Polish DPA: The first fine for non-compliance with an administrative decision order

12 February 2021

An administrative fine of more than PLN 85 000 (EUR 20 000) imposed on an entrepreneur, conducting an economic activity in the field of health care, for the failure to comply with the order imposed on it in an administrative decision.

The Personal Data Protection Office (UODO) ordered the entrepreneur to communicate the breach of their personal data to its patients and to provide these persons with recommendations on how to minimize the potential adverse effects of the incident. The controller failed to do so, as the proceedings revealed, the purpose of which was to check whether the obligations imposed in the UODO’s decision had been fulfilled.

Consequently, the persons affected by the breach knew nothing about it. In the notification there meant to be information such as:

  1. a description of the nature of personal data breach;
  2. the name and contact details for the data protection officer or other contact point where more information can be obtained;
  3. a description of the likely consequences of the personal data breach;
  4. a description of measures taken or proposed by the controller to be taken to address the personal data breach – including measures to mitigate its possible effects.

Properly fulfilling of this obligation would allow data subjects to understand what the breach of protection of their personal data consisted in, to learn the possible consequences of such an incident, and what actions they can take in order to mitigate its possible adverse effects.

Because the entrepreneur ignored the decision of supervisory authority, UODO decided to initiate an ex officio proceedings in the case of imposing an administrative fine. It should be noted that the entrepreneur, despite receiving from the Office detailed instructions concerning, inter alia, the correct wording of the communications and the form in which they should be delivered to patients, as well as the manner of documenting these actions. Even at the stage of the proceedings in the case of imposing a fine did not present complete evidence, which would allow to acknowledge that the obligation resulting from the order of the decision was fulfilled by the entrepreneur.

While imposing the fine, the Office took into account the following aggravating factors:

  • a long duration of the breach, which resulted in increased risk of the adverse effects for persons affected by the breach, and
  • intentional nature of the breach and unsatisfactory level of cooperation with the supervisory authority in order to remedy the breach – the entrepreneur did not follow the recommendations of the Office during the proceedings.

The entrepreneur’s failure to comply with the guidelines provided by the Office demonstrates the blatant disregard for the entrepreneur’s data protection obligations.

The supervisory authority is responsible for monitoring and enforcing compliance with personal data protection laws. In case of non-compliance by controllers, the President of the UODO may use the corrective powers granted to it. These are, among others, the power to order the controller to communicate a personal data breach to the data subject, and the power to impose an administrative fine, in addition to or instead of measures referred to in Article 58(2) of the GDPR.

To read the press release is Polish, click here.
To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.