Poland’s Data Protection Regulator Hits DPD Polska With Over $2.75 Million in GDPR Fines

Key Takeaways
  • Processing Agreements Are Mandatory: UODO found that DPD Polska violated Article 28(3) of the GDPR by failing to conclude personal data processing agreements with external LNH carriers involved in loading, unloading, and transporting shipments containing personal data.
  • Transport Operations Still Involve Data Processing: The regulator rejected the company’s argument that transport contracts did not amount to personal data processing, emphasizing that access to address labels and shipment data triggers GDPR obligations.
  • Invalid Employee Authorizations: Automatically generated “authorizations” issued after e-learning completion did not meet GDPR standards under Articles 29 and 32(4), as they lacked essential elements such as employee identification and a clear expression of the controller’s will.
  • Organizational Measures Must Be Real, Not Theoretical: The authority found that DPD Polska failed to properly implement its own data protection policy in line with Article 24(2), particularly given the scale and sensitivity of the data processed.
  • More Than $2.75 Million in Fines: The President of the Personal Data Protection Office imposed administrative fines totaling over $2.75 million (over PLN 11 million), including approximately $1.56 million (PLN 6.251 million) for the absence of processing agreements and approximately $1.30 million (PLN 5.209 million) for inadequate organizational measures.
Deep Dive

Poland’s data protection authority has fined DPD Polska more than $2.75 million (over PLN 11 million) after finding serious failures in how the courier company structured its relationships with external carriers and authorized staff to handle personal data.

In a recent decision, the President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, concluded administrative proceedings that were launched ex officio following an inspection at the company’s headquarters. The review focused on how personal data was processed in the course of providing courier delivery services.

What emerged, according to the regulator, was not a single oversight but a combination of contractual and organizational gaps that ran counter to the requirements of the GDPR.

Transport Contracts Are Not a GDPR Loophole

A central issue in the case involved shipments moved between DPD Polska’s branches by so-called LNH external carriers. These carriers participated in loading and unloading parcels and had access to address labels containing personal data. In some cases, shipments were transported in vehicles that DPD Polska neither owned nor held under any other legal title; the external carriers were the ones authorized to use those vehicles.

Despite this access, the company did not conclude personal data processing agreements with the carriers.

DPD Polska argued that such agreements were unnecessary because the contracts concerned transport operations, which it claimed did not amount to personal data processing by the LNH carriers.

The regulator disagreed. In its reasoning, the authority concluded that the carriers’ operational involvement and access to labeled shipments meant they were participating in personal data processing. By failing to conclude data processing agreements, DPD Polska breached Article 28(3) of the GDPR.

For that violation alone, the authority imposed a fine of approximately $1.56 million (PLN 6.251 million).

Automatic “Authorizations” Fell Short

The second major deficiency centered on internal governance. Under the company’s data protection policy, new employees were to be granted authorization to process personal data after completing mandatory e-learning on data protection principles. Once an employee passed the test, the IT system automatically generated a file suggesting that authorization had been granted.

However, the authority found that the generated document did not include essential elements such as the employee’s first and last name or the signature of the person granting authorization. In other words, it did not constitute a clear expression of the controller’s will.

The regulator concluded that this mechanism could not be regarded as a valid authorization to process personal data. That finding led to violations of Articles 29 and 32(4) of the GDPR. The authority also pointed to Article 24(2), noting that the company failed to properly implement its own data protection policy, which it was required to do given the scale of processing.

For failing to implement adequate organizational measures to ensure appropriate data security, the regulator imposed a further fine of approximately $1.30 million (PLN 5.209 million).

The Data at Stake

During the proceedings, the authority established that DPD Polska processed a broad range of personal data in the course of delivering parcels. This included first and last names, email addresses, telephone numbers, shipping and delivery addresses, redirection details, bank account numbers in the case of cash-on-delivery shipments, company names, parcel numbers, and handwritten signatures of both senders and recipients.

Given the scope of the data and the scale of operations, the President of UODO characterized the infringements as serious violations of the GDPR’s requirements around accountability, confidentiality, and controller responsibility.

The total fines amount to approximately $2.75 million (over PLN 11 million).
