The subject of personal data processing concerns almost all entrepreneurs. While running a business, many day-to-day activities involve processing personal data of various persons, including potential and actual clients, business partners, and own employees.
In the course of data processing operations, data protection may be violated, e.g. through its leakage, loss, or unwanted modification. Such events require a quick and appropriate response from the company. Failure to act appropriately in case of data protection violations can lead to high fines for the company.
First of all: prevention
It is important to be aware of the threat and prepare the right procedures. They will be designed to prevent breaches, as well as regulate the rules of reacting already in the situation of a suspected incident. The next step will be to create a procedure in case a data breach is confirmed.
However, it is important to remember that even the best-drafted rules of procedure will not achieve their purpose if they are not applied in practice. Therefore, it is essential to familiarize the company’s staff with the procedures, as well as to conduct regular training on personal data processing.
As the practice after the entry into force of RODO shows, it is important not only to adequately secure the data but also to properly react to a breach. When observing the decisions issued for some time by the President of the Office for the Protection of Personal Data, one may notice certain tendencies in imposing fines.
Lack of adequate data security is an important basis for imposing fines, as in the case of Morele.net (a fine of approximately PLN 2.8 million). In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law.
For example, last month, the President of the Office for Personal Data Protection imposed an administrative fine of over PLN 136 thousand on ENEA S.A.! The reason was the failure to report a personal data protection breach. The Office found out about the breach from a person who had become an unauthorized recipient of personal data.
Also, late notification of an incident can be a reason for a fine, as happened in the Netherlands. The Dutch Data Protection Authority (AP) imposed on Booking.com a fine of 475,000 euros for late notification of the breach. Recall – the deadline to report a breach is 72 hours after the breach is discovered.
Keep in mind that reporting alone may not be enough to avoid or reduce the fine. It is equally important to cooperate with the supervisory authority in the course of inspection proceedings.
Recently, the President of the Office for Harmonization in the Internal Market (UODO) imposed a fine of PLN 21,000 on Anwara Sp. z o.o. for not cooperating with the supervisory body and not providing it with all the information necessary to fulfill its tasks during the proceedings.
A similar situation took place in the case of East Power (penalty of PLN 15 thousand). It should be stressed that administrative courts also accept the imposition of penalties for lack of cooperation. Last month, the Provincial Administrative Court in Warsaw dismissed a complaint filed by the Head Surveyor of Poland against the decision of the President of the Office for Competition and Consumer Protection (UODO) imposing a fine of PLN 100,000 for failure to carry out an inspection.
When a breach of personal data protection may cause a high risk of infringing the rights or freedoms of natural persons, appropriate steps have to be taken. It should be remembered that in such situations, it is necessary to inform the persons whose data have been affected by the incident along with the relevant circumstances and remedial measures.
The President of the Office of Electronic Communications (UODO) imposed a fine of PLN 25,000 on the Silesian Medical University. The university suffered a data protection breach of which the controller should notify not only the supervisory authority but also the persons affected by the incident.
In short: follow the recommendations
Thus, not only the breach itself but also the failure to notify in time when required can lead to a hefty fine. The same applies to the lack of cooperation with the President of the Office for Personal Data Protection during the inspection, which is confirmed by issued decisions. Also, the mere failure to comply with an order imposed by a previous decision may be a reason for imposing another fine, as the entrepreneur conducting business activity in the area of health care found out.
During the original proceedings, the President of the Office for Harmonization in the Internal Market (OCCP) ordered the entrepreneur to notify its patients about the breach of their data and to provide them with recommendations on how to minimize potential negative effects of the incident, which was not performed. For this reason, another fine was imposed, which amounted to over PLN 85 thousand.
It is worth noting that the amount of the penalty is determined by the authority and all circumstances of the proceeding have an impact on its amount. Various factors may be taken into account: the scale of the infringement, the attitude of the entrepreneur after the infringement, the cooperation with the authority, or remedial actions taken.
An entrepreneur who wants to evade the consequences of non-compliance with the RODO regulations should fulfill many obligations. They should perform a risk analysis and take actions adequate to ensure data security. And if – despite this – a data protection incident occurs, to react quickly and appropriately.