UODO (Poland) - DKN.5112.10.2024

From GDPRhub
Revision as of 14:28, 15 April 2025

UODO - DKN.5112.10.2024
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 24(1) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 06.03.2025
Published:
Fine: 56,824 PLN
Parties: An unnamed news outlet
National Case Number/Name: DKN.5112.10.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: cci

The DPA fined a news outlet PLN 56,824 (€13,500) for failing to process personal data securely.

English Summary

Facts

The DPA carried out an ex officio investigation into a news outlet (the controller). The investigation concerned the security of the processing of personal data.

The investigation highlighted several issues with the controller’s operations:

  • the controller did not carry out a risk analysis for the processing of personal data;
  • the controller’s data protection and IT security policies were not reviewed and updated;
  • the controller did not encrypt the drives on its devices, in violation of its own IT security policy;
  • the controller had no internal policies to ensure that personal data were published in accordance with Polish law.

At the time of the investigation, the controller was in liquidation and did not submit a defense.

Holding

The DPA held that the controller failed to ensure the secure processing of personal data, in violation of Articles 24(1) and 32(1) and (2) GDPR. For this reason, the DPA fined the controller PLN 56,824 (€13,500).

Comment

On Article 85 GDPR and national derogations

The controller’s journalistic activity was covered by GDPR derogations under Polish law[1]. However, the DPA clarified that under Article 85 GDPR, only specific GDPR provisions can be derogated under national law. In particular, the DPA pointed out that national law cannot provide for derogations to Articles 24 and 32. For this reason, controllers that engage in journalistic activities must still process personal data securely.

On security and risk assessments

The DPA also explained in some detail how controllers should determine the appropriate security measures for the processing of personal data. The DPA described a two-step process: first, controllers must assess the level of risk associated with the processing of personal data, taking into account the criteria from Article 32(1) GDPR; second, after the risk assessment, controllers must adopt security measures adequate to the risk level. Additionally, the controller's risk assessment needs to be documented, periodically reviewed, and updated if necessary. With regard to the risk assessment and the choice of security measures, the DPA referred to national case law[2].


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage they suffered [Article 83 paragraph 2 letter a) of Regulation 2016/679].

The breach of the provisions of Article 32 paragraphs 1 and 2 of Regulation 2016/679 by the Company in connection with the processing of personal data as part of its business of editing, preparing, creating or publishing press materials, without implementing appropriate technical and organisational measures based on a risk analysis, is of significant importance, due to the type of business it conducts and therefore the potential scope of data processing. It should be noted that the Company's activities are not limited to conducting (...) of a regional nature. The website www.(...).pl operated by the Company has a wider than local reach. Thanks to the Internet, the website is available globally (universally), which allows it to be visited and its resources used from different parts of the world. Although the main recipients of the content (...) may be residents of M. and its surroundings, the reach of the website is not limited to this region. The website can be visited by users from both Poland and abroad who are interested in content related to this region. However, thanks in particular to search engines and widely available translators, the website is currently available to practically everyone and everywhere. This type of processing involves a much greater risk for data subjects and means that a breach of the provisions of Regulation 2016/679 is of a serious nature and significant importance. A press release produced by the Company may reach an unlimited number of recipients, which consequently creates a higher risk related to the processing of personal data in the event of a breach of the security of such data. The lack of a procedure for verifying press materials before their publication, in terms of the data contained therein, entails the risk of unauthorized disclosure and use of such data against the will of the data subjects. 
And due to the nature of the activity and the scope of data processing, in the event of a breach, its removal and mitigation of any negative effects may be impossible to achieve. It should be emphasized that the Company is (...) and in connection with the activities it conducts, it is expected to apply higher standards, and above all, diligence in the context of personal data processing (vide (...), especially in the scope of obligations arising from the mission of public media and the obligation to be responsible for one's word). The violation of personal data protection regulations found in this case creates a high risk of negative consequences for any person who is of interest to the Company (...). Moreover, the lack of procedures for verifying press materials before their publication in terms of the protection of personal data to be made available may lead to the identification of the data subject and to their further dissemination through the mass media. As a result, this may result in damage to that person, both of a material and non-material nature, and even physical harm. It is also important that the processing of data in breach of the provisions of Regulation 2016/679 has been carried out since the date of application of the provisions of Regulation 2016/679, i.e. from 25 May 2018, and is still ongoing. It is therefore of a continuous and long-term nature, and therefore carries more serious risks in the area of violation of the privacy of persons whose data and information concerning them may have been published by the Company at that time, and whose identification may occur in various circumstances also in the future.
  1. See the Polish Press Act (Dz. U. z 2018 r. poz. 1914) and the Polish Data Protection Act (Dz. U. z 2019 r., poz. 1781).
  2. See, for instance, II SA/Wa 2826/19.