Polish SA: administrative fine of 5 814 € for failure to designate a Data Protection Officer and failure to publish their contact details and to notify the supervisory authority

Background information

• Date of final decision: 18 October 2024
• National case
• Legal Reference (s): Article 37 (Designation of the data protection officer)
• Decision: Administrative fine,  Compliance order
• Key words: Administrative fine, Data protection officer, Legal obligation, Responsibility of the controller

Summary of the Decision

Origin of the case  

The obligation of designating a data protection officer (DPO) is incumbent on the controller under Articles 37(1)(a) and 37(7) of the GDPR. Under these provisions, public authorities or entities (with the exception of courts in their administration of justice), are required to designate a DPO, publish his or her contact details and notify the supervisory authority.

The District Building Supervision Inspectorate (PINB), as part of the proceedings initiated by the President of the Personal Data Protection Office, submitted a copy of the personal files of two persons who, in its opinion, had previously performed the function of the DPO at the PINB in Częstochowa, in the form of:

• a certificate of completion of the personal data protection training for DPOs,
• information clause on personal data processing,
• authorization to process personal data in traditional and IT systems,
• an order on the introduction of a Security Policy for personal data processing in the District Building Supervision Inspectorate, and
• the scope of activities to perform the function of the DPO on the basis of a verbal oral of the controller.

Key Findings 

In the opinion of the President of the Polish Supervisory Authority (SA), the wording appearing in the above-mentioned documents can only indirectly prove that the persons indicated therein perform the function of the DPO within the controller’s structure. These documents do not prove that there has been an effective designation to the position of DPO. The holding of the function of DPO based on an oral instruction from the controller does not constitute an effective designation.

In order to demonstrate the effectiveness of such a designation to the supervisory authority, the controller should strive to ensure that a legal act (e.g. internal regulation, resolution, delegation of duties) or the contract with the person who is to perform the function of DPO clearly indicates the designation of a specific person to be a DPO. For evidentiary purposes, it is essential that such a designation be in writing. It is also necessary that the responsibilities are precisely assigned to him/her in accordance with the provisions of Articles 38 and 39 of the GDPR.

In the case of the PINB in Częstochowa, the controller complied with the formalities and effectively designated a specific person to act as the DPO only on 4 March 2024, which is after the Polish SA's proceeding. The following day, the controller notified the President of the Personal Data Protection Office. However, by the date of the decision (18 October 2024), he had not published the contact details of the aforementioned person. Currently, the contact details of the DPO are published on the controller's website.

Decision 

The President of the Personal Data Protection has imposed a 5 814 € of administrative fine on the District Building Control Inspector in Częstochowa for infringement of Article 37 of the GDPR.

The effective designation and publication of the DPO's contact details constitute an important guarantee for the personal data protection of data subjects. This is due to the role of the DPO and the wide range of tasks assigned to him/her under Articles 38 and 39 of the GDPR.

For further information: national decision (Polish)