Reporting an infringement of personal data protection

On 11/02/2019 by admin in Uncategorized @en

Telemarketers inviting you to free shows, e-mails with random offers, newsletters you have never subscribed to – if you have ever received messages or telephones containing unsolicited marketing or commercial material (so-called spam), read this article. Admittedly, until now all of the above has been prohibited under the applicable telecommunications law and the act on providing electronic services, but effective legal tools to combat the like were provided for only in May last year by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – commonly known as: the GDPR.

If you have not expressly consented to the processing of your personal data, the GDPR does give you the right to object to the use and transfer of this data to other entities and to request cessation of data profiling. At the same time, you may seek your personal data to be deleted from any databases and registers of the entity infringing your rights, in particular from mailing lists.

Therefore, in the first place address your request directly to the entity processing your data. Importantly, at this stage it is worth considering instructing a law firm specializing in the protection of personal data – this ensures higher effectiveness of actions and reduces the time needed for reaching a positive outcome of the case.

You should bear in mind that if the data controller does not act on your request, they should immediately, and not later than one month after receiving the request, inform you about the reasons for not taking action, as well as about the possibility of lodging a complaint to the supervisory body and using legal protection measures before court.

So, if your request turns out ineffective, you can file a formal complaint to the supervisory body, which in Poland is the President of the Office for Personal Data Protection. This results in initiation of proceedings, which may end with a decision ordering the restoration of the lawful state or the imposition of a fine on the infringing entity. The crucial part is that initiation of proceedings before the President of the Office for Personal Data Protection does not cost you a penny.

You can report an infringement through a proxy or a selected public benefit organization (although the regulations in this respect are quite restrictive since the activities of such organization may not be of a profit-bearing character, but fall within the area of protection of the rights and freedoms of data subjects, while its goals statutory regulations must lie in the broadly understood public interest).

Submitting the complaint may be done either traditionally or electronically.  The latter requires the complaint to be signed through a trusted ePUAP profile or to bear a qualified electronic signature.

The complaint should contain, among others: a detailed description of the violation and demands of the complainant indicating what kind of action they expect the authority to undertake (e.g. rectification or deletion of data, limitation of data processing, compliance with the information obligation, or transfer of data). In the case where you are able to evidence the circumstances described in the letter, such as: contracts, certificates, letters addressed to the infringing party or any other correspondence with the personal data administrator pointing to the infringement – it is worth attaching  such to the complaint.

The proceedings before the President of the Office for Personal Data Protection are conducted in the manner and pursuant to the principles provided for in the Code of Administrative Procedure, which, sadly, significantly formalizes the entire process by imposing, say, specific statutory time limitations. The character of the lawsuit is that of one-tier proceeding, at which end a decision is rendered. However, the decision may be challenged by addressing an appropriate complaint to the administrative court.

As a side note, it is worth noting that a claim for damages for personal data breach may not be the subject of proceedings before the President of the Office for Personal Data Protection. This issue can only be resolved before the competent court. For instance, transmitting unsolicited commercial material may also be seen as a violation of your personal rights, such as free access to correspondence and communication, as well as the right to privacy.

Written by:

Jędrzej Brzykcy

Consulting:

Mateusz Staszek, attorney