Polish SA: administrative fine of 2 700 € against Specer sp. z o.o. for appointing chairman of the company as its DPO
Background information
- Date of final decision: 12 September 2025
- National case
- Legal Reference(s): Article 38 (Position of the data protection officer)
- Decision: Administrative fine
- Key words: Administrative fine, Data protection officer
Summary of the Decision
Origin of the case
A company whose activities are focused on the provision of medical services notified an incident with data in 2023 to the President of the Personal Data Protection Office: someone else’s documents were issued to the patient. According to the notification, the chairman of the company was also the DPO. The President of the Personal Data Protection Office therefore initiated administrative proceedings in order to clarify how that happened.
Key Findings
In the course of the proceedings, it appeared that the company, the data controller, was aware that the DPO had to be independent from the company’s authorities in order to be able to report on the risks. However, the company took the view that the exercise of that function by the chairman himself did not threaten that independence.
According to the President of the Personal Data Protection Office, the company relied on individual, incorrect interpretations of Article 38 (6) GDPR, drawing inappropriate conclusions. It considered that, since it carried out activities covered by medical confidentiality, there was no conflict of interest between the board of directors and the DPO. The protection of patients’ medical records and the protection of their data is simply one of the company’s most important obligations and is carried out by the chairman.
The President of the Personal Data Protection Office indicated in the decision that the DPO is the person who is to assist the data controller and the processor in ensuring that the processing and data protection comply with the rules on the protection of personal data. Therefore, the GDPR explicitly states that the DPO may perform other tasks and duties only if they do not give rise to a conflict of interest. A conflict of interest is a situation where there is a fear that certain circumstances may adversely affect the impartial and disinterested performance of official duties. The chairman of the company may not perform the duties of DPO in such a way.
Decision
The President of the Personal Data Protection Office has imposed on Specer sp. z o.o. an administrative fine of 2 700 € for infringement of Article 38 (6) of the GDPR.
For further information:
- Press release: The chairman of a company may not be a DPO at the same time. A fine for Specer (English and Polish)
- Decision in Polish