DPA decisions imposing administrative fines annulled

Two of the most severe fines ever imposed by the President of the Personal Data Protection Office (DPA) for violations of the General Data Protection Regulation (GDPR) have been overturned in court proceedings.

In both cases, the fines concerned a failure to implement adequate safeguards for personal data protection.

Over the past few months, administrative courts have overturned two decisions issued by the DPA imposing the most severe fines in Poland to date:

  • a fine of more than PLN 2.8 million imposed on Morele.net sp. z o.o. (final judgment of the Supreme Administrative Court issued in February 2023; III OSK 3945/21)
  • a fine of more than PLN 4.9 million imposed on Fortum Marketing and Sales Polska S.A. (non-final judgment of the Voivodship Administrative Court in Warsaw issued in October 2022; II SA/Wa 567/22).

In both cases, fines were imposed for violations that included failure to implement appropriate organizational and technical measures to secure personal data.

The courts had concerns about the manner in which the DPA conducted the administrative proceedings, finding, for instance in the first case, that the authority should have admitted evidence given by an expert witness as to the adequacy of data security measures. In the second case, the court found that the authority had not properly evaluated the evidence and had not established the facts of the case.

Therefore, during proceedings before the DPA regarding a lack of adequate safeguards, it is important for the party concerned to present arguments and evidence regarding the measures taken to secure personal data. For example, the evidence submitted could be risk analysis documentation or reports from external advisors.

It has to be demonstrated that the technical and organizational measures implemented were adequate in relation to the risks to the rights and freedoms of the data subjects. As the Supreme Administrative Court pointed out, it does not follow from the law that safeguards need to be effective in every case. Instead, the requirement is that the security measures be appropriate (adequate) in relation to the assessed degree of risk.

Author: Katarzyna Syska, Dominika Nowak-Byrtek

More from Traple Konarski Podrecki & Partners