Polish DPA fines non-public nursery and pre-school: Lack of cooperation with the supervisory authority

20 July 2020

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 5 000 on an individual entrepreneur running a non-public nursery and pre-school. 


Entrepreneur running a nursery and pre-school failed to provide the President of the UODO with access to personal data and other information necessary for the performance of its tasks - in this case for assessment whether the controller communicated a data breach to the data subject in accordance with the GDPR (Article 58(1)(e) of the GDPR). 


The controller notified to the President of the UODO a personal data breach, which consisted in losing access to personal data stored in the run private nursery and pre-school.


Given the lack of information necessary to carry out an assessment of the notification, the supervisory authority sent three requests to the entrepreneur to submit relevant explanations. Two of them weren’t collected on time, one was collected personally by the fined entity itself. The entrepreneur failed to respond to the requests of the President of the UODO. 


The obligation of an entrepreneur, that is an entity conducting professional business activity on the market, is to collect correspondence connected with the conducted activity. Course of action of the entrepreneur is incomprehensible, considering the fact that it notified a personal data breach to the President of the UODO and therefore should be expecting the DPA’s standpoint in this case.   


It is worth emphasizing that the activity conducted by the fined entity included the processing of personal data relating to children, who require special protection, since they can be less aware of the risk and consequences related to data processing.


When issuing the decision on imposing an administrative fine and determining its amount, the President of the UODO took into account as aggravating circumstances, among others, the severity of the breach and its duration, the intentional nature of the breach and the lack of cooperation of the controller with the supervisory authority. In view of the President of the UODO the imposed fine is proportional to the severity of the established breach and the possibility of paying the fine by the entrepreneurs without big detriment to the conducted activity. 


The fine imposed by the President of the Personal Data Protection Office is intended to discipline the entrepreneur in terms of proper cooperation with the President of the UODO, both in further course of the proceedings in the case of data breach notification, and in other possible future proceedings with participation of this entrepreneur conducted by the President of the UODO. It is a clear signal to all entities that disregarding their obligation to cooperate, on request, with the supervisory authority, especially by hindering access to information necessary for the performance of its tasks, is a serious infringement and as such is subject to fines. 


To read the press release is Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl​​​​​​​

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.