Sułkowice Cultural Center – €529 Fine (Poland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In May 2020, the Polish DPA received a notification of a personal data breach caused by the Sułkowice Cultural Centre (the controller). The data breach affected 30 persons, including employees of the controller. The DPA initiated an investigation, in which it found that the controller had entrusted the processing of personal data to an entity (the processor) without entering into a written data processing agreement. Moreover, the controller did not verify whether the processor provided sufficient guarantees of the implementation of appropriate technical and organisational measures in accordance with the GDPR.
The processor was responsible for keeping accounting books and records as well as preparing reports. It was therefore entrusted with the processing of employees' and former employees' personal data, including names, dates of birth, bank account numbers, residence addresses, personal identification number (PESEL), email addresses, data on earnings and/or property, the mother's family names, series and numbers of ID cards, telephone numbers, and health data. Since the Polish DPA was not able to obtain information on any contract concluded between the controller and the processor with regard to the above-discussed processing operations, the DPA initiated ex officio administrative proceedings against the controller.
First, the Polish DPA reiterated Article 28(1) GDPR, which prescribes that sufficient guarantees to implement appropriate technical and organisational measures must exist whenever the controller mandates data processing activities to be carried out on their behalf. Moreover, in line with Article 28(3) GDPR, a data processing agreement must be concluded between the controller and the processor, which stipulates the conditions of processing. Additionally, Article 28(9) GDPR requires the agreement to be in writing, including in electronic form. Second, the DPA clarified the roles of the entities involved in processing. As the employer and main administrator, the C
Related Enforcement Actions (0)
No other enforcement actions found for Sułkowice Cultural Center in PL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
7 September 2022
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€529
Enforcement Tracker ID
ETid-1405
GDPRhub ID
gdprhub-5274
Cite as: Cookie Fines. Sułkowice Cultural Center - Poland (2022). Retrieved from cookiefines.eu