Personal data protection in an accounting office (part 8) - What are the consequences of not complying with the Personal Data Protection Act?


Personal data protection, registration of a data set, and technical and organizational security measures are statutory requirements necessary to ensure reliable and lawful information processing. Can failure to comply with the obligations of the Act on the Protection of Personal Data have negative consequences for the obligated accounting office? As it turns out, it can, and quite serious ones, but more on that later in the article.

Types of liability of the personal data administrator

The accounting office, as the data administrator, may incur the following types of liability as a result of improperly implementing a personal data protection procedure or of lacking one:

  • disciplinary,

  • administrative,

  • criminal,

  • compensatory.

These proceedings may be initiated independently of each other.

Disciplinary proceedings and the protection of personal data

Pursuant to Art. 17 sec. 2 of the Act on the Protection of Personal Data, on the basis of the findings of the inspection, the inspector may request that disciplinary proceedings or other proceedings provided for by law be initiated against persons guilty of infringement, and that he be informed, within a specified period, of the results of the proceedings and the actions taken.

According to the dictionary interpretation, disciplinary proceedings are investigations conducted by special committees aimed at determining the employee's guilt and imposing a penalty.

In practice, the proceedings may end with the employee's dismissal for violating basic employee duties.

Personal data protection and administrative proceedings

The Act authorizes GIODO to take authoritative administrative action against entities violating the provisions on the protection of personal data.

This applies where the inspector, on the basis of the inspection results, finds a breach of the provisions on the protection of personal data. He is then entitled to apply to GIODO for an order to restore the lawful state, in particular:

  • remedying deficiencies,

  • supplementing, updating, rectifying, disclosing or not disclosing personal data,

  • applying additional measures to secure the collected personal data,

  • suspending the transfer of personal data to a third country,

  • securing data or transferring them to other entities,

  • deleting personal data.

The order is issued in the form of an administrative decision. It should be added that further processing of personal data by an accounting office requires compliance with the provisions laid down by GIODO. In practice, the office may be exposed to losses if it has to close for the duration of the proceedings.

Criminal proceedings and the issue of data protection

Criminal proceedings may prove to be the most severe for careless accounting offices. The sanctions imposed in this mode are more tangible. People working in an accounting office may face a fine, restriction of liberty, and even imprisonment for up to 3 years.

The first stage - initiation of the procedure - takes place pursuant to Art. 19 of the Act. According to it, if it is found that the act or omission of the head of an organizational unit, its employee or another natural person being the data controller meets the criteria of an offense specified in the Act, GIODO sends a notification of a crime to the body appointed to prosecute crimes, attaching evidence documenting the suspicion.

Culpable actions of accounting office employees and the penalty are presented in the table below:

| Act | Penalty |
|---|---|
| Anyone who processes personal data in a filing system although their processing is not permitted, or who is not authorized to process them (Article 49 (1) of the Act) | fine, restriction of liberty or imprisonment for up to 2 years |
| Anyone who processes personal data in a filing system although their processing is not permitted, or who is not authorized to process them, where the processing concerns data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union affiliation, data about health condition, genetic code, addictions or sexual life (Article 49 (2) of the Act) | fine, restriction of liberty or imprisonment for up to 3 years |
| Anyone who, while administering a data filing system or being obliged to protect personal data, makes them available or allows access to them by unauthorized persons (Article 51 (1) of the Act) | fine, restriction of liberty or imprisonment for up to 2 years |
| If the perpetrator of the above act acts unintentionally (Article 51 (2) of the Act) | fine, restriction of liberty or imprisonment for up to one year |
| Anyone who, while administering data, violates, even unintentionally, the obligation to protect them against unauthorized removal, damage or destruction (Article 52 of the Act) | fine, restriction of liberty or imprisonment for up to one year |
| Whoever, being obliged to do so, does not submit a data filing system for registration (Article 53 of the Act) | fine, restriction of liberty or imprisonment for up to one year |