The Polish supervisory authority imposes an administrative fine for not having data processing agree


The President of the Personal Data Protection Office ("the President of the Office") imposed the first administrative fine on a public entity for non-compliance with the GDPR: PLN 40,000. The reason for the fine was that the mayor of the city had no data processing agreements with the third parties with whom he shared personal data.

No data processing agreement had been concluded with the company whose servers hosted the resources of the Public Information Bulletin (BIP) of the City Hall in Aleksandrów Kujawski.

Nor had such an agreement been concluded with another company, which supplied the software used to create the BIP and provided related services. The President of the Office concluded that Article 28(3) of the GDPR had been breached.

This provision obliges a controller whose personal data processing is carried out by another entity to conclude a data processing agreement with that entity.

As a consequence of not having these agreements, the mayor shared personal data without a legal basis, which violated the principle of lawfulness of processing (Article 5(1)(a) of the GDPR) and the principle of confidentiality (Article 5(1)(f) of the GDPR).

These were not the only infringements established during the inspection carried out by the President of the Office. It was found that there were no internal procedures for reviewing the resources published in the BIP in order to determine how long they should remain available. Among other items, asset declarations from 2010 were still available in the BIP, although the retention period for them is six years under the sectoral regulations. For data whose retention period is not set by law, the controller should determine it himself according to the purposes for which the data are processed. The controller therefore violated the principle of storage limitation, set out in Article 5(1)(e) of the GDPR.

It was also established during the inspection that recordings of city council sessions were available in the BIP only through a link to a dedicated YouTube channel. The Municipal Office held no backup copies of these recordings. Consequently, if the data stored on YouTube were lost, the controller would no longer have the recordings at his disposal. No risk analysis had been carried out for publishing recordings of council sessions solely on YouTube. In this way, the principles of integrity and confidentiality (Article 5(1)(f) of the GDPR) were infringed, as well as the principle of accountability (Article 5(2) of the GDPR).

The principle of accountability was also breached by deficiencies in the register of processing activities. For example, it did not list all data recipients, nor did it indicate the planned date of data erasure for certain processing activities.

When imposing the penalty, the President of the Office took into account that, despite the irregularities found during the proceedings, the controller neither removed them nor implemented measures aimed at preventing future infringements. The controller also did not cooperate with the supervisory authority. Consequently, the President of the Office found no grounds that could mitigate the amount of the fine.

In addition to the financial penalty, the President of the Office also ordered the controller to take action to remedy the relevant infringements within 60 days.