Polish SA imposed a fine for processing without legal basis

30 November 2022

Background information

  • Date of decision: 30/11/2022
  • Cross-border case or national case: National case
  • Legal references: Article 6 (1) GDPR (Lawfulness of processing), Article 5 (1) (a) GDPR (Principles relating to processing of personal data), Article 9 (1) and (2) GDPR (Processing of special categories of personal data), Article 58 (2) (d) and (i) GDPR, Article 83 (1-3) and (5) (a) GDPR (General conditions for imposing administrative fines)
  • Decision: Administrative fine
  • Key words: Consent, Lawfulness of processing, civil partnership

 

Summary of the Decision

 

Origin of the case

The Polish SA received information indicating that controllers may have infringed data protection provisions. The SA first undertook verification activities with regard to the controllers. However, due to the lack of sufficient cooperation with the supervisory authority in clarifying the circumstances of the case, the SA found it necessary to conduct an inspection. The scope of the inspection covered the processing by the controllers of personal data of clients and potential clients.

On the basis of the evidence gathered in the case, in the opinion of the Polish SA, the partners in the civil partnership, as controllers, infringed the provisions on personal data protection by processing the personal data of their potential customers, including data concerning their health status, without a legal basis, in particular without having their consent to the processing of personal data.

 

Key Findings

The activity carried out by the partners of the civil partnership consists of providing legal assistance by representing clients, injured mainly in traffic accidents, before insurance companies, courts and other entities, in order to obtain compensation, damages and pensions in their favour, as well as reimbursement of medical treatment and rehabilitation costs.

The partners obtained personal data and contacted potential customers on the basis of press releases, online publications, including content available on social media, as well as information provided or disseminated by charitable organisations.

As was established in the course of the inspection, in the case of potential clients, i.e. persons to whom the partnership is only making an offer, the above consent is obtained only orally, and the obtaining of consents was not recorded in a manner that could serve as evidence for the supervisory authority that they had been granted (e.g. a register of consents).

 

Decision

In the opinion of the Polish SA, the processing of personal data of potential customers, as done by the partnership, may take place on a basis that can be demonstrated to the supervisory authority, including their explicit consent to the processing of sensitive data, in this particular case data on health status.

The Polish SA has imposed an administrative fine of approximately 10,000 EUR on the partners in the civil partnership Kancelaria PIONIER for infringing the provisions of the GDPR. At the same time, the Polish SA ordered that processing operations be brought into compliance with GDPR provisions by ceasing to process the personal data of potential clients without a legal basis.

 


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.