The public sector also pays for non-compliance with the GDPR …

Since the application of the GDPR, the President of the Office for Personal Data Protection (PUODO) has already imposed 4 administrative-financial penalties for non-compliance with personal data protection rules.

Public sector

A few days ago, PUODO imposed the first penalty on a public entity. A fine of PLN 40,000 was imposed on the mayor of Aleksandrów Kujawski, amongst other things for having failed to conclude a contract entrusting the processing of personal data.

Among the “offences” committed by the mayor, PUODO also indicated:

•    the lack of a confidentiality rule;

•    failure to comply with the limited storage principle;

•    the absence of internal procedures for reviewing the resources available in BIP to determine the period of their publication;

•    infringement of the accountability principle due to missing processing activities in the register.

It should be noted that the penalty imposed by the PUODO is relatively high. Pursuant to the Personal Data Protection Act, the President of UODO may impose on public finance sector entities, research institutes and the National Bank of Poland a fine of up to PLN 100,000.

The maximum fine imposed on an operator may amount to EUR 20 million or up to 4% of its total annual global turnover from the previous financial year.

Private Sector

So far, PUODO has issued 134 decisions and imposed 3 financial penalties on private entities for violations of the GDPR:

•   in September 2019, a fine of over PLN 2.8 million was imposed on the e-commerce service morele.net for insufficient security of personal data,

•   in April 2019, a fine of almost PLN 56,000 was imposed on the sports union for publishing the personal details of football referees on their website,

•   in March 2019, a fine of nearly PLN 1 million was imposed on a Bisnode entity for failure to comply with the information obligation.

To date, over 5,000 complaints have been recorded in Poland about non-compliance with the GDPR’s provisions. This is one of the highest results in Europe.

This indicates that financial penalties are real and that data protection within organizations is an important issue. The management boards of companies recognize that they need to place more emphasis on compliance within their organizations.

Prevention pays

What should you do to avoid high penalties such as those described above and to be prepared for possible inspections by the PUODO? In accordance with the principle “Prevention is better than the cure”, it is necessary to ensure that your business complies with the provisions of personal data protection law.

As part of our services, we offer a comprehensive review of your company’s compliance with personal data protection rules, and not only from a legal perspective. Together with our business partner – the recognized technology company Seqred S.A. – we also provide IT security compliance verification with applicable requirements.

Please feel free to contact us so that our team can help you to verify your compliance with data protection regulations.
