Tag: GDPR Fines

A short review of the Polish DPA’s enforcement of the GDPR

10. January 2020

To date, the Polish Data Protection Authority (DPA) have issued 134 decisions and imposed GDPR fines in 5 cases. In 4 cases, the Polish DPA fined private companies and in one case, it fined a public institution.

The fines for the companies ranged from 13.000€ to 645.000€. Reasons for the fines were failures in protecting personal data on websites resulting in the unauthorised access of personal data, inadequate technical and organisational measures, and an insufficient fulfilment of information obligations according to Art. 14 GDPR.

It is also noteworthy that the Polish DPA has imposed a 9.350€ fine on the Mayor of a Polish small town. Under Art. 83 (7) GDPR, each member state of the EU may lay down rules on whether and to what extent administrative fines may be imposed on public authorities. The Polish legislators decided that non-compliant public authorities may receive a GDPR fine of up to 23.475€.

The Mayor received the GDPR fine since he failed to conclude a data processing agreement with the entities to which he transferred data in violation of Art. 28 (3) GDPR. Moreover, the Mayor violated the principle of storage limitation, the principles of integrity and confidentiality, the principle of accountability and furthermore kept an incomplete record of processing activities.

Recently, the Polish DPA also published the EU Project T4DATA’s Handbook for Data Protection Officers (DPO) in order to help define a DPO’s role, their competencies and main responsibilities.

Germany: Telecommunications provider receives a 9.5 Million Euro GDPR fine

16. December 2019

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of 9.55 Million Euro on the major telecommunication services provider 1&1 Telecom GmbH (1&1). This is the second multimillion Euro fine that the Data Protection Authorities in Germany have imposed. The first fine of this magnitude (14.5 Million Euro) was imposed last month on a real estate company.

According to the BfDI, the reason for the fine for 1&1 was an inadequate authentication procedure within the company’s customer service department, because any caller to 1&1’s customer service could obtain extensive information on personal customer data, only by providing a customer’s name and date of birth. The particular case that was brought to the Data Protection Authority’s attention was based on a caller’s request of the new mobile phone number of an ex-partner.

The BfDI found that this authentication procedure stands in violation of Art. 32 GDPR, which sets out a company’s obligation to take appropriate technical and organisational measures to systematically protect the processing of personal data.

After the BfDI had pointed 1&1 to the their deficient procedure, the company cooperated with the authorities. In a first step, the company changed their two-factor authentication procedure to a three step authentication procedure in their customer service department. Furthermore, they are working on a new enhanced authentication system in which each customer will receive a personal service PIN.

In his statement, the BfDI explained that the fine was necessary because the violation posed a risk to the personal data of all customers of 1&1. But because of the company’s cooperation with the authorities, the BfDI set the fine at the lower end of the scale.

1&1 has deemed the fine “absolutely disproportionate” and has announced to file a suit against the penalty notice by the BfDI.