Background information
- Date of final decision: 7 September 2022
- National case
- Controller: Cultural Centre of Sułkowice municipality
- Legal Reference: requirements regarding processor (Article 28(1)(3)(9))
- Decision: Administrative Fine
Summary of the Decision
Origin of the case
The Polish SA has been notified of a personal data breach at the Sułkowice Cultural Centre. In the course of the proceedings, it was found that the controller without written contract used a processor to which it outsourced the maintenance of accounting books, records and preparation of reports (in the areas of finance, taxation and Social Security) or storage of documentation.
In addition, the controller failed to verify whether the processor provides sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing of personal data complies with the GDPR.
Key Findings
Failure to verify the processor and its guarantees for processing in accordance with data protection regulations may entail consequences for individuals whose personal data has been entrusted to the processor, such as loss of personal data. Thus, the decision of which processor the controller should use cannot be taken unjustifiably. Only after examining the competence and adequacy of the chosen processor can the controller proceed to conclude an appropriate contract.
In the course of the case, the supervisory authority found that the controller did not have any documents confirming the verification of the terms of cooperation with the processor. In addition, requests to the controller for information, clarification and return or access to the processed data were unsuccessful.
Decision
The Polish SA imposed an administrative fine of PLN 2.500 on the Sułkowice Cultural Centre. The reason for the decision was the controller's use of a processor without written contract and lack of verification whether the processor provides sufficient guarantees to implement appropriate technical measures.
For further information: decision in national language (PL)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.