The Office for Personal Data Protection imposes subsequent penalties for failure to report a violation
Obligation to notify a breach of personal data protection
According to Art. 33 (1) GDPR, in the event of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Correctly determining whether a breach results in a risk to the rights or freedoms of natural persons, and notifying the supervisory authority of the incident in time, is one of the most important obligations of every controller; failure to do so may result in high administrative fines being imposed on the controller.
Failure to notify may cause negative consequences for individuals
The Office for Personal Data Protection has repeatedly emphasized the importance of correct notification. Failure to notify the supervisory authority of the incident and to inform the affected individuals about the personal data breach deprives those individuals of the opportunity to assess the incident and take appropriate actions to minimize its potential negative effects. At the same time, an authority that has not been informed cannot respond appropriately, for example by conducting explanatory proceedings and verifying that specific actions, including corrective actions, have been taken. It should be remembered that a lack of notification cannot be justified by the absence of actual negative consequences for the natural person whose personal data is processed; what matters is the very possibility of a high risk to the rights or freedoms of natural persons.
The supervisor may impose separate penalties for different but related breaches on the same entity
The supervisory authority imposed an administrative fine of PLN 60,000 on the Chief National Surveyor. The reason for its imposition was the failure to report a personal data breach within the prescribed period, namely the publication of land and mortgage register numbers in GEOPORTAL, which lasted for over 48 hours in April 2022. Interestingly, this is the third administrative fine for this public body. The previous two fines, both related to a single administrative proceeding and each imposed in the maximum amount applicable to public entities (PLN 100 thousand), resulted from a lack of cooperation with the supervisory body during control activities, e.g. UODO employees were denied access to premises, equipment and means used to process personal data, as well as access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks. Then, after the proceedings were conducted, a fine was imposed for making personal data, in the form of land and mortgage register numbers obtained from the land and building register (kept by starosts), available in GEOPORTAL without a legal basis. It should be remembered that the penalty thresholds for private entities are much higher, and that in a single administrative proceeding the supervisory authority may impose separate administrative fines for different violations of the regulations.
How to avoid penalties?
First of all, the controller should develop adequate internal procedures and ensure regular training of employees. If you have any questions or concerns, please contact our Law Firm. Our lawyers will be happy to answer your questions and will also help in developing internal procedures governing the conduct to be followed in the event of a personal data breach. Inquiries can be directed to: [email protected]