Further administrative fines for lack of cooperation with the DPA
The Personal Data Protection Office has imposed the administrative fines on controllers for failing to cooperate with the supervisory authority in the performance of its tasks and for failing to provide access to personal data and other information necessary for the performance of its tasks.
Effective monitoring and enforcement of the application of the General Data Protection Regulation ("GDPR") requires the supervisory authority to exercise its powers, including the right to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its task. In addition, the authority has the power to obtain access to any premises of the controller and the processor, including to any data processing equipment and means.
The controllers do not always make it possible to exercise these powers. Meanwhile, the cooperation with the supervisory authority is important and its lack hinders the performance of the tasks of the DPA and may cause excessive and unjustified prolongation of the proceedings and thus violate the rights of citizens related to the protection of their personal data. Lack of cooperation with the supervisory authority even forces the supervisory authority to resort to appropriate legal instruments, such as, among others, imposing an administrative fine for lack of cooperation. There are several situations related to lack of cooperation in which the authority may resort to such solutions.
Correspondence not collected in time
One of the cases where the supervisory authority may impose an administrative fine for failing to provide access to personal data and other information necessary for the performance of its tasks is the failure to collect correspondence from the supervisory authority.
In practice, the scheme of proceedings usually looks as follows: the Personal Data Protection Office receives a complaint about irregularities in the processing of the complainant's personal data by the controller. Within the framework of the initiated administrative proceedings, conducted in order to examine the lodged complaint, the supervisory authority requests the controller to respond to the content of the complaint and to provide answers to specific questions asked by the supervisory authority. The letters are sent to the administrator's registered office address, however, the Personal Data Protection Office receives the return of the aforementioned letter with the annotation "returned - not collected in time".
It can be assumed that an entity professionally involved in legal and economic transactions is aware that the action of not collecting the correspondence sent by the supervisory authority constitutes a breach of the basic obligations of an entrepreneur. Moreover, each organisational unit should ensure in its organisation such a circulation of documents and receipt of letters that the course of correspondence takes place continuously and uninterruptedly and only by authorised persons.
Letter collected, but no reaction
The Personal Data Protection Office also initiates ex officio administrative proceedings on imposing an administrative fine on the controller for failing to provide information necessary to resolve the proceedings. This happens when controllers do not provide answers to the questions contained in the letters, which are usually not very complicated and do not require specialist knowledge in the field of personal data protection. It should be underlined that ignoring the correspondence addressed by the supervisory authority to controllers also causes difficulties and unjustified prolongation of the proceedings conducted by the supervisory authority.
In the opinion of the Personal Data Protection Office, such an action of the controller indicates a clear lack of willingness for cooperation with the supervisory authority in order to establish the facts of the cases conducted. This is evidenced by the lack of response to requests addressed by the authority. Controllers, upon receiving a letter, know which authority is addressing the requests to them, what it concerns and what information is requested. Therefore, in the opinion of the Polish supervisory authority, a controller who does not respond to letters is making a conscious decision not to provide information to the data protection authority. Thus, it exposes itself to additional consequences in the form of administrative fines.
Disregarding one's obligations
Obstructing and preventing access to information requested by the supervisory authority from the controller, which is undoubtedly in the controller's possession, does not allow for a thorough examination of the case. The controller, by failing to provide the information necessary for the authority to perform its tasks - the substantive resolution of the case, breaches its obligation under the provisions of the GDPR. When the supervisory authority does not obtain from the controller the requested information necessary for the performance of the tasks of the supervisory authority, there is a breach of the provisions of the GDPR.
Such conduct also results in excessive and unjustified prolongation of the proceedings, which contradicts the basic principles of administrative proceedings such as the principle of thoroughness and rapidity of proceedings, which are set out in the Administrative Procedure Code.
Whenever there is a breach of data protection legislation, the supervisory authority responds according to the gravity of the specific breach, using its powers under the GDPR. Fines are one of the many tools at the Office's disposal. The imposition of administrative fines is not an end in itself, and the very initiation of proceedings for the imposition of an administrative financial penalty, should cause the controller to properly cooperate with the authority, e.g. provide information when requested by the authority.
These examples of lack of cooperation with the supervisory authority are reflected in several decisions of the President of the Polish supervisory. Below you will find links where you can read such decisions (in Polish) in detail: