UODO (Poland) - DOKE.561.1.2023

UODO - DOKE.561.1.2023
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.06.2023
Published:
Fine: 33012 PLN
Parties: n/a
National Case Number/Name: DOKE.561.1.2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: nho23

The Polish DPA imposed a fine of €7,000 on a controller for failing to comply with a request to provide it with information and grant it access to personal data in accordance with Article 58(1)(a) and (e) GDPR.

English Summary

Facts

The data subject filed a complaint with the Polish DPA, claiming that the controller illegally made their personal data available to third parties. The DPA opened a procedure and requested information from the controller.

In particular, the DPA asked: whether the controller was processing the data subject's personal data and if so, what data, on what legal basis and for what purpose; whether the controller made these data available to third parties and, if so, when, on what legal basis, for what purpose and to which entities.

Despite having received two letters requesting the information and advising that failure to comply with the request would result in the opening of a sanctioning procedure for breaching the duty of cooperation with the supervisory authority, the controller did not provide any information.

As a result, the DPA opened an ex officio procedure.

Holding

Initially, the DPA assessed whether the controller was the addressee of the obligations contained in Article 58(1)(a) and (e) GDPR. According to the DPA, both provisions impose obligations on controllers and processors within the context of procedures conducted by supervisory authorities.

The DPA recalled that it used its investigative power to request information from the controller in the course of an investigation regarding an alleged violation of the GDPR, warning that failure to comply with this request would constitute an infringement in itself.

Then, the DPA highlighted that it is irrelevant whether the complaint presented by the data subject was valid or not; it is enough to establish that the company acted as controller in relation to the investigated facts. In the specific case, the DPA considered that this condition was proven since the company was in possession of the personal data of the data subject. Therefore, it concluded that the controller was obliged to provide the required information.

However, despite having been notified twice, the controller failed to comply with the request. According to the DPA, the lack of access to information resulted in an obstacle to the objective, thorough and complete assessment of the case, as well as in the unjustified extension of the proceeding initiated with the data subject's complaint. In view of the above, it found a violation of Article 58(1)(a) and (e) GDPR and imposed a fine of PLN 33,012 (€7,000).


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Based on Art. 104 § 1 of the Act of June 14, 1960 Code of Administrative Procedure (Journal of Laws of 2023, item 775) in connection with Art. 7 sec. 1 and 2, art. 60, art. 101, art. 101a sec. 2 and art. 103 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and pursuant to art. 57 sec. 1 lit. a) and ... h), art. 58 sec. 2 lit. i), art. 83 sec. 1-2 and Art. 83 sec. 5 lit. e) in connection with art. 58 sec. 1 lit. a) and e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection) (Official Journal UE L 119 of 04/05/2016, p. 1, with changes announced in the Official Journal of the EU L 127 of 23/05/2018, p. 2, and in the Official Journal of the EU L 74 of March 4, 2021, p. 35), hereinafter referred to as "Regulation 2016/679", after conducting administrative proceedings initiated ex officio to impose an administrative fine on H. Sp. z o. o. with its registered office in W. at Al. (…), President of the Personal Data Protection Office,

finding a violation by H. Sp. z o. o. with its registered office in W. at Al. (…) the provisions of art. 58 sec. 1 lit. a) and ... e) Regulation 2016/679, consisting in not providing the President of the Office for Personal Data Protection with access to information necessary to perform his tasks, imposes on H. Sp. z o. o. with its registered office in W. at Al. (...) an administrative fine in the amount of PLN 33,012 (say: thirty-three thousand and twelve zlotys).



JUSTIFICATION

Facts

The President of the Personal Data Protection Office (hereinafter referred to as the "President of the Personal Data Protection Office") received a complaint from Mr R. B., domiciled in I. at ul. (…) (hereinafter referred to as "the Complainant") for irregularities in the processing of his personal data by H. Sp. z o. o. with its registered office in W. at Al. (…) (hereinafter referred to as the "Company") consisting in making the Complainant's personal data available to a third party without a legal basis. In connection with the above, in order to consider the allegations raised by the Complainant, the President of the UODO initiated explanatory proceedings with reference number DS.523.2725.2022.

As part of the above-mentioned proceedings - acting pursuant to art. 58 sec. 1 lit. a) and lit. e) of Regulation 2016/679 - the President of the UODO, in a letter of May 16, 2022, called on the Company to provide explanations in the case and to answer the following detailed questions regarding the essence of the case:

1) "whether, and if so, when, on what legal basis, for what purpose and scope, the Company obtained the Complainant's personal data, including his name, surname and telephone number (...),

2) whether, and if so, on what legal basis, to what extent and for the purpose, the Company is currently processing the Complainant's personal data, including his name, surname and telephone number (...) and how long these data will be processed by the Company,

3) whether, and if so, when, on what legal basis, for what purpose and scope, and to which entities, the Company disclosed the Complainant's personal data, including his name, surname and telephone number (...)".

The company was also requested to refer to the Complainant's allegation, according to which, quote: "The probable violation of my personal data, i.e. name, surname and telephone number, i.e. (...) could have occurred as a result of their probable illegal acquisition in (. ...) from the above-mentioned companies [including the Company] in order - contrary to applicable law - to "infect" my mobile phone with advanced software (...). During the period (...), SMS messages were sent to my mobile phone from the above-mentioned entities [including from the Company]. However, there is a suspicion that the domains (pages) to which the recipients were redirected by these messages were fake. Opening these pages would infect my phone (…)".

This request, addressed to the current address of the Company's registered office on the date of dispatch, disclosed in the National Court Register, i.e. Al. (...), W., after two notifications on: May 18, 2022 and May 26, 2022, was not collected by the addressee and returned to the sender with the annotation "RETURN not taken on time". In connection with the above, the President of the UODO, based on the provision of art. 44 § 4 in connection with art. 45 of the Act of June 14, 1960, the Code of Administrative Procedure (Journal of Laws of 2023, item 775, as amended) (hereinafter referred to as "the Code of Administrative Procedure"), considered them to be properly delivered to the Company on June 1, 2022. and ... left in the case files. The company did not respond to this request of the President of the Personal Data Protection Office.

In connection with the above, the President of the UODO again - in a letter of January 25, 2023 - asked the Company for clarification in the case. This request, too, notified twice on: January 27, 2023 and February 6, 2023, was not received by the Company. Returned to the sender with the annotation "RETURN not taken on time", it was deemed, in accordance with the wording of art. 44 § 4 in connection with art. 45 k.p.a., to have been properly delivered to the Company on February 10, 2023. In the absence of receipt of the letter, the Company did not provide the President of the UODO with the requested information.

Both of the above summonses - i.e. both the letter of May 16, 2022 and the letter of January 25, 2023 - contained an instruction indicating that failure to provide explanations in the case, resulting in a violation of the obligation to cooperate with the supervisory authority, may result in imposing an administrative fine on the Company in accordance with art. 83 sec. 5 lit. e) Regulation 2016/679.

The above factual circumstances were determined by the President of the UODO on the basis of all official correspondence that the President of the UODO addressed to the Company, which correspondence is stored in the files of the proceedings with reference number DS.523.2725.2022. This correspondence documents in a full and exhaustive manner all attempts by the President of the UODO to obtain access to personal data and information needed to perform his tasks - in this case, to consider the case with reference number DS.523.2725.2022, and on the other hand, it reflects the Company's lack of reaction to the requests of the President of the UODO.

Procedure

Due to the Company's failure to provide information necessary to resolve the case with reference number DS.523.2725.2022, the President of the UODO initiated ex officio against it - pursuant to art. 83 sec. 5 lit. e) of Regulation 2016/679 - these administrative proceedings (ref. DOKE.561.1.2023) on the imposition of an administrative fine on the Company for violation of Art. 58 sec. 1 lit. a) and letter e) Regulation 2016/679.

The Company was informed about the initiation of the proceedings in a letter of March 23, 2023. This correspondence, addressed to the address of the Company's registered office and notified twice on: March 30, 2023 and April 7, 2023, was not received by the Company. In connection with the above, the President of the UODO - pursuant to the wording of art. 44 § 4 in connection with art. 45 k.p.a. - considered it to have been delivered to the Company on April 13, 2023. In this letter, the Company was requested, in order to determine the basis for the penalty pursuant to Art. 101a sec. 1 u.o.d.o., to present a financial statement or other document presenting the amount of turnover and the financial result achieved by it in 2022. The Company was informed about the alleged infringement; it was also instructed about the sanctions for this violation, as well as the still existing possibility of submitting the explanations that the President of the UODO demanded from it in the proceedings with reference number DS.523.2725.2022, which could have a mitigating effect on the amount of the administrative fine imposed in this case. In addition, the Company was informed about the possibility of expressing its opinion - before the issuing of an administrative decision - on the collected evidence and materials and the submitted requests.

The company did not take any action in response to the information about the initiation of these proceedings.

After considering all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following.

Regulations

In accordance with art. 57 sec. 1 lit. a) Regulation 2016/679, the President of the UODO - as a supervisory authority within the meaning of art. 51 of Regulation 2016/679 - monitors and enforces the application of this regulation on its territory. As part of his competence, the President of the UODO, among others, considers complaints lodged by data subjects, conducts proceedings regarding these complaints to the appropriate extent and informs the complainant about the progress and results of these proceedings within a reasonable time (Article 57(1)(f) of Regulation 2016/679) and conducts proceedings on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority (Article 57(1)(h) of Regulation 2016/679).

In order to enable the implementation of such tasks, the President of the UODO is entitled to a number of rights in the field of conducted proceedings, specified in art. 58 sec. 1 of Regulation 2016/679, including the right to order the controller and the processor to provide all information needed to perform its tasks (Article 58(1)(a)) and the right to obtain from the controller and the processor access to all personal data and information necessary to perform its tasks (Article 58(1)(e)).

Violation of the provisions of Regulation 2016/679 consisting in the controller's or processor's failure to provide access to personal data and information, resulting in a violation of the authority's rights set out in art. 58 sec. 1 of this legal act, is subject - in accordance with Art. 83 sec. 5 lit. e) in fine of Regulation 2016/679 - to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual global turnover from the previous financial year, with the higher amount applicable.

When assessing whether, and if so, to what extent an administrative fine should be imposed, the supervisory authority is obliged to take into account the following circumstances (prerequisites for the penalty) specified in Art. 83 sec. 2 Regulation 2016/679:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the given processing, the number of data subjects affected and the extent of the damage suffered by them,

b) the intentional or unintentional nature of the infringement,

c) actions taken by the controller or processor to minimize the damage suffered by the data subjects,

d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them pursuant to art. 25 and 32,

e) any relevant previous infringements by the controller or processor,

f) the degree of cooperation with the supervisory authority in order to remove the infringement and mitigate its possible negative effects,

g) the categories of personal data affected by the breach,

h) how the supervisory authority found out about the infringement, in particular whether and to what extent the controller or processor reported the infringement,

i) if the controller or processor concerned by the case were previously subject to the measures referred to in Art. 58 sec. 2 - compliance with these measures,

j) application of approved codes of conduct pursuant to Art. 40 or approved certification mechanisms under Art. 42,

k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained directly or indirectly from the infringement or losses avoided.

In addition, the supervisory authority - in accordance with art. 83 sec. 1 of Regulation 2016/679 - ensures that the applied administrative fines are effective, proportionate and dissuasive in each individual case (principles of imposing a penalty).

In order to determine the basis for the assessment of the administrative fine, the entity against which the proceedings to impose the administrative fine are pending is obliged, at the request of the President of the UODO, to provide him, within 30 days from the date of receipt of the request, with the data necessary to determine this basis (Article 101a section 1 u.o.d.o.). However, in the event of failure to provide this data by the entity subject to the penalty, the President of the UODO determines the basis for the administrative fine in an estimation manner, taking into account the size of the entity, the specificity of its activity or generally available financial data regarding the entity (Article 101a(2) u.o.d.o.).

Pursuant to the content of art. 103 u.o.d.o. the equivalent of the amounts expressed in euro referred to in Art. 83 of Regulation 2016/679, is calculated in PLN at the average euro exchange rate announced by the National Bank of Poland in the table of exchange rates as at January 28 of each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the exchange rate table of the National Bank of Poland, which is the closest after that date.

Pursuant to Art. 60 u.o.d.o., proceedings regarding the violation of provisions on the protection of personal data are conducted by the President of the Personal Data Protection Office. In turn, art. 7 sec. 1 u.o.d.o. provides that in matters not covered by this Act, the provisions of the Code of Administrative Procedure shall apply to administrative proceedings before the President of the UODO (including proceedings regarding the imposition of an administrative fine referred to in Chapter 11 of the Act). In accordance with art. 7 sec. 2 u.o.d.o. these proceedings are single-instance proceedings.

Article 44 § 4 k.p.a. in connection with art. 44 § 1 k.p.a. in connection with art. 45 k.p.a. provide that the fiction of delivery occurs at the end of the last day of the period, i.e. 14 days in the case of delivery of a letter to the address of the registered office of a legal person by the postal operator, and the letter is left in the case files.

Legal assessment

Referring the above-mentioned provisions of Regulation 2016/679 to the facts established in this case, it should first be considered whether the Company is the addressee of the obligations referred to in Art. 58 sec. 1 lit. a) and ... e) of Regulation 2016/679, the violation of which is subject to an administrative fine pursuant to art. 83 sec. 5 Regulation 2016/679. Both of the above-mentioned provisions of Regulation 2016/679 impose procedural obligations - as part of the proceedings conducted by the President of the UODO - on controllers and processors.

In the case with reference number DS.523.2725.2022, the President of the UODO determined - based on the information and evidence provided by the Complainant in his complaint, and in the absence of evidence to the contrary - that the Complainant's personal data were processed by the Company, acting as an administrator in this processing process. The company was in possession of the Complainant's personal data regarding the name, surname and telephone number, which it used to market its own services by sending an SMS to the Complainant's telephone number, containing a link to a website which, in the Complainant's opinion, could have infected his phone with malicious software. It is irrelevant in this case whether the described processing took place on the basis of any of the legal grounds indicated in art. 6 sec. 1 of Regulation 2016/679 and whether it was made in accordance with the other provisions of this regulation. On the other hand, for the purposes of this case, the finding that in the contested processing process the Company acted as the controller of the Complainant's personal data allows for the conclusion that the Company was obliged to provide all information requested by the President of the UODO for a thorough and comprehensive consideration of the complaint, which is the subject of the proceedings with reference number DS.523.2725.2022.

In these proceedings, in order to obtain the Company's explanations necessary to examine the legitimacy of the allegations raised by the Complainant - acting pursuant to Art. 58 sec. 1 lit. a) and lit. e) of Regulation 2016/679 - the President of the UODO twice asked the Company to respond to the content of the complaint and to provide explanations by answering detailed questions about the case (see point 2 and 4 of the justification for this decision). None of these letters, addressed to the address of the Company's registered office disclosed in the National Court Register, was received by the Company despite having been notified twice, therefore these letters were considered properly delivered to the Company in accordance with Art. 44 § 4 in connection with art. 45 k.p.a. As a consequence of the described omission of the Company, the President of the UODO did not obtain access to personal data and information needed to perform his tasks - in this case, to examine the legitimacy of the Complainant's complaint.

This state of affairs was not changed by the initiation by the President of the UODO of these proceedings regarding the imposition of an administrative fine on the Company (reference number DOKE.561.1.2023). The letter of March 23, 2023 addressed to the Company as part of these proceedings (see point 8 of the justification for this decision) was also not received by the Company, and therefore remained without any response from it.

At this point, it should be noted that the responsibility for failure to provide the President of the UODO with the information requested by him rests with the Company. This is not changed by the fact that the summonses addressed by the President of the Personal Data Protection Office to the Company have not been finally received by it. It is the duty of each organizational unit to ensure such organization of the receipt of letters that the course of correspondence takes place in a continuous and uninterrupted manner and only by authorized persons (see Judgment of the Provincial Administrative Court in Gorzów Wielkopolski of October 18, 2018, reference number II SAB/Go 90/18, LEX No. 2576144). Similarly, the Supreme Administrative Court, in its judgment of May 24, 2004, issued in the case with reference number FSK 40/04 (LEX No. 137872) stated that it is the duty of legal persons and organizational units to organize work in such a way that the delivery of letters during working hours and at the premises of their registered office is always possible. Neglecting this obligation should be considered gross negligence on the part of the Company, which in no way should adversely affect the possibility of exercising the powers of the supervisory authority, including the timeliness of the proceedings conducted by the President of the UODO.

Therefore, it is indisputable that the President of the UODO, exercising the right referred to in Art. 58 sec. 1 lit. a) and ... e) of Regulation 2016/679, sent the Company a request to provide information needed to perform its tasks - in this case, to resolve the substantive case with reference number DS.523.2725.2022. It is also indisputable that the President of the UODO did not obtain the requested information from the Company, which constitutes a violation of Art. 58 sec. 1 lit. a) and letter e) Regulation 2016/679.

The lack of access to the information requested by the President of the UODO from the Company resulted in an obstacle to an objective, thorough and comprehensive consideration of the case, as well as an unjustified extension of the duration of the proceedings initiated by the Complainant's complaint, which, in turn, was in contradiction with the basic principles governing administrative proceedings - the principles of thoroughness and speed of proceedings set out in article 12 sec. 1 k.p.a.

Considering the above, the President of the UODO states that in this case there were premises justifying imposing on the Company - pursuant to art. 83 sec. 5 lit. e) in fine of Regulation 2016/679 - an administrative fine in connection with the Company's failure to provide access to personal data and information necessary for the President of the UODO to perform his tasks, i.e. to resolve the case with reference number DS.523.2725.2022.

Premises and principles of administratively imposing a fine

Pursuant to the content of art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, attention is drawn to a number of premises listed in points a) to k) of the above-mentioned provision (see point 13 of the justification for this decision). When deciding to impose an administrative fine on the Company in this case and determining its amount, the President of the UODO took into account the following circumstances aggravating the assessment of the infringement:

Nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).

A breach subject to an administrative fine in this case undermines the system aimed at protecting one of the basic rights of a natural person, which is the right to the protection of his personal data, or more broadly - to protect his privacy. An important element of this system, the framework of which is defined by the provisions of Regulation 2016/679, are supervisory authorities, which have been assigned tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the implementation of these tasks, supervisory authorities have been equipped with a number of control powers, powers to conduct administrative proceedings and corrective powers. On the other hand, controllers and processing entities have had certain obligations imposed on them, correlated with the powers of supervisory authorities, including the obligation to provide these authorities with access to personal data and information necessary to perform their tasks. The importance of breaching these obligations was emphasized by the EU legislator himself, providing for their violation the higher penalty of the two specified in the provisions of Regulation 2016/679 - a penalty of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual global turnover from the previous financial year, with the higher amount applicable. The Company's conduct in this case, consisting in not collecting letters addressed to it and not submitting the explanations requested by the President of the UODO - resulting in difficulties and unjustified extension of the proceedings conducted by the President of the UODO - should therefore be considered as violating the personal data protection system, and therefore as being of importance and of a reprehensible character. The gravity of the infringement is additionally increased by the fact that the infringement committed by the Company was not a one-time and incidental event. The stated omission of the Company was continuous and long-lasting. It lasted from the expiry of the 7-day deadline for submitting explanations, set out in the first summons addressed to the Company in the proceeding ref. no. DS.523.2725.2022 - calculated from June 1, 2022, i.e. from the date on which the letter was deemed to have been properly delivered to the Company - i.e. from June 8, 2022, to the date of issuing the decision terminating these proceedings.

Unintentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).

Due to the fact that none of the calls for explanations sent by the President of the UODO to the Company was actually received by it, there are no grounds to believe that the Company's action, subject to punishment in this case, was intentional. In the opinion of the President of the UODO, the infringement committed by the Company was unintentional; however, due to the fact that it resulted from gross and long-term negligence by the Company of its basic obligation (to ensure such organization of the receipt of letters so that the course of official correspondence was continuous and undisturbed), this circumstance should be assessed negatively and considered aggravating in the context of determining both the legitimacy of the imposition and the amount of the imposed penalty.

Degree of cooperation with the supervisory authority to remove the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).

In the course of these proceedings regarding the imposition of an administrative fine on the Company, the Company did not cooperate in any way with the President of the UODO. In particular, the Company did not provide the information requested by the President of the Personal Data Protection Office in the proceedings with reference number DS.523.2725.2022, which could be treated as an action aimed at removing the violation found in this case or mitigating its effects. Such lack of cooperation with the President of the UODO resulted in difficulties and unjustified extension of the proceedings conducted by the President of the UODO. Such effects of the Company's persistence in the state of infringement (lack of will to restore the lawful state consisting in fulfilling its procedural obligations in proceedings before the President of the UODO) must - in the opinion of the President of the UODO - have an aggravating effect on the assessment of the infringement found.

In the opinion of the President of the UODO, none of the circumstances referred to in Art. 83 sec. 2 of Regulation 2016/679 supports mitigating the amount of the penalty imposed by this decision, as established taking into account the above-mentioned aggravating circumstances.

Other, below-indicated circumstances referred to in Art. 83 sec. 2 of Regulation 2016/679, after assessing their impact on the infringement found in this case, were considered neutral by the President of the UODO, i.e. having neither an aggravating nor mitigating effect on the amount of the adjudicated administrative fine:

Any relevant previous violations by the administrator (Article 83(2)(e) of Regulation 2016/679). The President of the UODO has not stated that the Company has previously committed any violations of the provisions on the protection of personal data, therefore there are no grounds for treating this circumstance as aggravating. And since such a state (fulfilling the obligations arising from the provisions on the protection of personal data) is a natural state in the legal environment in which the Company operates, it cannot have a mitigating effect on the assessment of the infringement made by the President of the UODO.

How the supervisory authority found out about the infringement (Article 83(2)(h) of Regulation 2016/679). Information about the infringement found in this case was obtained by the President of the UODO ex officio by analyzing the course of proceedings pending before him with reference number DS.523.2725.2022. This is a natural way of obtaining information about this type of infringement, resulting from the competence of the President of the UODO to assess the course of these proceedings and assess what information is necessary for him to resolve the case. Therefore, there are no grounds for a negative assessment of the fact that the information about the infringement does not come from the Company; however, this fact cannot be taken into account in favor of the Company, since it did not participate in obtaining information about the infringement by the President of the UODO.

Compliance with the measures previously applied in the same case referred to in Art. 58 sec. 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679). Before issuing this decision, the President of the UODO did not apply any measures listed in art. 58 sec. 2 of Regulation 2016/679, therefore the Company was not obliged to take any action related to their application, and which actions, subject to the assessment of the President of the UODO, could have an aggravating or mitigating impact on the assessment of the violation found.

Use of approved codes of conduct or approved certification mechanisms (Article 83(2)(j) of Regulation 2016/679). The Company does not use the instruments referred to in Art. 40 and art. 42 of Regulation 2016/679. However, their adoption, implementation and application is not - as provided for by the provisions of Regulation 2016/679 - mandatory for administrators, therefore the circumstance of their non-application cannot be considered to the Company's disadvantage in this case. In favor of the Company, however, the circumstance of adopting and applying such instruments as measures guaranteeing a higher than standard level of protection of personal data being processed could be taken into account.

Financial benefits achieved directly or indirectly in connection with the infringement or losses avoided (Article 83(2)(k) of Regulation 2016/679). The President of the UODO did not state that the Company, due to the failure to provide the information requested by him, gained any financial benefits or avoided such losses. Therefore, there are no grounds for treating this circumstance as incriminating the Company. The statement of the existence of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed decidedly negatively. On the other hand, the Company's failure to achieve such benefits, as a natural state resulting from the assumption that an entrepreneur conducting business activity obtains financial benefits (profits) on this account, provided that the applicable legal rigors are followed, is a circumstance that, by nature, cannot be a mitigating factor for it. This is confirmed by the wording of Art. 83 sec. 2 lit. k).

Other aggravating or mitigating factors (Article 83(2)(k) of Regulation 2016/679). The President of the UODO, examining the case comprehensively, did not notice any circumstances other than those described above that could affect the assessment of the infringement and the amount of the adjudicated administrative fine.

Other circumstances listed in art. 83 sec. 2 Regulation 2016/679 inevitably could not be taken into account by the President of the UODO due to the specific nature of the infringement (concerning the relationship between the administrator and the supervisory authority, and not with the data subjects). These are:

number of injured persons and the extent of the damage suffered by them (Article 83(2)(a) of Regulation 2016/679) - due to the fact that the infringement (the Company's failure to grant the President of the Personal Data Protection Office access to the necessary information) does not involve a breach of the personal data of any person and, as a consequence, no damage to natural persons occurred in the case;

actions taken by the administrator to minimize the damage suffered by the data subjects (Article 83(2)(c) of the Regulation 2016/679) - due to the fact that there were no damages to natural persons in the case, there is no obligation or possibility for the Company to take any action to minimize them;

the degree of responsibility of the administrator, taking into account the technical and organizational measures implemented by them pursuant to art. 25 and 32 of Regulation 2016/679 (Article 83(2)(d) of Regulation 2016/679) - due to the fact that the infringement itself does not involve technical and organizational measures implemented by the Company to ensure the protection of personal data and the security of their processing;

categories of personal data to which the violation concerned (Article 83(2)(g) of Regulation 2016/679) - due to the fact that the violation consisting in failure to provide access to information necessary for the President of the UODO to perform his tasks does not involve the violation of any personal data.

Pursuant to the wording of Art. 83 sec. 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. When defining the above-mentioned rules for imposing administrative fines, reference should be made to the views of the legal doctrine on the protection of personal data. “A sanction is effective if it achieves the purpose for which it was introduced. The sanction is proportionate if it does not exceed the severity threshold determined by taking into account the circumstances of the individual case. A sanction is a deterrent if it meets the considerations of individual and general prevention, in other words, it is a clear signal of disapproval of the violation for the society, as well as for the sanction's addressee” (P. Litwiński (ed.), Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016 [...]; Commentary on Article 83 [in:] P. Litwiński (ed.) General Regulation on the Protection of Personal Data. Act on Protection of Personal Data. Selected Sectoral Provisions. Commentary). The rules for imposing administrative fines defined in this way require reference to the size, financial capabilities and position of the fined entity on the market, and as a measure of these attributes of the fined entity, in the case of an enterprise, Regulation 2016/679 allows us to assume the total annual global turnover from the previous year (Article 83(5) of the Regulation 2016/679). Complementing this principle, the provision of art. 101a sec. 2 u.o.d.o. provides that in the absence of such data, the President of the UODO determines the basis for the administrative fine based on estimates as to the size of the entity, the specificity of its business or generally available financial data regarding the entity.
Reference to the economic potential of the punished entity is necessary because, among others, a penalty that is disproportionately low in relation to the financial capacity of the perpetrator of the infringement (the penalty is even "imperceptible" for this entity) will not be effective and dissuasive for this entity; a penalty that is too severe (a penalty whose payment will threaten the entity's existence) will not be a proportional penalty.

In the opinion of the President of the UODO, the fine imposed on the Company in these proceedings complies with the principles set out in Art. 83 sec. 1 Regulation 2016/679. Its severity in the financial dimension will discipline the Company to properly cooperate with the President of the UODO in proceedings conducted with its participation before the President of the UODO. Therefore, in terms of disciplining the Company, the penalty will be effective (it will achieve its goal). The penalty imposed by this decision is also - in the opinion of the President of the UODO - proportional to the seriousness of the infringement found and to the possibility of incurring it by the Company without significant detriment to its operations. This penalty will also serve as a deterrent; it will be a clear signal for the Company, which is obliged under the provisions of Regulation 2016/679 to cooperate with the President of the UODO, that disregarding the obligations related to cooperation with him (in particular, hindering access to personal data and information necessary to perform his tasks) is a violation of great importance and, as such, will be subject to financial sanctions.

In view of the Company's failure to provide the financial data requested by the President of the UODO for 2022, when determining the amount of the administrative fine in this case, the President of the UODO took into account, based on art. 101a sec. 2 u.o.d.o., the estimated size of the Company and the specificity, scope and scale of its operations. In the opinion of the President of the UODO, the Company conducts business activity on a medium scale, as evidenced by its share capital of PLN 234,350.00. The Company has been present on the Polish market for several years (the Company's entry in the Register of Entrepreneurs of the National Court Register took place on September 1, 2010), which proves the stable nature of its operations. The scope of the Company's activity focuses primarily on the wholesale and retail sale of audiovisual, computer and telecommunications equipment in specialized stores, as well as repair and maintenance of these devices. The scale of the Company's operations may be evidenced by the sales revenue generated by the Company in 2021 in the amount of PLN 3,788,677.68 (data from the financial statements for the financial year 2021 - included due to the lack of availability of financial data for 2022). The sale of the Company's goods and services is also subject to VAT, of which the Company is an active payer (data from the list of VAT taxpayers - www.podatki.gov.pl/wykaz-podatnikow-vat-wyszukiwarka). The significant amount of revenue generated by the Company does not qualify it for exemption from the above-mentioned public levy, which also supports the recognition of the Company as a profitable and prosperous entity.

Due to the fact that in this case an entity operating on a medium scale is subject to a fine, the administrative fine imposed on it by this decision, which is relatively small (constituting 0.035% of the maximum amount of the fine which, in accordance with Article 83(5)(e) in fine of Regulation 2016/679, the President of the UODO could adjudicate for the violation found in this case), will be a severe and thus effective penalty for it, but also one that it can bear without threatening the material foundations of its existence and business.

Considering the provision of art. 103 u.o.d.o., for the infringements described in the conclusion of this decision, the President of the UODO imposed on the Company - using the average euro exchange rate of January 30, 2023 (where EUR 1 = PLN 4.7160) - an administrative fine of PLN 33,012 (equivalent to EUR 7,000).

Considering the above, the President of the UODO ruled as in the operative part of this decision.



Instruction

The decision is final. In accordance with art. 53 § 1 of the Act of August 30, 2002 Law on Proceedings before Administrative Courts (Journal of Laws of 2023, item 259), hereinafter referred to as "A.P.A.", the party has the right to lodge a complaint against the decision to the Voivodeship Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw). A relative entry must be made against the complaint, in accordance with art. 231 in connection with art. 233 p.p.s.a. In accordance with art. 74 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) (hereinafter referred to as "u.o.d.o.") lodging a complaint by a party to the administrative court suspends the execution of the decision regarding the administrative fine.

In the proceedings before the Provincial Administrative Court, the Party has the right to apply for assistance, which includes exemption from court costs and the appointment of a lawyer, legal advisor, tax advisor or patent attorney. The right to assistance may be granted at the request of the Party submitted before the initiation of the proceedings or in the course of the proceedings. The application is free of court fees.

In accordance with art. 105 sec. 1 of the u.o.d.o., the administrative fine should be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from the date when the administrative court's decision becomes final, to the bank account of the Office for Personal Data Protection in NBP o/o Warsaw No. 28 1010 1010 0028 8622 3100 0000.

In addition, in accordance with art. 105 sec. 2 u.o.d.o., the President of the Office for Personal Data Protection may, at the justified request of the punished entity, postpone the date of payment of the administrative fine or divide it into installments. In the event of postponing the payment of an administrative fine or spreading it into installments, the President of the Office for Personal Data Protection shall charge interest on the unpaid amount on an annual basis, using a reduced interest rate for late payment, announced pursuant to art. 56d of the Act of August 29, 1997, Tax Ordinance (Journal of Laws of 2022, item 2651, as amended), from the day following the date of submission of the application.