
Lack of procedures to protect the rights of publication participants - fine for Polskie Radio Szczecin
Due to the lack of procedures to protect the rights of publication participants and the lack of technical means, the risk of, inter alia, unjust disclosure, in press material without the consent of the person concerned, of information and data relating to the private sphere of life was enormous.
Such information shall not be disclosed if it relates to persons who are not fulfilling public functions. One example of such a situation comes from Radio Szczecin, where a 2022 press article described a conviction for sexual harassment. The journalist revealed that a parliament member’s son was the victim and did so in such a way that the child could be identified. Following the discovery of harassment, this person committed suicide. The case was investigated by the prosecutor.
In this context, the President of the Personal Data Protection Office, Mirosław Wróblewski, decided to carry out a comprehensive inspection to determine whether the violation of privacy in Radio Szczecin could be of a systemic nature. The inspection revealed many shortcomings in the protection of personal data.
The President of the Personal Data Protection Office carried out an inspection in Polskie Radio Szczecin and found the following breaches:
1. Radio, as Controller, did not carry out a risk analysis for the processing of personal data in connection with its editorial activities (creation and publication of press material).
2. Nor did it comply with its own personal data protection documentation.
3. It also failed to implement data security measures providing the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and processing services due to:
• lack of clear and transparent rules on the handling of press material containing personal data, regulating the obligation to verify such material prior to publication in terms of personal data identifying natural persons whose publication may infringe the law or the rights and freedoms of natural persons;
• lack of encryption of personal data storage devices used outside the processing area;
4. Finally, it has not put in place appropriate technical and organisational measures to ensure that the effectiveness of the measures securing personal data is regularly tested, measured and evaluated.
Following the inspection, on the basis of the issued decision, Polskie Radio Szczecin is to correct organisational and technical errors within 60 days. In addition, the President of the Personal Data Protection Office imposed an administrative fine of PLN 56 824.
The Decision of the President of the Personal Data Protection Office also states that, although many aspects of the activity of editing, preparing, producing or publishing press material and creating speech in the context of literary or artistic activities are not subject to the GDPR, certain obligations incumbent on controllers under the GDPR must be fulfilled in order to:
• address risks to the rights and freedoms of natural persons (Article 24(1) GDPR),
• ensure the security of data processing, including through pseudonymisation and encryption (Article 32(1) and (2) GDPR).
In its decision, the President of the Personal Data Protection Office also specifies what actions the Controller should have taken to ensure that the rights and freedoms of persons mentioned in press material are not infringed.
It also recalls that the Press Law provides, inter alia, that information and data relating to the private sphere of life may not be published without the consent of the person concerned, unless this directly relates to the public activity of this person.
The prohibition of publication therefore extends to all information relating to an identified or identifiable natural person, as is apparent from the definition of personal data in Article 4(1) GDPR.
According to that provision, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Compliance with the prohibition on the publication of personal data under personal data protection rules creates an obligation for the controller to implement appropriate security measures that guarantee the ability to ensure at all times the confidentiality, as well as the integrity, availability and resilience of the data processing systems and services used for the activity of editing, preparing, producing or publishing press materials.
However, during the inspection, the President of the Personal Data Protection Office found that the verification of press material containing personal data, the publication of which may be subject to restrictions under the Press Law, is not carried out in Polskie Radio Szczecin on the basis of any principle of handling such material. No such procedure or instruction was adopted by the Company as controller.
Nor did the Controller specify the rules in this regard in any other way.
In the view of the President of the Personal Data Protection Office, the lack of a transparent procedure for verifying, prior to publication, that press material is lawful and does not infringe the rights and freedoms of natural persons implies full discretion in that regard and a lack of control over whether, in each case, press material was published only after such verification.
Both the lack of encryption of devices and storage devices used to process personal data transferred outside the processing area and the absence of adopted rules for verifying press material prior to its publication in respect of the personal data it contains confirm that the Company’s personal data security measures do not provide the ability to ensure at all times the confidentiality, integrity, availability and resilience of processing systems and services referred to in Article 32(1)(b) GDPR.
As a result, personal data are still at risk in Polskie Radio Szczecin because this is a systemic error, rather than an individual error relating to a specific situation. That is why the President of the Personal Data Protection Office issued the abovementioned order.
According to the President of the Personal Data Protection Office, Mirosław Wróblewski, ‘the imposition of an administrative fine is necessary because the scale of omissions and infringements in Polskie Radio Szczecin was very large. If not for a weak financial situation of public regional broadcasters, it could be much higher. At the same time, I hope that this fine will be a lesson for journalistic activities to ensure that individuals’ personal data are properly safeguarded and that their privacy is respected’.
Decision in Polish: DKN.5112.10.2024