In September, the Polish DPA issued a decision fining a controller (a cultural institution) PLN 2500 for engaging a processor without concluding a data processing agreement in writing and without verifying whether the processor provided sufficient guarantees for the implementation of appropriate technical measures.
The fine was this low because, under Polish law, the maximum fine for an infringement of data protection law that can be imposed on a public cultural institution is PLN 10,000. The fine imposed in this case was therefore 25% of the maximum amount.
The DPA launched an investigation following a personal data breach notification by the controller. In the course of the investigation, it was established that the controller had entrusted the processing of personal data to an accounting company without concluding a written data processing agreement. The processor was responsible for keeping accounting books and records, preparing financial, tax and social security reports, and storing documentation.
The DPA’s findings included:
- violation by the controller of article 28(1) GDPR by not vetting the processor as to whether it provided sufficient guarantees to implement appropriate measures so that processing met the GDPR requirements, and
- violation by the controller of articles 28(3) and 28(9) GDPR for not concluding a data processing agreement in writing, including in electronic form.
This is yet another decision issued by the Polish DPA which shows how crucial it is for the controller to fulfil the obligation under article 28(1) GDPR, i.e. to verify whether the processor provides sufficient guarantees to implement appropriate technical and organizational measures so that processing meets the requirements of the GDPR. The DPA also underlined the importance of concluding the data processing agreement in writing, including in electronic form, in order to comply with article 28(3) and (9) GDPR.