Recently, the President of the Office for the Protection of Personal Data (PUODO) has often resorted to disciplinary measures against entrepreneurs who did not cooperate in control proceedings, imposing three financial penalties of PLN 5,000, PLN 15,000 and PLN 100,000 respectively. In two cases, the reason for the penalty was the failure to reply to correspondence addressed to the inspected entity - after the third unsuccessful request for an oral hearing, a penalty was imposed on the passive traders. The National Chief Surveyor will have to pay as much as PLN 100,000 for refusing to give consent to the control activities.
PUODO explained that a lack of cooperation during an inspection results in a lengthy procedure, which negatively affects the rights of the data subjects. For this reason, disciplinary measures in the form of penalties are taken against the inspected entities. It is therefore worth knowing how an inspected entity should cooperate with PUODO during an inspection in order to avoid penalties.
What are the inspected entity's responsibilities?
According to the Personal Data Protection Act, the inspected entity should:
- provide access to land, buildings, premises or other rooms - that is, wherever it operates and personal data may be processed - between 6:00 and 22:00,
- provide access to documents and information directly related to the scope of the inspection - this mainly means documentation concerning the processing of personal data, e.g. policies, registers of processing activities, contracts, forms, clauses, etc.; the scope of the documents requested should be in line with the scope of the authorisation to carry out the inspection,
- make available for visual inspection (on-site visit) places, objects, devices, media and IT systems for storing data (e.g. external drives to verify their encryption, server rooms to verify security),
- provide written or oral explanations at the request of the inspectors (failure to collect mail containing a call for explanations in connection with reporting a data protection breach by the inspector was the basis for imposing one of the penalties on entrepreneurs who do not cooperate with PUODO),
- provide the inspector and persons authorised to participate in the inspection with the conditions and means necessary for the efficient conduct of the inspection, including making and certifying copies or print-outs of documents and information (e.g. provide, if necessary, a room to examine the documentation and hear witnesses, and access to the Internet).
Violation of the above obligations may expose the inspected entity to sanctions by PUODO.
What else should be kept in mind during an inspection?
- An inspection may or may not be announced. Therefore, it is important to carefully examine the credibility and scope of the authorisations that the office's employees hold. Unfortunately, there have recently been cases of false inspections by people claiming to be PUODO officials.
- The inspection may cover not only controllers, but also entities entrusted with data processing.
What is the risk of not cooperating with an inspection?
Lack of cooperation in an inspection of compliance with data protection regulations can result in more than a financial penalty. Making it difficult or impossible to carry out an inspection is also punishable by restriction of liberty or imprisonment of up to 2 years.
Please note that the responsibility for obstructing inspections is not limited to the controller or its representatives. It covers all personnel.
The same sanction threatens entrepreneurs who make it difficult to determine the amount of the financial penalty imposed by the President of the Office for the Protection of Personal Data for breach of data protection rules. The amount of the penalty is calculated taking into account.