First Polish fine imposed on a public body
Date: 31.10.2019
Responsible body: Mayor of the Polish city Aleksandrów Kujawski
Nature of the data breach: lack of agreement on the processing of personal data
The President of the Office for the Protection of Personal Data has imposed the first Polish fine on a public institution. The data protection fine amounts to 40,000 zloty for non-compliance with the GDPR. The precise reason for imposing the fine was that the mayor of the city had not concluded an agreement on the processing of personal data with the entities to which he had transferred data.
Specifically, it concerns a company whose servers contained the resources of the Public Information Bulletin (BIP) of the Aleksandrów Kujawski Town Hall. Such an agreement was also not concluded with another company that provided software for the creation of the BIP and provided services in this area. The President of the Office concluded that Article 28 paragraph 3 of the GDPR was infringed. This provision obliges the controller to conclude a processing contract with the body that carries out the processing of personal data.
In the absence of such an agreement, the Mayor is responsible for the disclosure of personal data without legal basis. This violates the principle of lawfulness of processing (Article 5 paragraph 1(a) of the GDPR) and the principle of integrity and confidentiality (Article 5 paragraph 1(f) of the GDPR).
During the investigation it was also found that the recorded materials of the city council meetings were only available via a link in the BIP to a dedicated YouTube channel. No backup copies of these recordings were available at the municipal office. No risk analysis was conducted for the publication of recordings of council meetings exclusively on YouTube. Thus, the principle of integrity and confidentiality (Article 5 paragraph 1(f) of the GDPR) and the principle of accountability (Article 5 paragraph 2 of the GDPR) were violated.
The accountability principle was also violated in relation to the deficiencies in the register of processing activities. For example, neither all data recipients nor the planned date of data erasure for certain processing activities were indicated.
The imposition of the fine took into account the fact that, despite the irregularities detected in the course of the procedure, the data controller did not remedy them or introduce solutions to prevent future infringements. The data controller also failed to cooperate with the supervisory authority. The President of the Office therefore decided that no reduction of the amount of the fine was possible.
In addition to the fine, the President of the Office ordered the controller to take measures to remedy the violations within 60 days.
Legal basis: Article 5 of the GDPR
Fines: 40,000 zloty
Country: Poland
Source: European Data Protection Board