Tag: personal data protection

First penalty imposed on a public entity for GDPR infringement

Posted on by kancelaria

The President of the Personal Data Protection Office imposed the first penalty for GDPR violation on a public entity – the Mayor of Aleksandrów Kujawski. The Mayor has to pay PLN40,000 fine and remedy the infringement within 60 days. The main reasons for this decision was failure to enter into data processing agreements and storage of certain data, including asset declarations, longer than is allowed under the law.

No processing agreements

The Mayor failed to enter into processing agreements with the company hosting resources of the Municipal Office’s Public Information Bulletin (BIP) on its servers. No such agreement was concluded with another entity that provided software for BIP creation and maintenance services related to BIP. Thus, the President of the Office found that the Mayor disclosed personal data without legal basis and therefore violated the principle of lawful processing (Article 5.1(a) GDPR) and the principle of confidentiality (Article 5.1(f) GDPR).

Exceeding lawful storage period

The audit found that BIP website contained, among other things, asset declarations from 2010, while their prescribed storage period is 6 years, which in the opinion of the President of the Office is stipulated by sectoral rules. The Mayor therefore violated the principle of storage limitation (Article 5.1(e) GDPR).

Other infringements

The investigation also found irregularities in security of materials from Municipal Council meetings. The Office only stored them on a dedicated YouTube channel and did not make any backup copies of those recordings, which increased the risk of permanent loss. The risk of publication of Municipal Council meetings recordings on YouTube only was also not analysed. So the principle of integrity and confidentiality (Article 5.1(f)) and the principle of accountability (Article 5.2) were violated.

The principle of accountability was infringed also because of gaps in the register of processing operations. It did not indicate all data recipients or the planned date of data erasure for certain processing operations.

Amount of the fine

According to the President of the Office, the amount of the fine was affected by the Mayor’s refusal to cooperate with the authority during the audit, and failure to remedy the infringements. As a result, the President of the Office found no grounds to reduce the fine which was set a relatively high level, i.e. 40% of the maximum rate for the public sector.

The fine imposed on the Mayor of Aleksandrów Kujawski is the fourth fine ordered by the President of the Personal Data Protection Office for GDPR infringements, but the first one imposed on a public entity. This clearly shows that public institutions are not exempt from the obligation to protect personal data and they will be subject to the same scrutiny as private sector. Regardless of the sector where the fined entity operates, conclusions from the justification of the decision  are the same for all data controllers data processing without legal basis (also without a processing agreement) is deemed by the President of the Office one of the most serious violations, just like data storage for extended periods, and any irregularities in this regard may cause serious consequences.

You will find full communication by the President of the Office at: https://uodo.gov.pl/pl/138/1240,
and its decision in full at:
https://uodo.gov.pl/decyzje/ZSPU.421.3.2019.

 

Author:
 Natalia Wojciechowska, Legal Adviser

Employee alcohol testing and GDPR

Posted on by kancelaria

Employers have no right to alcohol test their employees on their own, and that includes random testing – this is the position of the President of the Personal Data Protection Office (UODO) in response to the amendment of the Labour Code that became effective on 4 May 2019 (full text of the position is available HERE).

Why the doubts?

The subject of permissibility of alcohol testing of employees is not new. The discussion whether protection of privacy and personal rights of employees should be more important than the issues such as safety has been going on for years. Those doubts came up again after the Labour Code had new Article 221badded. In accordance with that Article, the basis for processing of special data category, including also health information, may be consent of the employee, but only when provision of that data is initiated by the employee – which means that it cannot be the initiative of the employer, which was generally the case before in alcohol testing carried out by employers. Is the knowledge whether an employee is sober a health information? In the opinion of the President of the UODO – it is.

How can workers be tested for alcohol in the context of the UODO President’s opinion?

The President of the UODO found that the aforementioned amendment had no material impact on the rights and obligations of employers specified in Article 17 of the Act on Upbringing in Sobriety and Counteracting Alcoholism, as in the opinion of the authority in this scope that Act is exhaustive and constant – employee alcohol testing should be carried out on the condition of meeting the following two requirements jointly:

  1. Employer has a justified suspicion that the employee arrived at work after consuming alcohol or consumed alcohol at work,
  2. Employee alcohol test is carried out by authorised body appointed to protect public order (e.g. police), and blood sampling is done by a person with appropriate professional qualifications.

Regardless of the stipulations and interpretation of data protection laws, the existing form of the aforementioned provision, in the opinion of the UODO, excludes the permissibility of random preventative alcohol testing of workers by employers. In the opinion of the President of the UODO “employee alcohol testing cannot be treated as:

  • a form of monitoring of work performed by the employees, referred to in Article 22 (3) § 4 of the Labour Code,
  • an activity necessary to ensure safe working conditions for all employees,
  • justified by legitimate interest of the employer.”

Could employees be tested with their consent?

In the context of the UODO President’s opinion presented above, but also prior case law, you should be very careful in your approach to testing employees with their consent and at their initiative (when, for example, they want to “prove” that they are sober), in particular when the test result would constitute basis for further steps taken towards the employee. Even in recent ruling of the Supreme Court of 4 December 2018, case file number: I PK 194/17, the Supreme Court stressed that “in every situation the entity authorised to carry out alcohol testing is a body appointed to protect public order. Performance of alcohol testing by the employer or its designee may even be deemed to constitute circumventing of Article 17. 3 of the Act on Upbringing in Sobriety, even when employee gives their consent”.

Considering the above, the position of the UODO President must be applied in the development of the employee alcohol testing procedures until possible future law changes.

Author:
Natalia Wojciechowska – legal adviser

Contact

Any questions?see phone number+48 663 683 888
see email address

Hey, have you
signed up to our newsletter yet?

    Check how we process your personal data here

    Ustawienia Prywatności

    Zdecyduj, które ciasteczka chcesz włączyćMożesz zmienić ustawienia w dowolnym momencie. Pamiętaj, że ograniczenie ciasteczek może zablokować korzystanie z niektórych funkcji. Aby uzyskać informacje na temat usuwania plików cookie, skorzystaj z funkcji pomocy w swojej przeglądarce.Dowiedz się więcej o używanych przez nas plikach cookie.

    Za pomocą suwaka można włączać i wyłączać różne typy plików ciasteczek:

    • Zablokuj wszystkie
    • Elementy zasadnicze
    • Funkcjonalne
    • Analityczne
    • Reklamowe

    Ta strona będzie:

    • Remember which cookies group you accepted

    Ta strona internetowa nie będzie:

    • Remember your login details
    • Essential: Remember your cookie permission setting
    • Essential: Allow session cookies
    • Essential: Gather information you input into a contact forms newsletter and other forms across all pages
    • Essential: Keep track of what you input in a shopping cart
    • Essential: Authenticate that you are logged into your user account
    • Essential: Remember language version you selected
    • Functionality: Remember social media settings
    • Functionality: Remember selected region and country
    • Analytics: Keep track of your visited pages and interaction taken
    • Analytics: Keep track about your location and region based on your IP number
    • Analytics: Keep track of the time spent on each page
    • Analytics: Increase the data quality of the statistics functions
    • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies.
    • Advertising: Gather personally identifiable information such as name and location

    Ta strona będzie:

    • Essential: zapamiętaj ustawienie uprawnień do plików cookie
    • Essential: Zezwalaj na pliki cookie sesji
    • Niezbędne: zbieraj informacje, które wprowadzasz do formularza kontaktowego, biuletynu i innych formularzy na wszystkich stronach
    • Essential: Śledź, co wkładasz do koszyka
    • Essential: Uwierzytelnij się, że jesteś zalogowany na swoje konto użytkownika
    • Essential: Zapamiętaj wybraną wersję językową

    Ta strona internetowa nie będzie:

    • Zapamiętaj swoje dane logowania
    • Funkcjonalność: Zapamiętaj ustawienia mediów społecznościowych
    • Funkcjonalność: Zapamiętaj wybrany region i kraj
    • Analytics: śledź odwiedzane strony i podejmowane interakcje
    • Analytics: śledź swoją lokalizację i region w oparciu o Twój numer IP
    • Analytics: Śledź czas spędzony na każdej stronie
    • Analytics: Zwiększ jakość danych funkcji statystycznych
    • Reklama: dostosuj informacje i reklamy do swoich zainteresowań na podstawie np. treść, którą odwiedziłeś wcześniej. (Obecnie nie używamy plików cookie służących do kierowania lub kierowania
    • Reklama: gromadzenie informacji umożliwiających identyfikację osoby, takich jak imię i nazwisko oraz lokalizacja

    Ta strona będzie:

    • Essential: zapamiętaj ustawienie uprawnień do plików cookie
    • Essential: Zezwalaj na pliki cookie sesji
    • Niezbędne: zbieraj informacje, które wprowadzasz do formularza kontaktowego, biuletynu i innych formularzy na wszystkich stronach
    • Essential: Śledź, co wkładasz do koszyka
    • Essential: Uwierzytelnij się, że jesteś zalogowany na swoje konto użytkownika
    • Essential: Zapamiętaj wybraną wersję językową
    • Funkcjonalność: Zapamiętaj ustawienia mediów społecznościowych
    • Funkcjonalność: Zapamiętaj wybrany region i kraj

    Ta strona internetowa nie będzie:

    • Zapamiętaj swoje dane logowania
    • Analytics: śledź odwiedzane strony i podejmowane interakcje
    • Analytics: śledź swoją lokalizację i region w oparciu o Twój numer IP
    • Analytics: Śledź czas spędzony na każdej stronie
    • Analytics: Zwiększ jakość danych funkcji statystycznych
    • Reklama: dostosuj informacje i reklamy do swoich zainteresowań na podstawie np. treść, którą odwiedziłeś wcześniej. (Obecnie nie używamy plików cookie służących do kierowania lub kierowania
    • Reklama: gromadzenie informacji umożliwiających identyfikację osoby, takich jak imię i nazwisko oraz lokalizacja

    Ta strona będzie:

    • Essential: Remember your cookie permission setting
    • Essential: Allow session cookies
    • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
    • Essential: Keep track of what you input in a shopping cart
    • Essential: Authenticate that you are logged into your user account
    • Essential: Remember language version you selected
    • Functionality: Remember social media settings
    • Functionality: Remember selected region and country
    • Analytics: Keep track of your visited pages and interaction taken
    • Analytics: Keep track about your location and region based on your IP number
    • Analytics: Keep track of the time spent on each page
    • Analytics: Increase the data quality of the statistics functions

    Ta strona internetowa nie będzie:

    • Zapamiętaj swoje dane logowania
    • Reklama: wykorzystuj informacje do dostosowanej reklamy ze stronami trzecimi
    • Reklama: pozwala łączyć się z serwisami społecznościowymi
    • Reklama: Zidentyfikuj urządzenie, z którego korzystasz
    • Reklama: Zbierz dane osobowe, takie jak imię i nazwisko oraz lokalizację

    Ta strona będzie:

    • Essential: Remember your cookie permission setting
    • Essential: Allow session cookies
    • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
    • Essential: Keep track of what you input in a shopping cart
    • Essential: Authenticate that you are logged into your user account
    • Essential: Remember language version you selected
    • Functionality: Remember social media settings
    • Functionality: Remember selected region and country
    • Analytics: Keep track of your visited pages and interaction taken
    • Analytics: Keep track about your location and region based on your IP number
    • Analytics: Keep track of the time spent on each page
    • Analytics: Increase the data quality of the statistics functions
    • Advertising: Use information for tailored advertising with third parties
    • Advertising: Allow you to connect to social sitesl Advertising: Identify device you are using
    • Advertising: Gather personally identifiable information such as name and location

    Ta strona internetowa nie będzie:

    • Zapamiętaj dane logowania
    Zapisz i zamknij