Poland

Main takeaways


  • Fines can be imposed on authorities and public entities, but with significant limitation of such fines.
  • DPA works on the basis of published focus topics. Recently, the DPA's main focus seems to be the processing of data in mobile applications (e.g., for videoconferencing and chat applications) and the security measures used by the companies to protect personal data.
  • Limited transparency regarding GDPR fines, as decisions are only published in certain cases (aggregated information is provided in DPA annual reports). DPA usually publishes the higher fines as “hot topics” as well as fines that can be a good “lesson” for others, even if they are relatively low.
  • Fines > Damages: So far, fines appear to be more significant than damages due to high costs and comparably low amounts of damages awarded, to date. The significance of damage claims is likely to increase in future.

Fining practice

Trend: to date, have the national data protection authorities in Poland focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

It cannot be clearly stated whether the Polish data protection authority – the President of the Personal Data Protection Office (“Urząd Ochrony Danych Osobowych”, “UODO”) – deliberately focuses on certain types of violations. However, recently we have observed that the UODO has increased its activity in terms of imposing fines for violations involving insufficient technical and organisational measures to ensure information security, and insufficient fulfilment of data breach notification obligations. In view of this trend, businesses should consider reviewing their implemented security measures and internal processes as regards personal data breaches. We have also observed that the UODO imposed fines/corrective measures more frequently owing to failures to cooperate with the UODO. Therefore, companies should not ignore any letters from the UODO.

Fines imposed in Poland have so far covered a fairly balanced range of sectors, in particular the financial sector, the insurance sector, telecommunications and public sector entities.

The UODO carries out inspections in accordance with its annual audit plans and outside the scope of its audit plan. Each year the UODO publishes its Sectoral Inspection Plan (“Plan”). According to the Plan for 2023, the UODO intends to focus its inspections on:

  • Businesses that process personal data using mobile applications;
  • Businesses that process personal data with the use of internet (web) applications;
  • Authorities processing personal data in the Schengen Information System and the Visa Information System.

Given that last year's Sectoral Inspection Plan focused on compliance with the rules on the exchange and protection of personal data in mobile applications, it seems that the UODO has recently focused its attention on modern companies, for which video conferencing and chatting applications have become an integral part of daily business.

Overall, what was the most significant fine in Poland to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

According to the publicly available information, the highest GDPR fine in Poland to date was imposed on Fortum Marketing and Sales Polska S.A. (an energy and gas provider) ("Fortum"), on 19 January 2022, in the amount of PLN 4,911,732 (approx. EUR 1,067,767) for failing to implement appropriate technical and organisational measures to ensure personal data security and for failing to verify the processor. In turn, the processor, PIKA sp. z o.o. (“PIKA”), received a fine of PLN 250,000 (approx. EUR 54,348).

Summary – background

The UODO commenced its investigation, following a notification of a data breach from Fortum. The data breach concerned the copying of a customer database by unauthorised third parties. The data breach happened when the processor, PIKA, was introducing changes in the ICT environment. Because the server on which the database was deployed lacked appropriate configurations to ensure the security of data transmitted from the new server to other ICT components, the unauthorised persons copied Fortum's customer database. The controller found out about the incident not from the processor, but from two independent Internet users who notified it that they had unauthorised access to the database.

Findings of the UODO

The UODO found that Fortum did not carry out audits, including inspections, to verify that PIKA had correctly fulfilled its obligations under the GDPR. The processor acted contrary to generally recognised ISO standards, while also acting contrary to the provisions of its own "Security Policy" which refers to said standards.

Additionally, the UODO found that the technical and organisational measures applied by Fortum only met the requirements specified in Article 32 of the GDPR to a very limited extent. Fortum did not enforce its own agreement with the processor, did not follow its own practice of implementing changes to the IT environment based on internal regulations, and did not audit the processor with regard to its activities, in order to improve the functioning of the service.

The customer database contained personal data such as residence information, personal identification numbers, ID card numbers and series, and agreement dates. The data breach concerned about 137,314 of Fortum’s customers.

Fortum has appealed the UODO decision but there is as yet no publicly available information on the outcome of the appeal proceedings.


Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in Poland? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

  • In Poland there is one central Data Protection Authority - the UODO.
  • The UODO is appointed by the Sejm (the lower house of the Polish Parliament) subject to the approval of the Senate (the higher house of the Polish Parliament).
  • In 2021 the UODO’s budget was PLN 39,246,000 (approx. EUR 8,350,000) and it employed 267 people at the end of 2021.
  • In addition, a violation of some rules, e.g. direct marketing, may result in action being taken by other authorities, such as the President of the Office for Competition and Consumer Protection or the President of the Office for Electronic Communications.

How does a fine procedure work in Poland? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

  • Fines can be directly imposed by the UODO as part of administrative proceedings, which are single instance.
  • In general, the UODO carries out inspections resulting in fines/corrective measures in accordance with its annual audit plans and outside the scope of its audit plan. However, quite frequently, inspections are commenced as the consequence of ongoing general administrative proceedings owing to a complaint made by an individual person or a breach notification.
  • The procedure usually starts with a formal notification to the relevant entity on the opening of proceedings regarding a particular entity (i.e. a non-public notification). In the course of the proceedings, the UODO contacts the controller/processor to obtain the relevant information.
  • The entity subject to inspection has the opportunity to present its view on the factual and legal aspects of the case before the UODO issues its final decision.
  • Not all proceedings end with a financial penalty. The UODO more often imposes corrective measures on the entities in the form of a “reprimand” ("upomnienie").
  • The decisions of the UODO may be appealed to the competent administrative courts (the Provincial Administrative Court; "Wojewódzki Sąd Administracyjny").

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

Funds from administrative fines constitute State budget revenue. They are not contributed to the UODO itself.

Is there a common, official calculation methodology of fines in Poland (such as the fining models in the Netherlands or Germany)?

  • The UODO has not adopted one common, official calculation methodology for fines. As the UODO stresses, each case is examined individually, analysing the factual and legal situation as of the date of the decision.
  • However, the UODO relies on the Guidelines 04/2022 on the calculation of fines under GDPR, and it even confirms this on its official website.

Can public authorities be fined in Poland? If they can: Where does this money go?

Yes, public authorities may be fined by the UODO. A limitation on administrative fines for public bodies was introduced at up to PLN 100,000 (approx. EUR 21,740), or up to PLN 10,000 (approx. EUR 2,174) for cultural institutions.

In Poland, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

  • There is no comprehensive publication of fines, as the UODO is not obliged to publish each fine.
  • The decisions are published if the UODO deems it justified by the public interest. Publicly available decisions can be accessed online (only available in Polish here).
  • If the UODO issues a decision establishing that a violation has occurred, units within the public finance sector, research institutes and the National Bank of Poland must provide public information as to the actions taken to implement the decision. 
  • As a general rule, fined entities are not anonymised by the UODO in its publications. However, due to the privacy of an individual or business confidentiality, the UODO may decide to anonymise the data.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2021?

  • Each year the UODO publishes a report on its activities. The reports provide aggregated information on the total number of cases and fines. They are available online here (in Polish only).
  • In 2019 the UODO issued 1,369 administrative decisions, including 8 decisions imposing fines of a total amount of PLN 3,167,160.50 (approx. EUR 673,864.00). In total, there were 6,039 data breach notifications and 9,304 data subject claims.
  • In 2020 the UODO issued a total of 1,866 administrative decisions, including 11 decisions imposing fines of a total amount of PLN 3,446,800.20 (approx. EUR 733,362.00). In total, there were 7,507 data breach notifications and 6,442 data subject claims.
  • In 2021 the UODO issued a total of 2,082 administrative decisions, including 18 decisions imposing fines of a total amount of PLN 2,198,007.00 (approx. EUR 467,661.00). In total, there were 12,946 data breach notifications and 8,318 data subject claims.
  • The information for 2022 has not yet been published by the UODO.

Other legal consequences of non-compliance

Does Poland have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

  • The possibility of bringing a class action for a personal data protection breach is not clear-cut in Poland. Under the Polish Class Actions Act it is possible to bring claims for compensation (of a pecuniary nature) based on Article 82 of the GDPR in declaratory proceedings/class action. However, it is not possible to pursue class actions claims for reparations of a non-pecuniary nature based on Article 79 of the GDPR, in conjunction with the violation of personal interest.
  • However, at this time, no declaratory proceedings/class action claims have been initiated in Poland for damages or compensation related to a personal data breach. Therefore, it is difficult to clearly establish the possibility of lodging declaratory proceedings / a class action claim based on a breach of data protection regulations.
  • In addition, the infringement of data protection regulations may simultaneously infringe the collective interest of consumers. In this case, the matter shall be handled by the Office for Competition and Consumer Protection. If such a violation is proven, it will be possible to start declaratory proceedings / a class action claim.

What is more relevant in Poland: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

  • At present, fines issued by the UODO are much more relevant than private litigation regarding data protection infringements, which is relatively rare. Most likely, this is due to the high litigation costs paired with low claims for damages.
  • Nonetheless, we notice an increase in the enforcement of data subjects' rights which will likely bring about more litigation in this area in the near future.

Key contacts

Tomasz Koryzma
Partner
Head of IP/TMC, Poland and Head of IP, CEE
Warsaw
T +48 22 520 8479
Adriana Zdanowicz - Lesniak
Senior Associate
Warsaw
T +48 22 520 5542
Damian Karwala
Counsel
Warsaw
T +48 22 520 8338