and their newborn children. This means that the personal data processed as part of the monitoring also constitute data subject to special protection under Article 9 paragraph 1 of Regulation 2016/679 (i.e. health data). This imposes on the controllers of such data the obligation to treat this information in a special way, also because of the possible negative consequences for the data subjects in the event of its disclosure to unauthorised persons, including discrimination or loss of reputation.

In this context, it is necessary to refer to the Guidelines 04/2022, which indicate that: "As regards the requirement to include the categories of personal data concerned by the breach (Article 83 paragraph 2 letter g) of the GDPR), the GDPR clearly indicates the types of data that are subject to special protection and therefore a more rigorous response when imposing fines. This applies at least to the types of data covered by Articles 9 and 10 of the GDPR and data outside the scope of these articles, the dissemination of which immediately causes damage or discomfort to the data subject (...)" (p. 21, point 57).

4. The manner in which the supervisory authority learned of the breach (Article 83 paragraph 2 letter h of Regulation 2016/679). The supervisory authority received information about the potential breach of personal data protection provisions on August 3, 2023, after the publication of an article on the website of the (...) service regarding the practices of the Medical Center in connection with the monitoring system used by this entity in 2 rooms of the (...) Department, and not directly from the Controller. In connection with the fact that the President of the UODO obtained knowledge about the possibility of the Facility conducting activities inconsistent with applicable legal provisions, including the provisions of Regulation 2016/679 from media reports, in the opinion of the supervisory authority, this circumstance can be treated as having an aggravating effect on the amount of the administrative fine imposed. When determining the amount of the administrative fine, the President of the UODO found no grounds for taking into account any mitigating circumstances that could have an impact on reducing the final amount of the fine imposed on X. with its registered office in K.

The other circumstances indicated below, referred to in Article 83 paragraph 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were considered by the President of the UODO to be neutral in his opinion, i.e. having neither an aggravating nor a mitigating effect on the amount of the administrative fine imposed.

1. Actions taken to minimise the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679). In the context of this premise, what matters is action by the Controller aimed at minimising the damage suffered by the data subjects covered by the ad hoc video monitoring in 2 rooms of the (...) Ward. The President of the UODO did not note any such actions of the Controller in this case. In view of the presented factual circumstances, this circumstance should be categorised as neutral.

2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by it under Article 25 and 32 (Article 83 paragraph 2 letter d of Regulation 2016/679). This administrative fine was imposed on the Controller for violating the provisions of Article 5 paragraph 1 letter a) of Regulation 2016/679 (principle of legality, fairness and transparency), Art. 5 sec. 2 of Regulation 2016/679 (principle of accountability) in connection with Art. 6 sec. 1, Art. 9 sec. 1 and Art. 13 sec. 1 and 2 of Regulation 2016/679. The issue of the security principles of the processed personal data and the technical and organizational measures applied by the Controller were not the subject of analysis in this respect. 

3. Any relevant previous violations by the controller (Art. 83 sec. 2 letter e of Regulation 2016/679). The President of the UODO did not find any previous violations of the personal data protection regulations on the part of the Medical Center, therefore there is no basis to treat this circumstance as an aggravating factor. It is the duty of every administrator to comply with the law, and therefore the lack of previous violations cannot be a mitigating circumstance when imposing sanctions.

4. The degree of cooperation with the supervisory authority in order to eliminate the breach and mitigate its potential negative effects (Article 83 paragraph 2 letter f of Regulation 2016/679). The President of the UODO points out that at the time the explanatory proceedings were initiated (by a letter from the supervisory authority dated 7 August 2023), the Administrator had already ceased the ad hoc video monitoring in 2 rooms of the (...) Ward, and thus the infringement of Regulation 2016/679. The infringement was therefore eliminated without prior action by the authority, which means that the Administrator's degree of cooperation with the authority cannot be assessed. Such a factual situation cannot constitute an aggravating or mitigating circumstance when imposing sanctions.

5. Compliance with previously applied measures in the same case, referred to in art. 58 sec. 2 of Regulation 2016/679 (art. 83 sec. 2 letter i of Regulation 2016/679). Before issuing this decision, the President of the UODO did not apply any measures listed in art. 58 sec. 2 of Regulation 2016/679 to the Controller in the case at hand, and therefore the controller was not obliged to take any actions related to their application, and which actions, assessed by the President of the UODO, could have an aggravating or mitigating effect on the assessment of the identified infringement.

6. Application of approved codes of conduct under art. 40 of Regulation 2016/679 or approved certification mechanisms under art. 42 of Regulation 2016/679 (art. 83 sec. 2 letter j of Regulation 2016/679). X. with its registered office in K. does not apply approved certification mechanisms referred to in art. 42 of Regulation 2016/679. Furthermore, during the proceedings, the Facility did not inform the supervisory authority whether it applies approved codes of conduct referred to in art. 40 of Regulation 2016/679. It should be emphasised that their implementation and application is not – as provided for in the provisions of Regulation 2016/679 – obligatory for controllers and processors, and therefore the circumstance of their non-application cannot be considered to the detriment of the Controller in this case. In favour of the Controller, however, the circumstance of adopting and applying such instruments as means guaranteeing a higher than standard level of protection of processed personal data could be taken into account.

7. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly in connection with the infringement or losses avoided (Article 83 paragraph 2 letter k of Regulation 2016/679). The President of the UODO did not find that the controller gained any financial benefits or avoided such losses in connection with the infringement. There is therefore no basis for treating this circumstance as aggravating the controller. The finding of the existence of measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed decidedly negatively. On the other hand, the failure of the controller to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that cannot be mitigating for the Controller by its nature. This is confirmed by the very wording of the provision of Article 83 paragraph 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - those that occurred on the side of the entity committing the infringement.

8. Other aggravating or mitigating factors applicable to the circumstances of the case (Article 83 paragraph 2 letter k) of Regulation 2016/679). The President of the UODO, in a comprehensive consideration of the case, did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the administrative fine imposed.

Finally, it is necessary to indicate that when determining the amount of the administrative fine in this case, the President of the UODO applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with the guidelines set out in this document:

1. The President of the UODO categorized the violation of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). Among the provisions of Regulation 2016/679 violated by the Medical Center is the provision of Article 5 paragraph 1 letter a) of Regulation 2016/679 specifying the basic principles of processing. Infringement of this provision belongs – in accordance with Article 83 paragraph 5 letter a) of Regulation 2016/679 – to the category of violations punishable by the higher of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 20,000,000 or up to 4% of the total annual turnover of the enterprise in the previous financial year). They are therefore more serious than other infringements (indicated in Article 83 paragraph 4 of Regulation 2016/679).

2. The President of the UODO assessed the infringement found in this case (in particular the infringement of the basic principles of processing) as an infringement with a high level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, these premises were taken into account among those listed in Article 83 paragraph 2 Regulation 2016/679, which concern the subject of the infringements (they constitute the "seriousness" of the infringement), i.e.: the nature, gravity and duration of the infringements (Article 83 paragraph 2 letter a) of Regulation 2016/679), the intentional or unintentional nature of the infringements (Article 83 paragraph 2 letter b) of Regulation 2016/679) and the categories of personal data concerned by the infringements (Article 83 paragraph 2 letter g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. It should be noted here that considering their combined impact on the assessment of the infringement found in this case, taken as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is high. The consequence of this is the adoption, as the starting amount for calculating the penalty, of a value ranging from 20% to 100% of the maximum amount of the penalty that may be imposed on the Medical Center, i.e., taking into account the limit specified in Article 83 paragraph 5 of Regulation 2016/679, from EUR 4,000,000 to EUR 20,000,000 (see Subchapter 4.2.4 of Guidelines 04/2022). The President of the UODO considered the amount of EUR 10,000,000.00 (equivalent to PLN 43,653,000) to be an adequate starting amount justified by the circumstances of this case.

3. The President of the UODO adjusted the starting amount corresponding to the high seriousness of the identified infringement to the turnover of the Medical Center, as a measure of its economic power (see Chapter 4.3 of Guidelines 04/2022). In accordance with Guidelines 04/2022, in the case of undertakings with an annual turnover of EUR 10-50 million, the supervisory authority may consider further calculating the amount of the fine based on a value between 1.5% and 10% of the starting amount. Considering that the turnover of the Medical Center in 2023 amounted to PLN (…) i.e. EUR (…) (at the average exchange rate of 29 January 2024), the President of the UODO considered it appropriate to adjust the amount of the fine subject to calculation to a value corresponding to 3% of the starting amount, i.e. EUR 300,000.00 (equivalent to PLN 1,309,590.00).

4. The President of the UODO assessed the impact of the remaining circumstances (apart from those included above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022) on the established infringement. These circumstances, which may have an aggravating or mitigating impact on the assessment of the infringement, refer – as the Guidelines 04/2022 assume – to the subjective side of the infringement, i.e. to the entity itself that committed the infringement and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The President of the UODO, taking into account the high seriousness of the infringement, considered that the aggravating circumstance in this case is the manner in which the authority found out about the infringement (Article 83 paragraph 2 letter h) of Regulation 2016/679). The supervisory authority, when conducting the analysis in this case, did not take into account any mitigating circumstances that would have an impact on reducing the amount of the sanction. The remaining premises (from Article 83 paragraph 2 letters c), d), e), f), i) and k) of Regulation 2016/679) - as indicated above - had no impact, neither mitigating nor aggravating, on the assessment of the infringement and, consequently, on the amount of the penalty. Due to the existence of an aggravating circumstance in the case, it is therefore justified to correct the amount of the penalty established taking into account the turnover of the Medical Center (item 3 above); in the opinion of the President of the UODO, the impact of these premises on the assessment of the infringement is to increase it by 5% - to the amount of EUR 315,000.00 (equivalent to PLN 1,375,069.50).

5. The President of the UODO stated that the amount of the administrative fine determined in the manner presented above does not exceed – in accordance with Article 83 paragraph 3 of Regulation 2016/679 – the legally defined maximum amount of the fine provided for the most serious infringement (see Chapter 6 of Guidelines 04/2022). As indicated above, the most serious infringement in this case is the infringement of Article 5 paragraph 1 letter a), punishable by an administrative fine of up to EUR 20 000 000, and in the case of an undertaking – of up to 4% of its total annual worldwide turnover in the previous financial year, whichever is higher. The President of the UODO determined that the "dynamic maximum amount" for this infringement and for this perpetrator of the infringement expressed as a percentage (4%) of its turnover would amount to EUR (...), therefore, in this case, the "static maximum amount" for the infringement in question should be applied - as higher - amounting to EUR 20,000,000. The above amount of EUR 315,000.00 clearly does not exceed EUR 20,000,000.

6. Despite the fact that the amount of the penalty determined in accordance with the above principles does not exceed the legally specified maximum penalty, the President of the UODO considered that it requires additional correction due to the principle of proportionality referred to in Article 83 paragraph 1 of Regulation 2016/679 as one of the three penalty directives (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine equivalent to EUR 315,000.00 would be an effective penalty (due to its severity, it would achieve its repressive purpose, which is to punish unlawful conduct) and a deterrent penalty (effectively discouraging both the Medical Center and other controllers from committing future infringements of the provisions of Regulation 2016/679). However, such a penalty would be - in the opinion of the President of the UODO - a disproportionate penalty due to its excessive severity. The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see points 137 and 139 of the Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of the specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...]; Commentary to Article 83 [in] P. Litwiński (ed.) General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary). Therefore, taking into account the proportionality of the penalty, the President of the UODO further reduced the amount of the penalty – to 50% of the amount obtained after taking into account aggravating circumstances (see point 4 above), i.e. to EUR 157,500.00 (equivalent to PLN 687,534.75). In his opinion, such a determination of the final amount of the imposed penalty will not reduce its effectiveness and deterrent nature. This amount is a threshold above which a further increase in the amount of the penalty will not result in an increase in its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the penalty could be at the expense of its effectiveness and deterrent nature, as well as the coherent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities on the EU and EEA internal market.

C. Justification for imposing and determining the amount of the administrative fine for violating the provisions of Article 25 sec. 1 and art. 32 sec. 1 and 2 of Regulation 2016/679, which resulted in a violation of art. 5 sec. 1 letter f), and consequently art. 5 sec. 2 of Regulation 2016/679.

The administrative fine against the Administrator was imposed for the violation of art. 25 sec. 1 and art. 32 sec. 1 and 2 of Regulation 2016/679 on the basis of the above-mentioned art. 83 sec. 4 letter a) of Regulation 2016/679, while for the violation of art. 5 sec. 1 letter f) and art. 5 sec. 2 of Regulation 2016/679 – on the basis of art. 83 sec. 5 letter a) of that regulation.

At the same time, the administrative fine of PLN 458,356.50 (in words: four hundred fifty-eight thousand three hundred fifty-six zlotys and 50/100), imposed on the Administrator jointly for the infringement of all the above provisions - pursuant to the provisions of Article 83 paragraph 3 of Regulation 2016/679 - does not exceed the amount of the fine for the most serious infringement found in this case, i.e. infringement of Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679, which, pursuant to Article 83 paragraph 5 letter a) of Regulation 2016/679, is subject to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - of up to 4% of its total annual global turnover from the previous financial year. When deciding on the imposition of an administrative fine, the President of the UODO – in accordance with Article 83 paragraph 2 letters a) - k) of Regulation 2016/679 – took into account the following circumstances of the case, which necessitate the application of this type of sanction in this case and have an aggravating effect on the amount of the administrative fine imposed:

1. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage they suffered (Article 83 paragraph 2 letter a of Regulation 2016/679). The infringement of personal data protection regulations found in this case, which resulted (and still results) in the possibility of obtaining unauthorised access to data located on unsecured external data carriers (i.e. memory cards) by an unauthorised person or persons (breach of the principle of confidentiality), is of significant importance and serious nature, as it creates a high risk of negative consequences for data subjects. The Medical Center's breach of its obligations to apply security measures to protect the processed data from being made available to unauthorized persons entails not only a potential but also a real possibility of using this data by third parties without the knowledge and against the will of the data subject, contrary to the provisions of Regulation 2016/679. Moreover, by the time this decision is issued, the lost or stolen external data carriers have not been found, so an unauthorized person or persons may still have access to the personal data stored on this carrier. The violation of the provisions and principles concerning the protection of personal data in connection with their processing by the Facility within the framework of its business activity in the field of medical services without implementing adequate technical and organizational measures (violation of art. 32 sec. 1 and sec. 2 of Regulation 2016/679) is also of significant importance due to the significant scale of data processing by the Facility and the type of activity it performs, and thus also the scope of the processed data (data of special categories, including health data). 
It should be emphasized once again that the Medical Center provides medical services in Poland, including in the scope of (...). This fact determines the scope of data processed by it, the disclosure of which may cause particular damage to the persons concerned. It should also be noted that the data processed by the Administrator constitute medical confidentiality, which also affects the necessity to assume a significant nature and gravity of the violation. Moreover, the violations of the provisions of Regulation 2016/679 identified during the explanatory proceedings and then as a result of the administrative proceedings resulted in a violation of the principle of integrity and confidentiality (Article 5 paragraph 1 letter f) of Regulation 2016/679), i.e. the obligation to process the personal data of employees, patients and their visitors in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures, as well as the principle of accountability (Article 5 paragraph 2 of Regulation 2016/679), which is why they were of significant importance and serious nature due to the fact that all the above-mentioned organisational and technical measures are of fundamental importance for ensuring the security of data processing in technical and organisational terms. In this case, there is no evidence to indicate that the persons (patients, their visitors and the Company's employees) to whose data third parties gained access have suffered material damage, however, the breach of the confidentiality of their data itself constitutes non-material damage (harm) for them, e.g. by violating their personal rights, such as mental well-being, the right to privacy, etc. 
Natural persons whose data have been obtained in an unauthorized manner as a result of a breach of personal data protection may at least feel a fear of losing control over their personal data, identity theft or identity fraud, discrimination (health data) or finally - financial loss. As indicated by the District Court in Warsaw in its judgment of 6 August 2020, file reference XXV C 2596/19, the fear, i.e. loss of security, constitutes real non-material damage associated with the obligation to repair it. In turn, the Court of Justice of the EU in its judgment of 14 December 2023 in Natsionalna agentsia za prihodite (C-340/21) stressed that "Article 82(1) of the GDPR must be interpreted as meaning that the fear of possible use by third parties in a manner constituting a misuse of personal data, which the data subject has as a result of an infringement of that regulation, may in itself constitute "non-material damage" within the meaning of that provision".

It should also be emphasized that the Controller conducted an incorrect risk analysis, as shown above, as a result of which it did not apply appropriate security measures to ensure the protection of personal data processed using external data carriers (i.e. memory cards). The duration of the infringement of the provisions of Regulation 2016/679 covered the period of operation of ad hoc video monitoring in 2 rooms of the Department (...), i.e. from 1 to 23 July 2023.

When analysing the case in question, the Authority took into account the fact that the personal data contained on the lost data carrier concerned 190 people, including 30 patients, 60 statutory representatives of patients, 97 staff members and 3 students undergoing internships (in accordance with the declaration of the Administrator in the supplementary form for reporting a breach of personal data protection), however, it should be emphasised that in accordance with the adopted guidelines aimed at harmonising the methodology used by supervisory authorities when calculating the amount of a financial penalty, it is obliged to assess the premise referred to in Article 83 paragraph 2 letter a) of Regulation 2016/679 comprehensively, i.e. take into account in its assessment the total gravity, nature and duration of the infringement of the provisions of Regulation 2016/679, the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them. As it results from the Guidelines 04/2022 (chapter 4.2.1. point iv), when analysing all the elements constituting the infringement, the number of data subjects on whom the infringement has a specific, but also, importantly, potential impact should also be taken into account. Considering the circumstances in question, the Authority may consider that the quoted (...) "the infringement is of a "systemic" nature and may therefore have an impact, even at different times, on additional data subjects who have not filed complaints or notifications with the supervisory authority. The supervisory authority may, depending on the circumstances of the case, take into account the ratio of the number of affected data subjects to the total number of data subjects in a given context (e.g. the number of citizens, customers or employees) in order to assess whether the breach is of a systemic nature".
Taking into account the above EDPB guidelines, the failure of the Controller to ensure an adequate level of security of the processed personal data, as an accepted practice in the organisation despite only one identified case of a personal data breach, could potentially concern all patients and employees and therefore be of a systemic nature (the above-mentioned persons could potentially be exposed to the loss of confidentiality of their data processed on external data carriers). The supervisory authority was therefore justified in assessing this circumstance as an aggravating factor.

2. Unintentional nature of the breach (Article 83 paragraph 2 letter b of Regulation 2016/679). The loss of control over the personal data of persons whose data is located on lost or stolen external data carriers (i.e. memory cards) became possible as a result of the Medical Center's failure to comply with the obligation to apply appropriate security measures to ensure the protection of this data. In the opinion of the supervisory authority, this constitutes the unintentional nature of the breach, resulting from the negligence of the Administrator, who did not properly conduct a risk analysis in the area covered by the personal data protection breach. In this case, the Facility should have taken into account that the adopted solutions would not ensure an adequate level of personal data security, which may lead to a violation of the provisions on personal data protection.

Taking into account the findings in the case that is the subject of this decision, it should be stated that the Facility did not act intentionally, but nevertheless it was negligent, resulting in a significant increase in the risk of breaching the availability and confidentiality of the processed data, which is evidence of gross negligence and constitutes a significant circumstance that has an aggravating effect on the amount of the administrative fine.

3. Categories of personal data concerned by the breach (Article 83 paragraph 2 letter g of Regulation 2016/679). The personal data contained on the missing or stolen unencrypted memory cards included, among others, images of patients, patients' guests and the staff of the Ward (...) recorded by monitoring devices in the bed rooms. It should also be stated that the specificity of the area in which the image recording devices were installed (image recording during the provision of health services) was associated with many intimate situations related to the postnatal period of patients and their newborn children. The above means that the personal data contained in the memory cards in question also constituted data subject to special protection under Article 9(1) of Regulation 2016/679, as they constitute health data. This imposes on the controllers of this data the obligation to treat this information in a special way, also due to the possible negative consequences for the data subjects in the event of their disclosure to unauthorized persons, including their discrimination or loss of good name.

In this context, it is worth recalling the Guidelines 04/2022, which indicate that: "As regards the requirement to take into account the categories of personal data concerned by the infringement (Article 83(2)(g) of the GDPR), the GDPR clearly indicates the types of data that are subject to special protection and therefore a more rigorous response when imposing fines. This applies at least to the types of data covered by Article 9 and 10 of the GDPR and data not covered by these articles, the dissemination of which immediately causes damage or discomfort to the data subject (...)". (p. 21, point 57).

When determining the amount of the administrative fine, the President of the UODO found no grounds to take into account any mitigating circumstances that could have an impact on reducing the final amount of the fine imposed on X. with its registered office in K.

The other circumstances indicated below, referred to in art. 83 sec. 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the UODO to be neutral in his opinion, i.e. having neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine.

1. Actions taken to minimize the damage suffered by data subjects (Article 83 paragraph 2 letter c of Regulation 2016/679). The Controller, in accordance with the declaration set out in section 10 of the supplementary breach notification, informed that on September 15, 2023, it completed the process of notifying persons whose data were covered by the breach in question (i.e. identified persons staying in the rooms covered by the recordings on memory cards), thus properly fulfilling the obligation imposed on the controller in Article 34 paragraph 1 of Regulation 2016/679. It should be emphasized that the mere fulfillment by the Medical Center of the above obligation to inform data subjects of the occurrence of a personal data protection breach cannot be interpreted as a mitigating factor and having a lowering effect on the amount of the administrative fine imposed.

2. The degree of responsibility of the controller, taking into account the technical and organisational measures implemented by it under Article 25 and 32 (Article 83 paragraph 2 letter d of Regulation 2016/679). In this case, the President of the UODO found that the Medical Centre had violated the provisions of Article 25 paragraph 1 and Article 32 paragraphs 1 and 2 of Regulation 2016/679. In his assessment, the controller bears a high degree of responsibility for failing to implement appropriate technical and organisational measures that would have prevented a breach of personal data protection. It is obvious that, in the considered context of the nature, purpose and scope of personal data processing, the Controller did not "do everything that could be expected of it"; thus, it did not fulfil the obligations imposed on it under the provisions of Article 25 and 32 of Regulation 2016/679. In this case, however, this circumstance constitutes the essence of the infringement itself; it is not merely a factor influencing – either as a mitigating or aggravating factor – its assessment. For this reason, the lack of appropriate technical and organizational measures referred to in Article 25 and Article 32 of Regulation 2016/679 cannot be considered by the President of the UODO in this case as a circumstance that could additionally influence a more severe assessment of the infringement and the amount of the administrative fine imposed on the Controller.

3. Any relevant previous infringements by the controller (Article 83 paragraph 2 letter e) of Regulation 2016/679). The President of the UODO did not find any previous infringements of the provisions on personal data protection on the part of the Medical Center, and therefore there is no basis to treat this circumstance as an aggravating factor. It is the duty of every administrator to comply with the provisions of the law, and therefore the lack of previous violations cannot be a mitigating circumstance when imposing sanctions.

4. The degree of cooperation with the supervisory authority in order to eliminate the violation and mitigate its possible negative effects (Article 83 paragraph 2 letter f) of Regulation 2016/679). The President of the UODO does not have information indicating that the Administrator, after reporting the personal data protection violation in question and initiating administrative proceedings, took action to mitigate its negative effects. The Administrator only properly notified the persons whose personal data were covered by the ad hoc monitoring in question in 2 rooms of the Branch (...). In the absence of other evidence indicating the implementation of the above-mentioned activities, the supervisory authority cannot accept the analyzed premise as a mitigating one.

5. The manner in which the supervisory authority learned of the breach (Article 83 paragraph 2 letter h of Regulation 2016/679). The President of the UODO found that the Controller had violated the provisions on personal data protection as a result of the initial notification of a personal data breach made by the Medical Center on July 26, 2023, which was subsequently supplemented on September 15, 2023. By making the notification, the Controller fulfilled its legal obligation, therefore there is no basis to consider that this fact constitutes a mitigating circumstance. As indicated by the EDPB in Guidelines 04/2022 (p. 32), "Pursuant to Article 83 paragraph 2 letter h) of the GDPR, the manner in which the supervisory authority learned of the breach may constitute a significant aggravating or mitigating circumstance. When assessing this aspect, particular weight may be given to the question of whether the controller or processor notified the breach to the supervisory authority on its own initiative, and if so, to what extent, before the supervisory authority was informed of the breach by means of, for example, a complaint or proceedings. This is not relevant where the controller is subject to specific notification obligations (e.g. the obligation to notify a personal data breach under Article 33 of the GDPR). In such cases, the fact that a notification was made should be considered a neutral circumstance" (p. 31, point 98).

6. Compliance with measures previously taken in the same case as referred to in Article 58 paragraph 2 of Regulation 2016/679 (Article 83 paragraph 2 letter i of Regulation 2016/679). Before issuing this decision, the President of the UODO did not apply any of the measures listed in Article 58 paragraph 2 of Regulation 2016/679 to the Controller in the case at hand, and therefore the controller was not obliged to take any action related to their application, and which actions, assessed by the President of the UODO, could have an aggravating or mitigating effect on the assessment of the identified infringement.

7. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679 (Article 83 paragraph 2 letter j of Regulation 2016/679). X. with its registered office in K. does not apply approved certification mechanisms referred to in Art. 42 of Regulation 2016/679. Furthermore, during the proceedings, the Facility did not inform the supervisory authority about the application of approved codes of conduct referred to in Art. 40 of Regulation 2016/679. It should be emphasised that their implementation and application is not, however – as provided for in the provisions of Regulation 2016/679 – obligatory for controllers and processors, and therefore the circumstance of their non-application cannot be considered to the detriment of the Controller in this case. On the other hand, the circumstance of adopting and applying such instruments as means guaranteeing a higher than standard level of protection of the personal data being processed could be taken into account to the Controller's advantage.

8. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits directly or indirectly achieved in connection with the infringement or losses avoided (Article 83 paragraph 2 letter k of Regulation 2016/679). The President of the UODO did not find that the controller gained any financial benefits or avoided such losses in connection with the infringement. There is therefore no basis for treating this circumstance as aggravating the controller. The finding of the existence of measurable financial benefits resulting from the infringement of the provisions of Regulation 2016/679 should be assessed decidedly negatively. On the other hand, the failure of the controller to achieve such benefits, as a natural state, independent of the infringement and its effects, is a circumstance that by its nature cannot be a mitigating circumstance for the Controller. This is confirmed by the very wording of the provision of Article 83 paragraph 2 letter k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - those incurred by the entity committing the infringement.

9. Other aggravating or mitigating factors applicable to the circumstances of the case (Article 83 paragraph 2 letter k of Regulation 2016/679). The President of the UODO, in a comprehensive consideration of the case, did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the administrative fine imposed.

Finally, it is necessary to indicate that when determining the amount of the administrative fine in this case, the President of the UODO applied the methodology adopted by the EDPB in Guidelines 04/2022. In accordance with the guidelines set out in this document:

1. The President of the UODO categorized the violation of the provisions of Regulation 2016/679 found in this case (see Chapter 4.1 of Guidelines 04/2022). The provisions of Regulation 2016/679 violated by the Medical Center include the provisions of Article 5 paragraph 1 letter f) and Article 5 paragraph 2 of Regulation 2016/679, which define the basic principles of processing. Infringement of these provisions belongs – in accordance with Article 83 paragraph 5 letter a) of Regulation 2016/679 – to the category of violations punishable by the higher of the two penalties provided for in Regulation 2016/679 (with a maximum amount of up to EUR 20,000,000 or up to 4% of the total annual turnover of the enterprise in the previous financial year). They are therefore in abstracto more serious than other infringements (indicated in Article 83 paragraph 4 of Regulation 2016/679).

2. The President of the UODO assessed the infringement found in this case (in particular the infringement of the basic principles of processing) as an infringement with a high level of seriousness (see Chapter 4.2 of Guidelines 04/2022). In this assessment, those of the premises listed in Article 83 paragraph 2 of Regulation 2016/679 that concern the subject of the infringements (and thus constitute the "seriousness" of the infringement) were taken into account, i.e.: the nature, gravity and duration of the infringements (Article 83 paragraph 2 letter a) of Regulation 2016/679), the intentional or unintentional nature of the infringements (Article 83 paragraph 2 letter b) of Regulation 2016/679) and the categories of personal data concerned by the infringements (Article 83 paragraph 2 letter g) of Regulation 2016/679). A detailed assessment of these circumstances has been presented above. It should be noted here that considering their combined impact on the assessment of the infringement found in this case, taken as a whole, leads to the conclusion that its level of seriousness (understood in accordance with Guidelines 04/2022) is high. The consequence of this is the adoption, as the starting amount for calculating the penalty, of a value ranging from 20% to 100% of the maximum amount of the penalty that may be imposed on the Medical Center, i.e., taking into account the limit specified in Article 83 paragraph 5 of Regulation 2016/679, from EUR 4,000,000 to EUR 20,000,000 (see Subchapter 4.2.4 of Guidelines 04/2022). The President of the UODO considered the amount of EUR 10,000,000.00 (equivalent to PLN 43,653,000) to be an adequate starting amount justified by the circumstances of this case.

3. The President of the UODO adjusted the starting amount corresponding to the high seriousness of the identified infringement to the turnover of the Medical Center, as a measure of its economic power (see Chapter 4.3 of Guidelines 04/2022). In accordance with Guidelines 04/2022, in the case of undertakings with an annual turnover of EUR 10-50 million, the supervisory authority may consider further calculating the amount of the fine based on a value between 1.5% and 10% of the starting amount. Considering that the turnover of the Medical Center in 2023 amounted to PLN (…) i.e. EUR (…) (at the average exchange rate of 29 January 2024), the President of the UODO considered it appropriate to adjust the amount of the fine subject to calculation to a value corresponding to 3% of the starting amount, i.e. EUR 300,000.00 (equivalent to PLN 1,309,590.00).

4. The President of the Personal Data Protection Office assessed the impact of the remaining circumstances (apart from those taken into account above in the assessment of the seriousness of the infringement) indicated in Article 83 paragraph 2 of Regulation 2016/679 (see Chapter 5 of Guidelines 04/2022) on the established infringement. These circumstances, which may have an aggravating or mitigating impact on the assessment of the infringement, refer – as assumed by Guidelines 04/2022 – to the entity responsible for the infringement, i.e. to the entity itself that committed the infringement and to its conduct before, during and after the infringement. A detailed assessment and justification of the impact of each of these premises on the assessment of the infringement have been presented above. The supervisory authority did not take into account any circumstances, both aggravating and mitigating, that affect the amount of the administrative fine. The remaining conditions (Article 83 paragraph 2 letters c), d), e), f), h), i), j), k)) of Regulation 2016/679) – as indicated above – had no mitigating or aggravating effect on the assessment of the infringement and, consequently, on the amount of the penalty. Due to the lack of aggravating or mitigating circumstances in the case, the President of the UODO did not adjust the established penalty, leaving it at EUR 300,000.00 (equivalent to PLN 1,309,590.00).

5. The President of the UODO stated that the amount of the administrative fine established in the manner presented above does not exceed – in accordance with Article 83 paragraph 3 of Regulation 2016/679 – the legally defined maximum amount of the penalty provided for the most serious infringement (see Chapter 6 of Guidelines 04/2022). As indicated above, the most serious infringement in this case is the infringement of Article 5 paragraph 1 letter f) and Article 5 paragraph 2, punishable by an administrative fine of up to EUR 20,000,000, and in the case of an undertaking – of up to 4% of its total annual global turnover from the previous financial year, whichever is higher. The President of the UODO determined that the "dynamic maximum amount" for this infringement and for this perpetrator of the infringement expressed as a percentage (4%) of its turnover would amount to EUR (…), therefore, in this case – as a higher one – the "static maximum amount" should be applied, amounting to EUR 20,000,000 for the infringement in question. The amount of EUR 300,000.00 indicated above clearly does not exceed EUR 20,000,000.

6. Despite the fact that the amount of the fine determined in accordance with the above principles does not exceed the legally defined maximum fine, the President of the UODO considered that it requires additional correction due to the principle of proportionality listed in Article 83 paragraph 1 of Regulation 2016/679 as one of the three directives on the assessment of the fine (see Chapter 7 of Guidelines 04/2022). Undoubtedly, a fine equivalent to EUR 300,000.00 would be an effective penalty (due to its severity, it would achieve its repressive purpose, which is to punish unlawful conduct) and a deterrent (effectively discouraging both the Medical Center and other controllers from committing future infringements of the provisions of Regulation 2016/679). However, in the opinion of the President of the UODO, such a penalty would be disproportionate due to its excessive severity. The principle of proportionality requires, among other things, that the measures adopted by the supervisory authority do not go beyond what is appropriate and necessary to achieve the legitimate objectives (see points 137 and 139 of the Guidelines 04/2022). In other words: "A sanction is proportionate if it does not exceed the threshold of severity determined by taking into account the circumstances of the specific case" (P. Litwiński (ed.), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [...]; Commentary to Article 83 [in] P. Litwiński (ed.) General Data Protection Regulation. Personal Data Protection Act. Selected sectoral provisions. Commentary). Therefore, taking into account the proportionality of the penalty, the President of the Personal Data Protection Office further reduced the amount of the penalty – to 35% of the amount obtained after taking into account aggravating circumstances (see point 4 above), i.e. to EUR 105,000.00 (equivalent to PLN 458,356.50). In his opinion, such a determination of the final amount of the penalty imposed will not reduce its effectiveness and deterrent nature. This amount is a threshold above which a further increase in the amount of the penalty will not be associated with an increase in its effectiveness and deterrent nature. On the other hand, a greater reduction in the amount of the penalty could take place at the expense of its effectiveness and deterrent nature, as well as the coherent application and enforcement of Regulation 2016/679 and the principle of equal treatment of entities on the internal market of the EU and the EEA.
In the opinion of the President of the UODO, the administrative pecuniary penalties applied in the total amount of PLN 1,145,891.25 (in words: one million one hundred forty-five thousand eight hundred ninety-one zlotys and 25/100) for the infringements of the provisions of Regulation 2016/679 established by this decision fulfil, in the established circumstances of this case, the functions referred to in art. 83 paragraph 1 of Regulation 2016/679, i.e. they will be effective, proportionate and deterrent in this individual case. According to the President of the UODO, the administrative pecuniary penalties imposed on the Medical Centre will be effective because they will lead to a situation in which the Facility will comply with the applicable provisions of the law and will permanently cease violating the provisions on the protection of personal data through the use of video monitoring in the facility (i.e. in bed rooms) without a legal basis. The effectiveness of administrative fines is therefore equivalent to a guarantee that the Controller will, from the moment these proceedings are concluded, treat the requirements of the provisions on personal data protection with the utmost diligence.

The administrative fines applied are also proportionate to the established breach of the provisions of Regulation 2016/679, in particular its seriousness, effect, the number of individuals affected by it and the high risk of negative consequences that these individuals suffer as a result of this breach. The amount of the fines was set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of breach of the administrator's obligations, but on the other hand, it does not cause a situation in which the need to pay it will entail negative consequences in the form of a significant deterioration of the Administrator's financial situation. According to the President of the UODO, the Medical Center should and is able to bear the consequences of its negligence in the area of data protection, hence the imposition of administrative fines is fully justified. 

In the opinion of the President of the UODO, the administrative fines applied meet the conditions referred to in Article 83 sec. 1 of Regulation 2016/679 due to the seriousness of the established breach of the provisions of Regulation 2016/679 in the context of the basic objective of Regulation 2016/679 – protection of fundamental rights and freedoms of natural persons, in particular the right to protection of personal data.

Referring to the amount of administrative fines imposed on the Administrator, the President of the UODO considered that they were proportionate to the financial situation of the Administrator and would not constitute an excessive burden for him. The financial report submitted by the Administrator on 2 April 2024 shows that net sales revenues as at the day ending the financial year 2023 amounted to PLN (…), therefore the administrative fines in this case, imposed in the total amount constitute approx. (…) % of the above amount. At the same time, it is worth emphasizing that the total amount of the fines imposed is only 1.31% of the maximum amount of the fine that the President of the UODO could – applying in accordance with Art. 83 sec. 5 of Regulation 2016/679 the static maximum penalty (i.e. EUR 20,000,000) – impose on the Administrator for the violation of the provisions of Regulation 2016/679 found in this case.

In the opinion of the President of the Personal Data Protection Office, administrative fines will fulfill a repressive function in these specific circumstances, as they will constitute a response to the Medical Center's violation of the provisions of Regulation 2016/679, but also a preventive function, as they will contribute to preventing future violations by the Administrator of the obligations arising from the provisions on the protection of personal data.

In the opinion of the President of the Personal Data Protection Office, the administrative fines applied meet the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679, due to the gravity of the identified violations in the context of the fundamental requirements and principles of Regulation 2016/679 – in particular the principle of legality, reliability and transparency expressed in Art. 5 sec. 1 letter a) of Regulation 2016/679 and the principle of confidentiality and integrity referred to in Art. 5 sec. 1 letter f) of Regulation 2016/679.

Pursuant to the content of Art. 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in Art. 83 of Regulation 2016/679, is calculated in zlotys at the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as of 28 January each year, and in the event that in a given year the National Bank of Poland does not announce the average euro exchange rate on 28 January - at the average euro exchange rate announced in the National Bank of Poland's exchange rate table closest after that date.

Having the above in mind, the President of the Personal Data Protection Office, on the basis of art. 83 sec. 4 letter a) and art. 83 sec. 5 letter a) in connection with art. 83 sec. 3 of Regulation 2016/679 and in connection with art. 103 of the Act of 10 May 2018 on the protection of personal data, for the infringement of:

- art. 6 sec. 1, art. 9 sec. 1, art. 13 sec. 1 and 2 of Regulation 2016/679, which resulted in a violation of Art. 5 par. 1 letter a) and, consequently, also Art. 5 par. 2 of Regulation 2016/679, imposed on Centrum Medyczne – applying the average euro exchange rate of 29 January 2024 (EUR 1 = PLN 4.3653) – an administrative fine in the amount of PLN 687,534.75 (which is the equivalent of EUR 157,500.00),

- Art. 25 par. 1 and Art. 32 par. 1 and 2 of Regulation 2016/679, which resulted in a violation of Art. 5 par. 1 letter f) and, consequently, also Art. 5 par. 2 of Regulation 2016/679, imposed on Centrum Medyczne – applying the average euro exchange rate of 29 January 2024 (EUR 1 = PLN 4.3653) – an administrative fine in the amount of PLN 458,356.50 (equivalent to EUR 105,000.00),

i.e. a total amount of PLN 1,145,891.25 (equivalent to EUR 262,500.00).

The purpose of the imposed administrative fines is to ensure that X., with its registered office in K., complies with the provisions of Regulation 2016/679 in the future and, consequently, conducts data processing in accordance with applicable legal provisions.

In this factual and legal situation, the President of the Personal Data Protection Office decided as in the operative part.