Publication 15 May 2024 · Luxembourg

Poland

Main takeaways


  • The DPA works on the basis of published focus topics. In 2024, the DPA’s main focus is on the processing of personal data in web applications (a continuation of the 2023 inspection), as well as compliance with the information obligations under Articles 13 and 14 of the GDPR (see the UODO’s sectoral inspection plan (EN) for 2024). Analysis of the UODO’s decisions shows that significant attention is also paid to the security measures used by companies to protect personal data and to compliance with the GDPR breach notification obligations.
  • On 26 January 2024, a new DPA was appointed by the Polish Parliament. The new DPA is very active, and his main focus is on the protection of citizens’ rights (e.g. he cooperates with the ombudsman for children’s rights). He also seeks dialogue with various market sectors (in Q1 2024 he met, among others, the Association for Data Protection in the Medical Sector and the Chamber of the Electronics Industry).
  • To date, there is limited transparency regarding GDPR fines, as decisions are published only in selected cases (aggregated information is provided in the DPA’s annual reports). The DPA usually publishes the higher fines as “hot topics”, as well as fines that can serve as a “lesson” for others, even if they are relatively low.
  • Fines > damages: so far, fines appear to be more significant than damages, owing to high litigation costs and the comparatively low amounts of damages awarded to date. The significance of damage claims is likely to increase in future.

Fining practice

Trend: Have the national data protection authorities in Poland focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

It cannot be clearly stated whether the Polish data protection authority – the President of the Personal Data Protection Office (“Prezes Urzędu Ochrony Danych Osobowych”, “UODO”) – deliberately focuses on certain types of violations. However, we observe that the UODO has increased its activity in imposing fines for violations involving insufficient technical and organisational measures to ensure information security, and for insufficient fulfilment of data breach notification obligations. For example, in April 2024 the UODO published information about another significant fine imposed on one of the top banks in Poland, Santander (namely PLN 1,440,000, approx. EUR 334,884,000), for failing to report a personal data breach. In view of this trend, businesses should consider reviewing the security measures they have implemented and their internal processes for handling personal data breaches. We also observe that the UODO more often imposes fines/corrective measures for non-cooperation with the UODO. Therefore, companies should not ignore any letters from the UODO.

Fines imposed in Poland have so far covered a fairly balanced range of sectors, in particular the financial sector, the insurance sector, telecommunications, and public sector entities.

The UODO carries out inspections in accordance with its annual audit plans and outside the scope of its audit plan. Each year the UODO publishes its Sectoral Inspection Plan (“Plan”). According to the Plan for 2024, the UODO intends to focus its inspections on:

  • Businesses that process personal data with the use of internet (web) applications (continuation of the control from 2023);
  • Private entities’ (businesses) compliance with the information obligation under Article 13 and 14 of the GDPR;
  • Authorities processing personal data in the Schengen Information System and the Visa Information System.

Given that the last two plans, for 2022 and 2023, also focused on compliance with the rules on the exchange and protection of personal data in mobile applications, it seems that the UODO has recently focused its attention on modern businesses, for which mobile solutions, including video conferencing and chat applications, have become an integral part of daily business. However, the UODO also stresses the importance of clear, easy-to-understand, transparent Privacy Policies, so it seems that it has taken the message from the various EU cases (including Meta’s case) concerning what Privacy Policies should look like to meet the GDPR standards. The UODO also supports the layered approach to information obligations.

Overall, what was the most significant fine in Poland to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

According to the publicly available information, the highest GDPR fine in Poland to date was imposed on Fortum Marketing and Sales Polska S.A. (an energy and gas provider) (“Fortum”), on 19 January 2022, to the amount of PLN 4,911,732 (approx. EUR 1,114,741) for failing to implement appropriate technical and organisational measures to ensure personal data security and for failing to verify the processor. In turn, the processor, PIKA sp. z o.o. (“PIKA”), received a fine of PLN 250,000 (approx. EUR 58,267).

Summary – background

The UODO commenced its investigation following a notification of a data breach from Fortum. The data breach concerned the copying of a customer database by unauthorised third parties. It happened while the processor, PIKA, was introducing changes to the ICT environment. Because the server on which the database was deployed was not configured appropriately to ensure the security of data transmitted from the new server to other ICT components, the unauthorised persons were able to copy Fortum’s customer database. The controller found out about the incident not from the processor, but from two independent Internet users who notified it that they had obtained unauthorised access to the database.

Findings of the UODO

The UODO found that Fortum did not carry out audits, including inspections, to verify whether PIKA had correctly fulfilled its obligations under the GDPR. The processor acted contrary to generally recognised ISO standards, while also running contrary to the provisions of its own "Security Policy" which refers to said standards.

Additionally, the UODO found that the technical and organisational measures applied by Fortum met the requirements of Article 32 of the GDPR only to a very limited extent. Fortum did not enforce its own agreement with the processor, did not follow its own practice of implementing changes to the IT environment in accordance with internal regulations, and did not audit the processor’s activities with a view to improving the functioning of the service.

The customer database contained personal data such as residence information, personal identification numbers, ID numbers and series and agreement dates. The data breach concerned about 137,314 of Fortum’s customers.

Appeal proceedings

Fortum appealed the UODO’s decision to the Provincial Administrative Court, and the court of first instance annulled the UODO’s decision in 2023. However, the UODO is contesting the court’s ruling and has appealed to the Supreme Administrative Court, so the matter is not yet final.

Landmark 2024 decision

Another very recent landmark case, from April 2024, concerns the UODO’s decision to fine one of the largest Polish banks, Santander Bank Polska S.A., PLN 1,440,000 (approx. EUR 334,884,000) for failing to notify a data breach. In this case the bank did not notify a data breach concerning a parcel of bank documents, lost by a courier, containing personal data such as PESEL numbers, bank usernames and passwords, ID numbers, etc.

Shortly after the parcel was lost by the courier, it was found by an identified person, who took it directly to the police station and stated that he had not copied the documents found. Nevertheless, the UODO indicated that the security of personal data was more important than the interests of the data controller. Moreover, the lack of a data breach notification had prevented the affected persons from responding appropriately to the breach, which could have had serious consequences for them. It had also deprived the UODO of the opportunity to assess whether the bank had implemented appropriate safeguards to avoid such incidents in the future.

Organisation of authorities and course of fine proceedings in Poland

How is the data protection authority organised in Poland? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

  • In Poland there is one central Data Protection Authority: the UODO.
  • The President of the UODO is appointed by the lower house of the Polish Parliament (“Sejm”), subject to the approval of the Senate (the upper house of the Polish Parliament).
  • In 2021 the UODO’s budget was PLN 39,246,000 (approx. EUR 9,149,000) and it employed 267 people at the end of 2021. In 2022 the UODO’s budget was PLN 41,713,000 (approx. EUR 9,714,000) and it employed 243 people at the end of 2022.
  • In addition, a violation of some rules, e.g. on direct marketing, may result in action being taken by other authorities, such as the President of the Office for Competition and Consumer Protection or the President of the Office for Electronic Communications.

How does a fine procedure work in Poland? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

  • Fines can be imposed directly by the UODO as part of administrative proceedings, which are single-instance.
  • In general, the UODO carries out inspections resulting in fines/corrective measures in accordance with its annual audit plans and outside the scope of its audit plan. However, inspections are quite frequently commenced as a consequence of ongoing general administrative proceedings arising from a complaint made by an individual or from a breach notification.
  • The procedure usually starts with a formal notification to the relevant entity of the opening of proceedings concerning that entity (i.e. a non-public notification). In the course of the proceedings, the UODO contacts the controller/processor to obtain the relevant information.
  • The entity subject to inspection has the opportunity to present its view on the factual and legal aspects of the case before the UODO issues its final decision.
  • Only some cases end with a financial penalty. The UODO more often imposes corrective measures on entities in the form of a “reprimand” (“upomnienie”).
  • The decisions of the UODO may be appealed to the competent administrative courts (the provincial administrative courts; “wojewódzkie sądy administracyjne”). The lower administrative court’s ruling may subsequently be challenged before the court of second instance, the Supreme Administrative Court (“Naczelny Sąd Administracyjny”).

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

Funds from administrative fines constitute state budget revenue. They do not contribute to the UODO itself.

Is there a common, official calculation methodology for fines in Poland (such as the fining models in the Netherlands or Germany)?

  • The UODO has not adopted a common, official calculation methodology for fines. As the UODO stresses, each case is examined individually, analysing the factual and legal situation as of the date of the decision.
  • However, the UODO relies on the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, and it confirms this on its official website.

Can public authorities be fined in Poland? If they can: Where does this money go?

Yes, public authorities may be fined by the UODO. A limitation on administrative fines for public bodies was introduced at up to PLN 100,000 (approx. EUR 23,309), or up to PLN 10,000 (approx. EUR 2,331) for cultural institutions.

Funds from administrative fines constitute state budget revenue. They do not contribute to the UODO itself.

In Poland, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

  • There is no comprehensive publication of fines, as the UODO is not obliged to publish each fine.
  • Decisions are published if the UODO deems it justified by the public interest, in particular where a fine allows the UODO to “send a message” to Polish companies, as in the Santander case. Publicly available decisions can be accessed online (in Polish only).
  • If the UODO issues a decision establishing that a violation has occurred, units within the public finance sector, research institutes and the National Bank of Poland must provide public information on the actions taken to implement the decision.
  • As a general rule, fined entities are not anonymised by the UODO in its publications. However, out of regard for an individual’s privacy or business confidentiality, the UODO may decide to anonymise the data.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

Each year the UODO publishes a report on its activities. The reports provide aggregated information on the total number of cases and fines. They are available online (in Polish only).

  • In 2019 the UODO issued 1,369 administrative decisions, including 8 decisions imposing fines totalling PLN 3,167,160.50 (approx. EUR 737,758.40). In total, there were 6,039 data breach notifications and 9,304 data subject claims.
  • In 2020 the UODO issued a total of 1,866 administrative decisions, including 11 decisions imposing fines totalling PLN 3,446,800.20 (approx. EUR 802,812.50). In total, there were 7,507 data breach notifications and 6,442 data subject claims.
  • In 2021 the UODO issued a total of 2,082 administrative decisions, including 18 decisions imposing fines totalling PLN 2,198,007.00 (approx. EUR 511,963.90). In total, there were 12,946 data breach notifications and 8,318 data subject claims.
  • In 2022 the UODO issued a total of 2,030 administrative decisions, including 20 decisions imposing fines totalling PLN 7,850,861.00 (approx. EUR 1,828,488.65).

The UODO’s report for the year 2023 is not yet publicly available; it should be published no later than 31 August 2024.

Other legal consequences of non-compliance in Poland

Does Poland have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

  • The possibility of bringing a class action for a personal data protection breach is not clear-cut in Poland. Under the Polish Class Actions Act it is possible to bring claims for compensation (of a pecuniary nature) based on Article 82 of the GDPR in declaratory proceedings/class actions. However, it is not possible to pursue class action claims for reparation of a non-pecuniary nature based on Article 79 of the GDPR in conjunction with a violation of personal interests.
  • At this time, no declaratory proceedings/class action claims have been initiated in Poland for damages or compensation related to a personal data breach. Therefore, it is difficult to clearly establish the possibility of lodging declaratory proceedings/a class action claim based on a breach of data protection regulations.
  • In addition, an infringement of data protection regulations may simultaneously infringe the collective interests of consumers. In that case, the matter is handled by the Office for Competition and Consumer Protection. If such a violation is proven, it will be possible to start declaratory proceedings/a class action claim.

What is more relevant in Poland: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

At present, fines issued by the UODO are much more relevant than private litigation regarding data protection infringements, which is relatively rare. Most likely, this is due to high litigation costs paired with low amounts of damages claimed.

Nonetheless, we notice an increase in the enforcement of data subjects' rights which will likely bring about more litigation in this area in the future.