Data Protection Academy » Data Protection News » First Polish fine imposed on a public body

First Polish fine against public body

First Polish fine imposed on a public body

Date: 31.10.2019

Responsible body: Mayor of the Polish city Aleksandrów Kujawski

Nature of the data breach: lack of agreement on the processing of personal data

First Polish fine against a public institution was imposed by the President of the Office for the Protection of personal data imposed on a public institution. The data protection fine amounts to 40,000 zloty for non-compliance with the GDPR. The precise reason for imposing the fine was that the mayor of the city had not concluded an agreement on the processing of personal data with the entities to which he had transferred data.

Specifically, it concerns a company whose servers contained the resources of the Public Information Bulletin (BIP) of the Aleksandrów Kujawski Town Hall. Such an agreement was also not concluded with another company that provided software for the creation of GDP and provided services in this area. The President of the Office concluded that against Article 28 paragraph 3 of the GDPR was infringed. This provision obliges the controller to conclude a processing contract with the body that carries out the processing of personal data.

In the absence of such an agreement, the Mayor is responsible for the disclosure of personal data without legal basis. This violates the principle of lawfulness of processing (Article 5 paragraph 1(a) GDPR) and against the principle of integrity and confidentiality (Article 5 paragraph 1(f) of the GDPR).

In addition to the fine, the President of the Office instructed the controller to take measures within 60 days to remedy the infringements

Legal basis: Article 5 the GDPR

Fines: 40,000 zloty

Country: Poland

SourceEuropean Data Protection Board

Back to the overview of the data breaches

Nadine Porrmann
Latest posts by Nadine Porrmann (see all)

This might interest you too:

Data protection Fines

Examples of GDPR fines: what happens in data protection

GDPR infringements are punished with heavy fines. Find out which data protection infringements are suspected and secure yourself.
Data protection Fines

Italian data protection supervisory authority imposed 27.8 million fine

The telecommunications operator was found to be involved in unlawful processing for marketing purposes. millions of people were affected.
Data protection Fines

Data protection fine imposed on the Municipality of Oslo Education Authority

120.000 € because the security of the app "Skolemelding" for communication between school staff, parents and pupils was not guaranteed.