First penalty imposed on a public entity for GDPR infringement

The President of the Personal Data Protection Office imposed the first penalty for GDPR violation on a public entity – the Mayor of Aleksandrów Kujawski. The Mayor has to pay PLN40,000 fine and remedy the infringement within 60 days. The main reasons for this decision was failure to enter into data processing agreements and storage of certain data, including asset declarations, longer than is allowed under the law.

No processing agreements

The Mayor failed to enter into processing agreements with the company hosting resources of the Municipal Office’s Public Information Bulletin (BIP) on its servers. No such agreement was concluded with another entity that provided software for BIP creation and maintenance services related to BIP. Thus, the President of the Office found that the Mayor disclosed personal data without legal basis and therefore violated the principle of lawful processing (Article 5.1(a) GDPR) and the principle of confidentiality (Article 5.1(f) GDPR).

Exceeding lawful storage period

The audit found that BIP website contained, among other things, asset declarations from 2010, while their prescribed storage period is 6 years, which in the opinion of the President of the Office is stipulated by sectoral rules. The Mayor therefore violated the principle of storage limitation (Article 5.1(e) GDPR).

Other infringements

The investigation also found irregularities in security of materials from Municipal Council meetings. The Office only stored them on a dedicated YouTube channel and did not make any backup copies of those recordings, which increased the risk of permanent loss. The risk of publication of Municipal Council meetings recordings on YouTube only was also not analysed. So the principle of integrity and confidentiality (Article 5.1(f)) and the principle of accountability (Article 5.2) were violated.

The principle of accountability was infringed also because of gaps in the register of processing operations. It did not indicate all data recipients or the planned date of data erasure for certain processing operations.

Amount of the fine

According to the President of the Office, the amount of the fine was affected by the Mayor’s refusal to cooperate with the authority during the audit, and failure to remedy the infringements. As a result, the President of the Office found no grounds to reduce the fine which was set a relatively high level, i.e. 40% of the maximum rate for the public sector.

The fine imposed on the Mayor of Aleksandrów Kujawski is the fourth fine ordered by the President of the Personal Data Protection Office for GDPR infringements, but the first one imposed on a public entity. This clearly shows that public institutions are not exempt from the obligation to protect personal data and they will be subject to the same scrutiny as private sector. Regardless of the sector where the fined entity operates, conclusions from the justification of the decision  are the same for all data controllers – data processing without legal basis (also without a processing agreement) is deemed by the President of the Office one of the most serious violations, just like data storage for extended periods, and any irregularities in this regard may cause serious consequences.

You will find full communication by the President of the Office at: https://uodo.gov.pl/pl/138/1240,
and its decision in full at:
https://uodo.gov.pl/decyzje/ZSPU.421.3.2019.

Author:
 Natalia Wojciechowska, Legal Adviser