UODO - DKE.561.1.2020

From GDPRhub
UODO - DKE.561.1.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 31 GDPR
Article 58(1)(e) GDPR
Type: Complaint
Outcome: Other Outcome
Decided: 06.07.2020
Published: 10.07.2020
Fine: 3500 EUR
Parties: D. S.
East Power Sp. z o.o.
National Case Number/Name: DKE.561.1.2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: n/a

The President of the Personal Data Protection Office (UODO) imposed a fine of 15 000 PLN (approx. 3500 EUR) on East Power company from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks. The Polish DPA found that the company violated Art 58(1)(e) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Mr. D. S., a German citizen, submitted a complaint against the processing of his personal data by the company East Power Sp. z o.o. with a registered address in Jelenia Góra, Poland. The complainant submitted that his personal data was used for marketing purposes despite that he objected to such processing.

The complaint was lodged with the German data protection authority competent for Rhineland-Palatinate, but it was taken over for consideration by the President of the UODO, who was the so-called lead authority in this case, because the company is established in Poland.

Dispute[edit | edit source]

The UODO has contacted the company and asked to answer the following questions:

1. On what legal basis, for what purpose and to what extent the company is currently processing the complainant's personal data and from what source the data was obtained.

2. Whether the complainant has requested that the company delete his personal data.

3. In case the complainant requested the deletion of his personal data, why and on what legal basis was his request not complied with.

The company did not reply to the set of questions; the UODO has repeated its request. The company responded that it had not processed the complainant's personal data neither before nor at the time of the request made by the UODO. The company also informed that it had not disclosed the complainant's personal data. At the same time, the President of the company's Management Board stated that "the Company obtained the Complainant's personal data from the Internet", where "they are available in the Google search engine".

The company addressed only one of the two requests, and the explanations provided were incomplete and contradictory. The UODO has therefore sent another request to clarify the answer provided. The company did not respond to the third request of the Polish DPA.

Holding[edit | edit source]

Based on the facts of the case and on the analysis of the GDPR provisions, the UODO has stated that the company acts as a controller of complainant's personal data. The UODO referred to the company's obligation to cooperate with the supervisory authority under Article 31 GDPR. Since the company did not comply with its obligation to provide the President of UODO with access to information necessary for the performance of his tasks - in this case, the substantive settlement of the case, such inaction of the company constituted a breach of Article 58(1)(e) of the GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Warsaw, 10 July 2020
DECISION
DKE.561.1.2020

          The Commission shall be assisted by the European Parliament and the Council in the context of Article 31, Article 58(1)(e) in conjunction with Article 83(1) to (3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2012, p. 1). 2016, p. 1, as amended) (hereinafter referred to as the "Regulation 2016/679"), after conducting ex officio administrative proceedings to impose an administrative fine on East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street, the President of the Office for Personal Data Protection, stating that East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street, the provision of Article 58(1)(e) of Regulation 2016/679, consisting in failure to provide access to personal data and other information necessary for the President of the Office for the Protection of Personal Data to carry out his tasks, that is, to consider the complaint of Mr D. S. for processing of his personal data by East Power Sp. z o.o. with its registered office in Jelenia Góra in breach of Regulation 2016/679,

imposes on East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street an administrative fine in the amount of PLN 15,000 (in words: fifteen thousand zlotys), which is equivalent to EUR 3,505.16, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as of 28 January 2020.

JUSTIFICATION

The Office for Personal Data Protection received a complaint from Mr. D. S., a German citizen, residing in N. (hereinafter referred to as the "Complainant"), for processing by East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street (hereinafter referred to as the "Company"), owner of the website. [...].de, his personal data for marketing purposes in spite of objections raised. President of the Office for the Protection of Personal Data (hereinafter referred to as the "President of the Office for the Protection of Personal Data") within the framework of the initiated administrative proceedings conducted to consider the complaint (under the signature [...]), asked the Company in a letter of [...] March 2019 to respond to the content of the complaint and to answer the following detailed questions about the case:

1. on what legal basis, for what purpose and to what extent the Company is currently processing the complainant's personal data and from what source the data was obtained,
2. whether the Complainant has requested that the Company delete its personal data,
3. why and on what legal basis, if the Complainant asks for his personal data to be deleted, his request has not yet been complied with.

The above letter, correctly delivered to the Company [...] March 2019, remained unanswered.

Therefore, by letter of [...] May 2019, the President of the UODO again asked the Company to respond to the content of the complaint and to answer the detailed questions already formulated in the previous letter. This letter was delivered to the Company on [...] May 2019. In his letter of [...] June 2019 in response to the above request of the President of UODO, the President of the Company's Management Board stated that "the Company did not process, at that time or currently, the Complainant's personal data" and that "the Company did not make available, at that time or currently, the Complainant's personal data". At the same time, the President of the Company's Management Board stated that "the Company obtained the Complainant's personal data from the Internet", where "they are available in the Google search engine".

Considering the above explanations of the Company to be insufficient, the President of the UODO, in his letter of [...] September 2019, requested the Company to provide additional explanations in the case, in particular:

    on what legal basis, for what purpose and to what extent the Company has currently processed or is currently processing the Complainant's personal data,
    the merger relationship on [...] June 2018. The Company and Mr. P. K., who, acting on behalf of the Company, sent the Complainant's e-mail address on that day a message of a marketing nature, in the Complainant's opinion,
    whether, and if so, how the Company responded to the Complainant's request of [...] June 2018 to delete its personal data and stop sending marketing content to it,
    if the Company did not comply with the Complainant's request, why and on what legal basis it did so.

The Company did not respond to the above letter, duly delivered to the Company on [...] September 2019.

By letters of [...] May 2019 and [...] September 2019. The Company was informed that failure to respond to the summonses of the President of the UODO may - in accordance with Article 83(5)(e) of Regulation 2016/679 - impose an administrative fine on the Company.

In connection with the Company's failure to provide the information necessary to resolve the [...] case, initiated by the Complainant's complaint, the President of the PTO initiated ex officio against the Company - pursuant to Article 83(5)(e) of Regulation 2016/679, in connection with the Company's breach of Article 58(1)(a) and (e) of Regulation 2016/679 - administrative proceedings to impose an administrative fine on the Company (under reference DKE.561.1.2020.RZ). The Company was informed about the initiation of the proceedings by letter dated [...] February 2020, delivered to the Company [...] February 2020. In that letter, the Company was also requested - in order to determine the basis for the penalty, on the basis of Article 101a.1 of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781) - to present the Company's financial statements for 2019 or - in the absence thereof - a statement on the amount of turnover and financial result achieved by the Company in 2019.

In response to the letter informing about the initiation of proceedings to impose an administrative fine on the Company, the President of the Management Board of the Company sent a letter to the President of UODO of [...] February 2020, in which he requested withdrawal from imposing an administrative fine in the proceedings DKE.561.1.2020.RZ and for discontinuation of the proceedings in the case of [...]. At the same time, in the same letter, the President of the Management Board of the Company submitted explanations to the case [...]. He indicated in particular that:

    The Company is not currently processing the Complainant's personal data, but previously it was obtained "from publicly available databases" and processed in the scope of the Complainant's name, surname and e-mail address "for the purpose of one-time delivery of e-mails to the Complainant";
    P. K. was an employee of the Company and 'the activities performed by Mr K. were therefore performed by him as an employee of the Company, within the scope of the activities presented to him'. With reference to this part of the explanations, the President of the Management Board of the Company presented in an attachment to his letter copies of three employment contracts (dated [...] April 2018, dated [...] August 2018 and dated [...] April 2019) concluded between the Company and Mr Pi. Ko;
    at the request of the Complainant of [...] June 2018. The Company "ceased all correspondence, did not send any further e-mails to the Complainant due to its request and deleted the Complainant's personal data".

The Company did not present its letter of February [...], 2020, enclosing its financial statements for 2019, stating that it 'has not yet prepared' such a document. The Company also did not submit a statement on the amount of turnover and financial result achieved in 2019, which the President of UODO demanded in case the financial statement could not be presented.

The Company conducts - on the territory of Poland and Germany - activities in the field of, among others, employment agency (including temporary work) and human resources management in enterprises.

After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following.

In accordance with Article 57(1)(a) of Regulation 2016/679, the President of the UODO, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, shall monitor and enforce the application of the Regulation on its territory. Within the scope of his competences, the President of the PPA shall, inter alia, hear complaints lodged by data subjects, conduct investigations into such complaints to an appropriate extent and inform the complainant of the progress and outcome of such investigations within a reasonable period of time (Article 57(1)(f)). In order to enable the performance of the tasks so defined, the President of the PPA has a number of powers in relation to the proceedings, as set out in Article 58(1) of Regulation 2016/679, including the power to order the controller and the processor to provide any information necessary for the performance of its tasks (Article 58(1)(a)) and the power to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of its tasks (Article 58(1)(e)). The infringement of the provisions of Regulation 2016/679, consisting in the failure of the controller or the processor to provide access to the data and information referred to above, resulting in the infringement of the authority's powers specified in Article 58(1) (including the right to obtain data and information necessary for the performance of its tasks), shall be subject, in accordance with Article 83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover in the previous financial year, the higher amount being applicable. It should also be noted that the administrator and the processor are obliged to cooperate with the supervisory authority in the performance of their tasks, as provided for in Article 31 of Regulation 2016/679.

With reference to the above mentioned provisions of Regulation 2016/679 to the facts established in this case and described at the beginning of the grounds for this decision, it should be stated that the Company - controller of personal data of the Complainant D. S. - as a party to the proceedings under the President of UODO, infringed its obligation to provide the President of UODO with access to information necessary for the performance of his tasks - in this case, the substantive settlement of this case. Such action of the Company constitutes a breach of Article 58(1)(e) of Regulation 2016/679.

In the proceedings under the number [...], the President of UODO called on the Company three times to provide explanations necessary to consider the case.

The first letter issued in the case by the President of UODO [...] March 2019 (correctly delivered to the Company [...] March 2019) remained unanswered.

Response to the second call of the President of UODO (of [...] May 2019, correctly delivered to the Company [...] May 2019) was far from complete (no comprehensive answer to any of the three specific questions asked in the letter of the President of UODO), contradictory (the Company, on the one hand, stated that it obtained the Complainant's personal data from the Internet and, on the other hand, stated that it 'did not process, at that time or currently, the Complainant's personal data') and, in the opinion of the President of UODO, disregarding both the authority and the case in which the authority requested clarifications.

The third letter sent by the President of UODO to the Company (dated [...] September 2019, correctly delivered to the Company [...] September 2019), containing a clarification of the basic issues related to data processing (including the very notion of 'data processing') and additional questions aimed at establishing the facts of the case, again remained unanswered.

More extensive explanations were provided by the Company only in the letter of [...] February 2020 in response to the letter of the President of UODO informing about the initiation of the present procedure concerning the imposition of an administrative fine for failure to provide access to information requested by the President of UODO. However, even these explanations are incomplete and will require further investigation in case [...]. In particular, this concerns the answer to the question on the merger relationship on [...] June 2018. The Company and Mr. P. K., who, acting on behalf of the Company, sent a marketing message to the Complainant's e-mail address on that day. In response to this question, the Company stated that P. K. was employed by the Company on the basis of an employment contract. At the same time, it attached to its letter copies of three employment contracts, which not only did not confirm the Company's explanations, but caused additional doubts as to the actual state of affairs. Firstly, according to the content of all three employment contracts, Mr Pi was a party to them. Ko., and not Mr. P. K. (The Company did not explain in its letter why this discrepancy occurred). Secondly, the duration of the contracts referred to periods both before and after the date expressly requested by the President of the UODO (the date on which Mr P. K. sent an e-mail to the complainant, i.e. [...] June 2018); they did not cover that particular day (the fixed-term employment contract of [...] April 2018 was concluded for the period from [...] April 2018 to [...] May 2018, the fixed-term employment contract of [...] August 2018 was concluded for the period from [...] September 2018 to [...] April 2019 and the permanent employment contract of [...] April 2019 was in force from [...] May 2019). Nor did the Company explain this discrepancy in its letter.

The above-described Company's proceedings in the case with the signature [...] (failure to respond to the summonses of the President of UODO and providing incomplete, unspecific, evasive and contradictory answers to specific, not too complicated and not requiring specialist knowledge in the field of personal data protection questions of the President of UODO) indicates a lack of willingness to cooperate with the President of UODO in determining the facts of the case and correctly resolving it, or at least a gross disregard for his obligations to cooperate with the President of UODO in the performance of his tasks under the Regulation 2016/679. The above statement is additionally justified by the fact that the Company did not try to justify in any way the lack of any response to the two requests for explanations, nor did it contact the Office for Personal Data Protection in order to indicate any doubts it might have regarding the scope of information requested by the President of PDPO.

It should be pointed out here that obstructing and preventing access to information which the President of UODO has requested and requested from the Company and which is undoubtedly held by the Company (e.g. information about the relationship between the Company and Mr. P. K. ), stands in the way of a thorough consideration of the case, and also results in excessive and unjustified prolongation of the proceedings, which is contrary to the basic principles governing administrative proceedings - as defined in Article 12.1 of the Administrative Procedure Code of 14 June 1960 (Journal of Laws of 2020, item 256).

In view of the above findings, the President of the Office of Competition and Consumer Protection (UODO) states that in this case there are premises justifying the imposition of an administrative fine on the Company - pursuant to Article 83 Section 5(e) in fine of Regulation 2016/679 - in connection with the Company's failure to provide access to information necessary for the President of the Office of Competition and Consumer Protection (UODO) to carry out his tasks, i.e. to resolve the case under reference [...]. Referring to the request contained in the Company's letter of [...] February 2020 to withdraw from the imposition of an administrative fine in these proceedings, the President of the PPA indicates that he sees no grounds for a positive outcome. The Company has not justified its request in any way, in particular, it has not attempted to justify its action infringing the provisions of Regulation 2016/679 and has not removed the infringement itself by providing full and exhaustive explanations allowing to issue a decision in the [...] case.

According to Article 83(2) of Regulation 2016/679, administrative fines shall be imposed depending on the circumstances of each individual case. In each case, a number of the circumstances set out in points (a) to (k) of the abovementioned provision are addressed. When deciding on the imposition of an administrative fine on the Company in this case and determining its amount, the President of UODO took into account - among them - the following circumstances affecting the assessment of the infringement:

1. The nature, seriousness and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).

An infringement subject to administrative pecuniary sanctions in the present case undermines a system designed to protect one of the fundamental rights of the individual, which is the right to the protection of his or her personal data or, more broadly, to the protection of his or her privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of individuals' rights in this respect. In order to be able to carry out these tasks, supervisory authorities have been equipped with a number of inspection powers, administrative investigation powers and remedial powers. On the other hand, certain obligations are imposed on controllers and processors, correlated with the powers of the supervisory authorities, including the obligation to cooperate with the supervisory authorities and to provide those authorities with access to information necessary for the performance of their tasks. The Company's actions in this case, which consist in making it difficult and impossible to access the information requested by the President of UODO, and resulting in the hindering and unjustified prolongation of the proceedings conducted by him, should therefore be considered to be detrimental to the entire system of personal data protection, and therefore of great importance and reprehensible nature. The gravity of the infringement is further increased by the fact that the infringement committed by the Company was not a one-off and incidental event; the Company's actions were continuous and long-lasting. It lasts from the expiry of the deadline set for submitting explanations in the first letter of the President of UODO, i.e. from [...] April 2019 to the present day (with respect to some information requested by the President of UODO).

2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).

In the opinion of the President of UODO, there is a lack of willingness on the part of the Company to cooperate in providing the authority with all information necessary to resolve the case in the course of which the authority requested it. This is evidenced, in particular, by the lack of any response to two out of three summonses from the President of UODO addressed to it and received by it. Also the explanations that the Company finally submitted to the President of UODO (incomplete, exchangeable, contradictory) prove the lack of willingness to cooperate with the authority or at least a gross disregard for its obligations related to such cooperation, unacceptable especially in the case of an entity processing personal data professionally (in connection with the type of services provided - through work - requiring obtaining, storing and making available the data of natural persons who are potential employees). It should be emphasized that the Company at no stage of [...] proceedings, as well as in these proceedings, has made an attempt to justify such proceedings. Considering that the Company is an entrepreneur, an entity professionally participating in legal and economic turnover, whose activity is connected with the processing of personal data (in connection with the employment agency services provided), it should also be assumed that it was (and still is) aware of the fact that its conduct constitutes a breach of the provisions of Regulation 2016/679.

3. Unsatisfactory cooperation with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).

In the course of the present proceedings concerning the imposition of an administrative fine, the Company has submitted (by letter of [...] February 2020) additional explanations to the case under the signature [...], however, as it has been shown in detail above, the President of the Office of Competition and Consumer Protection (UODO) cannot consider these explanations to be complete, exhaustive and allow for a decision in the case.

The other prerequisites for the administrative fine indicated in Article 83(1)(a) and (b) of the Act of Accession. The other conditions for imposing an administrative fine set forth in Article 83(2) of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the breach by the President of PPAs (including: all relevant previous breaches on the part of the controller, the manner in which the supervisory authority became aware of the breach, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (concerning the relationship of the controller with the supervisory authority and not the relationship of the controller with the data subject), could not be taken into account in the present case (including: the number of persons harmed and the extent of the harm suffered by them, actions taken by the controller to minimise the harm suffered by the data subjects, the degree of responsibility of the controller taking into account the technical and organisational measures implemented by the controller, categories of personal data concerned by the breach).

According to Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Company in these proceedings meets these criteria. It will discipline the Company to properly cooperate with the President of UODO, both in the further course of the proceedings under the [...] name, as well as in possible other proceedings conducted in the future with the Company's participation before the President of UODO. The penalty imposed by this Decision is, in the opinion of the President of UODO, proportionate to the seriousness of the infringement and to the Company's ability to bear it without significant damage to its business. The penalty will also act as a deterrent and will send a clear signal to both the Company and other entities obliged under Regulation 2016/679 to cooperate with the President of UODO that disregarding the obligations to cooperate with him (in particular, obstructing access to information necessary for the performance of his tasks) constitutes a serious infringement and as such will be subject to financial sanctions. At this point it should be pointed out that the imposition of an administrative fine on the Company is - in view of the Company's previous conduct as a party to the proceedings [...] - necessary; it is the only measure at the disposal of the President of PPA, which will make it possible to obtain access to information necessary in the proceedings. In view of the Company's failure to provide the financial data for 2019 requested by the President of UODO, when determining the amount of the administrative fine in this case, the President of UODO took into account, pursuant to Article 101a clause 2 of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781), the estimated size of the Company and the specificity, scope and scale of its operations.

Pursuant to the wording of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date. In this case, the exchange rate of PLN 4.2794 for EUR 1 shall apply.

In view of the above, the President of UODO ruled as in the operative part of this decision. 

The decision is final. A party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of UODO (address: ul. Stawki 2, 00 - 193 Warsaw). A relative entry must be made against the complaint in accordance with art. 231 in connection with art. 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to an administrative court shall suspend the execution of a decision on an administrative fine.

In the proceedings before the Provincial Administrative Court, a party has the right to apply for a right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.

Pursuant to Article 105(1) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781), the administrative fine shall be paid within 14 days from the date of expiry of the time limit for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland (NBP O/O Warszawa) no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In case of postponement of the deadline for paying the administrative fine or its distribution in instalments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using the reduced rate of interest for late payment announced pursuant to Art. 56d of the Act of 29 August 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.