Processing the Personal Data by A Processor Must Be Documented

The Polish Supervisory Authority (“SA”) has been notified of a personal data breach at the Sułkowice Cultural Centre. In the course of the proceedings, it was found that the controller without a written contract used a processor to which it outsourced the maintenance of accounting books, records, and preparation of reports (in the areas of finance, taxation, and Social Security) or storage of documentation.

Failure to verify the processor and its guarantees for processing in accordance with data protection regulations may entail consequences for individuals whose personal data has been entrusted to the processor, such as loss of personal data. Only after examining the competence and adequacy of the chosen processor can the controller proceed to conclude an appropriate contract.

In the course of the case, the supervisory authority found that the controller did not have any documents confirming the verification of the terms of cooperation with the processor.

The Polish SA imposed an administrative fine of PLN 2.500 on the Sułkowice Cultural Centre. The reason for the decision was the controller's use of a processor without a written contract and lack of verification of whether the processor provides sufficient guarantees to implement appropriate technical measures.

You can reach further information here.

Kind regards,

Zumbul Attorneys at Law

info@zumbul.av.tr