
The Voivodeship Administrative Court dismissed the appeal brought by Toyota Bank Polska SA
The decision concerned two fines totalling PLN 576 220 imposed by the President of the Personal Data Protection Office on Toyota Bank Polska SA for incorrectly positioning the DPO and failing to include profiling in the documentation.
In this decision, the President of the Personal Data Protection Office, Mirosław Wróblewski, emphasised that Toyota Bank Polska S.A., as data controller, had allowed a situation to arise in which the Data Protection Officer (DPO) was not fully independent in performing his duties. The President of the Personal Data Protection Office imposed a fine of PLN 261 918. For omitting profiling from the register of data processing activities and from the data protection impact assessment, he imposed a fine of PLN 314 302.
The proceedings were the result of an inspection carried out by the President of the Personal Data Protection Office. The inspection revealed that the DPO did not report directly to the bank’s top management, i.e. its board of directors, and worked as an IT auditor/security officer in the security team and then in the security department, reporting directly to the director of that department. That director’s duties also included managing the data processing operations and controlling the safeguards for that processing.
It also emerged that the bank profiled a large amount of customer data in order to determine customers’ creditworthiness. The bank also processes the result of the ‘scoring’, i.e. the credit risk score and the assignment of the risk category defined by the bank. It is this credit risk scoring and credit risk categorisation that involves profiling, which should have been, but was not, included by the bank in the register of data processing activities. Furthermore, the bank did not assess the impact of profiling on the security of the processing of personal data.
In its judgment of 18 September 2025, the Voivodeship Administrative Court, in its oral statement of reasons, shared the arguments of the President of the Personal Data Protection Office. The court held that the President of the Personal Data Protection Office had correctly assessed the factual and legal situation concerning the Data Protection Officer of Toyota Bank Polska. The DPO’s employment was contrary to the law, and the President of the Personal Data Protection Office correctly assessed that the DPO was not directly subordinated to the highest management. The controller did not provide adequate means to ensure that the DPO did not receive instructions on how to perform his duties. In the view of the court, the failure to include profiling in the descriptive content of the register of processing activities constituted an infringement of the provisions of the GDPR (Articles 30(1), 35(1) and 35(7)).
Decision in Polish: DKN.5112.14.2022