The President of the Personal Data Protection Office, after having found a personal data breach by the Warsaw University of Life Sciences (SGGW), imposed a fine on this entity in the amount of PLN 50 000.
On 3 September 2020, the Voivodeship Administrative Court (WSA) in Warsaw issued a judgment on Morele.net’s appeal against the decision of the President of the UODO imposing an administrative fine. The WSA dismissed the appeal and considered that the decision on the fine imposed on the company was justified.
Infringement of the principle of lawfulness of personal data processing and making intentionally available without a legal basis on the GEOPORTAL2 (geoportal.gov.pl) of personal data in the form of land register numbers obtained from the land and property registers are the reason for imposing an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (GGK).
The President of the Personal Data Protection Office (UODO) imposed a penalty of a reprimand for the processing of students’ personal data without legal basis in connection with survey carried out by a school in the school year 2019/2020. The survey entitled “Diagnosis of student’s home and school situation” examined personal situation of students.
Following the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the EDPB has adopted a ‘Frequently Asked Questions’ document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S. This document will be developed and complemented, along with further guidance, as the EDPB continues to examine and assess the judgment of the Court.
Jan Nowak, the President of the Personal Data Protection Office and Bartłomiej Chmielowiec, the Patient’s Rights Ombudsman, signed an agreement on mutual cooperation, the purpose of which is to support each other in the implementation of statutory tasks.
In its judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd. and Maximilian Schrems delivered on 16 July 2020, the Court of Justice confirmed the high standard of personal data protection with regard to the transfer of personal data to third countries.
The President of the Personal Data Protection Office (UODO), after having conducted an administrative proceeding instituted ex officio in the case of imposition of an administrative fine, imposed a fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK).
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 5 000 on an individual entrepreneur running a non-public nursery and pre-school.
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 15 000 on East Power company from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks.
Two years after the application of the General Data Protection Regulation (GDPR), the European Commission published an evaluation report on its implementation. According to the authors of the report, the GDPR strengthens the position of the citizen by providing a number of rights related to the protection of personal data and creates a new European system for managing and enforcing these provisions.
Today, a mobile phone is not only used to talk and communicate, but also has many other functions. It serves entertainment, allows you to settle many matters of everyday life. Many people download seemingly free applications to their mobile phones that do not require any payment. Is this indeed the case?
What a school year it was! Maybe a selfie with a school certificate? Or maybe proud parents intend to show off their kids' high marks on their own social media profiles? Be careful, because it's a real treat for "lovers of other people's data."
Implementation of the 10th edition of the nationwide educational program 'Your Data - Your Concern. Effective protection of personal data. Educational activity addressed to students and teachers" has come to an end. It was a unique, since the jubilee edition of the program. Many interesting projects and meetings were part of this edition. A lot of activities were going on!
In the 2019/2020 school year, schools and educational institutions participating in the 10th edition of the "Your Data ─ Your Concern" program have implemented 1 267 educational initiatives dedicated to the protection of personal data. Among them, there were activities which promoted the principles of secure use of personal data at and outside of school, especially in the virtual world. There were also undertakings addressed to teachers, parents and even seniors. School data protection officers have also actively supported many activities.
Creating personal e-mail addresses for teachers or students or recording the course of a lesson or teachers board in accordance with the principles of the GDPR - are the examples of questions that participants asked during online training entitled "Remote work and personal data protection - advice for teachers", which was organized on May 20, 2020 by the Personal Data Protection Office. The event was made possible thanks to the cooperation with the National eTwinning Office and took place as a part of the "Remote education with eTwinning" campaign.
New technologies have opened up completely new opportunities. Video conferencing and video calls are among the most popular ways of communication at the time of teleworking and online contacts with friends and family resulting from the current situation connected with reducing the spread of COVID-19.
In a situation where, for example a person's body temperature is measured, or data concerning his or her health is collected, and then this information is recorded, transmitted and collected, a special category of personal data will be processed.
In connection with repeated questions and doubts addressed to the supervisory authority regarding the collection of personal data of voters by the postal operator in order to organize the election of the President of the Republic of Poland, the President of the Personal Data Protection Office presents his position on the matter.
The President of the Personal Data Protection Office received from the State Poviat Sanitary Inspector in Gniezno (PPIS) an explanatory letter regarding the publication of personal data of persons who are in quarantine. The case is currently being examined by the UODO and any further actions of the Office will depend on its circumstances.
The President of the Personal Data Protection Office received a notification regarding a breach of personal data protection from the National School of Judiciary and Public Prosecution in Krakow. The case is currently being analyzed and complemented for additional materials and information that will explain all its circumstances.
During its 21st plenary meeting, the European Data Protection Board adopted a letter concerning the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic.
The President of the Personal Data Protection Office has consistently taken the view that copying identity documents by the representatives of the institutions subject to the law must be preceded by an analysis of purposefulness, verification whether such an action is actually necessary. The practice varies, that is why the President of the UODO addressed the Chairman of the Polish Financial Supervision Authority (KNF) with a request to consider issuing by that regulator relevant recommendations on verifying the identity of clients.
The European Data Protection Board, during its 20th plenary meeting which was held on 7 April 2020, granted its expert subgroups specific mandates to develop guidance on data processing aspects relevant to the rights and freedoms of data subjects in connection with the COVID-19 outbreak.
The President of the UODO on the basis of the Art. 70 para. 1 and 2 of the Act of 10 May 2018 on the Protection of Personal Data obliged the Surveyor General of Poland to limit the processing of personal data regarding land register numbers, ordering to stop their publication on the GEOPORTAL2 website (geoportal.gov.pl) until the issuing of the administrative decision which will conclude the proceedings in this case. The basis for issuing the decision is the plausible demonstration of infringement of the data protection provisions and the threat of causing serious and hard-to-remove consequences.
The European Data Protection Board is speeding up its guidance work in response to the COVID-19 crisis. Its monthly plenary meetings are being replaced by weekly remote meetings with the Members of the Board.
The President of the Personal Data Protection Office imposed a fine of PLN 20 000 on Vis Consulting Sp. z o.o. in liquidation with the seat in Katowice, a company from telemarketing industry, for making it impossible to conduct inspection. Additionally, the company’s owner is subject to criminal liability for this.
The protection of personal data applies to all of us. That is why we invite students to cooperate - we want to work together!
─ The GDPR is not an obstacle to distance education during the Coronavirus pandemic, it gives the possibility for schools to reasonably implement appropriate distance education methods and techniques, while at the same time respecting the basic data protection rules – said Jan Nowak, the President of the Personal Data Protection Office (UODO).
Recently, the Personal Data Protection Office receives applications for a public key certificate for devices (VPN) and for a public key certificate for the operator on the card. The President of the UODO is not competent to consider such applications.
The Chief Sanitary Inspector’s (GIS) recommendations issued on the basis of the Special Act on preventing COVID-19 may constitute a legal basis for processing personal data. The President of the UODO recommends that GIS and the State Inspection authorities use the support of their data protection officers (DPO) and declares full readiness to cooperate in this regard.
Following an inspection performed at the Warsaw University of Life Sciences (SGGW) in connection with the data protection breach, the President of the Personal Data Protection Office (UODO) initiated administrative proceedings.
On 19 March 2020 the EDPB has adopted a statement on the processing of personal data in the context of the COVID-19 outbreak
The President of the Personal Data Protection Office received a personal data breach notification from ID Finance Poland Sp. z o.o. with the seat in Warsaw.
Global Privacy Assembly set up a dedicated space on its website containing the statements on coronavirus issued by particular data protection authorities.
The Chair of the European Data Protection Board (EDPB) extends by six weeks the currently conducted public consultations on guidelines.
Due to the prevention of the spread of the COVID-19 virus and for the sake of safety of both citizens and employees of the Office, we kindly inform that the Personal Data Protection Office remains closed for the public.
On 12 March 2020 the President of the Personal Data Protection Offices issued a statement on coronavirus.
The President of the Personal Data Protection Office imposed a fine of PLN 20 000 in connection with the breach consisting in the processing of biometric data of children when using the school canteen.
Current challenges in educating children and young people on the subject of personal data protection and educational activities conducted by the Personal Data Protection Office in Poland were the theme of the meeting with school principals and teachers from the "#RODO in education" series, which took place on February 28, 2020 in Zamość.
By the judgment of 28th February 2020, the Voivodeship Administrative Court in Warsaw upheld the decision of the President of the Personal Data Protection Office imposing an administrative fine of PLN 55 750.50.
From 2nd March 2020 infoline staff will be available to all customers on one telephone number: 606-950-000. Our experts are available from Monday to Friday between 10.00-14.00.
Healthcare facilities are sending questions to the Personal Data Protection Office which relate to the situations in which patients request the necessary access code for the execution of e-prescriptions via phone call. Healthcare facilities have doubts as to whether they can make such information available by telephone. These requests often result from the fact that the patient lost the access code, which was provided to him or her in the form of a printout.
Updates are an integral part of the IT world, and hence it is important to be aware that regular updating of anti-virus and firewall software, browsers, as well as other applications and entire operating systems that we use on a daily basis is one of the key conditions for ensuring the secure and stable work of our computer.
As part of the main events which were organised within the framework of the 14th Data Protection Day, an Open Day at UODO was held. Persons interested in the subject of personal data protection could benefit from legal advice provided by UODO experts. The debates were also organised. Michał Serzycki Awards for the third time were given to the people with educational achievements in the field of personal data protection.
The Data Protection Officer's Handbook is a set of guidelines for DPOs on how to ensure compliance with the General Data Protection Regulation (GDPR). The manual which was developed as part of the "T4DATA" project is also available in Polish.
The entity collecting entrepreneurs’ personal data from open records for the purpose of providing commercial services is obliged to fulfil the information obligation directly in relation to those persons - stated the Voivodeship Administrative Court in Warsaw in the case of Bisnode company and thus agreed with the decision of the President of the Personal Data Protection Office (UODO) with regard to imposing a fine on the above entity.
After one and a half year of operation of the Personal Data Protection Office, the structure of the Polish data protection authority will change.
Although the implementation of the project "T4DATA - Training Data Protection Authorities and Data Protection Officers" is coming to an end, its results will also be disseminated in 2020 by the project’s partners. This was the conclusion of their final meeting which took place on 14 and 15 November 2019 in Rome.
The comments should be sent to the European Data Protection Board by 16th of January 2020 at the latest.
The President of the Personal Data Protection Office imposed an administrative fine of over PLN 201,000 for, inter alia, obstructing the exercise of the right to withdraw consent to the processing of personal data.
The President of the Personal Data Protection Office (“The President of the Office”) imposed first administrative fine of PLN 40,000 on a public entity for failure to comply with the GDPR. The reason for imposing the fine was that the mayor of the city did not conclude a personal data processing agreement with the entities to which he transferred data.
For two days the President of the Personal Data Protection Office hosted a high level delegation from the National Centre of Legislation and Legal Research of the Republic of Belarus, the House of Representatives of the National Assembly of the Republic of Belarus, the Operational and Analytical Centre under the President of the Republic of Belarus, the National Statistical Committee of the Republic of Belarus and the Ministry of Communications and Informatization of the Republic of Belarus.
We would like to kindly inform you that due to technical works, difficulties in contacting the Personal Data Protection Office might have occured in the period between October 11th and October 15th.
The Ministry of Family, Labor and Social Policy supports the position of the President of the Personal Data Protection Office (UODO) on conducting sobriety tests on employees.
The President of the Personal Data Protection Office imposed a fine in the amount of more than PLN 2,8 million on Morele.net.
The President of the Personal Data Protection Office initiated ex officio proceedings against PZU Pomoc (Assistance Service Company of PZU Insurance Company) responsible for the campaign "Holidays with PZU Safe Child".
According to the President of the Personal Data Protection Office (UODO), Art. 112b of the Banking Law Act does not allow banks to make photocopies and scans of clients' ID cards, e.g. to set up a bank account or to examine the customer's creditworthiness. In such situations, it is enough just to write down the data from ID card.
In connection with the suspicion of the infringement of the personal data processing, the President of the Personal Data Protection Office (UODO) initiated the ex officio proceedings against the Ministry of Justice and the National Council of the Judiciary (KRS).
The President of the Personal Data Protection Office (UODO) initiated two proceedings against the Chancellery of the Sejm (lower chamber of the Polish Parliament) based on a complaint by a natural person and ex officio in a case concerning the processing of judges’ personal data included in the list of judges supporting the candidates' application to the National Council of the Judiciary. Provisions in this case were issued on 29 July 2019.
It remains unclear to which documents and personal data collected under the “Blue Card” procedure victims of domestic violence and its perpetrators have access.
The partners’ fourth meeting was devoted to the summary of the done work within the framework of the "e-OpenSpace" project. It took place at the headquarters of the Personal Data Protection Office in Poland and was the last one that concerned the coordination of works on the project. The "e-OpenSpace" project will end in August 2019 after a two-year implementation period.
The European Data Protection Board welcomes comments on the Guidelines 3/2019 on processing of personal data through video devices.
The Personal Data Protection Office seeks to ensure that the PESEL – the national identification number - is not revealed in the electronic signature certificate or used as an identifier in digital services.
The Act on Public Documents, which comes into force, prohibits the making and trading of replicas e.g. of personal identity cards or driving licenses. According to the Personal Data Protection Office, not every copy of a public document will have the features of authenticity. Nevertheless, an entity that will copy for example an ID card may be responsible for processing too wide scope of personal data.
On 8 July 2019, the Communication of the President of the Personal Data Protection Office of 17 June 2019 concerning the list of the kind of processing operations which are subject to the requirement for a data protection impact assessment was announced in Monitor Polski.
In the current legal situation, employers cannot independently examine the sobriety of employees. This is determined by Art. 17 of the Act on Upbringing in Sobriety and Counteracting Alcoholism.
A few tips on how to take care of your personal data during the holidays and protect yourself against potential problems.
About 2 000 teachers and over 45 000 students from 335 educational institutions from all over the country took part in the 9th edition of the "Your Data - Your Concern" programme run by the Personal Data Protection Office. This school year 4 000 lessons were devoted to the protection of personal data and privacy as a part of the programme.
Registers of residents, video surveillance, Public Information Bulletin’s (BIP) resources and websites of offices – those are areas in which local government officials had problems while applying the General Data Protection Regulation (GDPR). Nevertheless, after one year of GDPR application, the balance for local self-government units is positive.
The 29th Edition of the Conference of European Data Protection Authorities, which took place on 8-10.05.2019 in Tbilisi, gathered representatives of Supervisory Authorities from the European Union and the Eastern Partnership Countries. This year’s edition of the Conference was organised by the Georgian Data Protection Authority.
The agreement delineates the principles, scope and form of cooperation between the President of the PDPO in Poland and the Data Protection Officer of Catholic Church
Ineffectual attempts to remedy a breach consisting in making public too broad of a scope of personal data are the main reason behind imposing a fine on the controller by the President of the UODO.
On March 27th, 2019, the Council of Europe issued a set of guidelines addressed to its 47 Member States. These principles aim at ensuring, both at legal level as well as in practice, a full compatibility of health-related data processing with human rights, especially with privacy and data protection.
The President of Personal Data Protection Office Dr. Edyta Bielak-Jomaa was awarded the title of ‘Personality of the Year 2019’.
In May and June this year, Personal Data Protection Office in cooperation with National Institute for Local Self-government will organize four local trainings entitled: "Changes in the protection of personal data in the light of the GDPR and the Act of 10 May 2018 on the Protection of Personal Data". The initiative is addressed to data protection officers as well as to the leading figures who perform this function in public administration.
The President of the Personal Data Protection Office (UODO) imposed the first fine in the amount of over PLN 943 000 for the failure to fulfil the information obligation.
The Bureau of the Committee of Convention 108 Committee is holding its 47th meeting in Paris, on 20-22 March 2019.
On March 15th the European Data Protection Board has published on its website the Opinion 5/2019 on the interplay between the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector as amended by Directive 2006/24/EC and Directive 2009/136/EC) and the GDPR, in particular regarding the competence, tasks, and powers of data protection authorities.
On the 15th of March 2019 the European Data Protection Board (EDPB) has published on its website the Statement 2/2019 on the use of personal data in the course of political campaigns.
The European Parliament voted in favour of ratification of the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108) by the Member States. Recommendation in this case was supported by 624 MEPs in a vote cast on the 12th of March with only 12 votes against its adoption.
On Wednesday, February 27th, during the TOP President Gala, the Business Institute (Instytut Biznesu) has recognized the most interesting, inspiring, and best managers of 2018. One of the prizes was awarded to Dr Edyta Bielak-Jomaa, the President of the Personal Data Protection Office (UODO).
On February 25th 2019 the European Data Protection Board (EDPB) has published on its website a statement on FATCA – the US Foreign Account Tax Compliance Act.
On October 11, 2018 partners of the T4DATA project gathered to discuss the next steps of the initiative. The main topic of the discussion were the local trainings and a series of webinars which are going to be presented in 2019 to the Data Protection Officers working in the public sector.
Electronic space - a platform for the exchange of information by data protection authorities as well as the electronic space accessible to all interested parties, was the main topic of the third partners’ meeting held in Italy. Further documents are created and partners implement the project goals on time.
The change in the approach to personal data management, the organization of activities in this area, the increasing use of rights which are guaranteed by the GDPR are just a few examples of benefits that result from the application of the new law.
In connection with high likelihood of the withdrawal of the United Kingdom from the European Union without concluding international agreement regulating this issue, the President of the Personal Data Protection Office explained at press briefing on 17 January 2019 what would be the consequences thereof for the Polish data controllers and processors. She also gave advice on how to prepare properly for this.
10 tips for data controllers - how to apply the GDPR - experience from the first half of the year.
After complaints, questions and incoming signals analysis, the Personal Data Protection Office prepared 10 tips for data controllers in order to help them to apply the GDPR rules on a daily basis.
10 tips on how to exercise the rights guaranteed by the GDPR - experience from the first half of the year.
Based on the experience of the first six months of the application of the GDPR, the Personal Data Protection Office prepared 10 tips on how to use the rights guaranteed by the Regulation.
The Personal Data Protection Office’s Poland wide educational programme ,,Your data – your concern…”, launched in 2009 each year gathers more and more institutions. Also this year we will try to meet the growing demand for knowledge on personal data protection at educational institutions, both among teachers and students. The Personal Data Protection Office provides educational materials and specialised training for schools that will apply for the participation in this initiative.
The co-organisers of the Conference were the President of the Personal Data Protection Office and the European Law Students’ Association ELSA Poznań. During the event, the representatives of the Adam Mickiewicz University in Poznań, the University of Groningen, the European Commission, as well as legal offices presented selected personal data protection issues in the new legal order implemented by the General Data Protection Regulation (GDPR) applied as of 25 May 2018.
T4DATA project: TRAINING DATA PROTECTION AUTHORITIES AND DATA PROTECTION OFFICERS
Dear Ladies and Gentlemen,
Today on 25 May 2018, we begin to apply the provisions of the EU General Data Protection Regulation, that is the GDPR. Thus the two-year’s long adjustment period, in which everyone obliged to apply its provisions should start acting in a way fully compliant with those provisions, terminates. This day is a perfect occasion to share with you some reflections on the future of the Polish personal data protection system.
Along with the beginning of application of the General Data Protection Regulation (GDPR) on 25 May 2018, the obligation to notify personal data filing systems to registration shall terminate. This means that from that date personal data filing notifications, notifications of changes in the personal data filing system and requests for striking off in the register do not have to be sent to the Inspector General for Personal Data Protection.
- Infoline (in Polish)
- 606-950-000
- Operates on weekdays from 10.00 a.m. – 2.00 p.m.
- Urząd Ochrony Danych Osobowych
- ul. Stawki 2, 00-193 Warszawa
- fax. 22 531 03 01
- kancelaria@uodo.gov.pl
- Working hours of the office: 8 a.m. – 4 p.m.