09.06.2025

Limitation of liability for GDPR violation. Appeal in cassation by the President of the Personal Data Protection Office to the Supreme Administrative Court

The President of the Personal Data Protection Office Mirosław Wróblewski lodged an appeal in cassation before the Supreme Administrative Court. He appealed against the judgment of the Voivodeship Administrative Court in Warsaw, which upheld Santander Bank Polska SA’s complaint in relation to the administrative fine of PLN 1 440 549 imposed by the President of the Personal Data Protection Office.

The present case concerns a violation of the GDPR provisions. The Bank did not notify the personal data breach to the President of the Personal Data Protection Office (Art. 33(1) GDPR) and did not communicate it to the data subjects (Art. 34(1) GDPR).

The case concerns an incident from 2018. Bank documents containing personal data were stolen and then abandoned in a dumpster.

In the course of the proceedings, the President of the Personal Data Protection Office found that the bank had unduly waived its obligations under Articles 33 and 34 of the GDPR and had not fulfilled them until the supervisory authority had issued its decision. In this situation, the President of the Personal Data Protection Office obliged the bank to communicate the breach to the persons affected by the breach and imposed a fine on the bank as the data controller.

The bank brought an action against that decision before the Voivodeship Administrative Court. The Court annulled the part of the decision relating to the administrative fine assuming that the statute of limitations for its imposition had expired.

The substance of the dispute and the reason for the appeal in cassation lodged by the President of the Personal Data Protection Office concern whether national provisions regarding the statute of limitations may apply to fines under the GDPR.

The GDPR does not provide for a limitation period for liability. Nor does it empower EU Member States to introduce such limitations in their national law.

It also needs to be resolved (in case it is considered that national limitation rules apply to fines under the GDPR) whether the limitation period should be counted from the expiry of the time limits under Article 33(1) (notification of a data protection breach) and Article 34(1) GDPR (communication of the data breach to the data subjects), or - as the President of the DPA maintains - only from the moment when these obligations were finally fulfilled (albeit after the prescribed time limits).

The President of the Personal Data Protection Office emphasises, in presenting the grounds for the appeal in cassation, that notification of a personal data breach (to data subjects and to the supervisory authority) is one of the key mechanisms for the protection of personal data in the European Union. Therefore, the interpretation according to which those obligations cease to apply on the expiry of those time limits is incorrect.

This position is also confirmed by the guidelines of the European Data Protection Board.

Moreover, in the opinion of the President of the Personal Data Protection Office, the provision of the Polish Code of Administrative Procedure concerning a statute of limitations (Article 189g(1) of the Code of Administrative Procedure) does not apply at all to administrative fines provided for in Article 83 GDPR. Its application in this context may undermine the principle of primacy, effectiveness and uniformity of EU law. Therefore, the President of the Personal Data Protection Office asked the Supreme Administrative Court to consider making a request for a preliminary ruling to the Court of Justice of the EU in order to ensure a uniform interpretation of EU law and its relationship with national administrative law before examining the appeal in cassation.

The President of the Personal Data Protection Office is convinced that this case is of a precedent-setting nature, as its resolution will affect the way in which the GDPR provisions are applied in Poland as regards the limitation period for administrative liability for violations of the personal data protection provisions in the context of imposing fines, and thus will determine the powers of the supervisory authority and the effectiveness of the legal protection system in this area.

DKN.5131.59.2022