First penalty imposed on a public entity for GDPR infringement

The President of the Personal Data Protection Office imposed the first penalty for a GDPR violation on a public entity – the Mayor of Aleksandrów Kujawski. The Mayor has to pay a PLN 40,000 fine and remedy the infringement within 60 days. The main reasons for this decision were failure to enter into data processing agreements and storage of certain data, including asset declarations, longer than is allowed under the law.

No processing agreements

The Mayor failed to enter into a processing agreement with the company hosting resources of the Municipal Office’s Public Information Bulletin (BIP) on its servers. Nor was such an agreement concluded with another entity that provided software for BIP creation and maintenance services related to BIP. Thus, the President of the Office found that the Mayor disclosed personal data without a legal basis and therefore violated the principle of lawful processing (Article 5.1(a) GDPR) and the principle of confidentiality (Article 5.1(f) GDPR).

Exceeding lawful storage period

The audit found that the BIP website contained, among other things, asset declarations from 2010, while their prescribed storage period is 6 years, which in the opinion of the President of the Office is stipulated by sectoral rules. The Mayor therefore violated the principle of storage limitation (Article 5.1(e) GDPR).

Other infringements

The investigation also found irregularities in the security of materials from Municipal Council meetings. The Office stored them only on a dedicated YouTube channel and did not make any backup copies of those recordings, which increased the risk of permanent loss. The risk of publishing Municipal Council meeting recordings on YouTube only was also not analysed. So the principle of integrity and confidentiality (Article 5.1(f)) and the principle of accountability (Article 5.2) were violated.

The principle of accountability was infringed also because of gaps in the register of processing operations. It did not indicate all data recipients or the planned date of data erasure for certain processing operations.

Amount of the fine

According to the President of the Office, the amount of the fine was affected by the Mayor’s refusal to cooperate with the authority during the audit, and failure to remedy the infringements. As a result, the President of the Office found no grounds to reduce the fine, which was set at a relatively high level, i.e. 40% of the maximum rate for the public sector.

The fine imposed on the Mayor of Aleksandrów Kujawski is the fourth fine ordered by the President of the Personal Data Protection Office for GDPR infringements, but the first one imposed on a public entity. This clearly shows that public institutions are not exempt from the obligation to protect personal data and they will be subject to the same scrutiny as the private sector. Regardless of the sector where the fined entity operates, conclusions from the justification of the decision are the same for all data controllers: data processing without a legal basis (also without a processing agreement) is deemed by the President of the Office one of the most serious violations, just like data storage for extended periods, and any irregularities in this regard may cause serious consequences.

You will find full communication by the President of the Office at: https://uodo.gov.pl/pl/138/1240,
and its decision in full at:
https://uodo.gov.pl/decyzje/ZSPU.421.3.2019.

 

Author:
 Natalia Wojciechowska, Legal Adviser

Employee alcohol testing and GDPR

Employers have no right to alcohol test their employees on their own, and that includes random testing – this is the position of the President of the Personal Data Protection Office (UODO) in response to the amendment of the Labour Code that became effective on 4 May 2019 (full text of the position is available HERE).

Why the doubts?

The subject of permissibility of alcohol testing of employees is not new. The discussion whether protection of privacy and personal rights of employees should be more important than issues such as safety has been going on for years. Those doubts came up again after the Labour Code had new Article 22 (1b) added. In accordance with that Article, the basis for processing of a special category of data, including health information, may be the consent of the employee, but only when provision of that data is initiated by the employee – which means that it cannot be the initiative of the employer, which was generally the case before in alcohol testing carried out by employers. Is the knowledge whether an employee is sober health information? In the opinion of the President of the UODO – it is.

How can workers be tested for alcohol in the context of the UODO President’s opinion?

The President of the UODO found that the aforementioned amendment had no material impact on the rights and obligations of employers specified in Article 17 of the Act on Upbringing in Sobriety and Counteracting Alcoholism, as, in the opinion of the authority, that Act is exhaustive and constant in this scope – employee alcohol testing should be carried out on the condition of meeting the following two requirements jointly:

  1. The employer has a justified suspicion that the employee arrived at work after consuming alcohol or consumed alcohol at work,
  2. The employee alcohol test is carried out by an authorised body appointed to protect public order (e.g. police), and blood sampling is done by a person with appropriate professional qualifications.

Regardless of the stipulations and interpretation of data protection laws, the existing form of the aforementioned provision, in the opinion of the UODO, excludes the permissibility of random preventative alcohol testing of workers by employers. In the opinion of the President of the UODO “employee alcohol testing cannot be treated as:

  • a form of monitoring of work performed by the employees, referred to in Article 22 (3) § 4 of the Labour Code,
  • an activity necessary to ensure safe working conditions for all employees,
  • justified by legitimate interest of the employer.”

Could employees be tested with their consent?

In the context of the UODO President’s opinion presented above, but also prior case law, you should be very careful in your approach to testing employees with their consent and at their initiative (when, for example, they want to “prove” that they are sober), in particular when the test result would constitute a basis for further steps taken towards the employee. Even in its recent ruling of 4 December 2018, case file number: I PK 194/17, the Supreme Court stressed that “in every situation the entity authorised to carry out alcohol testing is a body appointed to protect public order. Performance of alcohol testing by the employer or its designee may even be deemed to constitute circumventing of Article 17.3 of the Act on Upbringing in Sobriety, even when employee gives their consent”.

Considering the above, the position of the UODO President must be applied in the development of the employee alcohol testing procedures until possible future law changes.

Author:
Natalia Wojciechowska – legal adviser
