20.01.2025

Fine for Toyota Bank for improperly located DPO and failure to include profiling in documentation

The President of the Personal Data Protection Office, Mirosław Wróblewski, has found that Toyota Bank Polska S.A., as data controller, allowed a situation in which its Data Protection Officer (DPO) was not fully independent in his work, and has imposed an administrative fine of PLN 261 918 for this. Additionally, for failing to include profiling in the record of processing activities and in a data protection impact assessment, a fine of PLN 314 302 has been imposed.

The proceedings resulted from an inspection carried out by the President of the Polish SA at Toyota Bank Polska S.A. concerning, inter alia, the profiling of customers' and potential customers' data.

During the inspection, it emerged that the Bank profiles large amounts of customer data in order to determine creditworthiness. The Bank also processes the result of the so-called credit score, i.e., the credit risk assessment and the assignment of a risk category defined by the Bank. It is this credit risk assessment and assignment of a credit risk category that constitutes profiling, which should have been, but was not, included in the Bank's record of processing activities. In addition, the Bank did not assess the implications of profiling for the security of personal data processing (no data protection impact assessment was carried out).

It also emerged that the DPO did not report directly to the Bank's highest management, i.e., its Management Board. Instead, the DPO worked as an IT auditor/security specialist in the security team and later in the security department, reporting directly to the Director of that department. Furthermore, that Director's duties also included managing data processing operations.

In the course of the proceedings, the Bank assured the President of the Polish SA that the DPO, within the scope of his duties, was completely independent and that his placement in the security department 'has only been an administrative issue (e.g., acceptance of leave and setting of financial conditions)'. As regards the record of processing activities, the Bank had started updating that record before the inspection and eventually also included profiling in it.

However, the President of the Polish SA indicated in the decision that, at the time of the inspection, the Bank was in breach of the rules on the protection of personal data and that the law requires consequences to be drawn from this. Profiling is a crucial activity here, not least because of its large scale. Therefore, the scope, context and purposes of profiling should be explicitly covered by a data protection impact assessment.

When calculating the amount of the fine, the President of the Personal Data Protection Office applied the methodology adopted by the European Data Protection Board. In his view, the administrative fine imposed, a total of PLN 576 220, fulfils, in the established circumstances of the case, the functions referred to in the GDPR (Article 83(1)), i.e., it will be effective, proportionate and dissuasive in this case.

The details of the case can be found in the decision of the President of the Personal Data Protection Office ref. no. DKN.5112.14.2022 (in Polish).