Banner1.png
Banner3.png

UODO - DKE.561.17.2020

From GDPRhub
UODO - DKE.561.17.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 31 GDPR
Article 58(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 18.12.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: DKE.561.17.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Decyzje Prezesa UODO (in PL)
Initial Contributor: Agnieszka Rapcewicz

The Polish DPA issued a warning to a sole proprietor for the lack of cooperation with the supervisory authority in the performance of its tasks and the failure to provide information necessary for the DPA perform its tasks.

English Summary[edit | edit source]

Facts[edit | edit source]

The Office for the Protection of Personal Data received a complaint from a data subject regarding irregularities in the processing of her personal data by a sole proprietor. The DPA asked the entrepreneur for clarification on the processing of the data subject's personal data. Correspondence from the supervisory authority was delivered to the controller but remained unanswered. The entrepreneur also failed to respond to a second request for explanations. Due to the entrepreneur's failure to provide information necessary to resolve the case initiated by the data subject's complaint, the President of UODO initiated administrative proceedings to impose an administrative fine on the entrepreneur.

Holding[edit | edit source]

The DPA found that the controller violated Article 31 GDPR and Article 58(1)(e) GDPR and issued a warning to the entrepreneur.

Comment[edit | edit source]

The entrepreneur was informed about the initiation of administrative proceedings and collection of evidence in the case by letter from October 2020, which was duly delivered . In this letter the DPA had informed the controller that if he would have provided comprehensive explanations and justified lack of earlier response, it may have had a mitigating influence on the amount of the administrative fine or may have resulted in the abandonment of its imposition.

In response to the letter informing about the initiation of proceedings to impose an administrative fine on the entrepreneur, by letter from December 2020, the entrepreneur's legal representative submitted explanations that allowed the President of the Office for Personal Data Protection to continue the proceedings concerning the data subject's complaint.

The explanations provided by the controller and the other circumstances of the case led the supervisory authority to consider it sufficient to issue a warning.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Pursuant to Article 104 § l of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256 as amended) in connection with Article 7 and Article 60 of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, item 1781) and pursuant to Article 31 and Article 58(1)(e) in connection with Article 58(2)(b) of the Regulation of the European Parliament and of the Council EU 2016/679 of 27 April 2016. on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 04.05.2016, p. 1, as amended), having conducted administrative proceedings on the processing of personal data by Mr T. P. conducting business under the name T, President of the Office for Personal Data Protection,

shall issue a warning to Mr T. P. conducting business activity under the name T. for infringement of the provisions of Article 31 and Article 58(1)(e) of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Dz. Urz. EU L 119 of 04.05.2016, p. 1 as amended) hereinafter referred to as "Regulation 2016/679", consisting in the lack of cooperation with the President of the OCCP in the performance of the body's tasks and the failure to provide information necessary for the President of the OCCP to perform his tasks.

Justification

The Office for the Protection of Personal Data received a complaint from Ms J. B. (hereinafter: "the Complainant"), regarding irregularities in the processing of her personal data by Mr T. P. conducting a business activity under the name T., hereinafter also referred to as "the Entrepreneur". The President of the Office for Personal Data Protection (hereinafter referred to as "the President of the Office for Personal Data Protection"), in the framework of the administrative proceedings initiated to examine the lodged complaint (under the reference [...]), by letter dated [...] March 2019, asked the Entrepreneur to respond to the content of the complaint and to provide answers to the following specific questions concerning the case:

1) when (please indicate the exact date), from what source, on what legal basis (please indicate the specific legal provision(s)) the Entrepreneur obtained the Complainant's personal data;

2) whether, and if so on what legal basis, the Entrepreneur is currently processing the Complainant's personal data, as well as on what legal basis, for what purpose and until when the data will be processed;

(3) whether the Complainant had requested the Entrepreneur to remove her personal data from the Entrepreneur's systems and, if so, how the Entrepreneur had responded to that request and what information the Complainant had been provided with in relation thereto.

The letter was delivered to the Entrepreneur on [...] April 2019, as confirmed on the "Receipt for postal delivery". The Entrepreneur did not respond to the letter. Consequently, [...] July 2019, a letter was sent to the Entrepreneur with a renewed request for immediate clarification of the case. This letter was delivered [...] July 2019, which was confirmed on the "Letter Receipt". The Entrepreneur did not respond to this letter either. Thus, [...] January 2020, another letter was sent to the Entrepreneur with a renewed request for immediate clarification of the case. The letter was delivered on [...] February 2020, which was confirmed on the "Receipt of letter delivery". The trader did not reply to this letter either. By letter of [...] August 2020. The Entrepreneur was instructed that failure to respond to the summons of the President of the DPAO may result, pursuant to Article 83(5)(e) in conjunction with Article 58(1)(e) of Regulation 2016/679, in the imposition of an administrative fine on the Entrepreneur.

Due to the Entrepreneur's failure to provide information necessary to resolve the case under reference [...], initiated by the Complainant's complaint, the President of UODO initiated ex officio against the Entrepreneur - based on Article 83(5)(e) of Regulation 2016/679, in connection with the Entrepreneur's violation of Article 31 and Article 58(1)(e) of Regulation 2016/679 - administrative proceedings to impose an administrative fine on the Entrepreneur (under reference DKE.560.17.2020 [...]. The Entrepreneur was informed about the initiation of administrative proceedings and collection of evidence in the case by letter dated [...] October 2020, which was duly delivered [...] November 2020. In the aforementioned letter, the Entrepreneur was also summoned - in order to determine the basis for the penalty assessment, pursuant to Article 101a(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) - to present a financial report on the activity conducted by the Entrepreneur for the year 2019 or, in the absence thereof, a statement on the amount of turnover and financial result achieved by the Entrepreneur in 2019. In the aforementioned letter the Entrepreneur was also instructed that if he/she provides comprehensive explanations in the proceedings under reference DKE.561.17.2020 [...] called for by the President of the Office for Personal Data Protection and justifies his/her earlier lack of response to these calls, this circumstance in the proceedings under reference DKE.561.17.2020 [...] may have a mitigating influence on the amount of the administrative fine or may result in the abandonment of its imposition.

In response to the letter informing about the initiation of proceedings to impose an administrative fine on the Entrepreneur, by letter of [...] December 2020, the Entrepreneur's legal representative submitted explanations that allowed the President of the Office for Personal Data Protection to continue the proceedings in case ref.

Moreover, by letter of [...] December 2020. The Entrepreneur also explained that:

The Entrepreneur, as part of its business activities, conducts [...]. The applicant was not a member of [...]. She took advantage of the probationary training on one occasion. In accordance with the procedure to be followed in such a case, the Applicant was required to complete a trial training application form, in which personal data and a statement of health had to be provided.
At the end of the training, the applicant requested that the application form be returned or destroyed. Thus, in her presence, the form was destroyed in a document shredder. As indicated by the Entrepreneur, the Applicant seemed to be satisfied with such an action, thus it was with great surprise that the Entrepreneur received the information about filing a complaint by the Applicant with the Office for Personal Data Protection.
As a justification for the lack of cooperation with the President of the DPA, the Entrepreneur indicated that between April 2019 and October 2020, he was frequently on sick leave due to illness and numerous injuries. In addition, due to the COVID-19 outbreak from March 2019 to October 2020. [...] was closed. The above-mentioned circumstances made it impossible for him to participate in the activities related to the Applicant's case.

Having considered all the evidence collected in the case, the President of the Office for the Protection of Personal Data considered the following.

Pursuant to Article 57(1)(a) of Regulation 2016/679, the President of the Office for Personal Data Protection - as a supervisory authority within the meaning of Article 51 of Regulation 2016/679 - monitors and enforces the application of the Regulation in its territory. Within the scope of its competences, the President of the DPA shall, inter alia, investigate complaints lodged by data subjects, conduct proceedings on such complaints to the appropriate extent and inform the complainant of the progress and outcome of such proceedings within a reasonable period of time (Article 57(1)(f)). In order to enable the fulfilment of the tasks thus defined, the President of the DPAO has a number of powers set out in Article 58(1) of Regulation 2016/679 with regard to the proceedings, including the power to order the controller and the processor to provide any information needed to fulfil its tasks (Article 58(1)(a)) and the power to obtain from the controller and the processor access to any personal data and any information needed to fulfil its tasks (Article 58(1)(e)).

In addition, the DPA President has a number of remedial powers set out in Article 58(2), including issuing reminders to the controller or processor in the event of a breach of Regulation 2016/679 by the processing operations.

A breach of Regulation 2016/679 by a controller or processor's failure to provide access to the data and information referred to above, resulting in a breach of the authority's powers set out in Article 58(1) (including the power to obtain the data and information necessary for the performance of its tasks), shall, pursuant to Article 83(5)(e) in fine of Regulation 2016/679, be subject to an administrative fine of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total annual worldwide turnover in the preceding financial year, with the higher amount applying. On the other hand, a breach of the provisions of Regulation 2016/679, consisting in a lack of willingness to cooperate with the supervisory authority in the performance of its tasks (Article 31), is subject, in turn, pursuant to Article 83(4)(a) of Regulation 2016/679, to an administrative fine of up to EUR 10,000,000, and in the case of a company - of up to 2% of its total annual worldwide turnover from the previous financial year, with the higher amount applying.

The President of the DPA, acting pursuant to Article 58(2)(b) of Regulation 2016/679, may also consider it justified to issue a warning to the Entrepreneur with regard to the identified breach of the provision of Article 31 in conjunction with Article 58(1)(e) of Regulation 2016/679.

According to recital 148 of Regulation 2016/679, in order to make the enforcement of the Regulation more effective, sanctions, including administrative monetary penalties, should be imposed for breaches of the Regulation - in addition to or instead of the corresponding measures imposed under this Regulation by the supervisory authority. Where the infringement is minor, a fine may be substituted for a warning. Due regard should however be paid to the nature, gravity and duration of the breach, whether the breach was intentional, the measures taken to minimise the damage, the degree of liability or any relevant previous breach, the manner in which the supervisory authority became aware of the breach, the compliance with the measures imposed on the controller or processor, the application of codes of conduct and any other aggravating or mitigating factors.

When referring the above-cited provisions of Regulation 2016/679 to the factual situation established in the present case and described at the beginning of the justification of this decision, it should be stated that the Entrepreneur - the controller of personal data of the Applicant Ms J. B. - as a party to the proceedings conducted by the President of the Office for Harmonisation in the Internal Market (OCCP) under case No [...], undoubtedly breached the obligation to provide the President of the Office for Harmonisation in the Internal Market (OCCP) with access to the information necessary to perform his/her tasks - in this case to resolve the matter.

However, in response to the information about the commencement of the administrative proceedings in case no. DKE.561.17.2020 [...], the Entrepreneur's proxy, by letter of [...] December 2020, submitted explanations allowing the President of the Office for Competition and Consumer Protection to continue the proceedings in case no. [...].

When deciding on the sanction to be imposed on the Company in the present case, the President of the Office for Harmonisation in the Internal Market took into account the following circumstances influencing the assessment of the infringement:

1. the nature, gravity and duration of the breach (Article 83(2)(a) of Regulation 2016/679).

The infringement sanctioned in the present case undermines the system aimed at protecting one of the fundamental rights of an individual, which is the right to protection of his/her personal data, or more broadly, to protection of his/her privacy. An essential element of this system, which is framed by Regulation 2016/679, is the supervisory authorities, which are charged with the tasks of protecting and enforcing individuals' rights in this regard. In order to be able to perform these tasks, supervisory authorities have been equipped with a number of inspection powers, powers to conduct administrative proceedings and remedial powers. On the other hand, controllers and processors have been imposed, correlated with the powers of supervisory bodies, certain obligations, including the obligation to cooperate with supervisory bodies and the obligation to provide these bodies with access to personal data and other information necessary to perform their tasks.

In the opinion of the President of the Office for Harmonisation in the Internal Market and Consumer Protection, the Entrepreneur's actions certainly resulted in a shortage of access to evidence indicating the legality and lawfulness of the Entrepreneur's processing of the Complainant's personal data.

2. the intentional or unintentional nature of the breach (Article 83(2)(b) of Regulation 2016/679).

The Article 29 Working Party, in its Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on 3 October 2017, referring to the intentional or unintentional nature of a breach, indicated that, in principle, "intentionality" includes both knowledge and deliberate action, in relation to the characteristics of the criminal act, while "unintentionality" means the lack of intention to cause a breach, despite the failure of either the controller or the processor to comply with the legally required duty of care. Intentional breaches are more serious than unintentional breaches and consequently more likely to attract an administrative fine.

In the opinion of the President of the Office for Competition and Consumer Protection, the infringement in question was unintentional and negligent. The Company was willing to cooperate in providing the authority with all information (evidence) necessary to continue the proceedings under case file [...].

3 The degree of cooperation with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).

In the course of the present proceedings, the Entrepreneur expressed its willingness to cooperate with the President of the Office for Harmonisation in the Internal Market in order to remove the breach consisting in particular in providing explanations to the extent to which the conduct of the proceedings under reference [...] was thwarted, justifying the lack of such cooperation by the state of health and a difficult epidemic situation in the country.

The other premises indicated in Article 83. para. 2 of Regulation 2016/679 did not have an impact (aggravating or mitigating) on the assessment of the breach made by the President of the DPAO (including: any relevant previous breaches by the controller, the way the supervisory authority learned about the breach, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (concerning the relationship of the controller with the supervisory authority and not the relationship of the controller with the data subject), could not be taken into account in the present case (including: the number of persons affected and the extent of the damage suffered by them, the measures taken by the controller to minimise the damage suffered by data subjects, the degree of responsibility of the controller taking into account the technical and organisational measures implemented by it, the categories of personal data affected by the breach).

Therefore, acting on the basis of Article 58(2)(b) of Regulation 2016/679, according to which each supervisory authority has the power, within the scope of its proceedings, to issue a warning to the controller or processor in case of a breach of the provisions of this Regulation by the processing operations, the President of the DPA considers it justified to issue a warning to the Entrepreneur with regard to the identified breach of the provision of Article 31 in connection with Article 58(1)(e) of Regulation 2016/679.

The President of the Office for Harmonisation in the Internal Market (the "President of the Office for Harmonisation in the Internal Market") considered that in this case the issuance of a warning, in the light of the criteria set out in Article 83(2) of the RODO, would be sufficient, and at least as "effective, proportionate and dissuasive" as the imposition of a fine (vide Article 83(1) of the RODO).

It should also be noted that in the event of a similar occurrence in the future, any warning issued by the President of UODO against the Company will be taken into account when assessing the prerequisites for the possible imposition of an administrative penalty, in accordance with the principles set out in Article 83(2) of Regulation 2016/679.

In this factual and legal state, the President of the Office for Harmonisation in the Internal Market (OCCP) decided as in the operative part of this decision.

The decision is final. The party has the right to lodge a complaint against the decision with the Voivodship Administrative Court in Warsaw within 30 days from the date of its delivery through the President of the Office for Harmonisation in the Internal Market (address: ul. Stawki 2, 00 - 193 Warsaw). The entry fee for the complaint amounts to PLN 200.

In proceedings before the Voivodship Administrative Court, a Party has the right to apply for the right to assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent agent. The right to assistance may be granted upon a motion of a Party filed before the initiation of proceedings or in the course of proceedings. The application shall be free of court fees.