Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR) provides for the possibility of imposing financial penalties for non-compliance, breach, or infringement of its provisions. In Poland, these penalties are imposed by the President of the Personal Data Protection Office (hereinafter referred to as the PUODO) by way of an administrative decision. Since the GDPR entered into force, over 60 fines have been imposed in Poland, totaling over €3.4 million.
The most recent financial penalty imposed in 2023 by the President of the Personal Data Protection Office, amounting to €100,000, concerns the Minister of Health for an infringement involving the unlawful processing of personal data, including special category data. This data was obtained through an electronic platform and then published on the social media platform "X" without a legal basis. This infringement also involved a lack of appropriate technical and organizational measures ensuring a level of security appropriate to the risk of data processing, as well as a failure to provide data subjects with the information referred to in Article 33(3)(c) and (d) of the GDPR, i.e., a description of the possible consequences of the personal data breach and a description of the measures taken or proposed by the controller to address the breach, including measures to minimize its potential negative effects.
Since January 2024, the Personal Data Protection Office (PUODO) has imposed four fines. The first was imposed again on the Krakow-based portal Morele.net, which was previously fined €660,000 in 2019. Morele.net once again violated the GDPR by failing to implement appropriate technical and organizational measures to ensure the security of data processing in IT systems and the protection of the rights of data subjects, resulting in a violation of the principles of data integrity and confidentiality. The fine amounted to PLN 3,819,960, which is equivalent to €810,000.
Another fine imposed this year concerned a business entity that violated the GDPR by failing to notify the President of the Personal Data Protection Office of a personal data breach without undue delay and no later than 72 hours after the breach was discovered, and by failing to notify the data subjects of the breach without undue delay. An administrative fine of PLN 9,903.60 was imposed. Furthermore, the authority ordered that the three individuals listed in the decision, whose PESEL numbers had been disclosed as a result of the unauthorized disclosure, be notified of the personal data breach within three days of the date of notification of the decision, so that they receive the information required under Article 34(2) of Regulation 2016/679. The authority emphasized that where a breach results in a high risk to the rights or freedoms of natural persons, an entry in the register of breaches is not sufficient: the controller must also take appropriate action both towards the supervisory authority (notifying the data protection breach) and towards the data subjects.
The latest financial penalty, amounting to PLN 78,575.40, was imposed on Toyota Bank Polska S.A., based in Warsaw, in connection with a personal data breach that the bank reported to the President of the Personal Data Protection Office, involving the personal data of one individual: name, bank account number, residential address, PESEL (Polish National Identification Number), and ID card series and number. The breach consisted of an employee's error in sending a bank letter containing a loan agreement and repayment schedule to another customer of the bank, which resulted in the disclosure of data to an unauthorized person. The correspondence was returned to the bank, but the explanation provided indicates that the situation was recorded only as a security incident, and the personal data breach was not reported to the supervisory authority within the required timeframe.
The most severe penalty imposed to date is PLN 4,911,732, imposed on Fortum Marketing and Sales Polska S.A., a company collaborating with PIKA Sp. z o.o., which was fined PLN 250,135. The reported breach indicated that the Controller's customer data had been copied; the incident was related to a change implemented in the IT environment for services in order to increase the efficiency of the entire repository. The authority found that the companies, bound by a personal data processing agreement, committed the infringement by failing to implement appropriate technical and organizational measures to ensure the security of personal data, resulting in a breach of its confidentiality, and by failing to verify the processor. When determining the amount of the administrative fine imposed on Fortum Marketing and Sales Polska S.A. and PIKA Sp. z o.o., the authority took into account the aggravating circumstances of the case that influenced the amount of the financial penalty: the nature and gravity of the infringement; the degree of responsibility of the companies, having regard to the technical and organizational measures implemented; relevant previous infringements of the provisions of the Regulation; and the categories of personal data concerned by the infringement.
It is also worth noting that supervisory authorities have the power to impose sanctions other than financial penalties, such as warnings, restrictions on data processing or a temporary or permanent ban on data processing.
This article is for informational purposes only and does not constitute legal advice.
Legal status as of April 10, 2024
