More penalties from the DPA

02 Nov 2022
Jakub Wietrzyński

The mentioned fine was 2,500. PLN and involved the Sulkowice Cultural Center, and the violation itself involved 30 employees. We can read on the Authority’s website that “the reason for the decision was the entrustment of personal data processing without a written entrustment agreement and without verifying that the processor provides sufficient guarantees for the implementation of appropriate technical measures.”

What exactly does this mean?

The authority thus spelled out two main reasons in the decision it issued:

  1. Failure to enter into a contract for entrustment of personal data processing.
  2. No verification of the processor.

In the text of the decision itself (, one can read that no contract was concluded between SOK and the processor, and that the processor kept the administrator’s books, records, prepared reports and kept the administrator’s records. Thus, a situation has occurred against which the normalization of the controller-processor relationship protects. SOK lost personal data, or more precisely, it had no way to regain access to all the personal data entrusted to the processor.

From the decision indicated, there are still a few mistakes that we particularly sensitize you to:

  • Beware of the use of private equipment by employees, as well as check whether this is a common occurrence at the processor.
  • Access to documents / systems / disk, must be secured and attention must be paid to the authorization process.
  • Records should be kept that can prove when and under what conditions collaborations and entrustments of personal data processing were entered into.
  • The obligation to provide sufficient guarantees for data security is an ongoing process. It doesn’t end when the signatures are put on the contract.

Thus, it would be sufficient for the Sulkowice Cultural Center to verify the processor before contracting the processor with personal data, and then enter into a personal data entrustment agreement.

But what is an entrustment agreement and verification anyway?

In accordance with RODO – Art. 28 – the controller may entrust the processing of personal data to another entity, but it must not look like “Company XX please perform such an assignment.” The indicated article says explicitly that processing is carried out on the basis of a written contract or other legal instrument. Thus, the entrustment agreement will be a document that will indicate the framework of the entrusted processing: subject matter, duration, nature, purpose, type of personal data, categories of persons whose data are processed, obligations and rights of the controller, and additional regulations to ensure the security of personal data and compliance with the Regulation.

In addition, the controller is required to use only such processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures. Thus, it is the administrator’s intention to check, before entering into a contract, at least the reputation and reliability of the processor, his knowledge of security measures and resources, and to assess the adequacy of the guarantees provided. For more on processor control, see our article:

How to protect yourself from an analogous punishment?

The easiest way is to lean on someone experienced, like our company Blue Energy, which specializes in supporting businesses in data protection and information security. However, if you yourself are managing RODO issues in your company, you should always remember to check whether entrustment of personal data processing is taking place and, by analogy, enter into an entrustment agreement. In addition, do not be afraid to ask questions of the entity that will process data on our behalf, you have the right to find out

what safeguards it employs, and then check whether they continue.

However, it should be noted that the leniency was influenced by measures taken to minimize the harm to data subjects. The conclusion is one, it is not worth sweeping problems under the rug.



See also

25 Jul
What about the whistleblowers? – first penalties and the third installment of the whistleblower protection bill.

Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on on the protection of Union law whistleblowers, is already in effect as of December 17, 2021. However, until today (25.07.2022), a law clarifying the requirements of the Directive on the protection of whistleblowers has not appeared in the Polish legal order.

Read more arrow
19 Apr
As an Administrator, can you choose the appropriate technical and organizational security measures necessary to ensure compliance with the GDPR?

The President of the Personal Data Protection Office imposed an administrative fine on the President of the District Court in Zgierz. The fine is not spectacular in terms of amount (PLN 10,000) and was imposed last year, but it is still worth paying attention to.

Read more arrow
Did not find what you are looking for?
Write to us arrow