Polish SA: administrative fine of 132 000 € for improper positioning of the DPO and failure to include profiling in documentation

7 May 2025

Background information

  • Date of final decision: 18 December 2024
  • National case
  • Legal Reference(s): Article 30 (Records of processing activities), Article 35 (Data protection impact assessment), Article 38 (Position of the data protection officer)
  • Decision: Administrative fine
  • Key words: Administrative fine, Data protection officer, Profiling, Data protection impact assessment, Data subject rights, Record of processing activities


Summary of the Decision

Origin of the case  

During the inspection, it turned out that Toyota Bank Polska S.A., as data controller, had created a situation in which the Data Protection Officer (DPO) was not fully independent in his work. Furthermore, Toyota Bank Polska S.A. had failed to include profiling in its record of processing activities and had not carried out a data protection impact assessment for it.

Key Findings

  1. Improper positioning of the DPO in the organisation
    The DPO did not report directly to the highest management level of the Bank, i.e., the Bank's Management Board. Instead, the DPO worked as an IT auditor/security specialist, first in the security team and then in the security department, reporting directly to the Director of that department. That Director's duties also included managing the data processing operations, so the DPO's line manager was responsible for the very processing the DPO was meant to monitor.
  2. Failure to include profiling in documentation
    The Bank profiles a wide range of customer data in order to determine customers' creditworthiness. The Bank also processes the result of this profiling, the so-called credit score, i.e., the credit risk assessment and the assignment of a risk category defined by the Bank. It is this credit risk assessment and assignment of a credit risk category that constitutes profiling, which should have been, but was not, included in the Bank's record of processing activities. In addition, the Bank did not assess the implications of profiling for the security of the processing of personal data, i.e., no data protection impact assessment was carried out.

Decision 

The President of the Personal Data Protection Office imposed on Toyota Bank Polska S.A. an administrative fine of 60 000 € for infringement of Article 38(3) of the GDPR and a fine of 72 000 € for infringement of Articles 30(1) and 35(1) and (7) of the GDPR.
The total fine imposed on Toyota Bank Polska S.A. was therefore 132 000 €.


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.