UODO (Poland) - ZSPU.421.3.2019

From GDPRhub
(Redirected from UODO - ZSPU.421.3.2019)
UODO (Poland) - ZSPU.421.3.201
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 18.10.2019
Published:
Fine: 40,000 PLN
Parties: Mayor of Aleksandrów Kujawski
National Case Number/Name: ZSPU.421.3.201
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: n/a

The UODO imposed the first fine on a public entity for unlawful processing of personal data in the Public Information Bulletin (BIP).

English Summary

Facts and questions arising

From 28 January - 1 February 2019, the UODO conducted investigation regarding the compliance of processing operations with the GDPR at the Municipal Office of the Mayor of Aleksandrów Kujawski.

Holding

The UODO found that the local government did not comply with the GDPR because of three main infringements.

First, the Municipal Office was outsourcing the processing of citizens’ personal data to a third party without any legal basis. Indeed, the city did not conclude any contractual agreements with the software service provider as foreseen under Art 28(3) GDPR. The UODO found that the local government violated Article 5(1)(a) and (f) of the GDPR.

Secondly, the personal data collected were stored without any criteria to determine the retention period. Therefore, the UODO found that this processing violated Article 5(1)(e) of the GDPR.

Lastly, the local government did not implement sufficient safeguards to secure a video recording from its Council’s meeting, nor conducted the necessary risk assessment. Therefore, the UODO found that the local government violated Article 5 (1)(f) and (2) of the GDPR.

Comment

Your comment can be added here!

Further Resources

Share blogs or news articles here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the German original for more details.

Pursuant to Article 104 § 1 of the Act of 14 June 1960 - The Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended), Article 7 paragraph 1, Article 60, Article 102 paragraph 1 point 1 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2010, No. 153, item 659, as amended), Article 102 paragraph 1 point 1 of the Act of 10 May 2010 on the Protection of Personal Data (Journal of Laws of 2010, No. 153, item 659, as amended), Article 102 paragraph 1 point 1 of the Act on the Protection of Personal Data (Journal of Laws of 2010, No. 159, item 659, as amended), Article 102 paragraph 1 point 1 of the Act on the Protection of Personal Data (Journal of Laws of 2010, No. 183, item 659, as amended), the Act on the Protection of Personal Data (Journal of Laws of 2010, No. 183, item 659, as amended) shall be amended. U. of 2019, item 1781) and Article 57(1)(a), Article 58(2)(d) and (i) in connection with Article 5(1)(a), (e) and (f) and (2), Article 24(1) and (2), Article 28, Article 30(1)(d) and (f) and Article 32 as well as Article 83(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2010, No. 33, item 159, as amended). 1 - 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.05.2016, p. 1 and OJ L 127, 23.05.2018, p. 2), following an administrative procedure on the processing of personal data by the Mayor of the Republic of Poland, Aleksandrów Kujawski, President of the Office for the Protection of Personal Data

I. finding that Mayor Aleksandrów Kujawski has violated the rules of law:
(a) Article 5(1)(a) and (f) in conjunction with Article 5(2) of the General Data Protection Regulation,
i.e. the principle of compliance with the law and the principle of confidentiality and Article 28(3) of the general regulation on personal data protection by making personal data available to T. Sp. z o.o. with its registered office in T. and to a consortium of entities: W. S.A.
with its registered office in G. and C. S.A. with its registered office in K. without legal basis, i.e. without prior conclusion of personal data entrustment agreements with the entities mentioned above, referred to in Article 28 paragraph 3 of the general regulation on data protection, in connection with running the website of the Public Information Bulletin of the Municipal Office in Aleksandrów Kujawski,
b) Article 5(1)(e) in conjunction with Article 5(2), i.e. the principle of storage limitation, and Article 24 of the General Data Protection Regulation by not having adequate policies concerning the processing of personal data in the Public Information Bulletin of the Town Hall of Aleksandrów Kujawski in terms of their timeliness and purpose of publication and specifying the time limits for deletion of personal data,
(c) Article 5(1)(f) in conjunction with Article 5(2) of the General Data Protection Regulation, i.e. the principles of integrity and confidentiality, the principle of regularity, and Article 24 of the General Data Protection Regulation, by failing to carry out a risk analysis of the use of the YouTube channel by Mayor Aleksandr Kujawski for the transmission of the recordings of the City Council meetings of Aleksandrów Kujawski,
d) Article 5(1)(f) in conjunction with Article 5(2) of the General Data Protection Regulation, i.e. the principles of integrity and confidentiality, and Article 32 of the General Data Protection Regulation by not implementing appropriate technical and organisational measures to secure the data of natural persons in connection with the storage of session recordings of the Aleksandrów Kujawski City Council exclusively on YouTube servers, without making and storing back-up copies of these recordings in the own resources of the Aleksandrów Kujawski City Council,
e) Article 5(2) of the general regulation on data protection, i.e. the principle of accountability, and Article 30(1)(d) and (f) of the general regulation on data protection by not indicating in the register of personal data processing activities, for activities related to the publication of information on the website of the Public Information Bulletin of the Town Hall in Aleksandrów Kujawski, all data recipients, and not indicating for these activities the planned date of data deletion processing in a manner ensuring data processing in accordance with the principle of limited storage,

Instructs its Mayor Aleksandr Kujawski to bring the processing of personal data into line with the provisions of the General Data Protection Regulation within 60 days of the date on which this Decision becomes final by means of
1) ceasing to make personal data available for the benefit of T. Sp. z o.o. with its registered office in T. and for the benefit of a consortium of entities: W. S.A. with its registered office in G. and C. S.A. with its registered office in K., without legal basis, i.e. without prior conclusion of agreements on entrusting personal data with the entities mentioned above, referred to in Article 28 (3) of the general regulation on personal data protection, in connection with running the website of the Public Information Bulletin of the Town Hall in Aleksandrów Kujawski,
2. the implementation of policies:
- determining the periods of data processing in the Public Information Bulletin of the Municipal Office in Aleksandrów Kujawski in accordance with the law or necessary to achieve the purposes for which the data are processed,
- ensuring that the deadlines for erasure of data are respected,
3. carry out a risk analysis in connection with the publication of session recordings of the City Council and implement appropriate organisational and technical measures in connection with the processing of personal data on YouTube in connection with the transmission of session recordings of the City Council and the storage of recordings on YouTube servers,
4) implementation of appropriate organisational and technical measures aimed at securing the data of natural persons coming from the recordings of the sessions of the Aleksandrów Kujawski City Council by ensuring the availability of back-up copies in the own resources of the City Hall in Aleksandrów Kujawski,
5) including information in the register of personal data processing activities for processing activities related to the Public Information Bulletin management:
(a) all recipients of data to whom the data have been or will be disclosed in accordance with Article 30(1)(d) of the General Data Protection Regulation,
(b) the planned time limits for erasure pursuant to Article 30(1)(f) of the General Data Protection Regulation.

II. for violation of the provisions of Article 5(1)(a), (e) and (f), Article 5(2), Article 28, Article 30(1)(d) and (f) and Article 32 of the General Data Protection Regulation imposes a fine of PLN 40,000 (in words: forty thousand zlotys and 00/100) on the Mayor of Aleksandrów Kujawski. 
Justification

From 28 January to 1 February 2019, the controllers authorized by the President of the Office for Personal Data Protection, carried out an audit at the Mayor Aleksandrow Kujawski (hereinafter referred to as the Mayor) of the compliance of personal data processing with the provisions on personal data protection, i.e. with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general regulation on data protection) (Official Journal of the European Union L 119 of 4.05.2016, p. 1 and Official Journal of the European Union L 127 of 23.05.2018, p. 2) and the Act of 10 May 2018 on the protection of personal data (Official Journal of the European Union of 2019, p. 1781), hereinafter also referred to as the Act. The scope of control covers the manner of personal data processing by the Mayor Aleksandrów Kujawski within the process of sending correspondence and keeping the Public Information Bulletin (BIP), as well as the manner of keeping a register of processing activities and documenting violations of personal data protection. During the audit, oral explanations were received from the employees of the Municipal Office in Aleksandrów Kujawski and the IT systems used for personal data processing and the BIP website were inspected. The factual situation was described in detail in the inspection protocol signed by Mayor Aleksandrów Kujawski.
On the basis of such collected evidence it was established that in the process of personal data processing the Mayor, as the controller, violated the provisions on personal data protection. These deficiencies consisted of
1) making personal data available to T. Sp. z o.o. with its registered office in T. and to a consortium of entities: W. S.A. with its registered office in G. and C. S.A. with its registered office in K. without legal basis, i.e. without prior conclusion of a personal data entrustment agreement with the entities mentioned above, referred to in Article 28 (3) of the general regulation on data protection, in connection with running the website of the Public Information Bulletin of the Municipal Office in Aleksandrów Kujawski;
2) lack of internal procedures concerning the review of resources published in the BIP in terms of ensuring data processing in accordance with the principle of limited storage, as a result of which documents containing personal data are published on the BIP website of the Town Hall in Aleksandrów Kujawski for a period longer than it results from the provisions of law;
3. Fail to implement appropriate technical and organisational measures to protect the rights or freedoms of natural persons in relation to the storage of session recordings exclusively on YouTube servers, without making copies of session recordings of the City Council of Aleksandrów Kujawski in its own resources;
4) failure to conduct a risk analysis in connection with the use of the YouTube channel by the Mayor of the City of Aleksandrów Kujawski in order to implement the legal obligation under Article 8(2) of the Act of 6 September 2001 on Access to Public Information (i.e. Journal of Laws of 2019, item 1429), hereinafter also referred to as udip,
5) failure to indicate in the register of personal data processing activities for activities related to the publication of information on the website of the BIP of the Town Hall in Aleksandrów Kujawski, all data recipients and failure to indicate for these activities the planned date of data deletion processing in a manner ensuring data processing in accordance with the principle of limited storage.

Therefore, on [...] June 2019. The President of the Office for Personal Data Protection initiated administrative proceedings ex officio in order to clarify the circumstances of this case (ZSPU.421.3.2019).
In response to the notification of the opening of the administrative procedure, the Mayor of Aleksandrów Kujawski by letter of [...] June 2019, mark: [...], informed that:
With regard to infringements concerning the period of publication of documents in the BIP, he submitted a request to the Minister of Digitization for interpretation of the provisions of the Act on Access to Public Information and requested that the proceedings be suspended until the above interpretation is received.
(2) It is clear from the Act on Access to Public Information that data sharing concerns persons exercising power and not those who exercised power. Therefore, property declarations may be made available in the BIP only to councillors exercising power for 5 years, i.e. during their term of office, and after that period they should be removed from the BIP and stored in paper form for 6 years in relation to the time limits from the date of their submission and making available on request in accordance with the principle of openness.
The Mayor has not responded to the other violations indicated by the President of the Office for Personal Data Protection in the letter of [...] June 2019, No. ZSPU.421.3.2019, constituting the notice of initiation of the procedure.

Having reviewed all the evidence gathered in the case, the President of the Office for the Protection of Personal Data weighed the following:

The President of the PDPA is the competent authority for the protection of personal data (Article 34 of the Act) and the supervisory authority within the meaning of the provisions of the PDPA (Article 34(2) of the Act).

I.
The Administrator (in this case the Mayor) is obliged to implement appropriate organizational and technical measures, which will ensure that personal data will be processed in accordance with the law, substantially correct, adequate for the purposes of obtaining and adequately secured, so that their processing does not violate the rights and freedoms of natural persons. It is also important that the controller processes personal data only for the time necessary to achieve the purposes of data collection or for the time resulting from the provisions of generally applicable law.
In the absence of provisions regulating the time of processing, the controller should determine the procedures regulating the moment when data deemed unnecessary are deleted by the controller.
Pursuant to Article 4(2) of the General Data Protection Regulation, 'processing' means the operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, organisation, organisation, organisation, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, adaptation or combination, restriction, erasure or destruction.
And the lawfulness of the data processing can be considered to be ensured if one of the conditions laid down in Article 6 of the General Data Protection Regulation (ordinary data) or Article 9 of the General Data Protection Regulation (special categories of data) is fulfilled.
First of all, attention should be paid to the principles laid down in Article 5 of the General Data Protection Regulation, which are fundamental for the whole regulation. These principles should be regarded as having overriding force and determining the course of action of the controller in the performance of its tasks under the law.
The basic principle in the general Data Protection Regulation is the 'accountability principle' referred to in Article 5(2) of the general Data Protection Regulation. According to this provision, the controller is responsible for compliance with all the principles in the processing of personal data (as indicated in Article 5(1) of the General Data Protection Regulation) and must be able to demonstrate compliance with them.
The principle of accountability therefore imposes on the controller the burden of proof, consisting in the need for the controller to demonstrate to both the supervisory authority and the data subject evidence of compliance with all data processing rules.
The controller may process data independently or entrust the processing to another entity (the processor - Article 4(8) of the General Data Protection Regulation). According to Article 28(3) of the General Data Protection Regulation, the processing by a processor shall be carried out on the basis of a contract or other legal instrument which is governed by Union or Member State law and binds the processor and the controller, determine the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the controller. Importantly, in such a case, the controller may only use the services of processors that provide sufficient guarantees that appropriate technical and organisational measures are put in place to ensure that the processing complies with the requirements of this Regulation and protects the rights of data subjects (Article 28(1) of the General Data Protection Regulation).
In this respect, it should be pointed out in the present case that the audit carried out showed that the Mayor did not conclude any entrustment agreements with the entities involved in the data processing process within the BIP. As agreed, the BIP resources of the Aleksandrów Kujawski Municipal Office are located on the server of an external entity, located in T. w T., which provides technical parameters for maintaining the BIP website of the entities covered by the agreement, including the Aleksandrów Kujawski Municipal Office, on the basis of a lease agreement concluded between the Kujawsko-Pomorskie Voivodeship and T. Sp. z o.o. with its registered office in T. During the audit, the ABC agreement of [...] July 2016 was presented, in force from [...] January to [...] December 2017, Annex No. 1 of [...] March 2018 to the CDE Agreement for the period from [...] January to [...] December 2018. The current agreement between the Kujawsko-Pomorskie Voivodeship and T. Sp. z o.o. with its registered office in T. The presented agreement and annex no. 1 did not contain any provisions concerning the processing of personal data in connection with the use by the Municipal Office in Aleksandrów Kujawski of the server of an external entity.
During the audit it was established that in connection with the provision of software for the creation of a regional public information bulletin, on January [...], 2015, an agreement No. XYZ was concluded between the Kujawsko-Pomorskie Voivodeship and a consortium of entities: W. S.A. with its registered office in G. and C. S.A. with its registered office in K. The concluded agreement does not include provisions on personal data protection nor does it include an agreement on entrusting personal data processing related to the provision of maintenance services to the Municipal Office in Aleksandrów Kujawski.
During the audit, no agreement between the Kujawsko-Pomorskie Voivodeship and the Mayor of Aleksandrów Kujawski was presented, nor was any other legal instrument demonstrated, which would indicate that the provision of a server and software for creating a regional public information bulletin is performed by the Kujawsko-Pomorskie Voivodeship for the benefit of the Municipal Office in Aleksandrów Kujawski.
The Mayor of the City of Aleksandrów Kujawski should be regarded as the Mayor of the City of Aleksandrów Kujawski, in connection with the use of the server of an external entity, i.e. T. Sp. z o.o. with its registered office in T., on which the resources of the BIP of the City Office in Aleksandrów Kujawski are located, as well as the services of an external entity with respect to the maintenance of the BIP website, i.e. a consortium of entities: W. S.A. with its registered office in G. and C. S.A. with its registered office in K., did not conclude a personal data processing outsourcing agreement with these entities, and thus violated Article 28(3) of the general regulation on data protection.
In the case of making personal data available without a legal basis (without a previously concluded entrustment agreement), there is a breach of the principle of legality (Article 5(1)(a) of the General Data Protection Regulation) and the principle of confidentiality (Article 5(1)(f) of the General Data Protection Regulation). The Mayor did not observe the above principles by commissioning the BIP to the above mentioned entities without prior conclusion of data entrustment agreements. Thus, he allowed for the lack of control over the correctness of the data processing process contained in the BIP and did not prove that it takes place in compliance with the requirements resulting from the provisions of the general regulation on data protection. As a consequence, it should also be recognised that the Mayor also violated the principle of accountability resulting from Article 5(2) of the general regulation on data protection in this respect.
According to Article 24(1) of the General Data Protection Regulation, taking into account the nature, scope, context and purposes of the processing and the risk of any violation of the rights or freedoms of natural persons of varying degrees of probability and importance, the controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with this Regulation and to demonstrate this (paragraph 1). If proportionate to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller (paragraph 2). Furthermore, according to Article 5(1)(e) of the General Data Protection Regulation, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer periods if they are processed solely for archival purposes in the public interest, for purposes of scientific or historical research or for statistical purposes under Article 89(1), provided that the appropriate technical and organisational measures required by this Regulation are implemented to protect the rights and freedoms of data subjects ('retention restriction').
Public information shall be made available at the BIP of the Aleksandrów Kujawski Municipal Office in accordance with the obligation of the Mayor of Aleksandrów Kujawski to do so under Article 8(2) of the udip. The provisions of the Act on Access to Public Information, as well as the provisions of the Regulation of the Minister of Internal Affairs and Administration of 18 January 2007 on the Public Information Bulletin (Journal of Laws of 2007, No. 10, item 68), do not specify the period of making information available in the BIP, both minimum and maximum. However, the lack of periods of processing of information provided (containing personal data) specified by the law does not cause that such information may be processed indefinitely. Therefore, in accordance with the principle of limited storage, resulting from Article 5(1)(e) of the general regulation on data protection, the controller should be guided in this respect by provisions resulting from other legal acts, which specify the period of time for which personal data may be processed, and in cases where the law does not regulate the period of data retention, after analysis, define this period so that the data processing is consistent with the purposes for which it was obtained. Such a position was also presented in the justification of the judgment of the Provincial Administrative Court.
in Lublin of 1 March 2016, case ref. II SA/Lu 876/15, "[z] Article 26 paragraph 1 point 4 of the Act on personal data protection follows the principle of time limitation of making personal data available in the Public Information Bulletin. This principle means that even if certain data correspond to the purpose for which they are collected, they should not be processed, including making them available to other entities ad finitum. A temporary determinant should be the achievement of the purpose of the processing. It should be emphasized that the above mentioned judgment remains valid also in the case of the currently binding provisions on personal data protection.
As a result of inspection of the website of the Public Information Bulletin of the Municipal Office in Aleksandrów Kujawski, it was established in particular that the documents published there include documents containing personal data, i.e. property declarations and information on the results of vacancies. The oldest information concerns the recruitment process conducted in 2012 and contains information about selected candidates in the following scope: name and surname and place of residence within the meaning of the Act of 23 April 1964 on the Civil Code (Journal of Laws of 2019, item 1145), i.e. the place where the person resides with the intention of permanent residence. The oldest property declarations published on the archival website of the BIP of the Municipal Office in Aleksandrów Kujawski concern the year 2010.
Pursuant to Article 24i of the Act of 8 March 1990 on Municipal Self-Government (Journal of Laws of 2019, item 506), the information contained in the property declarations of the councillors is public, except for the information on the address of residence of the person making the declaration and the location of the property. Pursuant to Article 24h, paragraph 6 of the aforementioned Act, a property declaration shall be kept for 6 years. These provisions determine the legality of processing, both in terms of collection and publication of personal data contained in property declarations. Such a position is also confirmed in the literature. "In accordance with Article 24h paragraph 6 of the EEZ, Article 25c paragraph 6 of the EEZ and Article 27c paragraph 6 of the EEZ, the property declaration shall be kept for six years. Considering the public nature of these declarations and their classification as public information, it can be assumed that they should be made available for six years. It is irrelevant whether the person who made the declaration is still in office. The legislator has not provided for a shorter period than 6 years, therefore it seems that once a declaration has been made it remains public for the whole period" (K. Janaczek, Publication of financial statements [in:] (ed.)).
B. Dolnicki Jawnosc in local government [online]. LEX, 2019-08-15 17:49 [access: 2019-08-23 15:31]. Available online: https://sip.lex.pl/#/monograph/369356174/275075).
The publication of vacancy notices is regulated by Article 13, Section 1 of the Act of 21 November 2008 on local government employees (Journal of Laws of 2019, item 1282), pursuant to which the vacancy notice for a vacancy for an official position, including a managerial position for an official, and for the recruitment of candidates for this position is published in the Public Information Bulletin. Moreover, pursuant to Article 15(1) of the aforementioned Act, immediately after the recruitment, information on the outcome of the recruitment is disseminated by publication on the information board in the unit where the recruitment took place and in the Bulletin for at least three months. Thus, the legislator set a minimum deadline for the publication of the selection results, without setting a maximum period, but a maximum deadline, i.e. the deadline after which the data should be removed from the BIP, was left to the administrator (the entity obliged to provide the information). When determining the period of data processing in the BIP, the controller should take into account the legal provisions regulating the time of processing, and in the absence of legal regulations specifying the period of publication, the achievement of the purpose of the processing and the principle of storage limitation.
In this context, it should be noted that information published in the BIP for which the deadline for publication does not result from legal provisions should be evaluated, in accordance with a formal procedure (introduced by the controller) ensuring that the BIP is structured in such a way that all information for which the purpose of processing has been achieved is removed from the BIP. As established by the audit, an internal procedure for the conduct of the BIP has been implemented in Aleksandrów Kujawski City Hall, but it does not contain rules for reviewing the data published in the BIP to ensure that they are processed in accordance with the principle of limited storage. The Mayor of the City of Aleksandrów Kujawski thus violated the provisions of Articles 5(1)(e) and 24(2) of the General Data Protection Regulation.
At this point it should be pointed out that the Mayor by letter of [...] June 2019, mark: [...], informed the President of the Office of filing a motion to the Minister of Digitization for interpretation of udip provisions and requested suspension of the proceedings until the above interpretation is received. Referring to the Mayor's request to suspend the proceedings until the Minister of Digitization has replied to the request for interpretation of the provisions of the Act on Access to Public Information with respect to periods when public information is made available, it should be noted that the President of the Office did not grant the request. In the opinion of the President of the Office, the Minister of Digitization, as the entity responsible for creating the main page of the Public Information Bulletin, is not an entity competent to interpret the provisions of the Act on Access to Public Information, and the guidelines issued by him are not legally binding. It should be emphasized that the Mayor is the controller, and therefore it is the Mayor's responsibility to ensure that the processing of data contained in the BIP complies with the provisions of the general regulation on data protection, thereby complying with the principle of storage restrictions, as defined in Article 5(e) of the general regulation on data protection. The Mayor should develop and implement procedures that will result in deadlines for the deletion of information containing personal data from the BIP and rules for reviewing the content of the BIP in order to verify that the deadlines for the deletion of personal data thus established are respected (Article 24 of the General Data Protection Regulation).
The evidence gathered in the case shows that the Mayor of the City of Aleksandrów Kujawski did not set a deadline for deletion of data published in the Public Information Bulletin in the internal procedures, nor did he develop procedures for reviewing data resources in the materials published in the BIP to ensure that data processing is carried out in accordance with the retention restriction principle. In the absence of such procedures, as stated during the audit, documents containing personal data are published on the BIP website of the Aleksandrów Kujawski City Hall for a longer period than necessary for the purposes for which the data are processed, and even for a longer period than it results from the legal regulations specifying the period of storing documents containing personal data, as it is the case with property declarations. At this point, it should be stressed that the consequence of this is that an unlimited number of Internet users have access to the data. Anyone who has access to the Internet, at any time and without any limitations, can browse the BIP resources of the City Hall in Aleksandrów Kujawski, and consequently have access to the personal data contained in these resources. In doing so, the Mayor of the City of Alexandrów Kujawski has violated Article 5(1)(e) of the General Data Protection Regulation.
Moreover, since the procedure in question is to regulate activities on these data that are essential for the processing of personal data in order to ensure the implementation of the principle of storage limitation, it should be treated as a data protection policy referred to in Article 24(2) of the General Data Protection Regulation. Consequently, in the absence of this procedure, it should be concluded that the Mayor also infringed this provision of the General Data Protection Regulation in the context of the principle of accountability expressed in Article 5(2) of the General Data Protection Regulation.
Referring to the process of personal data processing in connection with the publication of recordings from the session of the municipal council, it should be noted that pursuant to Article 20(1b) of the Act on Municipal Self-Government, municipal council deliberations are transmitted and recorded by means of video and audio recording devices. The recordings of the debates are made available in the Public Information Bulletin and on the commune's website and in another customary way. The Mayor, as the administrator, deciding on the choice of tools for data transmission on the Internet and recording them by means of video and sound recording devices, is responsible for the process of processing these data and the implementation of the principles resulting from the provisions of the general regulation on data protection, including the demonstration of their observance (accountability). Therefore, the Mayor is responsible for ensuring the security of data processed together with the implementation of the right of access to public information under Article 8 udip. Again, attention should be drawn to Article 24(1) of the General Data Protection Regulation and the consequent obligation of the controller (and thus of the Mayor) to implement appropriate technical and organisational measures to ensure and demonstrate that the processing is carried out in accordance with this Regulation. In accordance with Article 32(1) of the ODA, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing and the risk of any violation of the rights or freedoms of natural persons of varying degrees of probability and seriousness, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems and services and the ability to rapidly restore the availability and access to personal data in the event of a physical or technical incident as referred to in Article 32(1)(b) and (c) of the General Regulation.
In the light of the above mentioned provisions of the General Data Protection Regulation, the controller is under an obligation to implement adequate technical and organisational measures, the choice of which is left to the discretion of the controller and should be preceded by an analysis of the risks of violation of the rights or freedoms of natural persons. As it is indicated in the literature, "these measures should be appropriate, which should be understood as striving to make the measures effective, i.e. to prevent data protection violations or to reduce to a minimum the risk of their occurrence, bearing in mind that a complete elimination of the risk may not be feasible" (P. Fajgielski, Komentarz do art. 32 [in:] ed. P. Fajgielski, General Regulation on data protection. Personal Data Protection Act. Commentary. Wolters Kluwer Polska, 2018).
During the audit it was established that in connection with the obligation to transmit and publish the proceedings of the City Council of Aleksandrów Kujawski in the BIP, a YouTube channel was established and an agreement was concluded with an external entity to transmit the meetings of the City of Aleksandrów Kujawski's authorities in the Internet via the YouTube.com platform. The publication of personal data processed in connection with the recording and publication of sessions of the City Council of Aleksandrów Kujawski is carried out using the YouTube channel. The BIP website of the Aleksandrów Kujawski City Hall contains a link to a dedicated YouTube channel. The findings of the inspection show that once the recording of the session is completed, the recording is automatically saved on the YouTube website, and no copy of the recording remains in the Aleksandrów Kujawski City Hall. In the absence of a copy of the session recording, in case of loss of data posted on YouTube, Mayor Aleksandr Kujawski will lose access to the recording without having the appropriate technical and organisational measures to address this risk, there is no possibility to ensure the confidentiality, integrity, availability and resilience of the processing systems and services and the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident referred to in Article 32(1)(b) and (c) of the General Data Protection Regulation. According to the evidence, the Mayor did not indicate that there are procedures in place that would guarantee the protection of personal data processed on YouTube.
The decision to use the YouTube channel was not preceded by an analysis of possible risks resulting from the use of this tool during the processing of personal data of participants in the session of the City Council. In particular, when deciding to use the YouTube channel, it was not taken into account that the administrator's use of resources and tools offered by external entities, in this case by the entity operating the YouTube channel, may be associated with a higher risk of personal data protection violation due to the fact that the organizational and technical measures used to protect personal data published on YouTube were defined and implemented by Google LLC (with its registered office in the USA), the owner of YouTube. The risk analysis for the processing of personal data in connection with their publication in BIP is particularly important due to the fact that the Mayor of Aleksandrów Kujawski uses the YouTube channel both to transmit data on YouTube from the session of the City Council and to further store session recordings exclusively on YouTube servers (he does not have his own back-up copies of the recordings - which may also lead to a breach of the principle of continuity of processes). The lack of risk analysis and procedures led to a breach of the principle of accountability - Article 5(2) of the General Data Protection Regulation.
Thus, it should be considered that the Mayor of Aleksandrów Kujawski, in connection with the obligation to broadcast and publish the recordings of the session of the City Council in the Public Information Bulletin, has not carried out a risk analysis and has not implemented appropriate security measures referred to in Article 32 of the General Data Protection Regulation, corresponding to the risk of violation of rights or freedoms of natural persons. It should be noted that the controller's obligation during data processing is to determine the risk taking into account the nature, scope and context of the data processed, which results from Article 24(1) of the general data protection regulation.
The findings of the audit do not indicate that organisational and technical measures were taken to secure the data of natural persons in connection with the storage of session recordings of the City Council exclusively on YouTube servers by backing up these recordings and storing them in the own resources of the City Hall in Aleksandrów Kujawski. Thus, the controller did not implement appropriate organisational and technical measures referred to in the aforementioned Article 32 of the general data protection regulation.
The audit also revealed deficiencies in the scope of keeping the register of personal data processing activities. Pursuant to Article 30(1) of the general data protection regulation, each controller and, where applicable, the controller's representative shall keep a register of personal data processing activities for which they are responsible. That register shall contain all the following information:
(a) the name and contact details of the controller and any joint controllers and, where applicable, the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or in international organisations;
(e) where applicable, the transfer of personal data to a third country or international organisation, including the name of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of the relevant safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the General Data Protection Regulation.
The audit found that the Municipal Office in Aleksandrów Kujawski has established a register of processing activities, which includes 54 processing activities. However, the register does not indicate the planned date of deletion of personal data by indicating a specific storage period, the register refers only to a uniform factual list of files for communes. By letter of [...] February 2019, mark: [...], the Mayor sent to the Office for the Protection of Personal Data sample cards from the register of activities, including the card concerning processing activities related to the publication of asset declarations in the BIP. According to this charter, the planned deadline for deletion of data from the BIP was set by the Mayor at 5 years, which in the case of asset declarations is inconsistent with Article 24h(6) of the Act on Municipal Self-Government. In addition, by letter of [...] June
2019, the sign: [...], the Mayor sent explanations that 'it is clear from the Access to Public Information Act that the sharing of data concerns those in power and not those in power. Therefore, property declarations may only be made available in beep for the period of 5 years, i.e. during the term of office, and after that period they should be removed from the beep and stored in paper form for 6 years in relation to the time limits from the date of their submission and made available on request in accordance with the principle of openness'. The above position of the Mayor is incorrect, because, as indicated above, the provisions of the Act on Municipal Self-Government state that the period for storing such information is 6 years. Moreover, the position of the literature in this respect should be recalled again: "(...) [it does not matter whether the person who made the statement is still in office. The legislator did not foresee a shorter period than 6 years, therefore it seems that once a declaration has been made it remains public for the whole period" (K. Janaczek, Publication of property declarations [in:] (ed.) B.). Dolnicki Jawnosc in local government [online]. LEX, 2019-08-15 17:49 [access: 2019-08-23 15:31]. Available online: https://sip.lex.pl/#/monograph/369356174/275075). In relation to the above, it should be emphasized here that the obligation to maintain the BIP and make public information available in it results from the provisions of udip. Therefore, since the legislator decided that property declarations are public (excluding information on the address of residence of the person making the declaration and on the place where the real estate is located), it should be considered that they constitute public information which is subject to publication in the BIP for the period resulting from the provisions of the Act on Municipal Self-Government, i.e. for the period of 6 years, regardless of whether the person is still a councillor or has ceased to be one. As a consequence, the 6-year period should be indicated in the register of personal data processing activities kept by the Mayor as the planned date of deletion of personal data included in the property declaration.
In the register of processing activities, not all data recipients, including processing entities, were also indicated, while during the audit, agreements with entities providing the service of providing access to the server on which the BIP resources are stored and the guarantee service in connection with the establishment of the regional bulletin of public information, which is related to access by these entities to personal data processed by the Mayor in connection with running the BIP were presented. Moreover, the register of processing activities does not indicate the entity operating the YouTube channel, on which recordings of the sessions of the City Council of Aleksandrów Kujawski are available. It should be noted here that according to Article 4(9), first sentence, of the General Data Protection Regulation, 'recipient' means a natural or legal person, public authority, individual or any other entity to whom personal data are disclosed, regardless of whether it is a third party or not. As it is indicated in the literature, "the recipient of data within the meaning of the commented provision should be considered, inter alia, an entity processing data on behalf of a controller to whom the controller discloses personal data" (Fajgielski Paweł, Commentary to Regulation No. 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), [in:] General Data Protection Regulation. Personal Data Protection Act. Comment.). It should also be pointed out that Article 30(1)(d) of the General Data Protection Regulation provides for the obligation to list in the register of processing activities all recipients of data, regardless of whether they have their registered office in a Member State of the European Union or in a third country.
Thus, it should be recognised that the Mayor did not indicate in the register of personal data processing activities all recipients of data and did not indicate for all processing activities the planned date of data deletion, and thus violated Article 30(1)(d) and (f) of the general data protection regulation and Article 5(2) of the general data protection regulation, i.e. the principle of accountability.
To sum up, it should be pointed out that the above infringements prove that the Mayor does not process personal data in accordance with the principles resulting from Article 5(1)(a), (e) and (f) of the General Data Protection Regulation. Consequently, this implies a breach of the principle of accountability referred to in Article 5(2) of the General Data Protection Regulation, according to which the controller is responsible for compliance with paragraph 1 and must be able to demonstrate compliance ('accountability'). It should be underlined here that the principles set out in Article 5(1) of the General Data Protection Regulation are the starting point for the fulfilment of the obligations of the controller and the rights of data subjects, as well as for the assessment of the legitimacy of these processes.

II.
    Under Article 58(2)(i) of the General Data Protection Regulation, each supervisory authority has the power to impose, in addition to or instead of the other remedies provided for in Article 58(2)(a) to (h) and (j) of the General Data Protection Regulation, an administrative pecuniary sanction under Article 83 of the Regulation, depending on the circumstances of the specific case. In view of the above, the President of the Office for the Protection of Personal Data, exercising his powers under the aforementioned provision of the General Data Protection Regulation, concluded that, in the present case, there were conditions justifying the imposition of an administrative fine on the Mayor.
When determining the amount of the fine, the President of the Office of Protection took into account the following circumstances of the case, read against the Mayor and having an aggravating effect on the amount of the financial penalty imposed:
Duration of infringements covered by the order specified in this decision - the irregularities found were not removed during the inspection carried out by the Mayor, or in the course of administrative proceedings. It should be noted that the audit showed that the oldest information on the recruitment for vacant positions in the BIP refer to the recruitment process conducted in 2012, and the oldest property declarations refer to 2010.
All relevant previous violations on the part of the administrator - making available by the Mayor PIT-11 and PIT-37 forms in a non-anonymous version on the BIP website (the President of the Office issued a decision in this matter reminding the Mayor of 6 December 2018, mark: ZSPU.440.46.2018.[...], and a decision maintaining it in force on 7 May 2019, mark: ZSPU. 440.46.2018.[...].II).
3) Intentional nature of the infringement - the Mayor in connection with the infringement indicated in item 2 and the administrative proceedings conducted in this respect by the President of the Office of Anti-Trust and Consumer Protection did not implement any solutions to counteract such infringements in the future, including the procedure for reviewing data resources in the materials published in the BIP. Therefore, in a conscious and purposeful manner, the Mayor made data available in the BIP without introducing appropriate procedures in this respect, considering that he was not obliged to do so (which is also indicated by the Mayor's request to the Minister of Digitization to interpret the provisions of the udip).
The violations found during the control concern persons whose data are included in the content of materials constituting public information, published in the BIP of the Municipal Office in Aleksandrów Kujawski. It should be emphasized again that the audit showed that the oldest information on the recruitment for vacancies in the BIP concerns the recruitment process conducted in 2012, and the oldest property declarations concern 2010. The scope of data processed by the above mentioned persons within the indicated materials includes the so-called "ordinary" data. The scope of such data is wide and includes in particular detailed information on the property status of a given person.
High level of responsibility of the administrator - in the absence of Mayor's actions aimed at ensuring an adequate level of data security and failure to implement appropriate data protection policies. As a result of the above, it is possible to provide access to data to an unlimited number of Internet users.
Lack of cooperation of the controller after the initiation of proceedings - the controller in response to the notification on the initiation of administrative proceedings did not refer to the violations indicated in it, except for the issue related to the date of data retention made available on the BIP website.
When determining the amount of the administrative fine, the President of the Office for Personal Data Protection did not find grounds to conclude that there were any mitigating circumstances affecting the final penalty.
The lack of evidence indicating that the Mayor obtained financial benefits and avoided losses in connection with the infringement did not have any impact on the penalty.
In the present case, the authority did not consider the circumstances referred to in Article 83(2)(j) of the General Data Protection Regulation when imposing the penalty, due to the lack of application of codes of conduct and approved certification mechanisms by the controller.
In deciding whether or not to impose an administrative fine, and also in determining its amount, the President of the Office of Competition and Consumer Protection considered as the most important the serious nature of the infringement resulting from the disclosure of personal data without a legal basis to other entities and the violation of the principle of accountability.
Moreover, the President of the Office took into account that the body under assessment is a public sector entity and, when estimating the amount of the fine, also took into account the amount of its budget for 2018, the manner of its implementation and the budget for 2019.
At this point, it should also be noted that Article 102 of the Personal Data Protection Act provides for the limitation of the amount (to PLN 100,000) of the penalty that may be imposed on a public sector entity.
In the opinion of the President of the Office for Personal Data Protection, the administrative fine of PLN 40,000 applied in the established circumstances of this case fulfils the functions referred to in Article 83 (1) of the general regulation on data protection, i.e. it is effective, proportionate and dissuasive in this individual case.
It should be considered that the penalty will be effective if its imposition leads the Mayor to apply technical and organizational measures that ensure a degree of security of the processed data corresponding to the risk of violation of the rights and freedoms of persons and the seriousness of the risks associated with the processing of these personal data.
In the opinion of the President of the PDPA, the financial penalty applied is proportional to the infringement found, especially due to the gravity of the infringement, categories of personal data affected by the infringement, failure to comply with the controller's obligations under the general regulation on data protection and the duration of the infringement (infringements covered by the injunction were not removed in the course of control).
The dissuasive nature of a financial penalty is linked to the prevention of future infringements and the increased attention paid to the tasks of the controller. The penalty is intended to deter both the controller, from repeated infringements, and others. When imposing the administrative fine for personal data protection infringements by this decision, the President of the Office for Personal Data Protection has taken into account both aspects: firstly, the repressive nature, the Mayor has violated the general data protection regulation; secondly, the preventive nature, both the Mayor and other controllers, will be effectively discouraged from violating personal data protection law in the future, while at the same time exercising greater diligence in the performance of their duties under the general data protection regulation.
The purpose of the penalty imposed is to ensure that the Mayor properly fulfils the obligations provided for in Article 5(1)(a), (e) and (f), Article 5(2), Article 24(1) and (2), Article 28(3), Article 30(1)(d) and (f) and Article 32(1) of the General Data Protection Regulation,
and consequently, to conduct data processing in accordance with the applicable legal regulations.
In view of the above, the President of the Office for the Protection of Personal Data resolved as in the operative part.


The decision is final. A party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw within 30 days from the date of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00 - 193 Warsaw). The complaint must be accompanied by a relative entry, pursuant to Article 231 in conjunction with Article 233 of the Act of 30 August 2002. Law on proceedings before administrative courts
(Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for assistance, which includes exemption from court fees and the appointment of an attorney, legal adviser, tax advisor or patent attorney. The right to assistance may be granted upon a Party's request filed prior to the commencement of proceedings or in the course of proceedings. The application is free of court fees.


Pursuant to Article 74 of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to an administrative court suspends the enforcement of a decision on an administrative fine.
Pursuant to Article 105(1) of the Personal Data Protection Act, the administrative fine shall be paid within 14 days of the expiry of the time limit for filing a complaint with the Provincial Administrative Court, or from the date of the administrative court ruling becoming final and binding, to the bank account of the Office for Personal Data Protection at NBP O/O Warsaw No. 28 1010 1010 1010 0028 8622 3100 0000.