UODO - DKE.561.11.2020

From GDPRhub
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 34(4) GDPR
Article 57(1)(a) GDPR
Article 58(2)(e) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(6) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 05.01.2021
Published:
Fine: 85588 PLN
Parties: n/a
National Case Number/Name: DKE.561.11.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Decyzje Prezesa UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish DPA (PUODO) imposed a fine of PLN 85,588 (approximately EUR 20,000) on a health care entrepreneur for failing to comply with an order contained in an earlier administrative decision. That decision had instructed the entrepreneur to notify her patients of a breach of their personal data and to provide them with recommendations on how to minimise its negative effects.

English Summary

Facts

The President of the Office for Personal Data Protection (UODO) had ordered the entrepreneur, by administrative decision, to notify her patients of the breach of their personal data and to provide them with recommendations on how to minimise the potential negative effects of the incident. The controller failed to do so, as the proceedings conducted to verify compliance with the UODO decision showed.

Consequently, the persons affected by the breach knew nothing about it.

Proper compliance with the obligation imposed by the DPA would have allowed the data subjects to understand what the personal data breach consisted of, what its possible consequences were, and what steps they could take to minimise its negative effects.

As the entrepreneur ignored the decision of the supervisory authority, the DPA initiated ex officio proceedings to impose an administrative fine.

Dispute

Holding

The DPA found that the entrepreneur had failed to comply with the order issued under Article 58(2)(e) GDPR to notify the data subjects of the breach of their personal data, as required by Article 34 GDPR, and imposed on the controller, pursuant to Article 83(6) GDPR, a fine of PLN 85,588 (approximately EUR 20,000).

Comment

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended), Article 7(1) and (2), Article 60, Article 101, Article 101a and Article 103 of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, item 1781) and Article 57(1)(a), Article 83(1)-(2) and Article 83(6) in connection with Article 58(2)(e) and (i) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Official Journal of the European Union L 119 of 04.05.2016, p. 1 and Official Journal of the European Union L 127 of 23.05.2018, p. 1, as amended), having conducted ex officio administrative proceedings concerning the imposition of an administrative fine on Ms M. Z., conducting business activity under the name K., the President of the Office for Personal Data Protection,

establishing that Ms M. Z., conducting business activity under the name K., failed to comply with the order of the administrative decision of the President of the Office for Personal Data Protection of [...] February 2020 (file reference [...]),

imposes on Ms M. Z., conducting business activity under the name K., an administrative fine in the amount of PLN 85,588 (in words: eighty-five thousand five hundred and eighty-eight zlotys).

JUSTIFICATION

The Office for Personal Data Protection received a notification of a personal data breach dated [...] July 2019, submitted by Ms M. Z., conducting business activity under the name K. (hereinafter also referred to as the "Entrepreneur"). In the notification, the Entrepreneur stated that the breach consisted in the unauthorised copying, on [...] April 2019, of the personal data of one hundred patients from the clinic's system ([A]) by a former employee, in order to use them for the marketing of his own services. The Entrepreneur also indicated that the breach concerned the following categories of patients' personal data: PESEL number, first and last names, parents' first names, date of birth, address of residence or stay and telephone number. The Entrepreneur refrained from notifying the data subjects of the breach, even though she herself assessed the risk to the rights and freedoms of natural persons as high. In view of the above, the President of the Office for Personal Data Protection (hereinafter also referred to as the "President of UODO"), by a letter of [...] August 2019 (ref. [...]) addressed to the Entrepreneur pursuant to Article 52(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and Article 34(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the EU L 119 of 04.05.2016, p. 1 and Official Journal of the EU L 127 of 23.05.2018, p. 2) (hereinafter referred to as "Regulation 2016/679"), called on her to notify the data subjects of the breach of the protection of their personal data without delay and to provide them with recommendations on how to minimise its potential negative effects. The President of UODO also indicated to the Entrepreneur sample risks related to the breach and sample recommendations concerning measures that the affected persons could take to protect themselves against its negative effects.

As the Entrepreneur did not respond to the letter of [...] August 2019, the President of UODO initiated administrative proceedings concerning the failure to notify the data subjects of the breach of the protection of their personal data. By an administrative decision of [...] February 2020 (ref. [...]), the President of UODO ordered the Entrepreneur, pursuant to Article 58(2)(e) of Regulation 2016/679, to notify the data subjects, within three days from the date on which the decision became final, of the personal data breach, in order to provide them with the information required under Article 34(2) of Regulation 2016/679, i.e.:

(a) a description of the nature of the personal data breach;

(b) the name and contact details of the Data Protection Officer or the designation of another contact point from which further information may be obtained;

(c) a description of the possible consequences of the personal data breach;

(d) a description of the measures applied or proposed by the controller to address the breach, including measures to minimise its possible effects.

The Entrepreneur did not lodge a complaint with the Voivodship Administrative Court against the above administrative decision, which therefore became final on [...] April 2020.

In order to verify whether the Entrepreneur had performed the obligations imposed by that decision, the President of UODO instituted verification proceedings under file number [...].

By letter of [...] May 2020, the Entrepreneur was requested to provide explanations and a list of the persons to whom the information referred to in the order of the decision had been provided, together with information on the manner of its provision and evidence of it (copies of ten sample notices with proof of posting). The letter also advised the Entrepreneur that a finding of non-compliance with the order of the President of UODO could result in the imposition of an administrative fine pursuant to Article 83(6) of Regulation 2016/679. In response, the Entrepreneur did not send the requested copies of the notices; instead, in a letter received by the Office for Personal Data Protection on [...] May 2020, the Entrepreneur's attorney stated, quote: "Unfortunately, despite our will, we have not been able to create such a list, as we do not know which patients' data were collected by the doctor referred to in the notification submitted by K. Currently, over [...] persons are treated in our facilities and notifying all of them of a possible breach of their personal data is impossible".

On [...] June 2020 the President of UODO sent the Entrepreneur a reminder pursuant to Article 15 § 1 of the Act of 17 June 1966 on enforcement proceedings in administration (Journal of Laws of 2020, item 1427, as amended), requesting the Entrepreneur to comply with the order of the decision within 7 days and to document compliance by presenting evidence in the form of a list of the persons notified of the personal data breach, including information on how the notices were sent, together with copies of ten selected letters with proof of posting. On the same day, the Entrepreneur's attorney was also informed by telephone of the obligation to comply with the order of the President of UODO and to present evidence of its execution. In a letter received by the Office for Personal Data Protection on [...] June 2020, the Entrepreneur's attorney submitted copies of ten notices sent by registered mail on [...] June 2020 with the following content: "We would like to inform you that in 2019 your personal data (name, surname, telephone number) may have been breached by one of our doctors (D. B.). At the same time, we would like to inform you that this person no longer works in our clinic and an investigation is underway against him. If you have any questions, please contact the RODO administrator at our facility: M. K. [...]". The submitted copies did not contain all the information that the Entrepreneur was obliged to provide pursuant to the decision of the President of UODO: they lacked a description of the nature of the breach, a description of its possible consequences and a description of the measures applied or proposed by the controller to remedy the breach, including measures to minimise its possible effects. Therefore, by letter of [...] July 2020, the President of UODO called on the Entrepreneur to supplement the explanations and present evidence documenting implementation of the decision. In response to this renewed request, the Entrepreneur's attorney explained by e-mail of [...] July 2020 that, quote: "(...) the points you mentioned in the request have been fulfilled:

(b) If you have any questions, please contact the RODO administrator at our facility:

M. K. […]

(c) It is not possible to clarify this point; in my opinion it is sufficient how we have listed what data has been violated.

(d) At the same time, we would like to inform you that this person no longer works at our clinic and there is an investigation against him.

Therefore, I believe that there is no basis for sending notices to patients again."

In the opinion of the President of UODO, the explanations submitted by the Entrepreneur's attorney and the evidence presented gave grounds to conclude that the Entrepreneur had failed to comply with the order of the administrative decision of the President of UODO of [...] February 2020, ref. [...].

In connection with the above, by letter of [...] September 2020, the President of UODO initiated ex officio administrative proceedings under No. DKE.561.11.2020.[...] regarding the imposition of an administrative fine on the Entrepreneur for non-compliance with the order issued by the supervisory authority pursuant to Article 58(2)(e) in conjunction with Article 34(1) and (2) of Regulation 2016/679. In that letter the Entrepreneur was, inter alia, requested to provide financial data in the form of a financial statement or, in its absence, a statement of turnover and financial result for 2019, in order to determine the basis for the administrative fine. The letter further indicated that, if the Entrepreneur presented evidence of full implementation of the order of the decision of the President of UODO, this circumstance could mitigate the amount of the fine imposed in the present proceedings or result in no fine being imposed.

In response to the letter informing of the commencement of the fine proceedings, the Entrepreneur's attorney, by e-mail of [...] September 2020, undertook to send a "new notification to the patients affected by the infringement". Furthermore, on [...] September 2020, the Entrepreneur's attorney contacted the Office for Personal Data Protection by telephone requesting a list of the ten notices he had previously submitted (by letter of [...] June 2020) in case [...]. He was informed of the proceedings currently conducted against the Entrepreneur (ref. DKE.561.11.2020.[...]) concerning the imposition of an administrative fine for non-compliance with the order issued by the President of UODO by decision ref. [...]. A staff note documenting this telephone conversation was drawn up on [...] September 2020. On [...] September 2020, the Entrepreneur's attorney sent by e-mail a sample notice to the Office for Personal Data Protection, in order to agree its content with the authority before sending it to the persons affected by the breach. In connection with this e-mail, an employee of the Office contacted the Entrepreneur's attorney by e-mail (on [...] September 2020) and then by telephone (on [...] October 2020) to point out that the notice was incomplete. The attorney was informed that the notice should indicate the full scope of the personal data disclosed as a result of the breach (consistent with the notification of [...] July 2019) and should include a description of the possible consequences of the breach and of the remedial steps taken by the controller. The attorney was further advised that examples of possible consequences and remedial steps had been indicated to the Entrepreneur in the text of the decision of [...] February 2020, ref. [...]. During the telephone call, the Entrepreneur's attorney undertook to send evidence of compliance with the decision by the end of October 2020. In a letter received by the Office for Personal Data Protection on [...] November 2020, the Entrepreneur's attorney stated, quote: "I would like to inform you that in accordance with the request sent by the Department of Penalties and Enforcement of the Office for Personal Data Protection, we notified a total of 37 persons (victims). This is the number of persons that ultimately resulted from our IT department's analysis of the logins and information seen by Mr D(...) B(...). At the same time, I inform you that these are all the persons affected in this case." The list of persons to whom the Entrepreneur sent notices, attached to the letter, contained thirty-seven items, two of which were repeated. The letter was also accompanied by: a copy of VAT invoice No. [...] of [...] October 2020 issued by Poczta Polska S.A. to the Entrepreneur, documenting the purchase of thirty-seven postage stamps worth PLN 3.30 each; a copy of a statement dated [...] October 2020 reading "We confirm the sending of 37 ordinary letters by Mr M. K.", bearing an illegible signature and a stamp reading "W. [...] *AN*"; and a copy of an unaddressed sample notice. In response, on [...] November 2020 the President of UODO requested the Entrepreneur to supplement the evidence, indicating that the explanations and evidence submitted were incomplete and did not provide a basis to conclude that the Entrepreneur had in fact notified the data subjects as ordered by the administrative decision of the President of UODO of [...] February 2020, ref. [...]. The Entrepreneur was requested to supplement the evidence of compliance with the order, i.e. to send a correct list of the persons to whom the notices were sent and copies of all addressed notices together with registered mail receipts or return receipts, within 7 days of delivery of the letter. In response, the Entrepreneur's attorney, by letter received by the Office on [...] December 2020, stated, quote: "there is no obligation to send registered mail and it is sufficient for me to send it by regular mail and confirm its mailing. I complied with this order and confirmed it with an invoice and a written certificate from a postal worker". He further stated, quote: "the number of notices is correct - the repeat patients are not random, they are a result of them having been to the appointment twice".

 

Having considered all the evidence gathered in the case, the President of UODO found as follows.

Pursuant to Article 57(1) of Regulation 2016/679, without prejudice to other tasks defined under the Regulation, each supervisory authority within its territory (including the President of UODO within the territory of the Republic of Poland) inter alia monitors and enforces the application of the Regulation (Article 57(1)(a)) and conducts proceedings on its application (Article 57(1)(h)). The instruments for the performance of the tasks referred to in Article 57(1) of Regulation 2016/679 are the corrective powers granted to the supervisory authorities (including the President of UODO) by Article 58(2) of Regulation 2016/679, including in particular the power to order the controller to notify the data subject of a personal data breach (Article 58(2)(e)), as well as the power to impose, in addition to or instead of the other measures referred to in Article 58(2) of Regulation 2016/679, an administrative fine under Article 83 of that Regulation (Article 58(2)(i)).

Pursuant to Article 83(6) of Regulation 2016/679, failure to comply with an order issued by a supervisory authority pursuant to Article 58(2) is subject to an administrative pecuniary penalty of up to EUR 20,000,000 and, in the case of an undertaking, up to 4% of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable.

Applying the above-mentioned provisions of Regulation 2016/679 to the facts established in the case and described above, it must be stated that the Entrepreneur did not comply (or, in the terminology used by the EU legislator in Article 83(6) of Regulation 2016/679, "does not comply") with the order of the administrative decision of the President of UODO of [...] February 2020, ref. [...].

By the final administrative decision of the President of UODO of [...] February 2020, ref. [...], the Entrepreneur was obliged to notify the data subjects, within three days from the date on which the decision became final, of the breach of their personal data that occurred on [...] April 2019, in order to provide them with the information required under Article 34(2) of Regulation 2016/679, i.e.:

(a) a description of the nature of the personal data breach;

(b) the name and contact details of the Data Protection Officer or the designation of another contact point from which further information may be obtained;

(c) a description of the possible consequences of the personal data breach;

(d) a description of the measures implemented or proposed by the controller to address the breach, including measures to minimise its possible effects.

The President of UODO indicated in that administrative decision that proper fulfilment of the obligation set out in Article 34 of Regulation 2016/679 consists in providing the data subjects, promptly and in a transparent manner, with information about the breach of the protection of their personal data, together with a description of its possible consequences and of the measures they can take to minimise its possible negative effects. In the justification of the decision, the President of UODO emphasised that a breach of the confidentiality of data comprising a PESEL number together with first and last names, parents' names, date of birth, address of residence or stay and telephone number results in a high risk to the rights and freedoms of the persons to whom the data relate, and requires that these persons be notified of the breach in order to inform them, inter alia, of its possible negative effects and of the actions (measures) they can take to protect themselves against them. In conclusion, the President of UODO stated that, by acting in accordance with the law and showing due care for the interests of the data subjects, the controller (the Entrepreneur) should have ensured the best possible protection of their personal data without undue delay.

In the opinion of the President of UODO, the Entrepreneur failed to prove, either in the course of the proceedings to verify implementation of the decision of the President of UODO (ref. [...]) or in the course of the present proceedings to impose an administrative fine on the Entrepreneur (ref. DKE.561.11.2020.[...]), that she had complied with the order of the administrative decision of [...] February 2020, ref. [...].

At the outset, it should be emphasised that, in accordance with the principle of accountability formulated in Article 5(2) of Regulation 2016/679, the controller is responsible for compliance with the provisions of paragraph 1 of that Article (including, under the principle of lawfulness, processing personal data "lawfully") and must be able to demonstrate compliance with them. In the present case, the President of UODO validly determined, by the administrative decision of [...] February 2020, ref. [...], that the Entrepreneur processes personal data in breach of the law, namely of Article 34(1) and (2) of Regulation 2016/679, which requires the controller, where a personal data breach is likely to result in a high risk to the rights or freedoms of natural persons, to notify the data subjects of the breach without undue delay (in the form and with the content specified in paragraph 2). The accountability principle therefore means that the Entrepreneur is obliged, in particular in the proceedings before the President of UODO, to prove that the order of the decision has been executed, such execution being equivalent to restoring the Entrepreneur's processing of personal data to compliance with the law. This reading of the accountability principle is confirmed by the doctrine of personal data protection law, according to which "The statement that the controller should be able to prove compliance with the principles can be read as imposing on the controller the burden of proof regarding the compliance with the principles of data processing. In the event of a dispute with either the data subject or the supervisory authority, the controller should be able to provide evidence that it is complying with the principles. Such evidence may be primarily documents relating to data processing and data protection." (P. Fajgielski [in:] Commentary to Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, Warsaw 2018, Article 5, https://sip.lex.pl/#/commentary/587773149/570589/fajgielski-pawel-komentarz-do-rozporzadzenia-nr-2016-679-w-sprawie-ochrony-osob-fizycznych-w...?cm=URELATIONS).

In the present case, in the opinion of the President of UODO, the Entrepreneur did not present evidence of fulfilment of the obligation referred to in Article 34(1) and (2) of Regulation 2016/679.

Firstly, the Entrepreneur proved (by submitting a copy of the postal delivery book) that on [...] June 2020 she sent notices of the personal data breach to ten persons. In view of the content of these notices, which indisputably do not meet the requirements of Article 34(2) of Regulation 2016/679, and their small number in relation to the one hundred persons whose data were breached according to the notification of [...] July 2019 (or the thirty-seven persons indicated by the Entrepreneur, after verification, in the letter received by the Office for Personal Data Protection on [...] November 2020), this action cannot in any way be regarded as implementation of the order of the decision of the President of UODO.

Secondly, the documents presented by the Entrepreneur as evidence of the notices sent on [...] or [...] October 2020 to thirty-seven persons do not clearly show that such notices were actually sent to the persons whose data were breached, for the following reasons:

(a) VAT invoice No. [...] of [...] October 2020 documents only the purchase of thirty-seven postage stamps, not the performance of a postal service (the posting or delivery of mail).

(b) There is no certainty that the statement "We confirm the posting of 37 ordinary letters by Mr M. K." originates from a postal operator (it bears no indication of the operator's company name or any other designation). The statement is, moreover, unverifiable and therefore unreliable, since the illegible signature makes it impossible to identify the person who made it.

(c) Even if the above statement confirmed that 37 ordinary letters were sent by the Entrepreneur (which, as indicated above, it does not), it would certainly not be possible on that basis (even together with the invoice documenting the purchase of the stamps) to conclude that these were the notices referred to in the order of the decision, that their content matched the unaddressed sample notice presented by the Entrepreneur, or that they were addressed to the persons affected by the breach (as specified in the list compiled by the Entrepreneur).

Summing up the above, there are no grounds to conclude that the Entrepreneur complied with her obligation under Article 34(1) and (2) of Regulation 2016/679 to notify the data subjects of the breach of the protection of their personal data that is the subject of the notification of [...] July 2019, and thus that she complied with the order of the administrative decision of the President of UODO of [...] February 2020, ref. [...]. The state of non-compliance with the order issued by the President of UODO persists as of the date of issue of this decision.

It should be pointed out that the infringement of Regulation 2016/679 that is the subject of these proceedings, i.e. non-compliance with the order issued by the President of UODO, has lasted since [...] March 2020, i.e. since the day following the expiry of the deadline for its implementation set in the decision. It should be emphasised, however, that the infringement of Regulation 2016/679 that the order of the decision was meant to remedy (the failure to inform the persons affected by the breach) has lasted much longer: at least since [...] July 2019, when the Entrepreneur notified the personal data breach and therefore undoubtedly already knew of it.

Despite having been properly served with the decision of the President of UODO, the Entrepreneur made no attempt whatsoever to execute the order. She took any action only as a result of the intervention of the President of UODO, and those actions were dilatory and, as shown above, ineffective, which increased the risk of additional harm to the persons affected by the breach. According to Recital 86 of Regulation 2016/679, "Information should be provided to data subjects as soon as reasonably practicable, in close cooperation with the supervisory authority, respecting guidance given by the supervisory authority or other relevant authorities, such as law enforcement authorities. For example, the need to minimise the immediate risk of harm will require that data subjects are informed immediately, while the implementation of appropriate measures against the same or similar data protection breaches may justify later information."

It should be stressed that, both in the course of the proceedings verifying compliance with the decision of the President of UODO (ref. [...]) and in the course of the present proceedings to impose an administrative fine on the Entrepreneur (ref. DKE.561.11.2020.[...]), an employee of the Office for Personal Data Protection gave the Entrepreneur a number of instructions on how to comply with the order, in particular how to formulate the notices properly, how to deliver them to the persons concerned, and how to document these actions before the President of UODO, who is responsible for enforcing his orders. In the opinion of the President of UODO, the Entrepreneur's failure to follow these instructions, or even her disregard of them, shows that she grossly neglected her obligations relating to personal data protection.

Taking into account the above considerations, the President of UODO concludes that in the present case there were grounds justifying the imposition of an administrative fine on the Entrepreneur, pursuant to Article 83(6) of Regulation 2016/679, for non-compliance with the order issued pursuant to Article 58(2)(e) of Regulation 2016/679. Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case, with due regard in each case to the circumstances listed in points (a) to (k) of that provision. When deciding to impose an administrative fine on the Entrepreneur in the present case and determining its amount, the President of UODO took into account, among them, the following circumstances having an aggravating effect on the assessment of the infringement:

(a) The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question (Article 83(2)(a) of Regulation 2016/679)
The infringement subject to an administrative fine in the present proceedings (non-compliance with the order issued by the President of the Office for Personal Data Protection under Article 58(2) of Regulation 2016/679) infringes the system aimed at protecting one of the fundamental rights of an individual, which is the right to protection of his/her personal data, or more broadly - to protection of his/her privacy. An important element of this system, which is framed by Regulation 2016/679, is the supervisory authorities, which are charged with the tasks of protecting and enforcing individuals' rights in this regard. In order to enable the performance of these tasks, supervisory authorities have been equipped with a number of remedial powers, including the power to order the controller to notify the data subject of a data protection breach (Article 58(2)(e)). The Entrepreneur's disregard for the order issued against it by the President of the Office for Personal Data Protection, which is in fact a concretisation of the obligation provided for by the provisions of Regulation 2016/679, in fact means disregard for the provisions on personal data protection and for the role of the President of the Office for Personal Data Protection in the data protection system defined by the provisions of Regulation 2016/679. Such conduct of the Entrepreneur, which is an entity that professionally and on a large scale processes personal data of patients (including health data, i.e. data subject to special protection under Article 9 of Regulation 2016/679), should be considered as significant and particularly reprehensible. The gravity of the infringement is further increased by the fact that the infringement committed by the Entrepreneur was not a one-off and incidental event; the Entrepreneur's conduct subject to assessment in these proceedings is continuous and long-term in nature. It lasted from [...] March 2020, i.e. from the day following the expiry of the time limit set in the decision for implementing the injunction contained in the decision, until the present day. Such a long duration of the breach (prolonging the state of breach of Article 34 of Regulation 2016/679, the remedy for which was to be provided by the order of the decision, which undoubtedly increases the risk of negative consequences for the persons affected by the breach) is contrary to the ratio legis of Article 34 of Regulation 2016/679, which assumes that, in order to minimise the risk of damage to the persons affected by the breach, the notification of the breach of their personal data should be made as soon as possible - "without undue delay" (Article 34(1) of Regulation 2016/679). The seriousness of the controller's breach of this obligation is highlighted, inter alia, in WP 253 of the Article 29 Working Party of 3 October 2017 on the application and setting of administrative fines for the purposes of Regulation 2016/679 (https://uodo.gov. en/en/10/13), according to which "a controller/processor who has been negligent by failing to comply with the notification obligation or at least by failing to notify all details of the breach as a result of an incorrect assessment of the extent of the breach may, according to the supervisory authority, deserve a more serious sanction - in other words, such a breach is unlikely to be considered minor".

(b) Intentional nature of the breach (Article 83(2)(b) of Regulation 2016/679)

The Article 29 Working Party, in its Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on 3 October 2017, referring to the intentional or unintentional nature of a breach, indicated that, in principle, "intentionality" includes both knowledge and intentional action, in relation to the characteristics of the offending act, while "unintentionality" means the absence of intent to cause a breach, despite the failure of the controller or processor to comply with the legally required duty of care. Intentional breaches are more serious than unintentional ones and consequently more likely to result in an administrative fine. In the course of the proceedings, the Entrepreneur ignored the Office's recommendations as to the correct implementation of the obligation, which indicates a deliberate failure to comply with the order. It should be stressed that at no stage of the proceedings did the Entrepreneur present complete evidence of compliance with the order of the above-mentioned decision.

(c) Unsatisfactory level of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679)

Assessing the Entrepreneur's cooperation with the President of the DPA throughout the case initiated by the Entrepreneur's notification of a personal data protection breach on [...] July 2019, it should be stated that even before the breach occurred, i.e. before [...] March 2020 (the date of expiry of the deadline for compliance with the order of the decision of the President of the Office for Personal Data Protection of 26 February 2020, ref. [...]), the Entrepreneur completely disregarded the measures imposed on it by the President of the Office for Personal Data Protection - both the letter of the President of the Office for Personal Data Protection of [...] August 2019 (ref. [...]) and the decision of the President of the Office for Personal Data Protection of [...] February 2020 itself. Despite the correct delivery of both documents to the Entrepreneur, he did not take any action to implement them. It was only after the President of the Office for Personal Data Protection instituted proceedings to verify the enforcement of the decision (ref. [...]) and in the course of the present proceedings to impose an administrative fine on the Entrepreneur (ref. DKE.561.11.2020.[...]) that the Entrepreneur corresponded with the President of the Office for Personal Data Protection and undertook certain actions to implement the decision. However, as shown above, these actions were dilatory and ineffective; they did not end - despite appropriate instructions given to the Entrepreneur's attorney by an employee of the DPA in writing, by email and by telephone - with the Entrepreneur performing the obligation referred to in Article 34 of Regulation 2016/679 and demonstrating this fact before the President of the DPA.


The other prerequisites for the assessment of the administrative pecuniary penalty indicated in Article 83(2) of Regulation 2016/679 had no influence (aggravating or mitigating) on the assessment of the breach made by the President of the DPA (including: the degree of responsibility of the controller taking into account the technical and organisational measures implemented, any relevant previous breach on the part of the controller, the categories of personal data affected by the breach, the manner in which the supervisory authority became aware of the breach, compliance with the measures applied in the same case referred to in Article 58(2) of Regulation 2016/679, the application of approved codes of conduct or approved certification mechanisms, and the financial benefits achieved or losses avoided due to the breach).
Pursuant to the wording of Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of the Office for Personal Data Protection, the penalty imposed on the Entrepreneur in the present proceedings meets these criteria. The penalty will discipline the Entrepreneur to comply with the provisions of the decision and to properly cooperate with the President of the Office for Personal Data Protection in any other potential future proceedings with the participation of the Entrepreneur. In the opinion of the President of the Office for Personal Data Protection, the penalty imposed by the decision is proportionate to the gravity and reprehensible nature of the infringement. The penalty will also serve as a deterrent; it will be a clear signal both for the Entrepreneur and other addressees of the decision of the President of the Office for Personal Data Protection that non-compliance with the order imposed by the President of the Office for Personal Data Protection constitutes a separate infringement (independent of the infringement, the removal of which gave rise to the order) and an infringement of significant gravity. As such, it will be subject to financial sanctions. It should be noted that in the opinion of the President of the Office for Personal Data Protection, imposing an administrative fine on the Entrepreneur is a measure that will ensure compliance with the injunction issued against the Entrepreneur by way of the decision of [...] February 2020 ref.

In view of the Entrepreneur's failure to present the financial data for 2019 requested by the President of the Office for Personal Data Protection, when determining the amount of the administrative fine in this case the estimated size of the Entrepreneur's enterprise and the specificity, scope and scale of its activity were taken into account. In the course of the proceedings, it was established that the Entrepreneur conducts large-scale business activity in the service sector that undoubtedly generates large revenues and profits, i.e. health care. The information presented on the Entrepreneur's website ([...]) shows that it runs at least three medical facilities: D., K. and K. The large scale of the Entrepreneur's activity was confirmed by the Entrepreneur's representative in a letter received by the Office for Personal Data Protection on [...] May 2020, in which he stated as follows: "Currently, over [...] people are treated in our facilities". In view of the above, it should be stated that the administrative fine imposed in this decision will not be associated with an excessive detriment to the activity conducted by the Entrepreneur.

Pursuant to the wording of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates on 28 January each year, and in the event that in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the National Bank of Poland's table of exchange rates nearest to that date. In this case, the exchange rate of PLN 4.2794 per EUR 1 applicable on 28 January 2020 shall apply. The administrative fine of PLN 85,588 imposed by the decision is therefore the equivalent of EUR 20,000.

Taking into account the above, the President of the Office for Personal Data Protection decided as in the operative part of the present decision. 

The decision is final. The party has the right to lodge a complaint against the decision with the Voivodship Administrative Court in Warsaw within 30 days from the date of its delivery through the President of the Office for Personal Data Protection (address: 2 Stawki Street, 00 - 193 Warsaw). The complaint should be subject to a proportional entry, pursuant to art. 231 in connection with art. 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the filing of a complaint by a party to an administrative court suspends the enforcement of the decision with regard to an administrative fine.

Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for lodging a complaint with the Voivodship Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for Personal Data Protection in the NBP O/O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of the above-mentioned Act, the President of the Office for Personal Data Protection may, upon a justified request of the penalised entity, defer the deadline for payment of the administrative fine or spread it into instalments. In the case of postponing the date of payment of an administrative fine or spreading it into instalments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using the reduced rate of interest for default, as published on the basis of Article 56d of the Act of 29 August 1997 - Tax Ordinance (Journal of Laws of 2004, No. 76, item 259, as amended; Journal of Laws of 2019, item 900, as amended), from the day following the date on which the application was submitted.