Since the EU General Data Protection Regulation became applicable, the Polish President of the Office for Personal Data Protection has imposed five administrative fines for noncompliance with personal data protection rules, most of them for infringements of the security and confidentiality of personal data.

Enforcement action has been taken against both the public and the private sector, though it's worth noting that four of the five enforcement actions have been against the private sector.

Public sector

In October, the data protection authority imposed the first penalty on a public entity. A fine of approximately 9,350 euros was imposed on the mayor of Aleksandrów Kujawski city for, among other things, having failed to conclude a data-processing agreement.

Among the infringements committed by the mayor, the DPA also cited:

  • Failure to comply with a confidentiality rule.
  • Failure to comply with the storage-limitation principle.
  • The absence of internal procedures for reviewing the resources published in the public records bulletin to determine how long they should remain published.
  • Infringement of the accountability principle, given the existence of missing entries in the record of processing activities.

It should be noted that this penalty is relatively high for a public body. Pursuant to the Polish Personal Data Protection Act, the president of the DPA may fine public finance sector entities, research institutes and the National Bank of Poland up to approximately 23,475 euros, so this fine is roughly 40% of the statutory maximum.

Private sector

So far, the DPA has issued more than 134 decisions and imposed four financial penalties on private entities for violations of the GDPR.

In October, a fine of approximately 47,000 euros was imposed on a company from the marketing industry for failure to implement appropriate technical and organizational measures to enable a data subject to easily and effectively withdraw their consent to the processing of personal data and to exercise the right to request the immediate deletion of personal data (the right to be forgotten). 

In September 2019, a fine of approximately 660,000 euros was imposed on an e-commerce website for insufficiently protecting the security and confidentiality of personal data, which resulted in unauthorized access to a database of 2,200,000 users.

In April, a fine of approximately 13,000 euros was imposed on the football sports union for failing to secure and ensure the confidentiality of personal data after it published the personal details of football referees on its website.

And, finally, in March, a fine of approximately 221,000 euros was imposed on an entity for failure to comply with the information obligation arising from Article 14 of the GDPR.

To date, more than 5,000 complaints about noncompliance with the GDPR's provisions have been recorded in Poland, one of the highest figures in Europe. Together with the fines above, this shows that financial penalties are real and that data protection within organizations is an important issue. The management boards of companies recognize they need to place more emphasis on compliance within their organizations.

Prevention pays

What should you do to avoid high penalties such as those described above and to be prepared for possible inspections by the DPA? In accordance with the principle "prevention is better than the cure," it is necessary to ensure your business complies with the provisions of personal data protection law. Review your company's compliance with personal data protection rules, not only from a legal perspective, but also by verifying that its IT security measures meet the applicable requirements.
