EURO 50 million for infringing the GDPR! – not yet in Poland, but…

The French personal data protection authority has imposed a record fine of Euro 50 million on Google LLC for violations committed in its processing and usage of user data. Earlier decisions from similar institutions in other countries show that liability resulting from infringements of personal data protection law will be an increasingly common phenomenon in EU countries, including Poland.


| Country | Controlled entity | Penalty amount | Control result |
|---|---|---|---|
| Germany | Knuddels (social network) | Euro 200,000 | incorrect storage of user passwords (no data encryption) |
| Portugal | Barreiro-Montijo Hospital | Euro 400,000 | unauthorized access to patients’ clinical data |
| France | Google | Euro 50 million | non-transparent data processing; inadequate information provided to users; no valid consent to personalize advertisements |

Who should be put under the microscope in Poland?

At the beginning of this year, the Office for Data Protection Authority (DPA) presented a sectoral control plan for the next twelve months. According to the DPA, the plan was developed on the basis of received questions, complaints and formal accusations concerning personal data law infringements.

Employers will be controlled as regards their processing of personal data acquired in connection with recruitment. All companies should, if they have not already done so, as quickly as possible evaluate:

  • the scope of data they collect during recruitment;
  • the applicable legal grounds for data processing;
  • the processing period;
  • the protection method.

Additionally, employers’ approach to data processing through video surveillance systems will be controlled, to confirm that they are complying with the new monitoring regulations that entered into force on 25 May 2018.

Industries to be controlled

The verification will cover public registers, the medical sector, education, urban video surveillance monitoring, law enforcement and the judicial system. Controls may also be expected in respect of private entities operating in banking, insurance and call-center sectors, as well as data brokers. Importantly, the DPA plans to review the profiling methods used by banks and insurers, which should be very significant for the customers of such institutions.

The telemarketing business has also led customers to raise many questions and concerns. Accordingly, despite a review having taken place of the operations of call-center companies in the autumn of last year, the DPA decided to re-examine this sector and data brokers as regards the legal grounds they rely upon to justify their processing of personal data.

The DPA will also control entities that provide health services; the review will cover the processing of patients’ personal data in connection with providing their medical records to them.

OPDP reviews (in some cases)

  • may be performed in the absence of the controlled person
  • the controller has the right to enter the company premises from 6:00 a.m. to 10:00 p.m.
  • the office may conduct staff interviews and request access to the documentation
  • can be performed with the assistance of the police
  • can be documented in the form of a recording
  • cannot last longer than 30 days

Entrepreneurs are obliged to provide appropriate conditions and measures to ensure the efficiency of the review procedure and to cover part of its costs.

Controls and penalties on the horizon

The President of the DPA has stated that the first severe GDPR-based fines will soon appear, which represents a real commercial risk for business operations. In order to properly prepare your employees for a potential review, it is worth familiarizing them with the competences and authorizations of the DPA. It is also a good idea to perform a simulated review, to assess how your staff may behave during a real review and to evaluate your business’s readiness for an actual visit of state officials.


How can we help you?

We help you to develop and implement procedures to apply during DPA inspections and proceedings.

We advise you on the documentation you will require during a review and how to implement the accountability principle. We advise you on avoiding or significantly reducing the risk of a DPA review being conducted.

We train your managers, internal personal data protection supervisor and/or your dedicated teams on the appropriate actions to take in the event of a DPA review, and we perform simulated reviews.

We help to protect you against civil claims initiated against natural persons.

We advise and represent you in all proceedings concerning data protection.
