Court ruling confirms that an inspection by the DPA cannot be questioned or impeded
The court ruling confirms that the inspected entity cannot question the reasons for the inspection of the DPA or its scope.
The Voivodship Administrative Court in Warsaw confirmed the DPA’s decision to impose a fine of PLN 100,000 (around EUR 22,000) on the Surveyor General for preventing the DPA from conducting an inspection at the Surveyor General’s offices. The court underlined that an entity that is to inspected by the DPA cannot question the reasons for the inspection or its scope.
Background of the case
In March 2020 the DPA wanted to conduct an inspection of the Surveyor General (a public authority) and the Surveyor General did not agree to the inspection with respect to some of the issues. Therefore, the DPA’s agents could not gather information about personal data processing.
The DPA concluded that the Surveyor General prevented it from conducting an inspection and did not cooperate with the DPA. For that, the DPA imposed a fine of PLN 100,000 pursuant to Article 83(5)(e) GDPR. It is worth noting that PLN 100,000 is the maximum amount of a fine which can be imposed on a public authority in Poland.
The Surveyor General appealed the decision of the DPA, claiming, among other things, that its right to a fair trial was not guaranteed. The Surveyor General questioned many other elements of the DPA’s fining decision.
The court dismissed the appeal in February 2021 and stated that the appeal was completely unfounded. The court emphasized that an inspected entity – especially a public authority – cannot boycott and impede an inspection or challenge the powers of the DPA. The court stated that monitoring and enforcing the application of the GDPR is one of the main tasks of the DPA, and for that purpose it can obtain access from a data controller or a processor to any information necessary for the performance of this task, or obtain access to data processing equipment.
Therefore, it is important to bear in mind that in case of an inspection by the DPA, a data controller or processor should not try to impede it or question the scope of the inspection. Otherwise, such an entity would risk a hefty fine. If the inspected entity wanted to question anything about the inspection, the time to do so is during the administrative proceedings before the DPA that typically follow an inspection.