Toyota Bank Polska fined by Polish regulators equivalent of £110,000 for DPO and profiling failures
Toyota Bank Polska S.A., a bank based in Poland, has been fined a total of PLN 576,220 (roughly £110,000) by the Polish Data Protection Authority (UODO) for two significant violations of data protection regulations.
First, it was found that the bank’s Data Protection Officer (DPO) was situated within the IT security department and reported directly to the individual responsible for data processing operations. The risk is that the independence required of the DPO under Article 38(6) of GDPR is compromised. Article 38(6) also states that while the DPO may fulfil other tasks and duties within the business, these must not result in a conflict of interest.
The issue here is that the individual the DPO is reporting to most likely makes key decisions about how personal data is collected, used and stored, and has a vested interest in the strategic outcomes of data use. This creates a conflict as the DPO may be pressured to overlook or downplay certain issues if there is a strategic benefit to keeping things the way they are. In addition to this, the DPO may lack the authority to challenge or change certain problematic practices. This is why under GDPR, the DPO must be independent and should ideally report directly to the highest level of management or board level.
The second violation was a failure to document profiling activities. Toyota Bank engaged in customer profiling to assess creditworthiness, assigning risk categories based on credit scores. This activity was neither detailed in the bank’s Record of Processing Activities (ROPA) nor subjected to a Data Protection Impact Assessment, as required under Articles 30 and 35 of GDPR.
Article 30(2) states that a record of all categories of processing activities must be kept by the business, and Article 35 states that a Data Protection Impact Assessment (DPIA) must be completed whenever a processing activity takes place that may result in a high risk to the rights and freedoms of individuals, which includes profiling.
In GDPR, there is no set formula for calculating administrative fines such as this one. The fine of PLN 576,220 was determined based on the nature and gravity of each infringement, the degree of responsibility of the business and the degree of cooperation with the supervisory authority.
What are the key takeaways from this?
Following Brexit, most of the EU data protection legislation was carried over, including EU GDPR. This means that while this incident happened elsewhere, there are still some key points to take away from this:
DPO independence is critical: It is vital that the Data Protection Officer remains independent and free from any potential conflicts of interest. While Toyota Bank was confident that there was no risk in this situation and that this aspect of the business’s structure was purely an administrative error, regulators still felt that the risk was enough to impose a significant fine. In your organisation, the DPO must report to high-level management.
PRIVACY HELPER can offer expert outsourced DPO services, where we remain independent to your organisation, meaning we can advise solely based on legal requirements.
Proper documentation of processing activities is mandatory: All data processing activities, especially high-risk ones like profiling, must be documented in a Record of Processing Activities. This is a requirement under Article 30 of GDPR.
PRIVACY HELPER can either create or review your ROPA to ensure all your processing activities are correctly logged in line with regulatory requirements.
Profiling and high-risk processing activities require risk assessment: Profiling activities, particularly ones that may affect the rights of individuals, require a Data Protection Impact Assessment to be completed. This is a requirement under Article 35 of GDPR.
If you need to complete one of these but don’t know where to start, PRIVACY HELPER can complete these assessments for you.
Ongoing compliance is essential: To ensure that standards don’t slip, you must regularly review your organisation’s governance structure to ensure that roles such as the DPO have the required independence and that all documentation remains up to date.
Next steps
Ensuring that you handle, process and store personal data in a way that’s in line with the law isn’t easy. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data compliance in your business.
For further details, refer to the European Data Protection Board’s official summary of the incident.