The most frequent GDPR breaches in Poland – ranking

From the beginning, penalties for non-compliance with the GDPR have been a kind of a scare tactic intended to motivate businesses to behave in a certain way or implement the necessary standards. Nevertheless, there are still entities and organizations that find themselves exposed to those penalties. Which articles of the GDPR are most often breached by Polish enterprises? What are the violations for which the President of the Personal Data Protection office (“PUODO”) imposes fines?

Please read our #TOPranking created on the basis of PUODO’s decisions. In subsequent publications, we will present our subjective assessment of the penalties imposed by the PUODO and discuss in more detail the GDPR articles that are breached most frequently

Areas of violations

Since the GDPR came into force, more than 30 fines have been imposed on companies in Poland, totalling over €2.5 million. Of course, not all of these fines were later upheld in full by the courts, but they indicate the direction of the PUODO’s interventions. Which provisions of the GDPR are violated most often? Below is a summary of the provisions that are most often challenging for entrepreneurs:

1. 10 instances of the PUODO imposing a fine: Article 58 of the GDPR and Article 31 of the GDPR, i.e., failure to cooperate with the PUODO in the performance of his tasks and failure to provide all information required by the PUODO to carry out his tasks. This is the winner of our ranking and the first topic we will analyse as part of our series of articles.
2. 9 instances of imposing a fine: Article 32 of the GDPR, i.e., the requirement for the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
3. 9 decisions issued by the PUODO imposing a fine: Article 5 of the GDPR defining the rules regarding the processing of personal data, i.e.:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage limitation;
• integrity and confidentiality;
• accountability.

1. 9 decisions issued by the PUODO imposing a fine: Article 34 of GDPR imposing the obligation to communicate the personal data breach to the data subject.
2. 7 instances of imposing a fine: Article 33 of the GDPR, i.e. the obligation to notify a personal data breach to the supervisory authority.
3. 5 instances of imposing a fine: Article 25 of the GDPR on the controller’s consideration of data protection by design and data protection by default.
4. 2 instances of imposing a fine: Article 6 of the GDPR on the lawfulness of personal data processing.
5. 2 instances of imposing a fine: Article 24 of GDPR, concerning the controller’s obligations to implement appropriate technical and organisational measures.
6. 1 instance of imposing a fine: Article 14 of the GDPR relating to instances where personal data have not been obtained from the data subject.
7. 1 instance of imposing a fine: Article 9 of the GDPR on the processing of special categories of personal data.

In the subsequent publications, we will discuss each of the above provisions in detail and indicate the causes for the PUODO to impose an administrative penalty.

Failure to cooperate

We will first address the undisputed winner in terms of the number of violations, i.e. Article 31 of the GDPR in combination with Article 58 of the GDPR. Article 31 of the GDPR imposes the obligation of the controller and processor to cooperate with the supervisory authority (the PUODO) in the performance of its tasks. Article 58 of the GDPR, in turn, refers to the investigative powers of the supervisory authority and its corrective and advisory powers. The PUODO has so far issued 10 decisions imposing fines on businesses for failure to cooperate with the supervisory authority. Penalties for violations of Article 31 of the GDPR in combination with the relevant provision of Article 58 of the GDPR have been imposed, among others, on Virgin Mobile Polska, Vis Consulting sp. z o. o., Anwara sp. z o.o., PNP S.A. or an entrepreneur running a private nursery and kindergarten. So, apparently, the PUODO hands out penalties equally between big players and small, local businesses.

Examples of violations

What is the cooperation and where is the challenge? How to ensure that you are in compliance with the GDPR? Here are a few examples of situations in which PUODO has imposed a fine on a business because of it had some reservations regarding the cooperation:

1. The Company processed the following data of a data subject: name, surname, residential address and personal ID number PESEL without the subject’s knowledge or consent. At the same time, the Company did not respond to the data subject’s complaint and did not provide to the PUODO answers to specific questions about the case, such as:
2. When and from what source the Company obtained the Complainant’s personal data, in particular, the Complainant’s name, surname, residential address and personal ID number PESEL;
3. Whether the Complainant’s personal data was shared with any other entity;
4. Whether the Complainant has requested the Company to fulfil its information obligation towards the Complainant; and
5. Whether the Complainant has asked the Company to remove his personal data.

In this case, the Company ignored the PUODO’s request and exposed itself to a fine of PLN 21,397.

Link to the decision: https://uodo.gov.pl/decyzje/DKE.561.16.2020

The Company was accused of improper processing of personal data. The PUODO asked the Company a number of questions concerning the basis for data processing, data processing agreements, etc. The PUODO did receive a written response, however, in the opinion of the authority, it was insufficient and incomplete. As a result of the failure to cooperate with the PUODO in the performance of his tasks and to provide him with access to personal data and other information, the Company exposed itself to a fine of PLN 12,838.20.

Link to the decision: https://www.uodo.gov.pl/decyzje/DKE.561.13.2020%20

The PUODO decided that an inspection of personal data processing was to be conducted in relation to the Surveyor General of Poland with regard to the provision of personal data from the land and building registry through the GEOPORTAL2 site. However, the Surveyor General refused to agree to the inspection. Due to the failure to provide the PUODO (during the inspection of compliance with the personal data regulations) with access to premises, equipment and means for processing personal data, and with access to personal data and information necessary for the PUODO to perform his tasks, a fine of PLN 100,000 was imposed on the Surveyor General of Poland.

Link to decision: https://uodo.gov.pl/decyzje/DKE.561.3.2020

Amount of fine

Finally, as a reminder, it is worth pointing out that the PUODO is authorised to impose a fine for GDPR breach in the context of Article 31 of the GDPR of up to €10,000,000, and in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Thus, the fines described above imposed on businesses for failing to cooperate with the supervisory authority may not have reached record levels, but they were certainly noticeable. Hence, should you receive a letter from the PUODO in connection with an investigation conducted by the authority, do not disregard it. Efficient provision of the required information may not only allow you to avoid a fine for violation of Article 31 of the GDPR, but also lead to discontinuation of the pending proceedings or persuade the authority not to impose penalties for other potential violations if you provide the right arguments.

We will describe other most frequent GDPR violations soon. We recommend following our publications to learn how to protect yourself from getting into the next editions of the ranking. We are also available if you need to consult any data protection issues. Do not hesitate to contact us!