First penalty imposed on a public entity for GDPR infringement

18 November 2019   /  Articles

The President of the Personal Data Protection Office imposed the first penalty for a GDPR violation on a public entity – the Mayor of Aleksandrów Kujawski. The Mayor has to pay a PLN 40,000 fine and remedy the infringement within 60 days. The main reasons for this decision were the failure to enter into data processing agreements and the storage of certain data, including asset declarations, for longer than the law allows.

No processing agreements

The Mayor failed to enter into a processing agreement with the company hosting the resources of the Municipal Office’s Public Information Bulletin (BIP) on its servers. No such agreement was concluded with another entity that provided the software for creating the BIP and maintenance services related to it. Thus, the President of the Office found that the Mayor disclosed personal data without a legal basis and therefore violated the principle of lawful processing (Article 5.1(a) GDPR) and the principle of confidentiality (Article 5.1(f) GDPR).

Exceeding lawful storage period

The audit found that the BIP website contained, among other things, asset declarations from 2010, although their prescribed storage period, which in the opinion of the President of the Office is stipulated by sectoral rules, is 6 years. The Mayor therefore violated the principle of storage limitation (Article 5.1(e) GDPR).

Other infringements

The investigation also found irregularities in the security of materials from Municipal Council meetings. The Municipal Office stored the recordings only on a dedicated YouTube channel and did not make any backup copies, which increased the risk of their permanent loss. Nor was the risk of publishing the Municipal Council meeting recordings solely on YouTube analysed. The principle of integrity and confidentiality (Article 5.1(f)) and the principle of accountability (Article 5.2) were therefore violated.

The principle of accountability was also infringed because of gaps in the register of processing operations: it did not indicate all data recipients or the planned date of data erasure for certain processing operations.

Amount of the fine

According to the President of the Office, the amount of the fine was affected by the Mayor’s refusal to cooperate with the authority during the audit and by the failure to remedy the infringements. As a result, the President of the Office found no grounds to reduce the fine, which was set at a relatively high level, i.e. 40% of the maximum rate for the public sector.

The fine imposed on the Mayor of Aleksandrów Kujawski is the fourth fine ordered by the President of the Personal Data Protection Office for GDPR infringements, but the first one imposed on a public entity. This clearly shows that public institutions are not exempt from the obligation to protect personal data and that they will be subject to the same scrutiny as the private sector. Regardless of the sector in which the fined entity operates, the conclusions from the justification of the decision are the same for all data controllers: data processing without a legal basis (including without a processing agreement) is deemed by the President of the Office to be one of the most serious violations, as is data storage for extended periods, and any irregularities in this regard may have serious consequences.

You will find full communication by the President of the Office at: https://uodo.gov.pl/pl/138/1240,
and its decision in full at:
https://uodo.gov.pl/decyzje/ZSPU.421.3.2019.


Author:
 Natalia Wojciechowska, Legal Adviser
