Recently, the Provincial Administrative Court in Warsaw upheld the decision of the President of the Personal Data Protection Office (UODO) to fine the mayor of Aleksandrów Kujawski PLN 40,000.
The mayor, acting as a personal data controller, had not concluded a data processing agreement with the entities to which he transferred personal data, thereby violating the EU regulation (GDPR). The requirement to conclude such an agreement follows directly from the GDPR (Article 28, which governs the relationship between a controller and a processor), and its absence can have serious consequences, including financial ones, as the mayor of Aleksandrów Kujawski discovered. In general terms, the agreement regulates the mutual rights and obligations of the parties and should also provide for appropriate organizational and technical measures so that the data are processed lawfully. Its essential elements include the scope (which data are entrusted) and the purpose (why the data are processed). Defining the contractual provisions properly, and then adhering to them, is particularly important because it creates the conditions for implementing the data protection rules in practice. Templates available online may not be sufficient; the agreement has to be tailored to the scope of the controller's activities.
The Surveyor General of Poland was fined PLN 100,000 for violating the principle of lawful data processing, i.e. Article 5(1)(a) and Article 6 of the GDPR, which require that personal data be processed lawfully, fairly and in a manner transparent to the data subject. The main reason for such a high fine was that, on the basis of agreements with district heads, the Authority obtained information from the land and building register (including land and mortgage register numbers) and published it on the GEOPORTAL2 online platform. The President of the UODO found that these agreements were insufficient and did not constitute a legal basis for disclosing this category of data.
Land and mortgage register numbers are personal data, and the President of the UODO had no doubt about this when imposing the penalty. Under the GDPR, personal data means any information relating to an identified or identifiable natural person. By publishing land and mortgage register numbers, the Surveyor General of Poland made them available to any internet user, which may adversely affect the security of the data subjects.
It is also worth recalling the highest fine ever imposed by the President of the UODO, exceeding PLN 2.8 million, imposed on "morele.net" for insufficient organizational and technical security measures, which led to unauthorized access to the personal data of 2.2 million people. The GDPR allows national data protection authorities to impose fines of up to EUR 20 million or 4% of total annual worldwide turnover, whichever is higher.
Tracing the history of the fines imposed so far, their amounts show a clear upward trend. This may follow from the EU regulation itself, which requires that fines be not only effective and proportionate in each individual case but also dissuasive, and also from the fact that the UODO's budget for 2019 was reduced compared with the previous year, as reported by the European Data Protection Board in its annual report.
The reduction in the UODO's budget may come as a surprise, especially since the EU regulation imposed additional obligations on the Authority and therefore a greater workload. This is not good news for data controllers: the President of the UODO may be reaching into their pockets when imposing further fines. It could also mean that Polish fines will rise to the level of those imposed by supervisory authorities in other European countries.
Source materials:
- Judgment of the Provincial Administrative Court in Warsaw of 26 August 2020, reference number II SA/Wa 2826/19,
- Decision of the President of the Personal Data Protection Office of 24 August 2020, reference number DKN.5112.13.2020,
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L. of 2016, No. 119, as amended)
