
Polish DPA Fines Entrepreneur for Ignoring Order to Notify Data Subjects

By DAC Beachcroft

Published 30 April 2021

Overview

The Polish Data Protection Authority (the “Polish DPA”) has imposed an administrative fine amounting to EUR 20,000 (PLN 85,000) on an entrepreneur for failing to comply with an order to notify data subjects of a personal data breach. This is the first fine imposed by the Polish DPA for non-compliance with an administrative order under the GDPR. The decision provides a useful reminder that data protection regulators can, and do, order data subject notification even where a controller has concluded that the threshold under Article 34 GDPR has not been met.

Background

The entrepreneur was undertaking an economic activity in the healthcare sector when a personal data breach occurred. The Polish DPA ordered the entrepreneur to communicate the breach to its patients and to provide them with recommendations on how to minimise the potential adverse effects of the incident.

The Polish DPA went so far as to provide the entrepreneur with the wording of the communication to data subjects, together with instructions on the method of delivery. However, the entrepreneur failed to notify data subjects, which left them unable to understand the nature of the breach and its possible consequences.

In light of the entrepreneur’s failure to notify data subjects, the Polish DPA commenced ex officio proceedings to enforce compliance.

Decision

In deciding the fine, the Polish DPA took into consideration:

  1. the long duration of the breach, which increased the risk of adverse effects to the subjects affected by the breach;
  2. the intentional nature of the breach of the Polish DPA’s order to notify data subjects; and
  3. the unsatisfactory level of cooperation with the supervisory authority to remedy the breach (i.e. to follow the Polish DPA’s recommendations).

The entrepreneur’s failure to comply with the guidelines provided by the Polish DPA showed a total disregard for its data protection obligations as a controller.

Conclusion

The Polish DPA’s decision serves as a reminder that, in case of non-compliance, the supervisory authority can, under Article 58(2) GDPR, use its corrective powers to impose administrative fines and/or order the communication of a personal data breach to data subjects.

It also demonstrates that compliance with the recommendations of the supervisory authority is expected and will be enforced. This element of the decision serves as a reminder of the importance of keeping accurate records of the actions taken in notifying data subjects.