First penalty for a public body for violation of the GDPR. What penalties can the President of the Personal Data Protection Office impose for an infringement of personal data protection rules?
For what violations has the penalty been imposed?
The Mayor of Aleksandrów Kujawski was found to have committed a number of violations related to the processing of personal data, including:
- making personal data available to subcontractors with whom no personal data processing outsourcing agreement had been concluded,
- deficiencies in the register of processing activities, e.g. failure to record, for certain processes, the planned date of deletion of the processed personal data and the recipients of personal data,
- failure to conduct a risk analysis in connection with the broadcasting of City Council sessions on YouTube, and failure to implement appropriate technical and organisational measures to protect that data, in particular making and storing back-up copies of the recordings.
The amount of the administrative penalty
The total financial penalty imposed on the Mayor of Aleksandrów Kujawski amounted to PLN 40,000. It is worth remembering, however, that under the Personal Data Protection Act the maximum administrative fines that can be imposed on public entities are much lower than those provided for by the GDPR. The maximum penalty for public sector entities, research institutes and the NBP is PLN 100,000, and for cultural institutions it is only PLN 10,000.
If similar infringements were committed by a private party, the maximum administrative penalty could be as high as EUR 20,000,000 and, in the case of a company, up to EUR 20,000,000 or up to 4% of its total annual worldwide turnover in the preceding business year (whichever is higher). For less serious infringements, e.g. those relating to the entrustment of personal data processing, the fine is up to EUR 10,000,000 and, for a company, up to EUR 10,000,000 or up to 2% of its total annual worldwide turnover in the preceding business year (whichever is higher).
The penalty is converted into PLN according to the average EUR exchange rate as of 28 January of a given year.
What else besides a financial penalty?
The President of the Personal Data Protection Office may also order, together with or even instead of an administrative fine, that appropriate measures be taken, e.g. an order to:
- limit or stop the processing of personal data (including temporarily),
- inform the data subjects of the breach,
- comply with requests from data subjects, e.g. to delete personal data,
- compile or supplement documentation on the protection of personal data,
- implement appropriate organisational and technical measures to protect the data.
A reminder or warning may also be issued.
In the decision discussed here, the Mayor of Aleksandrów Kujawski was obliged to undertake a number of actions to bring data processing into line with the GDPR, including supplementing the register of processing activities with the missing information, implementing a personal data retention policy, and refraining from transferring personal data to the subcontractor until a personal data processing outsourcing agreement has been concluded.
A breach of personal data protection rules does not always result in the imposition of an administrative financial penalty. Sometimes, however, the obligation to take additional measures may be just as severe as a financial penalty, e.g. when a ban on processing personal data prevents the entity from functioning.