A short review of the Polish DPA’s enforcement of the GDPR
To date, the Polish Data Protection Authority (DPA) have issued 134 decisions and imposed GDPR fines in 5 cases. In 4 cases, the Polish DPA fined private companies and in one case, it fined a public institution.
The fines for the companies ranged from 13.000€ to 645.000€. Reasons for the fines were failures in protecting personal data on websites resulting in the unauthorised access of personal data, inadequate technical and organisational measures, and an insufficient fulfilment of information obligations according to Art. 14 GDPR.
It is also noteworthy that the Polish DPA has imposed a 9.350€ fine on the Mayor of a Polish small town. Under Art. 83 (7) GDPR, each member state of the EU may lay down rules on whether and to what extent administrative fines may be imposed on public authorities. The Polish legislators decided that non-compliant public authorities may receive a GDPR fine of up to 23.475€.
The Mayor received the GDPR fine since he failed to conclude a data processing agreement with the entities to which he transferred data in violation of Art. 28 (3) GDPR. Moreover, the Mayor violated the principle of storage limitation, the principles of integrity and confidentiality, the principle of accountability and furthermore kept an incomplete record of processing activities.
Recently, the Polish DPA also published the EU Project T4DATA’s Handbook for Data Protection Officers (DPO) in order to help define a DPO’s role, their competencies and main responsibilities.