Mirosław Wróblewski, the President of the Personal Data Protection Office (UODO), has imposed two administrative fines on DPD Polska totaling over 11 million PLN. The decision follows an inspection that revealed irregularities regarding the outsourcing of data processing to third-party entities and deficiencies in the system for granting employee authorizations. The administrative proceedings leading to the penalization of the logistics operator were initiated ex officio following an audit at the company’s headquarters. This inspection focused on the processing of customer personal data, including names, addresses, phone numbers, signatures, and bank account numbers, in connection with the provision of courier services.
A primary point of contention between the supervisory authority and the company involved the role of so-called LNH carriers, which are external entities transporting parcels between DPD branches. DPD argued that parcel transport is merely a shipping service that does not involve data processing by the carrier, and therefore data processing agreements required by Article 28(3) of the GDPR were unnecessary. However, the President of UODO rejected this argument, noting that drivers from external companies participated in loading and unloading processes where they had direct access to address labels. Furthermore, because the transport was carried out using vehicles managed by these carriers, they exercised actual custody over the data. For the failure to conclude appropriate data processing agreements, the administrator was fined 6.251 million PLN.
The second pillar of the decision concerns the company’s internal procedures. The supervisory authority challenged the automated system used for granting data processing authorizations. At DPD Polska, authorizations were generated by an IT system after an employee passed a knowledge test on an educational platform. The UODO President determined that the resulting file was legally insufficient because it did not contain the employee’s full name, lacked the signature of the person granting the authorization on behalf of the administrator, and contained overly vague content. According to the office, such a solution cannot be considered an effective declaration of intent by the administrator. This was deemed a violation of Articles 29 and 32(4) of the GDPR, as well as a failure to implement the company’s own data protection policies under Article 24(2) of the GDPR. For these organizational failures, the company must pay 5.209 million PLN.
The total financial penalty amounts to 11.460 million PLN. This consists of 6.251 million PLN for the lack of processing agreements with LNH carriers under Article 28(3) of the GDPR and 5.209 million PLN for the failure to implement appropriate organizational measures regarding faulty authorizations under Articles 24(2), 29, and 32(4) of the GDPR. In the justification, the President of UODO emphasized that a data administrator is obligated to ensure that every processing operation occurs solely at its request and under full control, which was not maintained in this case. This decision, under reference number DKN.5112.1.2023, concludes the administrative process regarding this matter.