GDPR Case 029. The Polish supervisory authority imposed first administrative fine on a public entity

日期：31 October 2019

國家：波蘭

關鍵字：個人資料處理協議；資料儲存期限；處理者；當責性；資料完整性與機密性

GDPR：§5(1)(a) (lawfulness, fairness and transparency)、§5(1)(e) (storage limitation)、§5(1)(f) (integrity and confidentiality)、§5(2) (accountability)、§28(3) (data processing agreement)

裁決：行政罰鍰（PLN 40,000）、命令（刪除個人資料）

摘要：

(1) 波蘭監管機關對控管者 Aleksandrów Kujawski 市的市長處以行政罰鍰，因為該市在移轉個人資料前，未與市政廳公報布告欄（Public Information Bulletin (BIP)）的伺服器託管公司訂定個人資料處理協議（data processing agreement）；同時，也沒有與提供BIP軟體及資訊服務的公司訂定前述協議。

(2) 監管機關認為，控管者違反 GDPR §28 (3) 之規定，該條規定，當另一個實體（entity）代表控管者處理個人資料時，控管者必須與其簽定資料處理協議。

(3) 由於欠缺資料處理協議，控管者的市長在沒有法律依據的情況下，與處理者（processor）分享個人資料的行為，違反了處理行為的合法性原則（§5(1)(a)）以及保密原則（§5(1)(f)）。

(4) 除了前述違法行為外，監管機關同時發現，控管者並沒有針對 BIP 內容發布制定內部作業程序，以決定訊息的公告期限，例如，在 BIP 上可以找到可回溯至 2010 年即已公布的財產聲明，但依法律規定，該等資料的儲存期限，僅為 6 年；至於其他法律未規定儲存期限的個人資料，控管者也必須依其處理目的自行決定資料儲存期限，本件控管者因為犯了上述資料儲存期限的錯誤，因而違反 GDPR §5(1)(e)。

(5) 監管機關還發現，市議會的議事紀錄只能透過一個只在 BIP 上公布的 YouTube 連結取得，但是在控管者卻沒有保留這些資料的備份副本，因此，倘若儲存在 YouTube 上的資料遺失，就再也沒有辦法回復這些議事紀錄了，顯見控管者並沒有針對紀錄只保存在 YouTube 一事，進行風險評估，這違反了 GDPR §5(1)(f) 完整性與機密性原則（integrity and confidentiality）之規定。

(6) 由於資料處理登記上的瑕疵，控管者也違反 §5(2) 當責性原則（accountability），例如，控管者沒有紀錄所有的資料接收者（data recipients），也沒有針對資料刪除的計畫處理日期等事項，予以明確紀錄。

(7) 由於上述違法行為，監管機關因而對控管者的市場處理如上行政罰鍰，並命令控管者應刪除個人資料。

Reference

Article 28 (Processor)

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.