Processing of personal data by a data processor

The processing of personal data by a processor must be documented, i.e. there must be a contract, in accordance with Article 28, paragraph 3 of REGULATION 679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Date December 20, 2022 Poland

Basic information
Date of final decision: September 7, 2022
Operator: Cultural Center of the Municipality of Sułkowice
Legal reference: Requirements relating to the processor (Article 28(1)(3)(9))
Decision: Administrative fine

Summary of the decision

Origin of the case
Polish SA was notified about a personal data breach at the Cultural Center Sułkowice. In the course of the procedure, it was found that the operator, without a written contract, used a processor to whom it outsourced bookkeeping, record keeping and reporting (in the areas of finance, taxation and social security) or documentation storage.

Furthermore, the controller has not verified whether the processor provides sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing of personal data complies with the GDPR.

Key findings
Failure to verify the processor and its safeguards for processing in compliance with data protection regulations may entail consequences for individuals whose personal data have been entrusted to the processor, such as loss of personal data. Only after having examined the competence and suitability of the chosen processor, the controller may proceed to conclude an appropriate contract.

In the course of the case, the supervisory authority found that the controller did not have any document confirming the verification of the conditions of cooperation with the processor. In addition, requests to the controller for information, clarifications and return or access to the processed data were unsuccessful.

Decision
The Polish Personal Data Supervisory Authority imposed an administrative fine of PLN 2 500 on the Sułkowice Cultural Center.

The reason for the decision was the use by the controller of a processor without a written contract and the failure to verify whether the processor provides sufficient guarantees to implement adequate technical measures.

source https://edpb.europa.eu/news/national-