GDPR breach by a courier company
DPD Poland Ltd used the transport services of external carriers without first concluding data processing agreements with them. The company, as the personal data controller, also failed to ensure that processing took place only on the controller's instructions. Its failure to appoint a person responsible for granting authorisations to process personal data violated the company's own data protection policy and the principles of confidentiality and accountability. These breaches of the personal data protection provisions, including the processing rules they govern, were the basis on which the President of the Personal Data Protection Office exercised the power to impose administrative fines totalling over PLN 11 million.
The decision of the President of the Personal Data Protection Office, Mirosław Wróblewski, concluded administrative proceedings initiated ex officio, which had been preceded by an inspection at the company's registered office. The inspection covered the processing of personal data in connection with the provision of courier delivery services.
In the course of the proceedings it was established that, during the parcel delivery process, the controller processed the following data: first names, surnames, e-mail address, telephone number, addresses (sending, delivery and parcel redirection), bank account number (in the case of the cash-on-delivery service), company name, parcel number and the handwritten signatures of the sender and the addressee.
Shipments were moved between the company's branches by external carriers (so-called LNH carriers). The controller, however, did not conclude with these carriers the data processing agreements required by the GDPR. The company argued that this was unnecessary because the subject of the contract was a transport operation which, in the company's view, did not involve any processing of personal data by the LNH carriers. The President of the Personal Data Protection Office did not share this view, finding that by not concluding personal data processing agreements with these carriers the company had infringed Article 28(3) GDPR.
The President of the Personal Data Protection Office noted in the grounds for the decision that, under the agreements the company had concluded with the external LNH carriers, the carriers were obliged to take part in loading and unloading parcels, and thus had access to address labels containing personal data. In addition, parcels were also transported in vehicles which the company neither owned nor had any other legal basis to use; in such cases the external LNH carriers were the parties entitled to use those vehicles.
The controller did not effectively and correctly grant its employees authorisations to process data, even though its own data protection policy provided for this. The company's intention was that new employees would be granted authorisations automatically by the IT system once they had completed training on the principles of personal data protection on an electronic learning platform. Passing the test triggered the automatic generation of a document whose wording suggested it was an authorisation to process data, but which lacked essential elements such as the employee's name and the signature of the person granting the authorisation. For this reason the President of the Personal Data Protection Office held that a document of unclear content, generated automatically by the system, could not be classified as a data processing authorisation. This in turn constituted a violation of Articles 29 and 32(4) GDPR.
The President of the Personal Data Protection Office found that the GDPR had been seriously violated:
- External carriers were involved in the processing of personal data during the transport of parcels and at the time of loading and unloading. No contracts entrusting the processing of personal data to them had been concluded in connection with these activities.
- The controller should ensure that personal data are processed under its authority and solely on its instructions. One way of demonstrating that this is the case is for the controller to grant appropriate authorisations. Merely recording that an employee passed a data protection knowledge test and automatically generating an electronic file with a generic authorisation formula from the ICT system is not, and cannot be regarded as, a declaration of the controller's will in this matter.
- The company's improper conduct as a controller was also evident in its failure to implement the provisions of its data protection policy on the granting of authorisations, which it was obliged to implement given the scale of its personal data processing (an obligation provided for in Article 24(2) GDPR).
For the first violation of the GDPR, the failure to conclude personal data processing agreements, the President of the Personal Data Protection Office imposed a fine of PLN 6.251 million on the controller. For the second breach, the failure to implement organisational measures ensuring adequate data security, the President of the Personal Data Protection Office imposed a fine of PLN 5.209 million.