Polish SA: administrative fine of 132 000 € for improper positioning of the DPO and failure to include profiling in documentation

  • National News

Background information

  • Date of final decision: 18 December 2024
  • National case
  • Legal Reference(s): Article 30 (Records of processing activities), Article 35 (Data protection impact assessment), Article 38 (Position of the data protection officer)
  • Decision: Administrative fine
  • Key words: Administrative fine, Data protection officer, Profiling, Data protection impact assessment, Data subject rights, Record of processing activities

Summary of the Decision

Origin of the case

During the inspection, it turned out that Toyota Bank Polska S.A., as data controller, had created a situation in which the Data Protection Officer (DPO) was not fully independent in his work. Furthermore, Toyota Bank Polska S.A. failed to include profiling in the record of processing activities and in the data protection impact assessment.

Key Findings

  1. Improper positioning of the DPO in the organisation
    The DPO did not report directly to the highest management of the Bank, i.e., the Bank’s Management Board. Instead, the DPO worked as an IT auditor/security specialist in the security team and then in the security department, reporting directly to the Director of that department. Furthermore, the Director’s duties also included managing the data processing operations.
  2. Failure to include profiling in documentation
    The Bank profiles numerous customer data in order to determine their creditworthiness. The Bank also processes the result of the so-called credit score, i.e., the credit risk assessment and the assignment of a risk category defined by the Bank. It is the credit risk assessment and the assignment of a credit risk category that involves data profiling, which should have been, but was not, included in the Bank’s record of processing activities. In addition, the Bank did not assess the implications of profiling for the security of the processing of personal data (lack of a data protection impact assessment).

Decision

The President of the Personal Data Protection Office has imposed on Toyota Bank Polska S.A. an administrative fine of 60 000 € for infringement of Article 38(3) of the GDPR and a fine of 72 000 € for infringement of Article 30(1) and Article 35(1) and (7) of the GDPR.
The total fine imposed on Toyota Bank Polska S.A. was 132 000 €.

For further information:
