The challenges arising from the protection of personal data are countless and inescapable in our landscape. Three years after the GDPR came into force, some clear trends can be seen on the Polish market, from which a set of good enforcement practices may be derived.
Although a majority of the fines for violations of the GDPR have been imposed on companies in the industry and commerce, media, telecoms and broadcasting, finance, and insurance sectors, a number of fines have also been imposed on the public sector and education entities. Nevertheless, the Polish Data Protection Authority has not focused on specific sectors. The DPA often goes beyond its public inspection plans for a given year and often fines entities from different sectors, and for different infringements.
The majority of the GDPR fines in Poland have been issued due to insufficient legal bases for data processing (GDPR Articles 5 and 6), deficiencies in information security (Article 32), or based on insufficient fulfillment of the data breach notification obligation (Articles 33 and 34). There is no common, official calculation method for these fines, and each case is considered separately. The Polish Data Protection Authority makes its decision based on the factors listed in the GDPR, considering, in particular, the intentional or unintentional nature of the act, its duration, the nature and gravity of the infringement, and the level of cooperation with the authority. As penalties count towards revenue for the state budget, the legislator introduced lower penalties for public entities.
The three biggest fines in Poland so far (i.e., those levied on Morele.net, Virgin Mobile Polska, and ID Finance Poland) have been linked to insufficient organizational and technical safeguards that led to unauthorized access to personal data stored by companies. To date, the highest GDPR fine in Poland – PLN 2.8 million (approximately EUR 660,000) – was imposed on Morele.net, for having insufficient organizational and technical safeguards leading to a breach of the personal data of 2.2 million people. The data theft occurred through unauthorized access to an employee’s workstation. According to the authority, this was possible due to a lack of security measures, in this case, because of one-step authentication.
In practice, before the start of the relevant administrative proceedings (and the subsequent imposition of a fine), data controllers/processors may also face an inspection under the Polish Data Protection Act of May 10, 2018. The whole process can be broken down into a few steps, the first being the notice of inspection, followed by the actual inspection, then the finalization of the inspection, when the authority decides whether a violation has occurred. Then the actual administrative proceeding and, possibly, finally, the judicial-administrative proceeding, if there is an appeal of the decision.
If the President of the Data Protection Authority concludes it is in the public interest, upon completion of the proceedings he/she may inform the public about the decision in the Public Information Bulletin (BIP). A decision that is made public should be appropriately anonymized. It seems, however, that the DPA may choose to post a notice on the BIP website stating that a decision has been issued, provide the content of the decision along with the notice, or hold a press conference.
The sanction does not necessarily have to be financial – the authority also has a number of other remedial powers under the GDPR. In practice, for example, the Polish authority generally only requests that entities comply with the information obligation or the data breach notification obligation. Entities have also been sanctioned in several cases for failing to cooperate with the authority.
Failure to co-operate with the Polish DPA during the inspection may, in itself, lead the authority to impose an administrative fine in line with the provisions of the GDPR. In 2020, for example, the Polish DPA imposed a fine of PLN 20,000 (approximately EUR 4,700) on telemarketing company Vis Consulting Sp. z o.o. for failing to cooperate with the supervisory authority during an inspection.
By Tomasz Koryzma, Partner, and Damian Karwala, Senior Associate, CMS
This Article was originally published in Issue 8.6 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.