Background information
- Date of decision: 21 June 2023
- Cross-border case or national case: National case
- Legal references: art. 57 (1) (a) (h), art. 58 (2) (i), art. 83 (1-3), art. 83 (4) (a) art. 31, art. 83 (5) (e), art. 58 (1) (a)(e)
- Decision: Administrative fine
- Key words: Administrative fine, Cooperation with the supervisory authority, Third party access to personal data
Summary of the Decision
Origin of the case
The Polish SA received a complaint from a data subject concerning irregularities in the processing of their personal data by a service company, i.e. by making their personal data available to unauthorised persons. Due to the company’s failure to provide the information necessary to resolve the case, the Polish SA initiated ex officio administrative proceedings on imposing an administrative fine on the controller for failing to provide information necessary to resolve the proceedings.
Key Findings
On the basis of the content of the complaint, as well as the content of the documents attached to them, it follows that the company was a controller that processed the complainant's personal data (name and surname, phone number) in order to provide him/her with commercial information regarding its services. From the content of the complaint, it appeared that the company sent a message to the complainant's phone number, containing a link referring to a website, which, according to the complainant, could infect their phone with malicious software. In order to obtain the information necessary to investigate the complaint, the Polish SA requested the company twice in writing to respond to the contents of the complaint and to provide explanations by answering detailed questions about the case. The company did not provide explanations requested by the Polish SA. This state of affairs was not changed by the initiation of proceedings on imposing an administrative fine for failing to provide information necessary to resolve the case. In view of the above, the Polish SA concluded that the company failed to provide all information needed by the supervisory authority to perform its tasks.
Decision
The Polish SA has imposed the administrative fine of about EUR 7300 (PLN 33 012 PLN) on the company for failing to cooperate with the supervisory authority in the performance of its tasks and for failing to provide access to personal data and other information necessary for the performance of its tasks.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.