| UODO - DKE.561.13.2020 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 31 GDPR Article 58(1)(e) GDPR Article 58(2)(i) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 09.12.2020 |
| Published: | |
| Fine: | 12838 PLN |
| Parties: | n/a |
| National Case Number/Name: | DKE.561.13.2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Polish |
| Original Source: | Urząd Ochrony Danych Osobowych (in PL) |
| Initial Contributor: | Agnieszka Rapcewicz |
The Polish DPA (UODO) imposed a fine of €3000 on a company for failing to respond to DPA's letters and provide access to personal data and other information necessary to carry out the DPA's tasks.
English Summary
Facts
The Office for Personal Data Protection received a complaint from an individual concerning irregularities in the processing of his personal data by Smart Cities Sp. z o.o. with its registered office in Warsaw. The President of the UODO initiated an ivestigation. The DPA requested the Company to provide information about processing the complainant's personal data. In response, the President of the Management Board of the Company, submitted explanations to the President of the DPA, which were incomplete. The President of the DPA, considering the above explanations of the Company as insufficient, requested the Company to supplement them. The letter was delivered to the Company, which was confirmed on the acknowledgement of receipt of the letter (signature of the recipient, without indication of the date of receipt of the letter). The Company did not reply to the letter. Further letters from Tthe DPA remained unreceived by the Company.
The President of the UODO initiated an administrative proceeding against the Company to impose an administrative fine on the Company.
Holding
The DPA found that the Company violated Article 31 GDPR and Article 58(1)(e) GDPR and imposed a fine of €3,000 on the Company.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256 as amended), Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), Article 83 (1)-(3), Article 83 (5)(e) in connection with Article 31, Article 58 (1)(e), Article 58 (2)(i) of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 04.05.2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), having conducted ex officio administrative proceedings on imposing an administrative fine on Smart Cities Sp. z o.o. with its registered office in Warsaw, ul. Krucza 16-22, the President of the Office for Personal Data Protection stating that Smart Cities Sp. z o.o. violated the provisions of Article 31 and Article 58 (1) (e) of Regulation 2016/679 by failing to cooperate with the President of the Office for Personal Data Protection in the performance of its tasks and by failing to provide access to personal data and other information necessary for the President of the Office for Personal Data Protection to perform its tasks imposes on Smart Cities Sp. z o.o. with its registered office in Warsaw at ul. Krucza 16-22 an administrative fine in the amount of PLN 12,838.20 (in words: twelve thousand eight hundred and thirty-eight zlotys twenty groszy). JUSTIFICATION The Office for Personal Data Protection received a complaint from Mr K. T., residing in W. (hereinafter "the Complainant") concerning irregularities in the processing of his personal data by Smart Cities Sp. z o.o. with its registered office in Warsaw, ul. Krucza 16-22 (hereinafter "the Company"). The President of the Office for Personal Data Protection (hereinafter referred to as "the President of the Office for Personal Data Protection"), within the framework of the administrative proceedings initiated to examine the complaint filed (under the reference [...], by letter dated [...] June 2019, requested the Company to respond to the content of the complaint and to provide answers to the following specific questions concerning the case: 1) whether, and if so on what legal basis, for what purpose and to what extent, the Company processes the Complainant's personal data, 2) on what legal basis, to what extent and for what purpose the Company provided the Complainant's personal data to A.S.A, 3) whether the Company concluded a contract with A.S.A. for entrustment of personal data processing (in the event of a positive answer to this question, the Company was requested to present the contract for entrustment of personal data processing). In response to the aforementioned request, the President of the Management Board of the Company, in a letter dated [...] August 2019, submitted explanations to the President of the DPA, which were incomplete and thus did not provide a basis for the consideration of the aforementioned complaint by the DPA. The President of the DPA, considering the above explanations of the Company as insufficient, by letter of [...] May 2020, requested the Company to supplement them by: 1) indicating the specific purposes of the processing for which the agreement of [...] May 2018 was concluded; 2) submitting to the file of the proceedings documents which specify the purposes of the processing of the personal data to which the agreement of [...] May 2018 relates, in particular: (a) the main contracts concluded between Smart Cities Sp. z o.o. and A. S.A; (b) the documents defining the cooperation between Smart Cities Sp. z o.o. and A. S.A. The letter was delivered to the Company, which was confirmed on the acknowledgement of receipt of the letter (signature of the recipient, without indication of the date of receipt of the letter). The Company did not reply to the letter. Consequently, on [...] August 2020, a letter was sent to the Company with a renewed request to provide additional explanations in the case without delay. On [...] September 2020, the letter was returned to the sender with the notation 'return not taken on time'. By letter of [...] August 2020. The Company was instructed that failure to respond to the summons of the President of the DPAO may result, pursuant to Article 83(5)(e) in conjunction with Article 58(1)(a) of Regulation 2016/679, in the imposition of an administrative fine on the Company. In view of the Company's failure to provide full information necessary to resolve the case ref. [...], initiated by the Complainant's complaint, the President of the Office for Personal Data Proetction initiated ex officio against the Company - based on Article 83(5)(e) of the Regulation 2016/679, in connection with the Company's violation of Article 31 and Article 58(1)(a) and (e) of the Regulation 2016/679 - an administrative proceeding to impose an administrative fine on the Company (under ref. DKE.560.13.2020.DS). The Company was informed of the initiation of the proceedings by letter dated [...] September 2020, which [...] October 2020 was returned to the sender with the annotation "return receipt not taken in time". By this letter, the Company was also requested - in order to determine the basis for the penalty assessment, pursuant to Article 101a(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) - to present the Company's financial statements for 2019 or, in the absence thereof, a statement of the turnover and financial result achieved by the Company in 2019. By the date of this decision, the Company has not provided the information necessary for the consideration of the case under reference [...]. The Company also did not respond to the letter informing about the initiation of proceedings under case no. DKE.560.13.2020 concerning the imposition of an administrative fine on the Company. Having considered all the evidence gathered in the case, the President of the Office for Personal Data Protection determined as follows. Pursuant to Article 57(1)(a) of Regulation 2016/679, the President of the UODO - as a supervisory authority within the meaning of Article 51 of Regulation 2016/679 - shall monitor and enforce the application of the Regulation in his territory. Within the scope of its competences, the President of the DPA shall, inter alia, investigate complaints lodged by data subjects, conduct proceedings on such complaints to the appropriate extent and inform the complainant of the progress and outcome of such proceedings within a reasonable period of time (Article 57(1)(f)). In order to enable the fulfilment of the tasks thus defined, the President of the DPA has a number of powers set out in Article 58(1) of Regulation 2016/679 with regard to the proceedings, including the power to order the controller and the processor to provide any information needed to fulfil its tasks (Article 58(1)(a)) and the power to obtain from the controller and the processor access to any personal data and any information needed to fulfil its tasks (Article 58(1)(e)). A breach of Regulation 2016/679, whereby the controller or the processor fails to provide access to the data and information referred to above, resulting in a breach of the authority's powers under Article 58(1) (including the power to obtain the data and information necessary for the performance of its tasks), shall, pursuant to Article 83(5)(e) in fine of Regulation 2016/679, be subject to an administrative fine of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total annual worldwide turnover in the preceding financial year, with the higher amount applicable. Conversely, a breach of Regulation 2016/679, consisting in a lack of willingness to cooperate with the supervisory authority in the performance of its tasks (Article 31), is instead subject, pursuant to Article 83(4)(a) of Regulation 2016/679, to an administrative pecuniary penalty of up to EUR 10,000,000 and, in the case of an undertaking, of up to 2% of its total annual worldwide turnover from the preceding financial year, the higher amount applying: According to Article 83(3) of Regulation 2016/679, if a controller or processor infringes intentionally or unintentionally several provisions of this Regulation in the course of the same or related processing operations, the total amount of the administrative pecuniary penalty shall not exceed the amount of the penalty for the most serious infringement. Applying the aforementioned provisions of Regulation 2016/679 to the factual situation established in the present case and described at the beginning of the justification of this decision, it should be stated that the Company - the controller of personal data of the applicant Mr K. T. - as a party to the proceedings conducted by the President of the Office for Harmonization in the Internal Market (OCCP) under case No [...], breached its obligation to provide the President of the OCCP with access to the information necessary to perform his tasks - in this case, to decide on the merits of the case. Such action by the Company constitutes a breach of Article 58(1)(e) of Regulation 2016/679. In the proceedings under case file [...], the President of the Office for Personal Data Protection summoned the Company three times to provide explanations necessary for the examination of the case. The Company's response to the first summons of the President of the UODO (dated [...] June 2019) was far from complete (no exhaustive answer to any of the three detailed questions asked in the letter of the President of the UODO) and to date has not provided an opportunity for the DPAO to fully and thoroughly consider the complaint of the person whose data has been breached. Subsequent letters addressed to the Company by the President of the Office for Personal Data Protection(of [...] May 2020 and [...] August 2020) were not collected by the Company and consequently the President of the Office for Personal Data Protection failed to provide any answer. The above-described conduct of the Company in the case under case ref. no. [...] (giving incomplete answers to specific questions of the President of the Office for Personal Data Protection (OCCP) which are not very complicated and do not require any specialist knowledge in the field of personal data protection and the lack of answers to subsequent requests of the President of the Office for Harmonisation in the Internal Market (OCCP) addressed to the Company in order to supplement the evidence in the case) indicates a lack of will to cooperate with the President of the Office for Personal Data Protection in the determination of the facts of the case and its proper resolution or at least a flagrant disregard of its obligations concerning the cooperation with the President of the Office for Personal Data Protection (OCCP) in the performance of its tasks under Regulation 2016/679. The above statement is further substantiated by the fact that the Company in no way attempted to justify the fact of the lack of any response to the two requests for explanations, nor did it contact the Office for Personal Data Protection in order to signal any possible doubts it might have had as to the scope of the information requested by the President of the Office for Personal Data Protection. It should be pointed out at this point that obstructing and preventing access to information which the President of the Office for Harmonization in the Internal Market has requested and demands from the Company, and which is undoubtedly in the Company's possession (e.g. concerning the main agreements concluded between Smart Cities Sp. z o.o. and A. S.A. referred to in the letter of [...] August 2019) ), stands in the way of a thorough examination of the case, it also results in an excessive and unjustified prolongation of the proceedings, which contradicts the basic principles governing administrative proceedings - set out in Article 12(1) of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended) principles of thoroughness and speed of proceedings. Moreover, the Company is obliged to cooperate with the supervisory authority in the performance of its tasks, as stipulated in Article 31 of Regulation 2016/679. In view of the above findings, the President of the UODO concludes that in the present case there were premises justifying the imposition on the Company - pursuant to Article 83(5)(e) in fine and Article 83(4)(a). (a) of Regulation 2016/679 - an administrative fine in connection with the lack of willingness to cooperate with the supervisory authority in the performance of its tasks (Article 31) and in connection with the Company's failure to provide access to the information necessary for the President of the Office for Harmonization in the Internal Market to perform its tasks (Article 58(1)(e)), that is, to resolve the case ref. Pursuant to the content of Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, a number of circumstances listed in points a) to k) of the aforementioned provision shall be taken into account. When deciding to impose an administrative fine on the Company in the present case and determining the amount of the fine, the President of the Office for Personal Data Protection took into account the following circumstances having an aggravating effect on the assessment of the infringement: Nature, gravity and duration of the breach (Article 83(2)(a) of Regulation 2016/679). The infringement subject to an administrative fine in the present case undermines the system aimed at protecting one of the fundamental rights of an individual, which is the right to protection of his/her personal data, or more broadly, to protection of his/her privacy. An important element of this system, the framework of which is set out by Regulation 2016/679, is the supervisory authorities, which are charged with the tasks of protecting and enforcing individuals' rights in this regard. In order to be able to perform these tasks, supervisory authorities have been equipped with a number of inspection powers, powers to conduct administrative proceedings and remedial powers. On the other hand, controllers and processors, correlated with the powers of supervisory authorities, have been imposed certain obligations, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to information necessary for the performance of their tasks. The Company's actions in this case, consisting in obstructing and preventing access to the information requested by the the President of the Office for Personal Data Protection and resulting in hindering and unjustifiably prolonging the proceedings conducted by the President of the Office for Personal Data Protection should therefore be regarded as undermining the system of personal data protection and therefore as very serious and reprehensible. The gravity of the infringement is further increased by the fact that the infringement committed by the Company was not an incidental event; the Company's action was continuous and long-lasting. It has lasted from the end of the period to be heard, i.e. from [...] May 2020, until the present time. 2. willful nature of the infringement (Article 83(2)(b) of Regulation 2016/679). In the opinion of the President of the Office for Personal Data Protection, there is a lack of willingness on the part of the Company to cooperate in providing the authority with all the information necessary to resolve the case in the course of which the authority requested it. This is evidenced, in particular, by the lack of any reply to two out of three requests made to the Company by the President of the Office for Personal Data Protection. Also the incomplete explanations submitted by the Company to the President of the Office for Personal Data Protection in response to the first letter addressed to the President of the Office for Personal Data Protection testify to the lack of will to cooperate with the authority or at least a flagrant disregard of its obligations related to such cooperation. It should be emphasised that the Company at no stage of the proceedings under case file No [...], as well as in the present proceedings, made no attempt to justify such conduct. Taking into account that the Company is an entrepreneur, an entity professionally participating in legal and economic trade, it should also be assumed that the Company was (and still is) aware that its action consisting in not collecting correspondence from the President of the Office for Personal Data Protection (in the presence of knowledge that administrative proceedings ref. no. [...] are pending before the President of the Office for Harmonisation in the Internal Market, to which the Company is a party) constitutes a breach of the basic obligations of an entrepreneur, in particular the obligations arising from Regulation 2016/679. 3. failure to cooperate with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679. In the course of the present proceedings (DKE.560.13.2020) for the imposition of an administrative pecuniary penalty, the Company has not submitted supplementary explanations to the case ref. [...], which continues to significantly hinder the President of the Office for Personal Data Protection (OCCP) from issuing a decision in this case. Other prerequisites for the assessment of an administrative fine indicated in Article 83. para. 2 of Regulation 2016/679 did not have an impact (aggravating or mitigating) on the assessment of the breach made by the President of the DPA (including: any relevant previous breaches by the controller, the manner in which the supervisory authority became aware of the breach, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (concerning the relationship of the controller with the supervisory authority and not the relationship of the controller with the data subject), could not be taken into account in the present case (including: the number of persons affected and the extent of the damage suffered by them, the measures taken by the controller to minimise the damage suffered by data subjects, the degree of responsibility of the controller taking into account the technical and organisational measures implemented by it, the categories of personal data affected by the breach). Pursuant to the wording of Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Company in the present proceedings meets these criteria. It will discipline the Company to properly cooperate with the President of the Office for Personal Data Protection, both in the further course of the proceedings under case file No [...], as well as in any other future proceedings with the participation of the Company before the President of the Office for Personal Data Protection. In the opinion of the President of the Office for Personal Data Protection, the penalty imposed by the decision is proportionate to the gravity of the infringement and to the Company's capacity to bear it without significant detriment to its business. The penalty will also have a deterrent function; it will be a clear signal both to the Company and to other entities obliged under the provisions of Regulation 2016/679 to cooperate with the President of the Office for Personal Data Protection that disregarding the obligations related to cooperation with the President of the Office for Personal Data Protection (in particular, obstructing access to information necessary for the performance of the President's tasks) constitutes a breach of great significance and, as such, will be subject to financial sanctions. At this point, it should be noted that imposing an administrative fine on the Company is - in view of the Company's conduct so far as a party to the proceedings [...] - necessary; it is the only measure at the disposal of the President of the Office for Pesonal Data Protection which will make it possible to obtain access to information necessary in the conducted proceedings. In view of the Company's failure to present the financial data for 2019 requested by the President of the Office for Personal Data Protection, when determining the amount of the administrative fine in the present case, the President of the Office for Personal Data Protection took into account, pursuant to Article 101a(2) of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, item 1781), the estimated size of the Company and the specificity, scope and scale of its activity. Pursuant to the content of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates on 28 January of each year, and in the case where in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the National Bank of Poland's table of exchange rates nearest to that date. In view of the above, the President of the Office for Personal Data Protection, pursuant to Article 83(3) and Article 83(4)(a) and Article 83(5)(e) of Regulation 2016/679, in conjunction with Article 103 of the Personal Data Protection Act 2018, for the infringements described in the operative part of this decision, imposed on the Company - using the average euro exchange rate as at 28 January 2020. (1 EUR = 4.2794 PLN) - an administrative fine in the amount of 12,838.20 PLN (equivalent to 3,000 EUR), according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table on 28 January 2020. Taking into account the above, the President of the Office for Personal Data Protection (the "President of the Office") ruled as in the operative part of this decision. The decision is final. The party has the right to lodge a complaint against the decision with the Voivodship Administrative Court in Warsaw within 30 days from the date of its delivery through the President of the Office for Harmonization in the Internal Market (address: ul. Stawki 2, 00 - 193 Warsaw). The complaint should be subject to a proportional entry, pursuant to art. 231 in connection with art. 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the filing of a complaint by a party to an administrative court suspends the execution of a decision with regard to an administrative fine. In proceedings before the Voivodship Administrative Court, a Party has the right to apply for the right to assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right to assistance may be granted upon a motion of a Party filed before the initiation of proceedings or in the course of proceedings. The application is free of court fees. Pursuant to Article 105(1) of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, pos. 1781), the administrative fine shall be paid within 14 days from the lapse of the deadline for lodging a complaint to the Voivodship Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for Personal Data Protection in the NBP O/O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of the above-mentioned Act, the President of the Office for Personal Data Protection may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it into instalments. In the case of postponement of the date of payment of an administrative fine or spreading it into installments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using a reduced rate of interest for default, announced on the basis of Article 56d of the Act of 29 August 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date on which the application was submitted.
