The Polish SA imposed a EUR 4000 fine for failing to cooperate with the supervisory authority

25 January 2023

Background information

  • Date of decision: 25 January 2023
  • Cross-border case or national case: National case
  • Legal references: art. 57 (1) (a) (h), art. 58 (2) (i), art. 83 (1-3), art. 83 (4) (a), art. 31, art. 83 (5) (e), art. 58 (1) (a)(e)
  • Decision: Administrative fine
  • Key words: Administrative fine, Cooperation with the supervisory authority, Third party access to personal data, Employment

 

Summary of the Decision

 

Origin of the case

The Polish SA received a complaint from a data subject concerning irregularities in the processing of his personal data by his employer, namely making his personal data available to unauthorized persons. Because the company failed to provide the information necessary to resolve the case, the Polish SA initiated ex officio administrative proceedings on imposing an administrative fine on the controller for that failure.

 

Key Findings

The complaint, which was the basis for the PL SA's subsequent investigation, concerned the employer's act of making the employee's personal data (name, address, salary, job title, bank account number) available to unauthorized persons. In order to obtain the information necessary to investigate the complaint, the Polish SA sent letters to the controller twice with a request to respond to the content of the complaint and to provide explanations regarding the investigated case. Both letters were received by the controller. However, the controller did not provide any explanations requested by the Polish SA. This state of affairs was not changed by the initiation of proceedings on imposing an administrative fine on the controller for failing to provide information necessary to resolve the case. In view of the above, the Polish SA concluded that the controller failed to provide all information needed by the supervisory authority to perform its tasks.

 

Decision

The Polish SA imposed an administrative fine of about EUR 4000 (PLN 18 279) on the controller for failing to cooperate with the supervisory authority in the performance of its tasks and for failing to provide access to personal data and other information necessary for the performance of its tasks.

 

For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.