The President of the Personal Data Protection Office approved the “Code of Conduct concerning the Protection of Personal Data Processed in Small Medical Facilities” developed by the Federation of Healthcare Employers’ Unions (FZPOZ) Zielona Góra Agreement.
The Polish SA, finding a violation of the Telecommunications Law, consisting in the failure to notify the personal data breach to the supervisory authority within 24 hours after having become aware of it and the failure to communicate the personal data breach to the subscriber without undue delay, imposed a fine of PLN 250,000 on P4 Sp. z o.o.
The Polish SA imposed an administrative fine of PLN 8,000 on the Mayor of the Commune of Dobrzyniewo Duże for failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The controller notified to the Polish SA a personal data breach which occurred as a result of a break-in in the employee's apartment and the theft of a laptop that contained a file with personal data. As a result, the loss of confidentiality of the personal data of the aforementioned individuals occurred.
The Personal Data Protection Office invites pupils of primary and secondary schools to a series of nationwide lessons under the slogan "#ODOlekcje" (#ODOlessons) which will be conducted by representatives of the Personal Data Protection Office and leaders of the UODO's educational programme "Your data - Your concern".
The Voivodeship Administrative Court in Warsaw, in a judgement of 31 August 2022, dismissed the complaint of the Fundacja Promocji Mediacji i Edukacji Lex Nostra (Lex Nostra Foundation for the Promotion of Mediation and Legal Education, hereinafter: Lex Nostra Foundation) against the decision of the Personal Data Protection Office (Polish SA) imposing an administrative fine for failing to notify the supervisory authority of a personal data breach without undue delay and failing to communicate the personal data breach to the data subjects.
The Personal Data Protection Office hosted representatives of the Personal Data Protection Agency of North Macedonia as part of a study visit entitled "Support for the implementation of the modernised data protection legal framework" from 10 to 14 October 2022.
The Polish Supervisory Authority prepared a publication "Processing of personal data by courts in the context of personal data protection", which answers the question of whether the President of the Polish Supervisory Authority is the competent authority to receive personal data breach notifications and to carry out inspections in the case of courts - and to what extent, if any.
The Personal Data Protection Office invites you to watch a webinar on technical safeguards for processing of personal data.
The Polish SA imposed an administrative fine of PLN 2.500 on the Sułkowice Cultural Centre. The reason for the decision was the controller's use of a processor without a written contract and its failure to verify whether the processor provides sufficient guarantees to implement appropriate technical measures.
As many as 70% of Poles declare that they do not know who should deal with the negative consequences of a personal data breach such as data leakage, and a third of those who are aware of the incident believe that it must be done by the affected persons. Some respondents pointed to the Police, the Data Protection Authority and data protection officers, among others, and mainly expect them to provide detailed information about the incident and recommend further action. This is according to a survey conducted by ChronPESEL.pl and the company Krajowy Rejestr Długów BIG S.A. under the auspices of the Personal Data Protection Office.
We invite schools and educational institutions to participate in the thirteenth edition of the UODO educational programme "Your data - Your concern". Those wishing to do so are encouraged to read the recruitment details and fill in the application form.
The dynamic development of data processing requires ever faster supercomputers offering unprecedented computing power. Does such a solution pose a major threat to cyber security and fundamental human rights? This and other questions will be answered during the scientific conference 'Human beings in post-quantum reality' organised by the Personal Data Protection Office (UODO) in cooperation with the Chancellery of the Prime Minister, on 28th September 2022.
The Polish DPA invariably takes the view that copying of identity cards by financial institutions is legal only if undertaking security measures to prevent money laundering and terrorist financing is necessary.
The UODO invites young people to take part in the 'Summer Academy for Personal Data Protection'. This is a series of webinars which are directed to young people and disseminate knowledge in the data protection field.
The Polish DPA imposed an administrative fine on the University Clinical Center of the Medical University of Warsaw. The reason for the decision was the failure to notify a personal data breach to the DPA and failure to communicate the personal data breach to the data subject.
The Voivodeship Administrative Court in Warsaw, in a ruling issued on July 1, 2022, dismissed Bank Millennium S.A.'s complaint against the Polish DPA’s decision imposing an administrative fine.
Following comments from UODO (hereinafter: Polish DPA), the provisions providing for the creation of a database of adult natural persons interested in purchasing solid fuel for their own household needs have been removed from the draft Act on special solutions to protect recipients of certain solid fuels in connection with the situation on the market for these fuels.
The Polish DPA has imposed another administrative fine of PLN 60,000.00 on the Surveyor General of Poland (GGK). The reason for this sanction was the failure to notify the personal data breach to the supervisory authority and to communicate it to the individuals whose personal data had been disclosed. The decision also orders that the affected persons be informed of the personal data breach.
Where does the biggest threat to personal data come from? How to react in case of a personal data leakage or a hacking attack, and how to react in case of phishing? A webinar organised by the Polish DPA on 12 July 2022 at 10.00 a.m. provided answers to these questions.
In September 2022, the Personal Data Protection Office is planning to hold a webinar on technical safeguards for processed personal data. We encourage you to ask questions on this topic, which will be answered during the event.
In June 2022, the implementation of the 12th edition of the nationwide educational program “Your data – Your concern” ended. The past ten months have resulted in numerous undertakings and educational initiatives.
Every third Pole is afraid of personal data leakage. At the same time, less than half of us would know what to do in such a situation. And the biggest problems are faced by seniors, who do not have enough knowledge of who processes our personal data and how.
The Polish DPA found a violation of the provisions of GDPR by the Warsaw Centre for Intoxicated Persons. It consisted in recording and capturing sound (voice) in the surveillance system installed in the Centre. As was proved in the administrative proceedings in this case, personal data was processed in this facility without a legal basis. As a result, the controller was fined PLN 10 000.
“360 minutes on data protection, or personal data all round” is an educational initiative carried out by Primary School No. 360 from Warsaw, which was honoured with a special "Golden Pen" statuette and at the same time won the first place in the UODO President's competition for schools.
The Polish Data Protection Authority imposed an administrative fine of almost PLN 16 000 on Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. The reason for this decision was the failure to notify the Polish DPA of personal data breach consisting in the loss of an employee's work certificate.
A working group, consisting of Dutch, French, Lithuanian and Polish SAs and supported by the European Data Protection Board (EDPB), has looked into a series of complaints concerning potential infringements of the General Data Protection Regulation by Vinted UAB, the operator of the clothes sales website Vinted.com.
A child has the right to privacy and to protection of personal rights, therefore it is worth encouraging them to learn more about personal data protection. And as the experience of the “Your data – Your concern” programme shows, students also have good ideas on how to educate, for example, senior citizens about data protection.
90% of Poles declare that they know how to ensure the security of their personal data. Young people feel most confident. However, despite their confidence in their knowledge, they are the group that most often makes mistakes such as publishing photos of their documents on the Internet or sharing logins and passwords with third parties. That is the conclusion from the research conducted by the ChronPESEL.pl portal and the National Debt Register under the patronage of the Personal Data Protection Office.
The EDPB adopted the Guidelines on the calculation of administrative fines. Furthermore, the Board presented the Guidelines on the use of facial recognition technology in the area of law enforcement. Both documents, adopted on May 12th 2022, during the 65th plenary meeting, will now be submitted for public consultation.
At the 64th plenary meeting, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published a Joint Opinion on the proposed Data Act.
We already know the laureates of this year's competitions for schools and students taking part in the 12th edition of the “Your data – Your concern” educational programme. The winning entries included advice for seniors in the form of podcasts, as well as lesson plans and games.
The EDPB members, at the meeting that took place on 27–28 April 2022, agreed to further enhance cooperation on strategic cases and to diversify the range of cooperation methods used.
The Day of New Technologies in Education will be held for the fourth time. It is an initiative of the Ministry of Education and Science, organised together with education superintendents, which aims to promote information and communication technologies used in work with students at school and outside school. The Personal Data Protection Office joins this event, which will be launched on April 29, 2022.
The fact that the controller limits itself to training the employees and omits the application of technical safeguards cannot be regarded as the implementation of appropriate technical or organisational measures. This is what the Voivodeship Administrative Court in Warsaw (WSA) stated, dismissing the complaint filed by the President of the District Court in Zgierz against the decision of the Polish Data Protection Authority.
The National School of Judiciary and Public Prosecution (KSSIP) did not apply adequate technical and organisational measures to ensure the security of data processing, the Voivodeship Administrative Court in Warsaw (WSA) confirmed.
A representative of the Personal Data Protection Office took part in the Data Protection Officers Forum organised by the Wielkopolska Centre for Local Government Education and Studies, which took place on 31 March 2022.
Since the beginning of the application of the GDPR, the Polish Data Protection Authority (Polish DPA), both in the course of its proceedings and in response to cases of non-compliance with the provisions concerning data protection officers (DPO) reported to it, has taken actions resulting from its powers set out in Article 58 of the GDPR. The supervisory authority's experience to date in this regard has been used to formulate a list of issues to which - together with the presentation of relevant evidence - the requested controllers and processors will have to refer.
Personal data protection, the right to privacy and the right to security are human rights that should accompany each of us, even in the most dramatic situations. Therefore, the Personal Data Protection Office (UODO) is closely monitoring the situation of refugees from Ukraine.
The President of the Personal Data Protection Office was pleased to learn that the Commissioner for Human Rights (CHR) had drawn attention to the problem of the disclosure of land and mortgage register numbers, which leads to the acquisition of much of the personal data contained in the registers.
"Consumers include us all" is the slogan for this year's World Consumer Rights Day, which falls on 15 March. Refugees from Ukraine are also consumers. It is with them in mind that the Personal Data Protection Office, together with the Office of Competition and Consumer Protection and other institutions, prepared useful information that will make shopping, travelling and using services in Poland easier.
The President of the Personal Data Protection Office invites students of schools participating in the 12th edition of the "Your data – your concern" program to take part in the competition entitled "Personal Data Protection on a Daily Basis". The task is to prepare a voice recording addressed to seniors on the principles of personal data protection. Additionally, in a separate competition, we will select the best educational initiative implemented in the current edition of the program.
An administrative fine of over PLN 4.9 million has been imposed on Fortum Marketing and Sales Polska S.A. for failing to implement appropriate technical and organisational measures to ensure personal data security and failing to verify the processor. In turn, the processor received a fine of PLN 250,000.00.
The President of the Personal Data Protection Office sent a letter to Ludmila Denisova, Ukrainian Parliament Commissioner for Human Rights, strongly condemning the unprecedented armed attack on Ukraine.
The supervisory authority imposed an administrative fine of over PLN 545,000 (EUR 120,000) on Santander Bank Polska S.A. The reason for this decision was that the Bank breached the provisions of the GDPR by failing to communicate the incident to the data subjects without undue delay. Thus, the Polish DPA ordered that the situation and the potential consequences related to it be communicated to these persons.
Failure to cooperate with the Polish Data Protection Authority by not providing access to personal data and other information necessary for the performance of its tasks resulted in an administrative fine imposed on Pactum Poland Sp. z o.o. The amount of over PLN 18 000 has already been paid.
New technologies are everywhere and are essential in today's world. However, it should be remembered that they bring not only the opportunity for development and other positive aspects, such as access to sources of knowledge, entertainment or social communication in real time, but also many risks.
How to prepare interesting classes with students of different ages on the key principles of personal data protection? Answers to this question were provided by the workshop for teachers organized by the Personal Data Protection Office. The meeting, which took place on January 31, 2022, was an event accompanying the conference "Personal Data Protection on a Daily Basis", which was organized as part of the 16th Data Protection Day.
This year the ‘Michal Serzycki’ Data Protection Award was awarded to Małgorzata Margulska-Haczyk and Xawery Konarski.
Some students, e.g. from the Commune Primary School (Gminna Szkoła Podstawowa) in Oława, will set off on an expedition "In the search for digital traces". Others, e.g. senior pupils of MIKRON in Łódź, will learn to explain in English how to protect personal data on the phone or on social media during English classes, using typical data protection vocabulary in this language for this purpose.
‒ Let education on the protection of privacy and safe processing of personal data be a permanent element of the everyday education process and a solid foundation for activities undertaken in educational institutions ‒ emphasised Jan Nowak, the President of the Personal Data Protection Office, in an open letter addressed to the participants of the 12th edition of the "Your data ‒ Your concern" educational program.
The Personal Data Protection Office will verify the processing of personal data by banks, as well as processors in the SIS and VIS systems. The entities processing data with the use of mobile applications may also be subject to inspection.
In the opinion of the Personal Data Protection Office, the position taken in the judgment of the Voivodeship Administrative Court (WSA) in Warsaw on the processing of personal data of a bank customer undermines the independence and autonomy of the supervisory authority.
Warsaw University of Technology was fined PLN 45,000 (approximately EUR 9,900), among other things, for not implementing appropriate technical and organizational measures to ensure the ongoing confidentiality of processing services, and for the lack of regular testing, assessing and evaluating of the effectiveness of measures. The University did not take into consideration the risk related to the processing of data within the application.
The Personal Data Protection Office informs that on January 28, 2022, the Data Protection Day will be organized for the sixteenth time. The topic of this year's event is "Personal Data Protection on a Daily Basis". The event will be held on-line.
The 21st Meeting of the Central and Eastern Europe Data Protection Authorities (CEEDPA) was held on December 16-17, 2021. The host of this year's event was the Polish supervisory authority – the Personal Data Protection Office.
On December 16, 2021, the European Data Protection Board published the following statement.
"New Technologies in Medical Data Processing" is the title of a scientific conference organized by the Personal Data Protection Office. The event will be held online on Monday, November 29, 2021 at 10:00 am.
Given that they have received a significant number of complaints concerning the online clothing sales website vinted.com, operated by the Lithuanian company Vinted UAB, the supervisory authorities from France, Lithuania and Poland have entered into cooperation to investigate compliance of this website with GDPR. The supervisory authorities have jointly established a working group, facilitated by the EDPB, which held its first meeting on 8 November.
The obligation to communicate a personal data breach to the data subject does not depend on the occurrence of adverse effects for such a person, but on the mere possibility of their occurring, stressed the supervisory authority in the decision imposing on Bank Millennium S.A. a fine of over 363 000 PLN (80 000 EUR).
Personal data protection at school, the principles of implementation and the schedule of the 12th edition of the nationwide educational programme "Your data – Your concern" as well as the presentation of interesting educational initiatives – these are the most important issues discussed during the online training for coordinators of the 12th edition of the programme.
With the conference in the series „RODO w edukacji” ("#GDPR in education"), which will take place on October 12, 2021 in Kutno, the Personal Data Protection Office will inaugurate the twelfth edition of the nationwide educational programme "Your data – Your concern".
The Personal Data Protection Office invites you to a scientific seminar entitled "Artificial Intelligence and Fundamental Rights". This online event will take place on September 20, 2021 at 9:00 am.
We invite schools and educational institutions to participate in the 12th edition of the UODO's educational program "Your data – Your concern". We encourage all interested parties to read the recruitment details and fill out the application form.
The President of the District Court did not secure the company data carrier, but only instructed his employees to do it themselves. However, it is the controller, and not the user of the carrier, who is responsible for implementing appropriate technical and organisational measures to ensure adequate data security. For lack of such measures the supervisory authority imposed on the President of the Court an administrative fine of PLN 10 000.
The Ombudsman for Children supports the cassation appeal of the President of the Personal Data Protection Office filed with the Supreme Administrative Court which regards the judgment of the Voivodeship Administrative Court in Warsaw, which allowed the processing of students’ biometric data by the Primary School in Gdańsk. The processing of these data took place while the meals were served to children.
The Warsaw University of Life Sciences has not implemented sufficient technical and organizational measures to ensure the security of personal data of applicants for studies - confirmed the Voivodeship Administrative Court in Warsaw in its judgment of May 13, 2021. The Voivodeship Administrative Court upheld the decision of the President of the Personal Data Protection Office imposing 50 000 PLN fine on the university.
Mediation Promotion and Legal Education Lex Nostra Foundation was punished with an administrative fine of over 13 000 PLN (3 000 EUR) for failing to notify the personal data breach to the supervisory authority without undue delay, and for failing to communicate the incident to the data subjects.