An administrative fine of more than PLN 85 000 imposed on an entrepreneur, conducting an economic activity in the field of health care, for the failure to comply with the order imposed on it in an administrative decision.
The Personal Data Protection Office (UODO) ordered the entrepreneur to communicate the breach of their personal data to its patients and to provide these persons with recommendations on how to minimize the potential adverse effects of the incident. The controller failed to do so, as the proceedings revealed, the purpose of which was to check whether the obligations imposed in the UODO’s decision had been fulfilled.
Consequently, the persons affected by the breach knew nothing about it. In the notification there meant to be information such as:
- a description of the nature of personal data breach;
- the name and contact details for the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of measures taken or proposed by the controller to be taken to address the personal data breach – including measures to mitigate its possible effects.
Properly fulfilling of this obligation would allow data subjects to understand what the breach of protection of their personal data consisted in, to learn the possible consequences of such an incident, and what actions they can take in order to mitigate its possible adverse effects.
Because the entrepreneur ignored the decision of supervisory authority, UODO decided to initiate an ex officio proceedings in the case of imposing an administrative fine. It should be noted that the entrepreneur, despite receiving from the Office detailed instructions concerning, inter alia, the correct wording of the communications and the form in which they should be delivered to patients, as well as the manner of documenting these actions, even at the stage of the proceedings in the case of imposing a fine did not present complete evidence, which would allow to acknowledge that the obligation resulting from the order of the decision was fulfilled by the entrepreneur.
