UODO (Poland) - DKE.561.23.2020

From GDPRhub
UODO (Poland) - DKE.561.23.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 31 GDPR
Article 58(1)(e) GDPR
Article 58(2)(i) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(3) GDPR
Article 83(4)(a) GDPR
Article 83(5)(e) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 27.04.2021
Published:
Fine: 22739 PLN
Parties: n/a
National Case Number/Name: DKE.561.23.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Decyzje Prezesa UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish DPA (UODO) imposed a fine of €5000 on a brokerage house for failing to provide the information necessary to carry out an investigation.

English Summary[edit | edit source]

Facts[edit | edit source]

The Polish DPA (The Office for Personal Data Protection) received a complaint from an individual about irregularities in the processing of his personal data by a Bank, consisting in the transfer of the Complainant's personal data - without his consent - to a brokerage house. In order to determine the facts of the case initiated by the complaint, the Office for the Personal Data Protection, on three occasions, summoned the brokerage house to respond to the complaint and to provide explanations. Specifically, it asked the brokerage house about whether it processed the Complainant's data, on what legal basis, and for what purpose. It also asked how the brokerage house sourced the Complainant's data, whether the Complainant objected to processing, and if so, how the brokerage house responded.

The brokerage house claims that it did not receive a summons containing the questions. However, a copy of the summons was twice sent and served to the brokerage house at the address disclosed in the official register. Therefore, the summons sent to the brokerage house were deemed delivered. As a consequence of the failure of the brokerage house to respond to the correspondence addressed to it, the DPA was not able to obtain the information necessary to examine the case. The initiation of proceedings to impose an administrative fine on the brokerage house did not change the situation either, because the brokerage house claims that it did not receive the letter initiating such proceedings either.

Pursuant to Art. 57 GDPR, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of Art. 51 GDPR - monitors and enforces the application of the GDPR on its territory. Within his powers, the President of the Personal Data Protection Office shall investigate complaints brought by data subjects to the appropriate extent and inform the complainant of the progress and the outcome of these proceedings within a reasonable time (Article 57 (1)(f) GDPR). In order to enable the enforcement of such competences, the President of the Personal Data Protection Office has a number of provisions specified in Art. 58 (1) GDPR, authorizing it to conduct proceedings and to obtain from the controller or processor access to any personal data and any information necessary for the performance of its tasks (Article 58 (1) (e) GDPR). Violation of the provisions, consisting in failure to provide the information referred to above, and resulting in a breach of the powers of the supervisory authority specified in Art. 58(1) GDPR, is subject to an administrative fine of up to EUR 20,000,000.

Holding[edit | edit source]

The Polish DPA (The Office for Personal Data Protection) held that the brokerage house breached the powers of the supervisory authority as specified in Art. 58(1) GDPR, and imposed on it an administrative fine of EUR 5,000. The DPA explained that the brokerage house is obliged to organise the receipt of letters in such a way that the correspondence flow is continuous and uninterrupted. Failure to receive summons shall be the responsibility of the organisational unit of the firm. Moreover, the DPA repeated that the obligation to cooperate with the supervisory authority is identical for both controller and processor. This cooperation includes the necessity to provide the supervisory authority with any information in the controller's or processor's possession related to the investigation. The sanctioned brokerage house breached this obligation.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.


        
            
                
                THE CHAIRMAN OF PERSONAL DATA
            
            
                Warsaw, 27
                April
                2021
            
        
        
            DECISION
                    
        DKE.561.23.2020
        Based on Article. 104 § 1 of the Act of June 14, 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended) and Art. 7 sec. 1 and sec. 2, art. 60, art. 101, art. 101a paragraph. 2, art. 103 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), as well as Art. 58 sec. 2 lit. i), art. 83 sec. 1-3, art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) in connection with Art. 31 and art. 58 section 1 lit. e) Regulation of the European Parliament and the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection ) (Journal of Laws UE L 119 of 04/05/2016, p. 1, with the change announced in the Official Journal of the European Union L 127 of 23/05/2018, p. 2) (hereinafter referred to as "Regulation 2016/679"), after conducting the administrative procedure initiated ex officio to impose the imposition on PNP Spółka Akcyjna with its registered office in Warsaw at ul. Marszałkowska 126/134 administrative fine, President of the Office for Personal Data Protection,
finding a breach by PNP Spółka Akcyjna with its registered office in Warsaw at ul. Marszałkowska 126/134, the provisions of art. 31 and art. 58 sec. 1 lit. e) of Regulation 2016/679, consisting in the lack of cooperation with the President of the Personal Data Protection Office in the performance of his tasks and failure to provide access to any information necessary for the President of the Personal Data Protection Office to perform his tasks, i.e. to consider the complaint of Mr. PK on irregularities in the process of processing his personal data, he imposes on PNP Spółka Akcyjna with its registered office in Warsaw at ul. Marszałkowska 126/134 an administrative fine in the amount of PLN 22,739 (in words: twenty two thousand seven hundred and thirty nine zlotys).
SUBSTANTIATION
The Office for Personal Data Protection received a complaint from Mr. PK, hereinafter referred to as the "Complainant", about irregularities in the processing of his personal data by Bank A, hereinafter referred to as "the Bank", consisting in the transfer of the complainant's personal data - without his consent - to the Polish Brokerage House of the Company Akcyjna with its seat in Warsaw at ul. Stanisława Moniuszki 1A (currently: PNP Spółka Akcyjna with its registered office in Warsaw at ul. Marszałkowska 126/134, hereinafter referred to as the "Company").
The President of the Personal Data Protection Office, hereinafter referred to as the "President of the Personal Data Protection Office", as part of the initiated administrative procedure to consider the complaint (under the reference number [...]), asked the Company in a letter of [...] September 2019 to comment - within the deadline 7 days from the delivery of the summons - to the content of the complaint and to answer the following detailed questions regarding the case:

whether the PDM company processes the complainant's personal data, and if so, on what legal basis, to what extent and for what purpose, and for when the data will be processed;
from what source did PDM obtain the Complainant's data;
did the Complainant object to the processing of his data to the Company without his consent, and if so, how did PDM respond to the Complainant's request?

The above letter, addressed to the Company via Poczta Polska and notified twice - on [...] September 2019 and [...] October 2019, was not collected by the Company. It was returned to the sender with the annotation "RETURN not taken on time". In connection with the above, the President of the Personal Data Protection Office - in connection with the wording of Art. 44 § 4 in connection with with art. 45 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended), hereinafter referred to as "k.p.a." - considered them delivered to the Company on [...] October 2019.
On [...] February 2020, the President of the Personal Data Protection Office (UODO) requested the Company again to comment on the content of the complaint and to provide explanations in the matter (by answering questions similar to those in the request of [...] September 2019). This tender offer, addressed to the Company via Poczta Polska and notified twice - on [...] and [...] February 2020, was not received by the Company. It was returned to the sender with the annotation "RETURN not taken on time". In connection with the above, the President of the Personal Data Protection Office - in connection with the wording of Art. 44 § 4 in connection with with art. 45 of the Code of Civil Procedure - considered them delivered to the Company on [...] February 2020
Due to the lack of response to the above requests, the President of the Personal Data Protection Office once again - in a letter of [...] August 2020 - called on the Company to respond to the content of the complaint and to provide explanations on the matter. Also this call, addressed to the Company via Poczta Polska and notified twice - on [...] and [...] August 2020, was not received by the Company. It was returned to the sender with the annotation "RETURN not taken on time". In connection with the above, the President of the Personal Data Protection Office - in connection with the wording of Art. 44 § 4 in connection with with art. 45 of the Code of Civil Procedure - considered them delivered to the Company on [...] August 2020
In the summons of [...] February 2020 and [...] August 2020, the Company was informed that in accordance with Art. 83 sec. 5 lit. e) of Regulation 2016/679, failure to provide access to any personal data and any information necessary for the supervisory body to perform its tasks, resulting in the violation of art. 58 sec. 1 of the Regulation 2016/679 is subject to an administrative fine.
Due to the failure by the Company to provide the information necessary to settle the case no. [...], initiated by the complainant's complaint, the President of the Personal Data Protection Office (UODO) initiated ex officio against the Company, in connection with its breach of the provisions of Art. 31 and art. 58 sec. 1 letter e) of the Regulation 2016/679, administrative proceedings to impose an administrative fine on the Company (ref. DKE.561.23.2020). The Company was informed about the initiation of the procedure by letter of [...] November 2020. This letter, addressed to the Company via Poczta Polska, and notified twice - on [...] and [...] November 2020, was not received by the Company. In connection with the above, the President of the Personal Data Protection Office - in connection with the wording of Art. 44 § 4 in connection with with art. 45 of the Code of Civil Procedure - considered them delivered to the Company on [...] December 2020. The Company was also summoned by the above letter - in order to determine the basis for the penalty, pursuant to Art. 101a paragraph. 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as "u.o.d.o." - to submit the Company's financial statements for 2019 or - in its absence - a statement on the turnover and financial result achieved by the Company in 2019.
Until the date of this decision, the Company has not provided the information necessary to consider the case no. […]. The company did not respond to the letter informing about the initiation of the procedure, ref. No. DKE.561.23.2020 on imposing an administrative fine on the Company.
After considering all the evidence collected in the case, the President of UODO considered the following.
Pursuant to Art. 57 sec. 1 lit. a) Regulation 2016/679, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of art. 51 of the Regulation 2016/679 - monitors and enforces the application of this regulation on its territory. Within his competences, the President of the Personal Data Protection Office examines, inter alia, complaints brought by data subjects shall investigate these complaints to the appropriate extent and inform the complainant of the progress and the outcome of these proceedings within a reasonable time (Article 57 (1) (f)). In order to enable the exercise of such competences, the President of the Personal Data Protection Office is entitled to a number of provisions specified in Art. 58 sec. 1 of Regulation 2016/679, rights in the scope of conducted proceedings, including the right to obtain from the controller or processor access to any personal data and any information necessary for the performance of its tasks (Article 58 (1) (e)). Violation of the provisions of Regulation 2016/679, consisting in failure to provide the information referred to above, resulting in a breach of the powers of the supervisory authority specified in art. 58 sec. 1, is subject to - in accordance with art. 83 section 5 letter e) in fine of Regulation 2016/679 - an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover from the previous financial year, with the higher amount applicable . It should also be indicated that the controller and the processor are obliged - at the request of the supervisory authority - to cooperate with it in the performance of its tasks, as provided for in Art. 31 of Regulation 2016/679. The breach of this obligation is subject to - pursuant to Art. 83 sec. 4 lit. a) Regulation 2016/679 - an administrative fine of up to EUR 10,000,000, and in the case of a company - up to 2% of its total annual worldwide turnover from the previous financial year, with the higher amount being applicable.
Referring the above-mentioned provisions of Regulation 2016/679 to the actual state of the case, it should be considered first whether the Company is the addressee of the obligations referred to in art. 58 sec. 1 lit. e) and art. 31 of Regulation 2016/679, breach of which is subject to an administrative fine pursuant to art. 83 sec. 4 and 5 of Regulation 2016/679. Both of the above-mentioned provisions of Regulation 2016/679 impose procedural obligations - as part of the proceedings conducted by the President of the Personal Data Protection Office - on administrators and processors. The assessment of whether the Company performs the role of the administrator or the entity processing the personal data of the Complainant in the data processing process, which is the subject of the Complainant's complaint, is an element of the facts to be established in the proceedings with reference number […]. In order to establish this, inter alia, circumstances, the President of the Personal Data Protection Office (UODO) sent to the Company - as part of these proceedings - requests for explanations. Due to the lack of explanations on the part of the Company, it is difficult to establish this circumstance. On the other hand, for the purposes of these proceedings, it is sufficient, made in the proceedings with reference number [...] establishing that the Company processed the Complainant's personal data obtained from the Bank in order to offer and conduct the process of purchasing by the Complainant bonds issued by G. S.A. The above was established unequivocally based on the Complainant's statements and the Bank's explanations presented to the Complainant in the letters of [...] March 2019 and [...] May 2019. Therefore, it should be stated that the Company processed the Complainant's personal data either as controller or as a processor. The fact in which of these roles was and is currently performed by the Company while processing the Complainant's personal data, has no bearing on the outcome of this case. The obligations referred to in Art. 31 and art. 58 sec. 1 lit. e) of Regulation 2016/679, and the responsibility for their breach (implemented in this proceeding on the imposition of an administrative fine), are identical for the controller and the processor.
In the present case, in order to establish the facts of the case initiated by the complainant's complaint, the President of the Personal Data Protection Office (UODO) asked the Company three times to comment on the content of the complaint and to provide explanations by answering three questions regarding the case. None of the letters addressed to the Company - to the addresses disclosed in the Register of Entrepreneurs of the National Court Register as addresses for its registered office (of [...] September 2019, [...] February 2020 and [...] August 2020) by the Company received despite their double notification, therefore they were considered delivered to the Company in accordance with Art. 44 § 4 in connection with with art. 45 of the Code of Civil Procedure As a consequence of the Company's failure to take up the correspondence addressed to it, the President of the Personal Data Protection Office did not obtain the information necessary to consider the case no. […]. This state of affairs has not been changed by the initiation of this proceeding (with reference number DKE.561.23.2020) regarding the imposition of an administrative fine on the Company. Also, the letter informing about the initiation of this procedure was not received by the Company.
It should be noted here that the responsibility for not providing the President of the Personal Data Protection Office with the requested information rests with the Company. This is not changed by the fact that the calls addressed by the President of the Personal Data Protection Office to the Company were not finally received by it. The duty of each organizational unit is to ensure such organization of receipt of letters that the course of correspondence is continuous and uninterrupted and only by authorized persons. Negligence in this respect is a burden for this organizational unit (see, for example, the judgment of the Provincial Administrative Court in Gorzów Wielkopolski of October 18, 2018, file reference number II SAB / Go 90/18 - LEX No. 2576144).
In connection with the above, given that the Company processed - as the controller or processor - the personal data of the Complainant, and thus is undoubtedly in possession of the information necessary to consider the Complainant's complaint, it should be stated that it breached its obligation to provide the President of the Personal Data Protection Office with access to information. necessary for the performance of its tasks - in this case, for the substantive settlement of the case no. […]. Such activity of the Company constitutes a violation of Art. 58 sec. 1 lit. e) Regulation 2016/679. This action is at the same time a violation of Art. 31 of Regulation 2016/679. Cooperation with the supervisory authority in the performance of its tasks, which is the subject of the obligation set out in this provision, also includes (and even above all) the obligation to provide the authority - upon its request - with any information held by the controller or the processor related to its investigations. .
Bearing in mind the above findings, the President of the Personal Data Protection Office states that in the present case there are premises justifying the imposition on the Company - pursuant to Art. 83 sec. 5 lit. e) in fine and art. 83 sec. 4 lit. a) Regulation 2016/679 - an administrative fine in connection with the lack of cooperation with the supervisory body in the performance of its tasks (Article 31) and in connection with the Company's failure to provide access to information necessary for the President of the Personal Data Protection Office to perform its tasks (Article 58 (1) (e), that is until the decision in the case with reference number […].
At the same time, in view of the breach by the Company of the provisions of two provisions of Regulation 2016/679 (Art. 31 and Art. 58 (1) (e), pursuant to Art. 83 sec. 3 of this legal act, according to which, if the controller or processor deliberately or unintentionally violates several provisions of this regulation in the same or related processing operations, the total amount of the administrative fine does not exceed the amount of the penalty for the most serious violation, the President of UODO determined the amount of the administrative a fine not exceeding the amount of the penalty for the most serious of these infringements. In the presented facts, the President of the Personal Data Protection Office considered the most serious violation of the Company's failure to provide access to any information necessary to perform its tasks, i.e. violation of Art. 58 sec. 1 lit. e) Regulation 2016/679. The seriousness of this violation is evidenced by the fact that the lack of access to the information that the President of the Personal Data Protection Office (UODO) has demanded and requests from the Company not only prevents a thorough examination of the case, but also results in excessive and unjustified prolongation of the proceedings, which is contrary to the basic principles governing administrative proceedings. - specified in art. 12 sec. 1 k.p.a. principles of insight and speed of proceedings.
Pursuant to art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. It refers in each case to a number of circumstances listed in points a) to k) of the above-mentioned provision. When deciding to impose an administrative fine on the Company and determining its amount, the President of the Personal Data Protection Office (UODO) took into account the following circumstances aggravating the assessment of the infringement:
1. Nature, gravity and duration of the infringement (Article 83 (2) (a) of Regulation 2016/679).
The breach liable to an administrative pecuniary penalty in the present case undermines the system aimed at protecting one of the fundamental rights of a natural person, which is the right to the protection of his personal data, or more broadly, to the protection of his privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are supervisory authorities with tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the performance of these tasks, supervisory authorities have been equipped with a number of control powers, powers to conduct administrative proceedings and remedial powers. On the other hand, controllers and processors have been imposed, correlated with the powers of supervisory authorities, with specific obligations, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to information necessary for the performance of their tasks. The actions of the Company in the present case, consisting in avoiding the receipt of correspondence addressed to it by the President of the Personal Data Protection Office, and resulting in a hindrance and unjustified extension of the proceedings conducted by him, should therefore be considered as detrimental to the personal data protection system, and therefore of great importance and reprehensible character. The significance of the breach is additionally increased by the fact that the breach by the Company was not an incidental event. The company's operation was continuous and long-lasting. It lasts from the expiry of the 7-day deadline for submitting explanations in the first request of the President of the Personal Data Protection Office, ie from [...] October 2019 - until the date of this decision.
2. Intentional or unintentional nature of the breach (Article 83 (2) (b) of Regulation 2016/679).
Due to the fact that none of the requests to provide explanations by the President of the Personal Data Protection Office (UODO) were actually received by the Company, there are no grounds to conclude that the actions of the Company subject to penalty in this case were deliberate. In the opinion of the President of the Personal Data Protection Office, the infringement committed by the Company was unintentional, however, due to the fact that it was a consequence of gross and long-term neglect of its basic obligation by the Company (ensuring that the receipt of letters is organized in such a way that the course of official correspondence takes place continuously and undisturbed) , this circumstance should be assessed negatively and considered aggravating in the context of determining the amount of the sentence imposed.
3. The degree of cooperation with the supervisory authority in order to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679.
In the course of these proceedings (reference number DKE.561.23.2020) regarding the imposition of an administrative fine, the Company did not cooperate with the President of the Personal Data Protection Office. In particular, the Company did not provide the information requested by the President of the Personal Data Protection Office in the proceedings with reference number […], Which could be regarded as an action aimed at remedying the infringement found in the present case. Such a complete lack of cooperation with the President of the Personal Data Protection Office (UODO) still hinders the President of the Personal Data Protection Office from quickly and thoroughly examining the complainant's complaint in the proceedings with reference number […].
The remaining conditions for the assessment of an administrative fine specified in Art. 83 sec. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement made by the President of the Personal Data Protection Office (including: any relevant prior infringements by the controller, the manner in which the supervisory authority learned about the infringement, compliance with the measures previously applied in the same case , the application of approved codes of conduct or approved certification mechanisms, financial benefits gained due to the breach or losses avoided) or due to the specific nature of the breach (relating to the controller's relationship with the supervisory authority and not the controller's relationship with the data subject), could not be taken into account in the present case (including: the number of persons injured and the extent of the damage suffered by them, actions taken by the controller to minimize the damage suffered by data subjects, the degree of responsibility of the controller taking into account the technical measures implemented by them organizational and organizational data, categories of personal data concerned by the breach).
Pursuant to the wording of art. 83 sec. 1 of Regulation 2016/679, an administrative fine imposed by a supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of the Personal Data Protection Office, the penalty imposed on the Company in these proceedings meets these criteria. It will discipline the Company to properly cooperate with the President of the Personal Data Protection Office, both in the further course of proceedings with reference number […] and in any other future proceedings with the participation of the Company before the President of the Personal Data Protection Office. The fine imposed by this decision is - in the opinion of the President of the Personal Data Protection Office - proportional to the severity of the breach found and to the possibility of the Company incurring it without major detriment to its activities. Moreover, this penalty will have a deterrent function; will be a clear signal to the Company, obliged under the provisions of Regulation 2016/679 to cooperate with the President of the Personal Data Protection Office, that disregarding the obligations related to cooperation with him (in particular, obstructing access to information necessary for the performance of his tasks) is a serious breach and, as such, is subject to will be financial sanctions. It should be pointed out here that the imposition of an administrative fine on the Company is - in view of the proceedings of the Company to date, as a party to the proceedings [...] - necessary; is the only measure at the disposal of the President of the Personal Data Protection Office, which will enable access to information necessary in the conducted proceedings.
In view of the failure by the Company to present the financial data requested by the President of the Personal Data Protection Office for 2019, when determining the amount of the administrative fine in this case, the President of the Personal Data Protection Office took into account, pursuant to Art. 101a paragraph. 2 u.o.d.o., the estimated size of the Company and the specificity, scope and scale of its activities.
Pursuant to art. 103 u.o.d.o. the equivalent of the amounts expressed in euro, referred to in Art. 83 of Regulation 2016/679, are calculated in PLN according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table on January 28 of each year, and if in a given year the National Bank of Poland does not announce the average EUR exchange rate on January 28 - according to the average euro exchange rate announced in the table of exchange rates of the National Bank of Poland that is closest after that date. Bearing in mind the above, the President of the Personal Data Protection Office, pursuant to art. 83 sec. 3 and art. 83 sec. 4 letter a) and art. 83 sec. 5 lit. e) Regulation 2016/679, in connection with art. 103 of the Personal Data Protection Act, for the violations described in the operative part of this decision, imposed on the Company - using the average EUR exchange rate of January 28, 2021 (EUR 1 = PLN 4.5479) - an administrative fine in the amount of PLN 22,739 (which is equivalent to EUR 5,000) ).
Considering the above, the President of the Personal Data Protection Office adjudicated as in the conclusion of this decision.
The decision is final. Pursuant to Art. 53 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended), the party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw).
A proportionate fee should be filed against the complaint, pursuant to Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended). Pursuant to Art. 74 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.
In the proceedings before the Provincial Administrative Court, the party has the right to apply for the right of assistance, which includes exemption from court costs and the appointment of an attorney, legal advisor, tax advisor or patent attorney. The right to assistance may be granted at the request of a party submitted prior to the initiation of the proceedings or in the course of the proceedings. The application is free of court fees.
Pursuant to Art. 105 sec. 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from the date the ruling of the administrative court becomes legally binding, to the bank account of the Personal Data Protection Office at NBP, O / O Warsaw, no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 sec. 2 of the aforementioned Act, the President of the Personal Data Protection Office may, upon a justified request of the punished entity, postpone the date of payment of the administrative fine or divide it into installments.

        
              
              
        
        
            2021-05-14