Administrative penalties in the amendment of the personal data protection law - dilutions on the background of polish law and the law of the European Union

Размещено на http://www.allbest.ru/

University of Warmia and Mazury

Administrative penalties in the amendment of the personal data protection law - dilutions on the background of polish law and the law of the european union

Karolina Szelqgowska, M.Sc., Faculty of Law and Administration, Doctoral School

Poland

Abstract

This article discusses the basic assumptions and functions of administrative sanctions, limiting the sif to one type - financial sanction. The study comprehensively approximates the rules of conduct in the field of imposing and imposing administrative fines, taking into account the provisions of the Polish Administrative Procedure Code, the Polish Act on the Protection of Personal Data of May 10, 2018 and the Data Protection Regulation 2016/679 of April 27, 2016. The theoretical layer of the study was enriched by presenting selected decisions of supervisory authorities regarding the imposition of a penalty and formulating de lege ferenda postulates.

Keywords: administrative pecuniary penalties, regulation on the protection of personal data , prawo ochrony danych osobowych.

Abstract

Szelqgowska K.

Administrative monetary penalties in the amendment to the data protection law - solutions on the background of the polish law and the European Union law

The problem of this scientific article focus on the issue of administrative monetary penalties. The literature recognizes the increasing use of administrative monetary penalties by public administration bodies. Considering that, the effectiveness of this means the legislator more often decides to place regulations constituting administrative monetary penalties in subsequent substantive law acts. The practice of public administration bodies also shows that these bodies very often use administrative monetary penalties as a consequense of a breach of the law by failure to perform a legal duty or violation ofprohibition. This research discus the basic assumptions and objectives of administrative monetary penalties in the data protection law, and then describes the procedure for imposing them. The theoretical layer was enriched by, among others first practical experience and de lege ferenda postulates.

Keywords: administrative monetary penalties, General Data Protection Regulation, data protection law.

Анотація

Желяговська К.

Адміністративні грошові стягнення в поправці до закону про захист даних - рішення на тлі польського законодавства та закону Європейського Союзу

Проблема цієї наукової статті зосереджується на питанні адміністративних грошових стягнень. У літературі визнано все більш широке використання адміністративних грошових стягнень органами державного управління. Враховуючи це, ефективність цього означає, що законодавець частіше приймає рішення про розміщення нормативно-правових актів, що становлять адміністративні грошові стягнення, у наступних актах матеріального права. Практика органів державного управління також показує, що ці органи дуже часто застосовують адміністративні грошові стягнення як наслідок порушення закону через невиконання законного обов'язку або порушення заборони. У цьому дослідженні обговорюються основні припущення та цілі адміністративних грошових стягнень у законі про захист даних, а потім описується процедура їх застосування. Теоретичні напра- цювання були збагачені, серед іншого, першим практичним досвідом та постулатами «de lege ferenda».

Ключові слова: адміністративні грошові стягнення, Загальне положення про захист даних, закон про захист даних.

Problem formulation. This research paper focuses on around the issue of administrative sanctions, limiting to one kind - a financial sanction. For years, he has been referring to the comments? to the more and more common use of administrative sanctions and fines by public administration bodies. Thus, the effective implementation of the goals set, as well as the ease in the execution of this penalty, means that financial penalties are established in subsequent acts of substantive law. The reasons for a broader reflection on the application of administrative fines were the recent implementation of the EU regulation on the protection of personal data, under which completely new conditions for imposing administrative fines were introduced.

Purpose of research. The aim of this scientific study is to analyze the current regulations in the field of imposing and imposing administrative fines at the national (Polish) and European level and to assess whether the adopted legislative solutions effectively prevent violations of the law in the data protection sector. personal. In order to implement the research assumptions, the work was enriched with a few de lege ferenda postulates and the first experiences of the practice of applying new regulations.

Presentation of the main material. Personal data is commonly specified as "fuel of the economy" [40]. Happening? yes, because of the enormous role they play in many areas of life. Due to the constant technological progress, both private enterprises and public institutions can easily manage and use them in different ways and for different purposes in their activities [11]. It became a challenge however, ensuring adequate control over their processing. The authorities of the European Union - meeting the expectations of citizens - led to the adoption of a regulation on higher security standards, guaranteeing the right to privacy and data protection. The established law is uniform in all countries of the European Union. It is a convenience designed primarily for the citizens of the Community who will be able to simplify their rights in connection with data protection violations. Exactly on May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, entered into force, and the repeal of Directive 95/46 / EC (the general regulation on data protection), hereinafter referred to as «r.o.d.o» [7]. In order to adjust r.o.d.o. to the Polish legal order, it was also necessary to prepare a new national act on the protection of personal data. The act entered into force on May 10, 2018 [4] and in line with its scope, it complements the EU general regulation on data protection.

In the context of the changes that have occurred due to the remarks regulation 2016/679? one should ask, among other things, the formulation of the administrator definition. This term replaces the previous term (from the previous European regulation on the protection of personal data - Directive 95/46 / EC) "data controller". As a novelty in relation to the previous provisions should be considered the admissibility of the so-called co-administration. Until now, the regulations limited the concept of a data controller, excluding from its scope the element of possible joint administration, while under the current regulation, a controller is considered to be person? physical or legal, public authority, unit or another entity that determines the purposes and methods of personal data processing not only independently, but also jointly with others [7]. Due to the responsibility and scope of competences, the administrator's function is of key importance in the context of data protection. However, as noticed by the representatives of the doctrine, the newly introduced normative solutions regarding the definition of the administrator did not eliminate the problem of the mere assignment of the administrator status [8]. The implemented legal regulations in the field of personal data protection significantly increase the scope of obligations of entities collecting and using this data. In particular, worth paying attention to? for the obligation to appoint a data protection officer [34]. The tasks of inspectors are regulated by Art. 39 sec. 1 and 38 sec. 5 and 6 r.o.d.o. Pursuant to these provisions, pregnancy inspectors are primarily responsible for informing the administrator and processor, as well as employees who process personal data, about their obligations under the r.o.d.o. and monitoring compliance with the provisions of r.o.d.o. [7]. Other obligations include, inter alia, reformulating the clauses in the scope of obtaining consent for the processing of personal data, implementation of adequate procedures and data security measures, and reporting to the supervisory authority on identified breaches of personal data protection [7]. At the central level, a new supervisory authority has been appointed, competent for the protection of personal data - the President of the Office for Personal Data Protection, hereinafter "the President of the Personal Data Protection Office" [32]. The rules of appointment, dismissal and the term of office are regulated in Chapter 6 of the Personal Data Protection Act, hereinafter referred to as "u.o.d.o." [4]. Among the many powers vested in the President of the Personal Data Protection Office, the power to impose administrative fines is of particular importance in the context of the issues discussed. On the basis of the previously binding Act on the Protection of Personal Data, the only possible monetary sanction that the supervisory body, within the framework of its powers conferred on it, could impose on the data processor was the so-called a compulsory fine, in the amount determined in accordance with Art. 121 of the Act on enforcement proceedings in administration. Its maximum amount could not exceed PLN 10,000, and in relation to legal persons and organizational units without legal personality, it could not exceed PLN 50,000.

The penalty was characterized by however, with a low degree of effectiveness, because it could be imposed only when the subject did not comply? decisions issued in the decision. The new act changed the existing rules of imposing penalties, and also shaped their amount at an incomparably higher level. This is a deliberate action, to some extent "mobilizing" both private companies and public institutions, which so far have treated issues related to data processing in a marginal part, to greater protection of such sensitive information as data personal. This is mainly due to the right to privacy and information autonomy, which is enjoyed by every individual. Sometimes, the only, objectively possible path to enforce the above-mentioned guarantees is the application of high financial penalties. Mainly in this way, the Member States of the European Union are able to force the addressees of the legal norms provided for in the regulation to respect them. Sanctions of lighter nature, including all kinds of admonitions, are characterized by negligible effectiveness and to a small extent are able to prevent future violations from occurring.

Although the institution of administrative fines has been functioning in the Polish legal system for many years, it was only in 2017 that a legal definition of? this concept. Art. 189b of the Polish Code of Administrative Procedure provides expressis verbis that the administrative penalty of money means sanction specified in the act of a pecuniary nature, imposed by a public administration body, by way of a decision, as a result of violation of the law consisting in failure to comply with the obligation or violation of a prohibition on a natural person, legal person or organizational unit without legal personality »[2]. The quoted editorial unit is part of section IVa of the Code of Administrative Procedure, hereinafter referred to as: "k.p.a." laying down general rules for the imposition and imposition of administrative pecuniary penalties. The amendment introducing this section entered into force on June 1, 2017, under the Act of April 7, 2017 on the amendment of the Act - Code of Administrative Procedure and some other acts [3].

Proceedings leading to the imposition of a fine pursuant to the provisions of the Act on and r.o.d.o., is conducted in the administrative mode, therefore the provisions of Section IVa of the Code of Civil Procedure will apply in this case, moreover, Art. 1 points 1 and 2 of the Labor Code in connection with Art. 189a of the Code of Administrative Procedure It should be emphasized, however, that the direct application of the standards contained in this chapter may be limited in connection with the introduction of a detailed regulation of conduct, which is provided for in Art. 189a §2 of the Code of Civil Procedure (in accordance with the principle of lex specialis derogat legi generali) [31]. This is the case under the provisions of the Act on Public Procurement Law what is the conflict of law rule expressed in Art. 106 of the Act: «The provisions of Art. 189d-189f and art. 189k of the Act of June 14, 1960 - Code of Administrative Procedure shall not apply ». Admissibility to apply some provisions of the Labor Code has been disabled to allow direct application of the provisions of r.o.d.o. [16]. However, the other provisions, ie Art. 189a-189c and article. 189g and 189h (contrario reasoning) will be used. Introduction of regulations specifying directly, mutual relations between r.o.d.o., u.o.d.o. a k.p.a. should be considered fully justified. This relationship eliminates the application of those provisions of Section IVa, which are either a duplication of the provisions of r.o.d.o. or s ^ already separate in r.o.d.o. regulated or whose r.o.d.o. not foreseen [16].

Returning to the very concept of administrative pecuniary penalties, one should pay attention to the fact that on the semantic conditions that are related to? with this concept. This is because often pecuniary sanctions, which in fact are also administrative pecuniary penalties, were called differently, e.g. an increased fee, a sanction fee, an additional amount, an additional tax liability, as well as a penalty fee [30]. The existing practice in the field of different terminology was not conducive to maintaining the standards of correct legislation [6]. Hence, in the justification to the draft amendment to the Code of Administrative Procedure. It was emphasized that, in order to ensure legal clarity and terminological consistency, the financial ailments of an administrative nature established so far in numerous acts remained unchanged, while the new regulations were referred to only as "administrative fines" [31].

The correlate of the concept of punishment is sanction. It is assumed that the sanction is one of the features defining the law and also a guarantee of the effectiveness of the legal norm. The concept of sanctions, as well as the concept of punishment, is always associated with a certain ailment for the addressee. In other words, the sanction is an ailment for breach of the law, which determines the type and extent of the ailment [21]. M. Wincenciak defines the concept of administrative sanctions as negative (negative) consequences imposed by a public administration body by way of an act of applying the law on entities that commit? violation of administrative law [21]. Basically, the institution of administrative pecuniary penalties is classified as one of the types of administrative sanction next to the sanction of nullity and the sanction of execution [20]. In the doctrine of law, however, there are many other divisions based on various criteria. For this reason, the division of sanctions is free and not strongly methodological [17]. For example, the division based on the responsible entity criterion: i.e. natural persons, legal and non-legal persons and public administration bodies [15] or a division into absolutely indefinite, absolutely specified and relatively specified sanctions [12 ]. In the context of the institution in question, the most appropriate division will be the one based on the criterion of the severity of sanctions - pecuniary and non-pecuniary. Non-monetary sanctions are on the deterioration of the legal situation of the infringer by imposing an obligation or depriving him of the right. On the other hand, monetary sanctions also make the situation worse. the perpetrator, but by imposing the obligation to pay a fixed sum of money by way of an administrative decision. In recent years, monetary sanctions have been attributed to more and more practical value [18]. They are considered to be one of the most effective and efficient methods of ensuring the implementation of? administrative and legal obligations [9] [19; 21; 22; 23]. administrative fines legal

The approach to the issue of administrative pecuniary sanctions is caused by a clear tendency of lawmakers both in Poland and in many European Union countries to establish further administrative tort and pecuniary penalties for them [35]. The increase in regulations providing for administrative pecuniary penalties means that the sphere of influence of these sanctions includes: an increasing number of entities [19]. According to the "Analysis of the normative image of administrative tort" conducted under the supervision of D. Szumilo-Kulczycka, in 2016 administrative pecuniary penalties were regulated in 119 normative acts [19]. The analysis of the regulations in force shows that this number is constantly growing, and the amount of penalties is also rapidly increasing. A real example of this may be the fines laid down in the law on the protection of personal data, the amount of monetary sanctions provided for there by many are described as extremely repressive and even dissuasive. This is because gigantic penalties are to directly signal to entities on the personal data market that ignoring the provisions will have very serious consequences - primarily financial ones. It begs? however, in this context, the question is whether, by imposing monetary sanctions at an exorbitantly high level, the proportion between the culpability of violation and the severity of sanctions is not upset?

Chapter 11 of the Personal Data Protection Act is dedicated to administrative fines. In art. 101 - 108 "u.o.d.o", the legislator included the general conditions for imposing administrative fines [4]. As already mentioned, in Poland, the authority authorized to impose this type of sanctions is the public administration body - the President of the Personal Data Protection Office, while in some European Union countries, this right is vested in Denmark and Estonia. It is worth mentioning that apart from the power of the President of the Personal Data Protection Office to impose fines, he also has the power to apply the so-called repair permissions. These are complementary measures of a more lenient nature than administrative fines. The supervisor may apply them either concurrently with the imposition of a fine or (if it considers that the use of a substitute remedial power is sufficient to achieve the purpose of the penalty) instead. Include? to them, among others issuing warnings, reminders or ordering the data subject to be notified of a data breach. The full catalog of rights is included in Art. 58 sec. 2 r.o.d.o. [7]. The addressees of administrative sanctions, fines may be both personal data administrators and entities that process data on their behalf. They can be private entities (including natural persons, enterprises) and public entities. Possibility of punishing public entities, taking into account Art. 83 sec. 7 r.o.d.o. [7]. The EU bodies left the decision on the admissibility of punishing public entities in the hands of the member states.

The Polish legislator has decided to? to introduce such an opportunity. The threat of penalties of money in relation to public entities is provided for in Art. 102 of the AED and includes: public authorities, government administration bodies, state control and state protection authorities (including the Sejm, Senate, Council of Ministers, the Supreme Audit Office, the Financial Supervision Authority, the Police, Military Police), universities, National Health Fund, National Bank of Poland [4]. Although the catalog of sanctions specified in the regulation is closed, it can be extended to include sanctions established by national legislators [8]. Such a solution was indicated in recital 149 introducing to r.o.d.o. These can also be sanctions other than administrative fines, including criminal sanctions. "However, the imposition of criminal sanctions for violation of national laws and the imposition of administrative sanctions should not lead to multiple penalties" [7].

The issue that arouses controversy among entities potentially threatened with sanctions focuses on? around the amount of fines. On the basis of this Act, the division of the upper limit of its amount into public and private entities has been made. There is a significant disproportion between the two in favor of public entities. This is due to a very simple reason. Namely, imposing high fines on public bodies and entities will have a negligible impact on repression, as the income obtained from administrative fines constitutes the entire income of the State Treasury. It would be highly pointless, then, to impose horrendously high penalties towards? entities that are fully financed from the state budget. The money would in fact go to the same place [32]. However, it is worth signaling some modifications concerning the catalog of entities to which the lower fine will be applied, eg the National Bank of Poland. It is - admittedly - a state institution, but self-financing itself. Therefore, it is possible to accuse one of the three main directives on the application of financial penalties under the r.o.d. it is financed entirely from the state budget. The maximum amount of a fine that may be imposed on public entities listed in Art. 102 u.o.d.o amounts to PLN 100,000 [4]. This includes state and local government cultural institutions. Bearing in mind their main goal of activity - the dissemination and creation of equal access to cultural goods [1], it was decided to for a lower fine - up to PLN 10,000 [4]. Financial liability of non-public sector entities is taking shape? at a much higher level. The regulation indicates two thresholds for the amount of penalties. Their values ??are expressed in euros, so need to be converted into currency? Polish ^, based on the average rate published by the National Bank of Poland [4]:

- Prog 1: up to € 10,000,000, and for a company up to 2% of its total annual worldwide turnover for the previous financial year;

- Prog 2: up to € 20,000,000, and for a company up to 4% of its total annual worldwide turnover for the previous financial year [7].

Penalties imposed on natural persons who are not entrepreneurs have been specified in the amount - the maximum amount. On the other hand, financial penalties imposed on enterprises are determined according to the percentage of income, which allows for the application of an adequate penalty, directly proportional to the generated income. The introduced solution makes it practically impossible to estimate the maximum amount of the fine imposed on an enterprise. The financial penalty indicated in the threshold No. 1 is imposed on the basis of Art. 83 sec. 4 r.o.d.o. for committing? breaches of minor importance, such as the personal data administrator's neglect of the obligation to register processing activities under Art. 30 r.o.d.o. [10]. The prerequisites for imposing a penalty established in threshold No. 2 concern the more serious category of violations related to the basic principles of processing ordinary data and specific categories of data, including the conditions for obtaining consent, as well as violations of other obligations listed in Art. 83 sec. 5 r.o.d.o. and in individual provisions of the ordinance specifying these obligations [10]. A higher liability threshold also applies to the imposition of the so-called non-self-imposed penalties, i.e. those that are adjudicated in the event of non-performance of the orders referred to in Art. 58 sec. 2 r.o.d.o. (the issue of the so-called repair rights has already been discussed).

About whether to impose an administrative penalty? money, and if there are conditions for this, in what amount the supervisory authority decides on the basis of the directives of the penalty referred to in Art. 83 (2) r.o.d.o. The 11 circumstances defined in this provision are somehow helping the supervisory authorities to determine an adequate and proportionate penalty taking into account all the circumstances that have arisen on the basis of a specific case [16]. J. Luczak divided these circumstances into the following categories [8]:

* elements related to the breach incident (nature, severity, duration of the breach, degree of liability);

* behavior of the controller (processor) against the infringement (current attitude to compliance with the provisions on the protection of personal data);

* behavior of the controller (processor) after the breach (minimizing the damage, reporting the breach, compliance with remedial measures);

* the consequences of the breach (number of people injured and the extent of the harm suffered).

The above systematics should also take into account all other, incriminating or alleviating factors that may have an impact in the context of a given case, e.g. financial benefits achieved directly or indirectly in connection with the violation of or avoided losses. Apart from the circumstances specified in the provisions of r.o.d.o. first of all, it should be remembered that the application of both administrative pecuniary penalties and other sanctions should take place? respecting the principle of proportionality expressed in art. 5 sec. 4 of the Treaty on European Union, according to which the measures applied in EU law must be proportionate to the purposes for which they are applied [16]. In a similar vein, he speaks? The European Parliament and the Council of the EU. In recital 151 to r.o.d., it was emphasized that the sanctions imposed should be proportionate, effective and dissuasive [7; 13].

The settlement of the proceeding on imposing an administrative fine is always made by issuing an administrative decision by the President of the Personal Data Protection Office. In each case, the injured entity has the right to appeal against the issued decision. Pursuant to Art. 105 u.o.d.o., penalty becomes? due: after the lapse of 14 days from the date of lodging a complaint to the administrative court and in the second case, after the lapse of 14 days from the date of becoming final? decisions of the administrative court. As regards the enforcement of penalties and limitation periods, the general norms laid down in the Code of Administrative Procedure will apply. (Articles 189g., 189h., 189i., 189j. of the CCP). It is separate from Art. 189k. k.p.a. the issue of applying reliefs in terms of the execution of the penalty has been resolved. Based on Article. 105 u.o.d.o. The President of UODO "may, at the request of the punished entity, postpone the payment of the fine or divide it into installments due to the important interest of the applicant". It is always a public administration body that decides whether or not to accept the legitimacy of such an application, within the scope of its discretionary powers. Practice shows that this should be an objective circumstance, related to the existence of specific reasons on the part of the punished, including extraordinary situations, but also his situation? economic [14; 24; 25]. In the case of dividing the administrative fine into installments, interest is calculated separately for each installment [4]. An injured entity that conducts business activity is additionally entitled to submit an application for relief in the payment of an administrative fine.

At the end of the chapter dedicated to administrative fines in the Personal Data Protection Act, the Polish legislator, using the ability to autonomously impose sanctions, added penal provisions penalizing liability: for unlawful processing of personal data (Art.107 of the Act on Personal Data Protection) and liability for obstructing the conduct of control (Art.108 of the Act on Public Procurement Law). The first provision establishes criminal liability for unacceptable processing of personal data, or for processing them without authorization, which is punishable by a fine, restriction of liberty or imprisonment for up to 2 years. The provision covers all categories of data, excluding data, including of those in Art. 107 paragraph. 2 u.o.d.o., which contains particularly protected data concerning, inter alia, racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, sexuality or sexual orientation. In the event of a violation of data processing in this category, the liability of the infringing entity will be subject to a higher penalty of imprisonment - up to 3 years. The second of the criminal provisions (Art.108 of the Act on application of the provisions of u.o.d.o. i r.o.d.o. The committed crime is punishable by a fine, restriction of liberty or imprisonment for up to 3 years.

Summary

Relatively little time has passed since the regulations in question came into force. From May 25, 2018 (i.e. from the date of entry into force of the provisions of the Regulation on the Protection of Personal Data and the Polish Act on the Protection of Personal Data) to December 31, 2018, the Office for Personal Data Protection received over 3,000 persons. complaints and over 2.4 thousand. notifications [36]. By mid-2019, the number of complaints had increased to 4.5 thousand. First punishment? money in the amount of 943 thousand. zloty, the President of the Personal Data Protection Office imposed on the entity that processed personal data obtained from publicly available sources, including from the Central Register and Information on Economic Activity (CEiDG) for profit-making purposes, not fulfilling? with information obligation [37; 38]. Not much, because only a month later it was informed about another financial penalty in the amount of nearly PLN 56 thousand. zloty levied on the Dolnosl ^ ski Association of Pilki Noznej in connection with the unlawful disclosure of personal data of 585 people on the network, who were granted judicial licenses in 2015 [27]. The disclosed data included not only names and surnames, but also exact addresses of residence and PESEL numbers. In the opinion of the President of the Personal Data Protection Office, the disclosure of such a wide range of personal data posed a real threat of their unlawful use, e.g. for the purpose of contracting financial liabilities. As the press releases of the Office for Personal Data Protection indicate, public sector institutions, including local government units, were also subject to numerous inspections. For example, sanctions in the amount of 40 thousand. zl was punished the mayor of Aleksandrуw Kujawski [39]. Numerous irregularities revealed during the inspection concerned, among others, the lack of internal procedures regarding the review of resources available in the Public Information Bulletin in terms of determining the period of their publication, as well as the lack of backup copies of recordings of the city council meetings, which were available in the Public Information Bulletin only through posting a link to the channel on YouTube.

Few substantive decisions and well-established practice concerning the analyzed plane mean that the presented considerations are mostly theoretical. So far, in the European arena, there have been practically a few cases of the use of financial penalties in connection with the implementation of r.o.d.o. One of the first countries was Portugal. The sanction was imposed by the Portuguese Data Protection Authority - Comissao Nacional de Protecgao de Dados on the Barreiro-Montijo Hospital Center [38]. The irregularities concerned access to the patient's medical data management system. As a result of the inspection, it was found that the number of registered accounts with access to medical data of patients is more than three times higher than the number of doctors employed in this hospital. Due to failure to exercise due diligence in data processing and inaccuracies in authentication methods, a penalty was imposed on the hospital? with a total amount of EUR 400,000 [28]. In Germany, on the other hand, penalties? in the amount of 20,000 euros was levied on the dating site Knuddels.de. As a result of hackers' attack, 808,000 e-mail addresses and 1,872,000 logins and passwords were "leaked" from the website. The data was not encrypted well enough. The German supervisory authority decided to impose a relatively low fine, due to the quick reaction of the Internet portal against data leakage and immediate introduction of technical measures to improve data security [29]. In Austria, Datenschutzbehцrde - the Austrian data protection authority punished one of the entrepreneurs who used video surveillance in front of his company's building. The monitoring range covered an excessively wide sidewalk strip, which resulted in the processing of images of people who were not aware that they were in the monitored area [28]. On the other hand, the highest penalty so far, amounting to EUR 50 million, was imposed in France on Google for failure to provide users with sufficient explanation and transparency in relation to the data provided to advertisers [29]. To sum up, it is estimated that in the first year of operation of the provisions of r.o.d.o. fines were imposed in the total amount of EUR 114 million [26].

At the moment, it is difficult to clearly define or the ambitions that followed? the authorities of the European Union enacting the new law on the protection of personal data have been fulfilled. There is no doubt that the payment of a high penalty effectively affects the imagination? entities potentially at risk of being sanctioned and thus disciplined to comply with the law. The first cases of applying financial penalties show that the newly adopted regulations are not only dead regulations, but effective instruments guaranteeing the security of personal data protection. Emerging? Doubts regarding the disproportion between the culpability of the violation and the amount of the sanctions are perfectly justified, if only because of the axiological conditions of the concepts of "sanctions" and "punishments" in the legal system. If, however, a sufficient degree of protection of such sensitive information as our personal data can only be ensured by imposing and imposing high financial penalties - then such a measure should find full support and should not be questioned.

Bibliography

1. KonstytucjaRzeczypospolitejPolskiejz dnia 2 kwietnia 1997 r (Dz. U. Nr 78, poz. 483 z pozn. zm.). [in Polish].

2. Ustawa z dnia 14 czerwca 1960 r Kodekspostqpowania administracyjnego (tj. Dz. U. z 2020 r. poz. 256). [in Polish].

3. Ustawa z dnia 7 kwietnia 2017 r o zmianie ustawy - Kodeks postqpowania administracyjnego oraz niekto- rych innych ustaw (Dz.U. z 2017, poz. 935). [in Polish]. Ustawaz dnia 10 maja 2018 r o ochronie danych osobowych (tj. Dz. U. z 2019 r. poz. 1781). [in Polish].

4. Ustawa z dnia 21 lutego 2019 r o zmianie niektorych ustaw w zwiqzku z zapewnieniem stosowania rozpo- rzqdzenia Parlamentu Europejskiego i Rady (UE) 2016/679 z dnia 27 kwietnia 2016 r. w sprawie ochrony osob fizycznych w zwiqzku zprzetwarzaniem danych osobowych i w sprawie swobodnego przeplywu takich danych oraz uchylenia dyrektywy 95/46/WE (ogolne rozporzqdzenie o ochronie danych) (Dz.U. 2019 poz. 730). [in Polish].

5. Rozporzqdzenie Prezesa Rady Ministrow z dnia 20 czerwca 2002 r. w sprawie «Zasad techniki prawodaw- czej» (Dz. U. 2002 nr 100 poz. 908). [in Polish].

6. Rozporzqdzenie Parlamentu Europejskiego i Rady (UE) 2016/679 z dnia 27 kwietnia 2016 r. w sprawie ochrony osob fizycznych w zwiqzku z przetwarzaniem danych osobowych i w sprawie swobodnego przeplywu takich danych oraz uchylenia dyrektywy 95/46/WE (ogolne rozporzqdzenie o ochronie danych) (Dz. U. UE. L. z 2016 r. Nr 119, str. 1 z pozn. zm.). [in Polish].

7. Bielak-Jomaa, E. & Lubasz, D. (red.), RODO (2018). Ogolne rozporzqdzenie o ochronie danych. Komentarz. Warszawa. [in Polish].

8. Blachucki, M. (2015). Administracyjne kary pieniqzne w demokratycznym panstwie prawa. Warszawa. [in Polish].

9. Dmochowska, A. & Piotrowska, A. (2018). Ustawa o ochronie danych osobowych. Komentarz. Warszawa. [in Polish].

10. Dmochowska, A. & Zadrozny, M. (2018). Unijna reforma ochrony danych osobowych. RODO w praktyce z uwzglqdnieniem: wytycznych GR Art. 29, ustawy o ochronie danych osobowych z 2018 r. Warszawa. [in Polish].

11. Kazmierczyk, S. & Pulka, Z. (red.) (1999). Wstqp doprawoznawstwa. Wroclaw.

12. Litwinski, P. (red.) (2018). Rozporzqdzenie UE w sprawie ochrony osob fizycznych w zwiqzku zprzetwarza- niem danych osobowych i swobodnymprzeplywem takich danych. Komentarz. Warszawa. [in Polish].

13. Marcinkowski, B. (red.) (2019). Ustawa o ochronie danych osobowych. Komentarz, LEX. Warszawa. [in Polish].

14. Rot, H. (1998). Wst^p do nauk prawnych. Wroclaw. [in Polish].

15. Sakowska-Barylo (red.), Ogolne rozporzqdzenie o ochronie danych osobowych. Komentarz. Warszawa 2018. [in Polish].

16. Staniszewska, L. (2017). Administracyjne kary pieniepne, Studium z zakresuprawa administracyjnego mate- rialnego iprocesowego. Poznan. [in Polish].

17. Staniszewska, L. (2017). Dostosowanie administracyjnych kar pieniepnych do zasad demokratycznego panstwa prawnego (w:) Nowe instytucje procesowe w postepowaniu administracyjnym w swietle nowelizacji Kodeksupostepowania administracyjnego z dnia 7 kwietnia 2017 roku, red. Gronkiewicz A., Ziolkowska A. Katowice. [in Polish].

18. Szumilo-Kulczyka, D., Czarnecki, P., Balcer, P. & Leszczynska, A. (2016). Analiza obrazu normatywnego deliktow administracyjnych. Warszawa. [in Polish].

19. Szydlo, M. (2003). Charakter i struktura prawna administracyjnych kar pieni^znych. Studia Prawnicze, 4. [in Polish].

20. Wincenciak, M. (2008). Sankcje w prawie administracyjnym i procedura ich wymierzania. Warszawa. [in Polish].

21. Wyrok Trybunalu Konstytucyjnego z dnia 1 lipca 2014, sygn. SK 6/12, LEX nr 1480663. [in Polish]. Wyrok Trybunalu Konstytucyjnego z dnia 15 stycznia 2007, sygn. P 19/06, LEX nr 232287. [in Polish].

22. WyrokNSA z dnia 10 marca 2010, sygn. I FSK 31/08, LEX nr 537191. [in Polish]. Wyrok NSA z dnia 2 marca 2016, sygn. II FSK 2474/15, LEX nr 2017629. [in Polish].

23. Grodecka, M.. 114 mln euro wyniosly kary za lamanie RODO. Urzqdnicy dopiero siq rozkrqcajq.

24. Ojczyk, J. Zwiqzek sportowy ukarany za ujawnienie danych sqdziow.

25. Szweda-Bednarek, P. Podsumowaniepierwszegopolroczaobowiqzywania RODO.

26. Tomaszewska, J. & Cison-Kurdziel, A. Za naruszenie RODO slono siq placi. Mapa kar finansowych w Europie.

27. Zakiewicz-Zborska, K. «Dr Edyta Bielak-Jomaa: Uwaga, to prawo dotyczy wszystkich».

28. Uzasadnienie rzqdowego projektu ustawy o zmianie ustawy - Kodeks postqpowania administracyjnego oraz niektorych innych ustaw, druk 1183.

29. Uzasadnienie rzqdowego projektu ustawy o ochronie danych osobowych, druk 2410.

30. Uzasadnienie rzqdowego projektu ustawy o zmianie niektorych ustaw w zwiqzku z zapewnieniem stosowania rozporzqdzenia 2016/679, druk 3050.

31. Wytyczne dotyczqce inspektorцw ochrony danych («DPO»).

32. Stanowisko nr 16/2016 Porozumienia samorzqdцw zawodowych i stowarzyszen prawniczych oraz Rzecznika Praw Obywatelskich dotyczqce zmian kodeksu postqpowania administracyjnego w zakresie wprowadzenia regulacji sankcji administracyjnych oraz zbiegu odpowiedzialnosci administracyjnej z odpowiedzialnosciq karnq.

33. «UODO wkrцtce zacznie karac za nieprzestrzeganie RODO».

34. «Prezes UODO nalozylapierwszq karq pieniqznq».

35. «Pierwsze kary za nieprawidlowosci w obszarze ochrony danych osobowych».

36. «Prezes UODO nalozylpierwszq karq pieniqznq napodmiotpubliczny».

37. «Bielak-Jomaa: RODO toprzede wszystkim ochronaprywatnosci, nie absurdy».

Размещено на Allbest.ru