


The Polish supervisory authority imposes its first penalty on a public entity


The President of the Personal Data Protection Office (PDPO), a Polish supervisory authority, has imposed its first administrative penalty on a public sector entity – a city mayor.

The penalty amounts to PLN 40,000, which is substantial given that under Polish law the maximum administrative fine that may be imposed on local authorities is PLN 100,000.

The main charge given for the penalty was a breach of Article 28(3) GDPR – the city mayor did not sign a data processing agreement with the entity on whose servers the data from the Public Information Bulletin (Polish: BIP) website were stored, the provider of the software for creating the BIP website, and the provider of the software maintenance services. As a result, personal data were made available without legal grounds, which breached the principle of the lawful processing of personal data set out in Article 5(1)(a) GDPR and the principle of confidentiality set out in Article 5(1)(f) GDPR.

BIP is a standardised system of websites on which individual local government units must publish up-to-date information about themselves in order to ensure the general availability of public information.
The PDPO also found that the data controller had not established appropriate data retention rules. The BIP website contained declarations of assets dating back to 2010, whereas by law such data may be processed for no more than 6 years. This was a breach of the storage limitation principle set out in Article 5(1)(e) GDPR, according to which the data controller may retain personal data for no longer than is necessary for the purposes for which the personal data are processed.

The proceedings also revealed that the data controller did not make backup copies of recordings of the city council meetings; those recordings were published only on the YouTube channel, which, the PDPO believed, created a risk that the data would be lost one day. The data controller did not carry out a risk analysis in respect of publishing the recordings exclusively on YouTube, thus breaching the principle of integrity and confidentiality set out in Article 5(1)(f) and the principle of accountability set out in Article 5(2) GDPR.

Additionally, the Personal Data Processing Register was found to be incomplete. It did not include, for example, some data recipients and the planned erasure of data for some data processing activities.
In his justification of the penalty amount, the President of the PDPO noted that there were no mitigating circumstances. During the proceedings the data controller did not cooperate with the supervisory authority, did not remove the identified irregularities, and did not implement any solutions to prevent data breaches in the future. The data processor was obligated by virtue of a relevant decision to remove the identified breaches within 60 days.

Contact


Paweł Foltman

Attorney at Law

+48 58 582 65 86

