Increased activity of the Polish Data Protection Authority

Firstly, in March 2019, the UODO fined one of the credit information agencies – Bisnode Polska sp. z o.o. for failure to fulfil its information obligation resulting from Art. 14 of the GDPR¹. The decision was heavily criticised as being too harsh, in particular in comparison to a similar historic case. In this historic case, the company processed personal data obtained from the register of entrepreneurs of the National Court Register ("NCR"). Such data contains only names and surnames, as well as personal ID of the members of companies' bodies. Except for the company's address, there is no individual contact data regarding those persons. Having in mind that members of the management boards very often are not based (or have never even been to) the company's registered address, contacting them would be very burdensome. In the case against Bisnode Polska sp. z o.o., the company processed also data regarding sole entrepreneurs gathered in other registers (Central Registry and Information on Business Activity and REGON database of the Central Statistical Office). Such registers contain address of such persons and very often, other contact data such as telephone number. Therefore, contact with such persons could be possible. Moreover, according to the newly adopted amendments to the Act on re-use of public sector information, which entered into force in May 2019, the information obligation specified in Art. 14 of the GDPR is not applicable to personal data of natural persons representing legal entities. This means that data concerning management or supervisory board members in companies gathered from publicly available sources (i.e. NCR) does not trigger the information obligation. The exemption, however, does not apply to sole entrepreneurs, whose data is stored in other registers listed above. Although both companies processed publicly available data, Bisnode Polska sp. z o.o. was found not to be GDPR-compliant. The fine in question amounted to PLN 943,470 (approx. EUR 217,850).

Secondly, in April 2019, the UODO imposed a fine of PLN 55,750.50 (approx. EUR 12,872) on a local football association (Lower Silesia Football Association; Dolnośląski Związek Piłki Nożnej; "DZPN"). DZPN disclosed online personal data of sport judges who have been granted judicial licenses. However, the data disclosed contained not only names and surnames but also their exact residence addresses and PESEL (i.e. identification) numbers. Such broad disclosure was not justifiable. DZPN noticed its own breach and notified the UODO about it. However, due to the fact that numerous attempts to remedy the breach were unsuccessful (therefore, the breach lasted for a long time) and as many as 585 judges were affected by it, The UODO decided that the breach in question was serious and consequently fined DZPN. It is worth mentioning that when calculating this fine, The UODO considered also the following mitigating circumstances: smooth cooperation between DZPN and UODO and the fact that the breach did not cause any damage to the data subjects.

In September 2019, the UODO issued a decision imposing a fine which is the biggest one to date and amounts to PLN 2,830,410 (approx. EUR 660,000). The fine was based on the following facts: In November 2018, Morele.net Group – a popular Polish e-commerce player owning numerus online shops offering wide range of various products (including electronic equipment, toys, cosmetics, pet accessories and food, sport equipment and clothing, or furniture) ("Morele.net") notified UODO about two personal data protection breaches and subsequently, in December 2018 – about another breach. All three breaches resulted in an unauthorized access to personal data of the abovementioned on-line shops' clients. Hackers demanded money and threatened to disclose the stolen data to public. Morele.net did not pay the demanded sum and so the database had been published online.

As it turned out, the disclosed personal data contained not only information such as names, telephone numbers, or correspondence addresses but with respect to around 40 thousand customers – their ID cards details, as well as information regarding their financial situation gathered from credit applications (source of income, monthly net income data, costs of living and maintaining a household, number of dependants, marital status, sum of monthly financial obligations). Moreover, UODO discovered that Morele.net did not obtain relevant consents with respect to processing data from credit applications submitted between 2016 and May 2018.

The UODO decided that the organizational and technical measures of personal data protection used by Morele.net were not adequate to the existing risk associated with their processing, which resulted in data of approximately 2.2 million people fell into the wrong hands. There were no adequate and efficient procedures adopted to respond in the event of hacking incident. The UODO argued that the high punishment was required due to the serious nature of the infringement and wide range of data subjects affected. Even though Morele.net had infringed multiple GDPR provisions, UODO stated that the non-compliance with Art. 5 (1) item f of the GDPR (confidentiality obligation) was the most significant one. As stipulated in the justification of the UODO's decision, there is still a high risk of unlawful use of the disclosed data since reasons of the hackers' attack remain unknown. Once again, while calculating the fine, the UODO took into consideration also several mitigating circumstances, the most important of which being: smooth cooperation between Morele.net and the UODO, introducing certain measures reducing the breach, lack of evidence that affected data subjects suffered any damage resulting therefrom.

The decision to impose a fine on Morele.net is another one criticised by commentators as being too severe keeping in mind that Morele.net was a victim of an attack (the data was not leaked by its employees or otherwise by Morele.net). The authority however explained that the fine is a result of poor level of protection of personal data processed and lack of relevant procedures adopted in case of data breach. The UODO's supporters claim that considering that the breach concerned the data of approx. 2.2 million people and the fine amounted to PLN 2,830,410 (approx. EUR 660,000), it is easy to make a rough estimate that the fine for the breach with respect to one data subject amounts to slightly over PLN 1 (PLN 1.29; approx. EUR 0.30). Time will tell whether the fine will fulfil its preventive function and encourage companies to once again verify and strengthen their data protection safeguards.

In October 2019, for the very first time the UODO fined a local government institution – the office of the mayor of Aleksandrów Kujawski (a small Polish town of some 13,000 residents) for non-compliance with the GDPR. The UODO found that the mayor did not conclude relevant data processing agreements with server and software providers for the town's website containing public information (Public Information Bulletin; Biuletyn Informacji Publicznej). Moreover, despite being obliged to do so, the mayor did not carry out relevant risk analysis before using YouTube to transmit recordings of the city council's deliberations. Additionally, the UODO decided that the town lacked relevant internal policies and procedures regulating the publication periods for asset declarations. The fine amounted to PLN 40,000 (approx. EUR 9,400), which is 40 % of the maximum fine that can be imposed on a public entity in Poland. When deciding on the amount of the fine, the UODO took into account, among others, the duration of the infringements, the intentional nature of the infringements (the mayor was aware of the irregularities and nevertheless did not provide any remedies), as well as the lack of cooperation on the part of the mayor. This time, the UODO did not find any mitigating circumstances.  

Author: Daria Rutecka

1 https://gdpr.eu/article-14-personal-data-not-obtained-from-data-subject/