Processing the personal data by a processor must be documented
The Polish SA has been notified of a personal data breach at the Sułkowice Cultural Centre. In the course of the proceedings, it was found that the controller without written contract used a processor to which it outsourced the maintenance of accounting books, records and preparation of reports (in the areas of finance, taxation and Social Security) or storage of documentation.
In addition, the controller failed to verify whether the processor provides sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing of personal data complies with the GDPR.
The processor is supposed to meet guarantees to protect the rights of data subjects
The controller, when deciding to have the processing of personal data carried out by another entity, should verify whether the entity provides sufficient guarantees for the implementation of appropriate technical and organisational measures and that the processing will meet the requirements of the GDPR and protect the rights of data subjects.
Failure to verify the processor and its guarantees for processing in accordance with data protection regulations may entail consequences for individuals whose personal data has been entrusted to the processor, such as loss of personal data. Thus, the decision of which processor the controller should use, should not be taken with lack of basis. Only after examining the competence and adequacy of the chosen processor can the controller proceed to conclude an appropriate contract.
In the course of the case, the supervisory authority found that the controller did not have any documents confirming the verification of the terms of cooperation with the processor. In addition, requests to the controller for information, clarification and return or access to the processed data were unsuccessful.
The processor operates under a contract with the controller
Pursuant to Article 28 of the GDPR, a controller wishing to process data with the assistance of another entity shall use only such entities that provide sufficient guarantees for the implementation of appropriate technical and organisational measures.
The processing itself by the processor is carried out on the basis of a written contract between the controller and the processor. Such a contract shall specify, among other things, the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller.
The GDPR stipulates that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The controller, i.e. the entity that determines the means and purposes of processing, has the responsibility to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").
As the Sułkowice Cultural Centre was the controller of the personal data being processed, it was therefore its responsibility to select a processor.
Taking all the circumstances into account, the supervisory authority found that imposing an administrative fine on the controller was necessary and justified by the gravity and nature and scope of the alleged personal data breach against the entity. And the administrative fine itself in the amount imposed will be effective and will cause the controller to pay due attention to the processing of personal data through and with the help of the processor in order to avoid further sanctions.