UODO (Poland) - DKE.561.2.2020

From GDPRhub
UODO - DKE.561.2.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 58(1)(e) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 06.07.2020
Published: 16.07.2020
Fine: 1170 EUR
Parties: n/a
National Case Number/Name: DKE.561.2.2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: n/a

The President of the Personal Data Protection Office (UODO) imposed a fine of 5 000 (approx. 1170 EUR) on an individual entrepreneur running a non-public nursery and pre-school for failure to provide the UODO with access to personal data and other information necessary for the performance of its tasks (Article 58(1)(e) GDPR).

English Summary

Facts

The controller notified to the President of the UODO a personal data breach, which consisted in losing access to personal data stored in the run private nursery and pre-school.

Given the lack of information necessary to carry out an assessment of the notification, the supervisory authority requested the controller to clarify the facts three times. The entrepreneur failed to respond to the requests of the President of the UODO.

Dispute

The controller notified a personal data breach to the President of the UODO and should have therefore expected the supervisory authoritie's further communication on the matter. In its assessment of the data breach, the UODO took into account the activity conducted by the controller - the processing concerned personal data related to children, who require special protection.

Holding

The UODO decided that disregarding an obligation to cooperate, on request, with the supervisory authority, especially by hindering access to information necessary for the performance of its tasks, is a serious infringement of Article 58(1)(e) GDPR and as such is subject to an fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Warsaw, 16 July 2020
DECISION
DKE.561.2.2020

Pursuant to Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018. (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(e) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), following an administrative procedure initiated ex officio to impose on Ms A. T. conducting business activity under the name of [...] in administrative Ł., the President of the Office for the Protection of Personal Data, stating the infringement by Mrs A. T. conducting business activity under the name of [...] in Ł., the provision of Article 58(1)(e) of the Regulation 2016/679, consisting in not providing access to personal data and other information necessary for the President of the Office for the Protection of Personal Data to perform his tasks, i.e. to assess the infringement of personal data protection under Article 34(1) and (2) of the Regulation 2016/679 reported by Mrs A. T. conducting business activity under the name [...] in Ł,

imposes on Mrs A. T. conducting business activity under the name [...] in Ł. an administrative fine in the amount of 5.000 PLN (in words: five thousand PLN), which is equivalent to 1.168,39 EUR, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as of January 28, 2020.

EXPLANATORY MEMORANDUM

The Office for the Protection of Personal Data [...] June 2019 received a notification of a personal data protection breach submitted by Mrs A. T. conducting business activity under the name [...] with a permanent place of business in Ł. (hereinafter also referred to as the 'Entrepreneur'). The infringement of personal data protection consisted in the loss by the Entrepreneur of access to personal data stored in the registered office of his institution, i.e. the Non-public Nursery School and Kindergarten [...], located in Ł. The infringement occurred as a result of taking illegal actions, in the opinion of the Entrepreneur, by an external entity, i.e. the intrusion of persons acting on behalf of entity G. Spółka z ograniczoną odpowiedzialnością" Spółka Komandytowa with its registered office in R. (hereinafter also referred to as "the Company"), to the facility during a performance of children for parents. These persons, when handing out leaflets about the alleged debt of the Entrepreneur, informed the gathered about closing the facility and launching a new one in this place. The Company replaced all the locks in the premises at an unknown date, so the Entrepreneur could not open the above mentioned facility. The equipment of the kindergarten, including computers and documentation containing personal data of employees, children attending the kindergarten and nursery school and their legal guardians were closed inside. The Entrepreneur indicated that the infringement concerned about 200 persons and the scope of personal data of the above mentioned persons included: first and last names, parents' first names, date of birth, bank account number, address of residence or stay, PESEL registration number, e-mail address, series and number of ID card, telephone number. In the opinion of the Entrepreneur, there was a high risk of violation of rights or freedoms of natural persons, therefore 120 persons (all legal guardians of children and employees) were notified about the violation by phone or in person.

Due to the lack of information necessary for the President of the Office for the Protection of Personal Data to assess the infringement, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, in the letter of [...] June 2019. (ref. [...] ) addressed to the address of the permanent place of business activity of the Entrepreneur, i.e. [...] (address indicated in the CEiDG), the President of the Office for the Protection of Personal Data (hereinafter also: "President of the Office for the Protection of Personal Data") invited the Entrepreneur to present anonymized content of the notification addressed to the persons concerned by the infringement, in order to determine whether the controller, in accordance with Article 34(1) and (2) of Regulation 2016/679, notified the data subjects of a personal data protection breach.

Moreover, in this letter the President of PDPO indicated to the Entrepreneur that in accordance with Article 34 paragraph 2 of Regulation 2016/679, the notification should clearly and simply describe the nature of the personal data protection breach and contain at least the information and measures referred to in Article 33 paragraph 3 points b), c) and d) of Regulation 2016/679 , i.e: (1) the name and contact details of the data protection officer or other contact point from which more information may be obtained; (2) a description of the possible consequences of the personal data breach; (3) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimise its possible adverse effects.

Letter of [...] June 2019. (ref. [...] [...] July 2019) was returned to the sender with the words 'not returned on time'. Therefore, by letter of [...] July 2019, the President of UODO once again asked the undertaking to provide anonymised content of the notice addressed to the persons concerned. The letter was also addressed to the Entrepreneur at his permanent place of business: […]. [...] the correspondence was sent back to the sender with the words 'the return was not made on time'.

The next letter from the President of UODO dated [...] September 2019 was sent both to the address of the permanent place of business: [...] as well as an address for service: [...] (address for service as indicated in CEiDG). The call was addressed to the Entrepreneur at the address of his permanent place of business: [...], was personally collected by the Entrepreneur [...] September 2019. At this point it should be noted that the notice received by the Entrepreneur [...] September 2019, a letter of [...] September 2019, containing information about the "renewed" sending of the notice to the Entrepreneur. However, the summons addressed to the address for service, [...] October 2019, was sent back to the sender with the annotation 'addressee unknown at the indicated address'. Due to the failure of the Entrepreneur to provide the information necessary to resolve the case under ref. [...], the President of UODO once again, by letter of [...] November 2019 addressed to the address of the permanent place of business, called on the Entrepreneur to present anonymized content of the notice addressed to the persons concerned by the infringement. On December [...], 2019, the correspondence was returned to the sender with the annotation 'return not undertaken on time'. To date, the administrator has not responded to any of the abovementioned notices.

By letter dated [...] September 2019. The entrepreneur was informed that failure to respond to the summonses of the President of UODO may, pursuant to Article 83(5)(e) of Regulation 2016/679, result in an administrative fine.  

In connection with the failure of the Entrepreneur to provide the information necessary to determine whether the controller in accordance with art. 34 sec. 1 and 2 of Regulation 2016/679 notified the data subjects about the violation of personal data protection, the President of PDPO initiated ex officio against the Entrepreneur - pursuant to art. 83 sec. 5 lit. e) of Regulation 2016/679, in connection with the violation by the Entrepreneur of art. 58 sec. 1 lit. a) and e) of Regulation 2016/679 - administrative proceedings to impose an administrative fine (under the signature [...] ). The letter informing about the initiation of the procedure of [...] February 2020 was addressed to the Entrepreneur at its permanent place of business: […]. In that letter, the Entrepreneur was also requested - in order to determine the basis for the penalty, on the basis of Article 101a.1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) - to present a financial statement concerning his activity for 2019 or - in the absence thereof - a statement on the amount of turnover and financial result achieved by him in 2019.

Letters of [...] February 2020. The entrepreneur did not receive it either. On [...] March 2020, the letter was returned to the broadcaster with the words 'not received on time'.  

After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following.

Pursuant to Article 57(1)(a) of Regulation 2016/679, the President of the Office for Personal Data Protection, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, shall monitor and enforce the application of the Regulation on its territory. Within the scope of its competences, the President of PPAs conducts, inter alia, proceedings for the application of Regulation 2016/679 (Article 57(1)(h)), including proceedings for reporting infringements to the supervisory authority (Article 33(1)). In order to enable the President of the PPA to perform his tasks, the President of the PPA has a number of powers, set out in Article 58(1) of Regulation 2016/679, to order the controller and the processor to provide all information necessary for the performance of his tasks (Article 58(1)(a) and the power to obtain from the controller and the processor access to all personal data and all information necessary for the performance of his tasks (Article 58(1)(e). The infringement of the provisions of Regulation 2016/679, consisting in the failure of the controller or the processor to provide access to the data and information referred to above, resulting in the infringement of the authority's powers specified in Article 58(1) (including the right to obtain the data and information necessary for the performance of its tasks), shall be subject, in accordance with Article 83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover in the previous financial year, the higher amount shall apply. It should also be noted that the administrator and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of Regulation 2016/679.

Referring to the above mentioned provisions of Regulation 2016/679 to the facts established in this case and described at the beginning of the justification of this decision, it should be stated that the Entrepreneur, as the controller of personal data of employees, children attending a kindergarten and a nursery school and their legal guardians, processed in a non-public nursery school and kindergarten [...] located in Ł, has breached his obligation to provide the President of the Office for Foreigners with access to information necessary for the performance of his tasks - in this case to assess whether the controller, in accordance with Article 34(1) and (2) of Regulation 2016/679, has notified the data subjects of a personal data protection breach. Such action of the Company constitutes a breach of Article 58(1)(e) of Regulation 2016/679.

The above-described conduct of the Entrepreneur consisting in:

1. three times failure to collect correspondence addressed to the Entrepreneur by the President of UODO (through the Polish Post Office) despite the fact that the Entrepreneur reported a personal data protection breach and should expect the position of the data protection authority in this case,
2. failure to respond to the call of the President of UODO (letter of [...] September 2019 received by the Entrepreneur [...] September 2019) to present anonymized content of the personal data breach notification addressed to the persons concerned,

- indicates a lack of cooperation with the President of the PPA in establishing the facts of the case and correctly resolving it, or at least a gross disregard for his obligations to cooperate with the President of the PPA in the performance of his tasks under Regulation 2016/679. The above statement is further justified by the fact that the Entrepreneur in no way attempted to justify the fact that there was no response to the summons addressed to him.

It should be pointed out here that making it difficult and impossible to gain access to the information which the President of PPAPA requested and demanded from the Entrepreneur, and which is undoubtedly in the Entrepreneur's possession (information with anonymised content of the notice addressed to the persons affected by the infringement), hinders a thorough examination of the case and results in excessive and unjustified prolongation of proceedings.

In view of the above findings, the President of the PPA finds that in the present case there are premises justifying the imposition of an administrative fine on the Entrepreneur - pursuant to Article 83 sec. 5(e) in fine of Regulation 2016/679 - for failure to provide the Entrepreneur with access to information necessary for the President of the PPA to perform his tasks, i.e. to resolve a case under the name [...].

Pursuant to Article 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, a number of circumstances listed in paragraph 2(a) to (k) of the abovementioned provision are referred to. When deciding to impose an administrative fine on an undertaking in the present case and when setting the amount of the fine, the President of UODO took into account the following aggravating circumstances affecting the assessment of the infringement:


1. Nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).

An infringement that is subject to administrative pecuniary sanctions in this case undermines a system designed to protect one of the fundamental rights of the individual, which is the right to the protection of his or her personal data or, more broadly, to the protection of his or her privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, is the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of individuals' rights in this respect. In order to be able to carry out these tasks, supervisory authorities have been equipped with a number of inspection powers, administrative investigation powers and remedial powers. On the other hand, certain obligations are imposed on controllers and processors, correlated with the powers of the supervisory authorities, including the obligation to cooperate with the supervisory authorities and to ensure that they have access to information necessary for the performance of their tasks. Therefore, the actions of the Entrepreneur in the present case, consisting in preventing access to the information requested by the President of UODO, and resulting in hindering and unjustifiably prolonging the proceedings conducted by this authority, should be considered as detrimental to the system of personal data protection, and therefore of great importance and reprehensible nature. The gravity of the infringement is further increased by the fact that the infringement committed by the Entrepreneur was not an incidental event; the Entrepreneur's action was continuous and long-lasting. It lasts from the lapse of the deadline set for submitting explanations in the first letter of the President of UODO of [...] June 2019, to the present day.


    Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).

In the opinion of the President of UODO, there is a lack of willingness on the part of the Entrepreneur to cooperate in providing the authority with all information necessary to resolve the case in the course of which the authority requested it. This is evidenced in particular by the repeated failure to collect correspondence addressed to the Entrepreneur and the lack of response to the only request of the President of UODO received by the Entrepreneur. At this point it should be emphasized that the Entrepreneur was aware of the fact that by not receiving the correspondence and not responding to one of the personally received letters he violated the provision of Article 83(2)(b) of Regulation 2016/679.

It should also be pointed out that receiving correspondence addressed to the Entrepreneur related to the activity conducted by him/her constitutes an obligation which should be required from the entity conducting business activity, in particular when the activity involves processing of children's personal data (requiring special protection, as mentioned in recital 38 of Regulation 2016/679).

It should also be noted that at no stage of [...] proceedings, as well as in the present proceedings, has the Entrepreneur attempted to justify such proceedings. Considering that the Entrepreneur is an entity professionally participating in legal and economic trade, whose activity is related to the processing of personal data (in connection with the type of business activity - day care for children - requiring the acquisition, storage and provision of data of natural persons, in this case employees, children attending a kindergarten and nursery school and their legal guardians), it should be considered that this was and still is a deliberate action of the Entrepreneur preventing the President of UODO from accessing information necessary for the performance of its tasks, which constitutes an infringement of the provisions of Regulation 2016/679.

3. Lack of cooperation with the supervisory authority to remove the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).

In the course of this proceeding concerning the imposition of an administrative fine, there is no cooperation with a supervisory authority on the part of the Entrepreneur. The Entrepreneur has not submitted any explanations to the case ref. [...].  

Other prerequisites for the administrative fine indicated in art. 83. par. 1 of the Regulation 2016/679). The other prerequisites for the administrative fine indicated in Article 83 sec. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement by the President of UODO (including: all relevant previous infringements on the part of the controller, the way the supervisory authority learned about the infringement, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the infringement (concerning the relationship of the controller with the supervisory authority and not the relationship of the controller with the data subject), could not be taken into account in this case (including: the number of persons harmed and the extent of the harm suffered by them, actions taken by the controller to minimise the harm suffered by the data subjects, the degree of responsibility of the controller taking into account the technical and organisational measures implemented by the controller, categories of personal data concerned by the breach).  

According to Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on an Entrepreneur in these proceedings meets these criteria. The penalty imposed on the Entrepreneur should discipline him/her to properly cooperate with the President of UODO, both in the further course of the proceedings under [...] and in any other proceedings conducted in the future with the Entrepreneur before the President of UODO. The penalty imposed by this Decision is, in the opinion of the President of UODO, proportional to the gravity of the infringement found and to the possibility of being borne by the Entrepreneur without major damage to his business. The penalty will also serve as a deterrent; it will send a clear signal both to the Entrepreneur and to other entities obliged under the provisions of Regulation 2016/679 to cooperate with the President of PPA that disregarding the obligations related to cooperation with the President of PPA (in particular, hindering access to information necessary for the performance of his tasks) constitutes a serious infringement and as such will be subject to financial sanctions. At this point it should be pointed out that the imposition of an administrative fine on the Entrepreneur is - in the face of the Entrepreneur's previous conduct as a party to the proceedings [...] - necessary. A financial penalty is a measure at the disposal of the President of UODO, which should enable access to information necessary in the proceedings. 

Due to the failure of the Entrepreneur to present the financial data for 2019 requested by the President of UODO, when determining the amount of the administrative fine in this case, the President of UODO took into account, on the basis of Article 101a sec. 2 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the estimated size of the enterprise and the specificity, scope and scale of its activity.

Pursuant to the wording of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of the Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date. In this case, the exchange rate of PLN 4.2794 for EUR 1 shall apply.

In view of the above, the President of UODO ruled as in the operative part of this decision. 

The decision is final. Pursuant to Article 53(1) of the Law of 30 August 2002. - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325 as amended), a party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00 - 193 Warsaw).

A relative entry must be made against the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to an administrative court shall suspend the execution of a decision on an administrative fine.

In the proceedings before the Provincial Administrative Court, a party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.

Pursuant to Article 105(1) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781), the administrative fine shall be paid within 14 days from the date of expiry of the time limit for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland (NBP O/O Warszawa) no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In case of postponement of the deadline for paying the administrative fine or its distribution in instalments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using the reduced rate of interest for late payment announced pursuant to Art. 56d of the Act of 29 August 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.