First Polish fine imposed on a public body

Date: 31.10.2019

Responsible body: Mayor of the Polish city Aleksandrów Kujawski

Nature of the data breach: lack of agreement on the processing of personal data

The President of the Office for the Protection of Personal Data has imposed the first Polish fine on a public institution. The data protection fine amounts to 40,000 zloty for non-compliance with the GDPR. The precise reason for imposing the fine was that the mayor of the city had not concluded an agreement on the processing of personal data with the entities to which he had transferred data.

Specifically, it concerns a company whose servers contained the resources of the Public Information Bulletin (BIP) of the Aleksandrów Kujawski Town Hall. Such an agreement was also not concluded with another company that provided software for the creation of the BIP and provided services in this area. The President of the Office concluded that Article 28 paragraph 3 of the GDPR was infringed. This provision obliges the controller to conclude a processing contract with the body that carries out the processing of personal data.

In the absence of such an agreement, the Mayor is responsible for the disclosure of personal data without legal basis. This violates the principle of lawfulness of processing (Article 5 paragraph 1(a) of the GDPR) and the principle of integrity and confidentiality (Article 5 paragraph 1(f) of the GDPR).

During the investigation it was also found that the recorded materials of the city council meetings were only available via a link in the BIP to a dedicated YouTube channel. No backup copies of these recordings were available at the municipal office. No risk analysis was conducted for the publication of recordings of council meetings exclusively on YouTube. Thus, the principle of integrity and confidentiality (Article 5 paragraph 1(f) of the GDPR) and the principle of accountability (Article 5 paragraph 2 of the GDPR) were violated.

The accountability principle was also violated in relation to the deficiencies in the register of processing activities. For example, for certain processing activities the register indicated neither all data recipients nor the planned date of data erasure.

The imposition of the fine took into account the fact that, despite the irregularities detected in the course of the procedure, the data controller did not remedy them or introduce solutions to prevent future infringements. The data controller also failed to cooperate with the supervisory authority. The President of the Office therefore decided that no reduction of the amount of the fine was possible.

In addition to the fine, the President of the Office ordered the controller to take measures to remedy the violations within 60 days.

Legal basis: Article 5 of the GDPR

Fines: 40,000 zloty

Country: Poland

Source: European Data Protection Board

Nadine Porrmann