Background information
- Date of decision: 30/08/2022
- Cross-border case or national case: National case
- Controller: TIMSHEL
- Legal references: Article 58 (2) (i) and (1) (a) GDPR, Article 83 (1) (2) and (5) (e) GDPR (General conditions for imposing administrative fines)
- Decision: Administrative fine
- Key words: Administrative fine, Cooperation with the supervisory authority, Personal data breach
Summary of the Decision
Origin of the case
TIMSHEL notified a personal data breach to the supervisory authority by e-mail. However, the notification, which read "notification of personal data breach attached", did not include the said attachment in the dedicated form for such cases. Due to the lack of information necessary to assess the breach, the Polish SA initiated proceedings and requested the controller to provide the content of the notification of a personal data breach. The letter was addressed to the company via the postal service to the registered address disclosed in the National Court Register (NCR) for the entity. However, despite the fact that a misdelivery notice was sent twice, the letter was not received by the company. The company also failed to respond to a subsequent second request from the supervisory authority, which was returned to the Polish SA with the notation "RETURN not collected in time."
Key Findings
The Polish SA addressed a letter to the company via the postal service to the controller’s registered address disclosed in the NCR. However, despite the fact that a misdelivery notice was sent twice, the letter was not received by the company. The company also failed to respond to a subsequent second request from the Polish SA, which was returned to the authority with the notation "RETURN not collected in time". In this situation, the supervisory authority asked the registry court having jurisdiction over the company's registered office whether an application by the company to disclose a change of its registered office address was pending at that court. The court confirmed that the company's registration file did not contain any pending application by the company for registration, including, in particular, an application to disclose a change in the address of its registered office.
As the supervisory authority subsequently determined, the company listed a different address for its registered office on its website than that disclosed in the NCR. The supervisory authority addressed the information on the initiation of proceedings to impose an administrative fine on the company both to its registered office address, as disclosed in the NCR, and to the established additional address. In the latter case, the letter was received by the controller, which was confirmed by the signature of the company's employee who took delivery. Nevertheless, the letter remained without any response from the company.
In connection with the lack of response to its requests for information, the Polish SA imposed on TIMSHEL sp. z o.o., with its registered office in Warsaw, an administrative fine of about EUR 7,100.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.