UODO (Poland) - DKE.561.4.2026
How it connects
Related across sources
Full text
Emblem of the Republic of Poland Office for Personal Data Protection Portal of Judgments Availability BIP Content Metrics Judgments Legal acts History Decision logo Warsaw, 22 May 2026 Illegitimate Decision DKE.561.4.2026 Pursuant to Article 104 § 1 of the Act of 14 June 1960. Code of Administrative Procedure (Journal of Laws U. of 2025, item 1691), Article 7(1) and (2), Article 60 and Article 101 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws No. U. of 2019, item 1781, as amended) and Article 57(1)(a), Article 58(2)(i), Article 83(1) and Article 83(6) in conjunction with Article 58(2)(d) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/ Urz. EU L 119 of 04.05.2016, p. 1, OJ Urz. EU L 127, 23.05.2018, p. 2, and OJ Urz. EU L 74 of 4.03.2021, p. 35), after the administrative procedure initiated ex officio on the imposition on Mr B. E., zam.: ul. (...), (...)-(...) W., administrative monetary penalty, President of the Office for Personal Data Protection, stating Mr. B's failure to do so. E., zam. ul. (...), (...)-(...) W., order of the administrative decision of the President of the Office for Personal Data Protection of 21 October 2025, no. DS.523.6546.2024.( ...), imposes an administrative financial penalty on him in the amount of 26 711 zlotys (in words: twenty-six thousand seven hundred and eleven zlotys). Justification I. Facts 1. The President of the Office for Personal Data Protection, hereinafter referred to as the “President of the Office of Personal Data”, by the Administrative Decision of 21 October 2025, ref. DS.523.6546.2024.(...), hereinafter referred to as ‘Ordering Decision’, acting on the basis of Article 58(2)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 21 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 3, p. Urz. EU L 119 of 04.05.2016, p. 1, OJ Urz. EU L 127, 23.05.2018, p. 2, and OJ Urz. EU L 74, 4.03.2021, p. 35) (hereinafter referred to as ‘Regulation 2016/679’), ordered Mr B. E. zam. ul. (...), (...)-(...) W. (hereinafter also referred to as „Administratorem”“Controller” or “Obliged”), to cease the processing of personal data of the following persons (hereinafter collectively referred to as “Complainants”): 1) C. R. (2) (conjunction in W. at (...)) and represented by him: – P. F. (conj. in W. at ul. (...)), – Oh. S. (conj. in W. at ul. (...)), – F. E. and X. I. (conj. in W. at ul. (...)), – T. J. (conj. in W. at ul. (...)), – U. F. (conj. in W. at ul. (...)), – W. W. (conju. in W. at ul. (...)), – R. J. (conj. in W. at ul. (...)), (2) C. K., B. K. and E. K. (conju. in W. at ul. (...)), 3) W. B. (conju. in W. at ul. (...)), 4) G. K and C. K. (2) (conjunction in W. at ul. (...)), 5) E. I. (2) and E. I. (conj. in W. at ul. (...)), 6) G. J. (conj. in W. at ul. (...)), 7) I. J. (conj. in W. at ul. (...)), 8) A. C., F. C., I. C. and I. K. (conju. in W. at ul. (...)), 9) B. B., C. B. and J. B. (conju. in W. at ul. (...)), 10) W. I. (conjunction in W. at (...)) and C. R. (conj. in W. at ul. (...)), 11) C. S. (conj. in W. at ul. (...)), 12) H. E. (conj. in W. at ul. (...)), in terms of image and voice, by means of video monitoring beyond the boundaries of the property belonging to it, including the public road and the complainant’s real estate. The ordering decision was sent to Mr. B's address. E., indicated by the Complainants, i.e. to the following address: ul. (...), (...)-(...) W., which is also the address of the property on which the video surveillance devices beyond its borders, including the public road and the complainant’s real estate, were installed. After twice ineffective notification, the letter was returned to the UODO, but on the basis of the provision of Article 44 § 4 of the Code of Civil Procedure, it was considered to be served on Mr. B. E. as of 7 November 2025 2. Mr. B. E. did not file a decision ordering complaints to the Provincial Administrative Court in Warsaw, and therefore it became final on December 9, 2025. 3. In order to determine whether the obligation imposed by the Decision ordering Mr. B. E. made, President of UODO by letter of 10 December 2025, no. DKE.560.277.2025.(...) called on him to provide clarification in this regard and to provide evidence of the execution of the order formulated in that decision. Letter to Mr. B. E. was addressed to the following address: ul. (...), (...) (...) W., this is to the address of his place of residence. This letter is Mr. B. E. it was also instructed that the declaration of non-compliance with the order imposed by the President of the Office of the Office may result in the imposition of an administrative penalty on him, in accordance with Article 83(6) of Regulation 2016/679. The letter, after two notifications on December 15, 2025 and December 23, 2025, was not received by the addressee and returned to the sender with the annotation “RETURN did not take place on time”, so on the basis of the provision of Article 44 § 4 of the Code of Civil Procedure, it was considered to be served on Mr. B. E. as of 29 December 2025 4. In connection with the lack of response to the above-mentioned call, by letter of 21 January 2026, ref. DKE.560.277.2025.(...) was addressed to Mr. B. E. a reminder referred to in Article 15 § 1 of the Act of 17 June 1966 on enforcement proceedings in administration (Journal of Laws No. U. from 2026, item 268, as amended). In this letter, the President of UODO summoned Mr. B. E. to execute the order of the Ordering Decision and to document its execution under the threat of referral of the case to the path of administrative enforcement. The letter was sent to the above-mentioned address of Mr. B's residence. E.. After the two-time notification on January 27, 2026 and February 4, 2026, the letter was returned to the sender with the annotation “RETURN not taken on time”, so - pursuant to Article 44 § 4 of the Code of Civil Procedure - it was considered to be served on the addressee on 10 February 2026. Mr. B. E. did not respond to the reprimand to the President of the UODO and did not provide any evidence supporting the execution of the Ordering Decision. 5. On 28 December 2025, the Office for Personal Data Protection received a “complaint” of one of the Complainants – Mr. C. R. (2) - "for further unlawful processing of personal data through video monitoring despite the decision of the President of UODO". In this letter, the Complainant informed the President of UODO that “[p] despite the issue of the above decision and the expiry of the deadline for its implementation, the data controller did not comply with its content. The surveillance that was taken down by police officers, Mr. B. E. reinstalled cameras that still cover areas that do not belong to his property, including our properties and public space.” The complainant added to his letter a photographic documentation indicating Mr. B's failure to comply. E. order of the Ordering Decision. 6. On December 28, 2025, on https://(...), on the channel (...), material entitled “(...)” was published.[ 1] In this material, both Mr. C. R. (2), as well as other Complainants, indicate that Mr B. E. still - after the President of UODO issued the Ordering Decision - monitors the surroundings of his property, records his neighbors and uses surveillance footage in subsequent submissions to law enforcement agencies. II. Proceedings 7. Taking into account the circumstances established during the proceedings for the verification of the execution of the order order order, the President of the Office of Economic Service, by letter of 4 March 2026, ref. DKE.561.4.2026.(...) initiated administrative proceedings on the imposition on Mr B. E. administrative fine for non-compliance with the order imposed by the supervisory authority - pursuant to Article 58(2)(c) of Regulation 2016/679 - by decision of 21 October 2025 issued in the case for ref. DS.523.6546.2024.( ...). 8. A letter informing about the initiation of this proceeding was sent to Mr B. E. to the address of his residence, i.e. to the following address: ul. (...), (...) (...) W.. The letter contains the instruction that non-compliance with the order imposed by the supervisory authority is subject to an administrative penalty of up to 20 000 000 euro, pursuant to Article 83(6) of Regulation 2016/679. 9. By letter dated March 4, 2026 The President of UODO also called Mr. B. E. - in order to determine the basis for the administrative dimension of the monetary penalty in the present proceeding - to provide information on the income achieved by him for the year 2025., in the form of, for example, a copy of the tax information PIT-11, a copy of the tax return PIT-36 or PIT-37 or - in the absence of these or similar tax documents - a statement on the revenues and incomes achieved during this period. The organ also instructed Mr. B. E. that he may also provide other information about his financial situation or on the financial status, which may be relevant for the measurement of a penalty proportionate to the possibility of its payment by him. The President of UODO also informed Mr. B. E. that failure to provide such documents and information will result in the President of the Office of Personal Data Protection establishing the basis for the measurement of the penalty in an estimate - pursuant to Article 101a of the Act of 10 May 2018 on the protection of personal data (Journal of Laws No. U. from 2019, item 1781, as amended, hereinafter referred to as: “u.o.d.o.” 10. At the same time, the President of UODO informed Mr. B. E. that, if he provides, within 14 days from the date of service of the letter, the exhaustive explanations requested by the President of the Office of Education in a letter of 10 December 2025 and provide evidence of the execution of the Ordering Decision, that circumstance may mitigate the administrative penalty amount imposed in the present proceeding or may result in a waiver from its imposition. 11. The letter of 4 March 2026 informing about the initiation of this proceeding, after twice the notification on March 10, 2026 and March 18, 2026, was returned to the Office for Personal Data Protection with the annotation “RETURN did not take place on time”, so on the basis of Article 44 § 4 of the Code of Civil Procedure, it was considered to be served on Mr. B. E. on 24 March 2026 12. Until the date of this Decision, Mr B. E. did not respond to any of the persons referred to him, both in the procedure verifying the enforcement of the decision on the ref. DKE.560.277.2025.(...) as in the present proceedings, ref. DKE.561.4.2026.(...), letters of the President of UODO. Nor did he provide any evidence to support the execution of the order of the Ordering Decision. After considering all the evidence collected in the case, the President of the UODO weighed the following. III. Regulations 13. In accordance with Art. 60 u.o.d.o., proceedings for violation of data protection regulations are conducted by the President of UODO. In turn, Article 7(1) of the Civil Code provides that in matters not regulated in this Act for administrative proceedings before the President of the Office of Environmental Protection (including in proceedings concerning the imposition of an administrative penalty referred to in Chapter 11 of the Civil Code) the provisions of the Code of Civil Procedure shall apply. In accordance with Article 7(2) of the U.O.D.O., these proceedings are one-instance proceedings. 14. Stosownie do art. 57 ust. 1 rozporządzenia 2016/679, bez uszczerbku dla innych zadań określonych na mocy tego rozporządzenia, każdy organ nadzorczy na swoim terytorium (w tym Prezes UODO na terytorium Rzeczypospolitej Polskiej) między innymi monitoruje i egzekwuje stosowanie rozporządzenia (art. 57 ust. 1 lit. a) oraz prowadzi postępowania w sprawie jego stosowania (art. 57 ust. 1 lit. h). 15. Dla umożliwienia realizacji tak określonych zadań, Prezesowi UODO przysługuje szereg uprawnień naprawczych określonych w art. 58 ust. 2 rozporządzenia 2016/679. Przepis art. 58 ust. 2 lit i) rozporządzenia 2016/679 daje Prezesowi UODO uprawnienie do zastosowania, oprócz lub zamiast innych środków, o których mowa w art. 58 ust. 2 rozporządzenia 2016/679, administracyjnej kary pieniężnej na podstawie art. 83 tego aktu prawnego. 16. Zgodnie z art. 83 ust. 6 rozporządzenia 2016/679 nieprzestrzeganie nakazu orzeczonego na podstawie art. 58 ust. 2 tego rozporządzenia podlega administracyjnej karze pieniężnej w wysokości do 20 000 000 EUR, a w przypadku przedsiębiorstwa w wysokości do 4% jego całkowitego rocznego światowego obrotu z poprzedniego roku obrotowego, przy czym zastosowanie ma kwota wyższa. 17. Na podstawie wyrażonej w art. 5 ust. 2 rozporządzenia 2016/679 zasady rozliczalności administrator jest odpowiedzialny za przestrzeganie zasad określonych w ust. 1 tego przepisu (w tym - zgodnie z tzw. zasadą legalności - za przetwarzanie danych osobowych „zgodnie z prawem”) i musi być w stanie wykazać ich przestrzeganie. Zastosowanie zasady rozliczalności w niniejszej sprawie oznacza, że Przedsiębiorca zobowiązany jest - w szczególności w postępowaniu przed Prezesem UODO - udowodnić wykonanie nakazu decyzji, które to wykonanie byłoby równoznaczne z przywróceniem przetwarzania przez niego danych osobowych do stanu zgodnego z prawem. Takie implikacje zasady rozliczalności potwierdza doktryna prawa ochrony danych osobowych, zgodnie z którą: „Stwierdzenie, że administrator powinien być w stanie wykazać przestrzeganie zasad, odczytywać można jako nałożenie na administratora ciężaru dowodowego w zakresie przestrzegania zasad przetwarzania danych osobowych. W razie sporu z osobą, której dane dotyczą, albo z organem nadzorczym, administrator powinien być w stanie przedstawić dowody na to, że przestrzega zasad. Dowodami takimi mogą być przede wszystkim dokumenty dotyczące przetwarzania i ochrony danych.” (P. Fajgielski [w:] Komentarz do rozporządzenia nr 2016/679 w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i w sprawie swobodnego przepływu takich danych oraz uchylenia dyrektywy 95/46/WE (ogólne rozporządzenie o ochronie danych) [w:] Ogólne rozporządzenie o ochronie danych. Ustawa o ochronie danych osobowych. Komentarz, Warszawa 2018). 18. Oceniając czy, a jeśli tak, to w jakim wymiarze powinna być nałożona administracyjna kara pieniężna, organ nadzorczy ma obowiązek uwzględnić następujące okoliczności (przesłanki wymiaru kary) określone w art. 83 ust. 2 rozporządzenia 2016/679: a) charakter, wagę i czas trwania naruszenia przy uwzględnieniu charakteru, zakresu lub celu danego przetwarzania, liczby poszkodowanych osób, których dane dotyczą, oraz rozmiaru poniesionej przez nie szkody; b) umyślny lub nieumyślny charakter naruszenia; c) działania podjęte przez administratora lub podmiot przetwarzający w celu zminimalizowania szkody poniesionej przez osoby, których dane dotyczą; d) stopień odpowiedzialności administratora lub podmiotu przetwarzającego z uwzględnieniem środków technicznych i organizacyjnych wdrożonych przez nich na mocy art. 25 i 32; e) wszelkie stosowne wcześniejsze naruszenia ze strony administratora lub podmiotu przetwarzającego; f) stopień współpracy z organem nadzorczym w celu usunięcia naruszenia oraz złagodzenia jego ewentualnych negatywnych skutków; g) kategorie danych osobowych, których dotyczyło naruszenie; h) sposób, w jaki organ nadzorczy dowiedział się o naruszeniu, w szczególności, czy i w jakim zakresie administrator lub podmiot przetwarzający zgłosili naruszenie; i) jeżeli wobec administratora lub podmiotu przetwarzającego, których sprawa dotyczy, zostały wcześniej zastosowane w tej samej sprawie środki, o których mowa w art. 58 ust. 2 - przestrzeganie tych środków; j) stosowanie zatwierdzonych kodeksów postępowania na mocy art. 40 lub zatwierdzonych mechanizmów certyfikacji na mocy art. 42; k) wszelkie inne obciążające lub łagodzące czynniki mające zastosowanie do okoliczności sprawy, takie jak osiągnięte bezpośrednio lub pośrednio w związku z naruszeniem korzyści finansowe lub uniknięto straty. 19. Ponadto organ nadzorczy, zgodnie z art. 83 ust. 1 rozporządzenia 2016/679, zapewnia by stosowane administracyjne kary pieniężne były w każdym indywidualnym przypadku skuteczne, proporcjonalne i odstraszające. 20. Celem ustalenia podstawy wymiaru administracyjnej kary pieniężnej podmiot wobec, którego toczy się postępowanie zobowiązany jest na żądanie Prezesa UODO dostarczyć mu w terminie 30 dni od dnia doręczenia żądania danych niezbędnych do określenia tejże podstawy (art. 101 art. 1 u.o.d.o). Natomiast, w przypadku niedostarczenia tych danych przez podmiot podlegający ukaraniu, Prezes UODO ustala podstawę wymiaru administracyjnej kary pieniężnej w sposób szacunkowy, uwzględniając wielkość podmiotu, specyfikę prowadzonej przez niego działalności lub ogólnodostępne dane finansowe dotyczące podmiotu (art. 101a ust. 2 u.o.d.o.). 21. Zgodnie z art. 103 u.o.d.o. równowartość wyrażonych w euro kwot, o których mowa w art. 83 rozporządzenia 2016/679, oblicza się w złotych według średniego kursu euro ogłaszanego przez Narodowy Bank Polski w tabeli kursów na dzień 28 stycznia każdego roku, a w przypadku, gdy w danym roku Narodowy Bank Polski nie ogłasza średniego kursu euro w dniu 28 stycznia - według średniego kursu euro ogłoszonego w najbliższej po tej dacie tabeli kursów Narodowego Banku Polskiego. IV. Ocena prawna 22. Materiał dowodowy zebrany w sprawie obejmuje całokształt korespondencji wymienianej między Prezesem UODO a Administratorem w toku postępowania sprawdzającego o sygn. DKE.560.277.2025.(…). Obrazuje on próbę uzyskania przez Prezesa UODO od pana B. E. informacji o wykonaniu nakazu (pismo z 10 grudnia 2025 r. - zob. pkt 3 uzasadnienia niniejszej decyzji) oraz próbę doprowadzenia do dobrowolnego wykonania przez Zobowiązanego tego nakazu (upomnienie z 21 stycznia 2026 r. - zob. pkt 4 uzasadnienia niniejszej decyzji). W materiale dowodowym znajduje się również pismo Prezesa UODO z 4 marca 2026 r. (zob. pkt 7-10 uzasadnienia niniejszej decyzji) informujące pana B. E. o wszczęciu niniejszego postępowania w przedmiocie nałożenia na niego administracyjnej kary pieniężnej, która to kara ze swej istoty ma mieć charakter dyscyplinujący i naprawczy - w niniejszej sprawie ma na celu przede wszystkim doprowadzić do wykonania nakazu Decyzji nakazującej (i wykazanie tego przed Prezesem UODO). W związku z tym, że oba postępowania, zarówno postępowanie sprawdzające wykonanie Decyzji nakazującej (sygn. DKE.560.277.2025.(…)), jak niniejsze postępowanie w przedmiocie nałożenia kary za niewykonanie nakazu Decyzji nakazującej (sygn. DKE.561.4.2026.(…)), miały formę wyłącznie pisemną, pisma te obrazują w pełni (w sposób wyczerpujący) zarówno fakt skierowania do Zobowiązanego żądania wykonania nakazu Decyzji nakazującej oraz żądania udowodnienia tej okoliczności, jak i fakt niewywiązania się przez pana B. E. z tych obowiązków. Powyższe nie tylko pozwalało, ale i zobowiązywało Prezesa UODO, w stanie faktycznym istniejącym na dzień wydania niniejszej decyzji, do przyjęcia, że Decyzja nakazująca nie została przez pana B. E. wykonana. 23. It should be noted here, first, that the nature of the obligation imposed on Mr. B. E. in the Ordering Decision (to delete all personal data of the above-mentioned individuals, including their images and voices, from the monitoring system and to refrain from monitoring them in the future) determines the manner in which its implementation is determined in the proceedings before the President of the Personal Data Protection Office (UODO), in that it must be carried out with the participation of Mr. B. E.. Only the Obliged Party has the monitoring system through which he unauthorizedly obtains the data of the above-mentioned individuals, and only he can fulfill the obligation imposed on him by the President of the Personal Data Protection Office by indicating the date and method of permanent deletion of the data, the manner of performing the appropriate actions, and the manner of providing proof of their completion. The deletion of the personal data was to take place from the Obliged Party's internal resources, i.e., its monitoring system, to which—obviously—the President of the Personal Data Protection Office has no access. 24. Secondly, in addition to the above-mentioned practical aspect of demonstrating compliance with the Order, it is also important to note and emphasize the legal obligation on the Obliged Party, arising from the principle of "accountability" set forth in Article 5(2) of Regulation 2016/679, to demonstrate compliance with the fundamental principles of personal data processing, which include the principle of "lawfulness" of personal data processing (Article 5(1)(a) of Regulation 2016/679). There should be no doubt that the "lawfulness" referred to in this principle also means compliance with final rulings of the President of the Personal Data Protection Office, which are "corrective" in nature – intended to restore compliance with the law. This nature of the President of the Personal Data Protection Office's powers (including the power to order the controller to adapt processing operations to the provisions of Regulation 2016/679) is explicitly indicated by Article 58(2) of this legal act, which refers to the President's "corrective powers." In the procedural dimension, the principle of "accountability" should be derived from the principle that the burden of proving compliance with an order issued by the President of the Personal Data Protection Office (or, in the terminology used in Article 83(6) of Regulation 2016/679, compliance with an "order issued by a supervisory authority") rests with the addressee of the order – in this case, the Controller. Consequently, if the addressee of the order fails to demonstrate – when properly requested to do so – compliance with the obligation imposed on them, it should be assumed that they have not fulfilled that obligation. 25. The joint responsibility of a party for the course of the evidentiary proceedings and the consequences of their lack of cooperation with the administrative authority in determining the factual circumstances of the case are emphasized by administrative law doctrine and the case law of administrative courts, as presented below. 26. "Article 7 states that an administrative authority cannot limit itself to waiting for the party to present evidence confirming its request, but should actively seek to clarify the matter (see, e.g., judgment of the Supreme Administrative Court of 17 May 1994, SA/Lu 1921/93, LEX No. 26517; judgment of the Supreme Administrative Court of 4 June 1998, I SA/Kr 1052/97, LEX No. 33618; judgment of the Supreme Administrative Court of 25 June 1999, I SA 1551/98, LEX No. 48556). This does not exclude the party's obligation to contribute to ensuring the full and exhaustive collection and consideration of evidence – by submitting explanations or citing other evidence in the case (judgment of the Supreme Administrative Court of 4 December 1996, SA/Ld 2620/95, LEX No. 27407). In The case law even indicates that the obligation on the authorities to examine all circumstances relevant to the case cannot in any way justify the passivity of the interested party and does not release them from the obligation to cooperate with the authority in clarifying the matter (judgment of the Supreme Administrative Court of April 16, 2019, I OSK 1711/17). The party to administrative proceedings is obliged to prove the circumstances on the basis of which they derive favorable legal consequences for themselves (judgment of the Supreme Administrative Court of September 29, 2020, II OSK 1452/20, LEX no. 3075574). Therefore, the party should provide the authority with evidence concerning the circumstances, the demonstration of which is in their interest, under pain of negative procedural consequences for them. [...] The party cannot limit itself to formulating allegations as to the factual circumstances, expecting that in such a case the authority is obliged to seek evidence to prove these allegations. The obligation to collect and seek evidence, resting on administrative authorities, cannot be considered unlimited. It is impossible to demand that the authorities seek evidence indefinitely, or undertake a special investigation to discover evidence the existence of which is unknown or the discovery of which is extremely unlikely due to the passage of time.” (P. M. Przybysz [in:] Code of Administrative Procedure. Updated Commentary, LEX/el. 2024, art. 7., https://sip.lex.pl/#/commentary/587751055/754389/przybysz-piotr-marek-kodeks-postepowania-administracyjnego-komentarz-aktywowany?cm=URELATIONS). 27. It is also worth recalling here the thesis of the judgment of the Supreme Administrative Court of June 29, 2018, I OSK 274/18, according to which "[w]hile implementing the principle of objective truth (Article 7 of the Code of Administrative Procedure and Article 77 § 1 of the Code of Administrative Procedure), the authority is obliged to exhaustively collect and consider all evidence, the party is not released from the obligation to cooperate in clarifying the factual circumstances of the case. The party should present all information necessary to establish the factual circumstances of the case, as well as indicate evidence that, in its opinion, is relevant to the case and disclose the evidence in its possession" (Lex no. 2542783). In specific proceedings such as the present one, the subject of which is the assessment of the execution of an order involving the performance of operations in the controller's internal resources (databases), the above thesis has – in the opinion of the President of the Personal Data Protection Office – particular application. 28. Summarizing the above, it should be stated that Mr. B. E. – as the controller of the Complainants' personal data and as the addressee of the Injunction Decision – has failed to demonstrate compliance with the order contained in this decision, despite the requests addressed to him by the President of the Personal Data Protection Office (UODO) prior to the initiation of these proceedings. This allows us to conclude that the Obliged Party failed to comply with the order contained in the administrative decision of the President of the Personal Data Protection Office (UODO) addressed to him, reference number DS.523.6546.2024 (...), thereby violating the provisions of Article 58 paragraph 2 letter d) of Regulation 2016/679. Therefore, in the opinion of the President of the Personal Data Protection Office, there were grounds for imposing an administrative fine on Mr. B. E. – pursuant to Article 83 paragraph 6 of Regulation 2016/679 – for failure to comply with the order issued pursuant to Article 58 paragraph 2 of Regulation 2016/679. V. Conditions for Assessing Administrative Fines 29. Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, consideration is given to a number of circumstances listed in points a) to k) of the aforementioned provision. In deciding to impose an administrative fine on the Controller in this case and determining its amount, the President of the Personal Data Protection Office took into account the following aggravating circumstances affecting the assessment of the infringement (see paragraphs 30-44 of the justification for this decision): The nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing in question, the number of data subjects affected, and the extent of the damage they suffered (Article 83(2)(a) of Regulation 2016/679). 30. The infringement subject to an administrative fine in these proceedings (failure to comply with the order issued by the President of the Personal Data Protection Office pursuant to Article 58(2) of Regulation 2016/679) undermines the system intended to protect one of the fundamental rights of natural persons, namely the right to the protection of their personal data, or more broadly, the protection of their privacy. A crucial element of this system, the framework of which is defined by the provisions of Regulation 2016/679, are the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of natural persons' rights in this regard. To enable the implementation of these tasks, the supervisory authorities are endowed with a number of remedial powers, which are listed in Article 58(2) of Regulation 2016/679. The Controller's disregard for the order issued against it by the President of the Personal Data Protection Office (UODO), which is essentially a specific expression of the obligation provided for in Regulation 2016/679, constitutes a disregard for personal data protection regulations and the role of the President of the Personal Data Protection Office in the data protection system defined by Regulation 2016/679. 31. The gravity of the infringement assessed in this case (in an abstract sense, detached from the realities of this case) is emphasized by the EU legislator itself, who classified it as an infringement punishable by the higher of the two penalties provided for in Regulation 2016/679 – with a maximum penalty of up to EUR 20,000,000 or – in the case of an enterprise – up to 4% of its turnover from the previous financial year. Assessing infringements of Regulation 2016/679 solely by the level of their financial sanction, it should be noted that this legal act does not include "more serious" infringements punishable by a higher penalty. 32. In the individual context (in the circumstances of this specific case), the nature, scope, and purpose of the processing carried out by the Controller contrary to the order of the Injunction Decision have an aggravating impact on the gravity of the infringement. It should be stated, first and foremost, that the processing consisting in monitoring the complainants through video surveillance extending beyond the property owned by the Controller is an unlawful act, since in the Injunction Decision, the President of the Personal Data Protection Office ordered its cessation. The scope of this processing, despite its merely local nature, should be considered broad; virtually all members of the local community – the residents of (...) W. Street – are subject to (continuous, long-term) monitoring. Such action by the Controller, assessed in relation to the small size of this local community, should be assessed decisively negatively. It disrupts its functioning, profoundly interfering with the lives of its members and causing negative consequences both in the private sphere – individual, and in the social sphere. 33. It should be emphasized that the purpose of this type of processing is unlawful and results – in the opinion of the President of the Personal Data Protection Office – from the Controller's bad faith. Its broad scope demonstrates that this purpose is not the protection of the Controller's life, health, or property. Nor can it be the protection of public order, in particular the detection of crimes and offenses and the prosecution of their perpetrators, since this task does not fall within the competence of private entities (it is the exclusive competence of the relevant state authorities). The manner in which the Controller uses the surveillance footage, however, indicates that this processing is intended to harass the individuals subject to monitoring and hinder their normal functioning by, among other things, initiating large-scale (often unjustified) proceedings regarding alleged crimes and offenses committed by these individuals. 34. It should be emphasized that the failure to comply with the Order concerns a large number of individuals – relative to the size of the local community. The consequence of the violation found in this case (failure to comply with the order of the President of the Personal Data Protection Office) is the Controller's continued unlawful processing of the personal data of at least thirty individuals, a relatively large portion of the residents of the street where the monitoring in question is being used. The consequences of the Controller's actions for these individuals are clearly negative. They continue to suffer and accumulate non-pecuniary damage (harm) resulting from the continuous and ongoing surveillance, the recording of this surveillance in the form of recordings, and the use of these recordings by the Controller. 35. The Controller's use of video surveillance directed towards the public road and also covering adjacent properties, contrary to the order of the President of the Personal Data Protection Office set forth in the Ordering Decision, gives the individuals subject to monitoring a sense of constant surveillance and surveillance of their private lives, including their location data. The image and voice of the Complainants are recorded at their place of residence and in their daily residences and movements in connection with their normal use of the public road. Therefore, they are monitored every day during their ordinary daily activities. The Controller does not have the right to monitor the aforementioned areas using such an invasive method as the constant monitoring and processing of personal data of individuals who reside there – in every situation and every day. 36. The gravity of the infringement is further increased by the fact that the infringement is long-term – covering the period from December 9, 2025 (the date the Injunction Decision became final, by which date it should have been implemented) to the present. The nearly six-month, unjustified failure to comply with the Injunction issued by the President of the Personal Data Protection Office should be considered long-term and treated as another circumstance that has a negative impact on the amount of the imposed administrative fine. 37. Summing up the assessment of all the individual circumstances covered by the criterion indicated by the legislator in Article 83 paragraph 2 letter a) of Regulation 2016/679, it should be stated that their combined impact on determining the type and amount of the sanction imposed by the President of the Personal Data Protection Office is clearly aggravating. Unintentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679). 38. The Article 29 Working Party, in its Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on October 3, 2017, indicated that, in principle, "intention" encompasses both knowledge and deliberate action, in connection with the characteristics of a criminal offense, while "negligence" means the absence of intent to cause an infringement despite the controller's or processor's failure to exercise due care as required by law. Intentional infringements are more serious than unintentional ones, which does not mean that the latter—especially if they result from gross negligence on the part of the controller or processor—do not merit a negative assessment and financial sanction. 39. Since the Injunction Decision was not actually received by the Controller (it was deemed to have been delivered to it pursuant to Article 44 § 4 of the Code of Administrative Procedure), there are no grounds to conclude that the failure to comply with the Injunction was intentional. In the opinion of the President of the Personal Data Protection Office, the infringement committed by the Controller was unintentional. However, since it resulted from a gross and prolonged neglect of the obligation to receive official correspondence addressed to it, this circumstance should be assessed negatively and considered aggravating in the context of both the justification for imposing a fine on it and the determination of its amount. The gross nature of the Controller's negligence stems from the fact that it undoubtedly had knowledge of numerous ongoing proceedings involving it (most often initiated by it) (before law enforcement authorities and before the President of the Personal Data Protection Office). He should therefore have made reasonable efforts to respond to correspondence addressed to him within these proceedings, in order to fulfill his procedural obligations. Any consequences of failing to comply with this obligation—including the lack of knowledge of the content of the order issued by the President of the Personal Data Protection Office (UODO) in the Mandatory Decision—are the sole responsibility of the Controller and do not constitute a circumstance that could exclude his liability for the infringement found in this case. Categories of personal data affected by the infringement (Article 83 paragraph 2 letter g) of Regulation 2016/679). 40. First, it should be noted that the infringement found in this case, although formally concerning the Controller's failure to fulfill an obligation addressed to the President of the Personal Data Protection Office (failure to comply with his order), and not towards the data subjects, also relates to specific processing operations, and therefore to the specific personal data subject to such processing. The consequence of the Controller's failure to comply with the Injunction Decision is its continued processing—contrary to the order of the President of the Personal Data Protection Office—of specific personal data that can be assigned—in accordance with Article 83(2)(g) of Regulation 2016/679—to specific categories, and based on this classification, assessed in the context of determining the appropriate sanction for a breach involving such personal data. 41. Personal data in the form of the image and voice of specific individuals, as well as information locating their location at a specific time, are not special category data; they are not subject to the special processing requirements referred to in particular in Articles 9 and 10 of Regulation 2016/679. Nevertheless, in these specific circumstances, the image and voice of the Complainants, as well as information about their location at a specific time, processed in conjunction with their identifiable data (first name, last name, address) held by the Controller, should be considered somewhat sensitive data. Their processing in the manner used by the Controller, and for the purpose specified by it, results in a number of negative consequences for them – from the psychological discomfort associated with the feeling of being spied on by an unauthorized person to the stress and effort associated with having to participate in proceedings initiated by the Controller before law enforcement and judicial authorities. 42. The above justifies – in the opinion of the President of the Personal Data Protection Office – the finding that the sensitive nature of the personal data concerned by the breach (resulting from the context of the manner and purpose of their processing by the Controller) has an aggravating effect on the assessment of the breach assessed in this case. The degree of cooperation with the supervisory authority to remedy the breach and mitigate its potential negative effects (Article 83 paragraph 2 letter f) of Regulation 2016/679). 43. In assessing the Controller's cooperation with the President of the Personal Data Protection Office in these proceedings, it should be noted that the Controller did not engage in any cooperation with the President of the Personal Data Protection Office. In particular, the Controller did not respond to the correspondence addressed to him; He did not receive any correspondence, even though, as a result of the numerous complaints filed by individuals whose rights had been violated, he could have expected a request to the data protection authority to clarify the circumstances of the case. The Controller failed to provide the explanations and evidence requested by the President of the Personal Data Protection Office in his letters; therefore, he did not provide information that would allow for the enforcement of the Order, which could be considered an action to remedy the infringement and mitigate its potential effects. Actions taken by the Controller to minimize the harm suffered by data subjects (Article 83 paragraph 2 letter c) of Regulation 2016/679) 44. In this case, the President of the Personal Data Protection Office found that the Complainants suffered non-pecuniary damage (harm) resulting from the continued processing of their personal data through video surveillance, carried out contrary to the final order of the Order. The Controller did not take any action to minimize this harm. On the contrary, his continued unlawful processing of the Complainants' image and voice using the video surveillance system increases their (justified) discomfort, fear, stress, and sense of helplessness in the face of the Controller's unlawful actions. The Controller's failure to take such actions, which can be expected and required of a controller responsible for their conduct, constitutes a circumstance that has an aggravating effect on the President of the Personal Data Protection Office's assessment of the violation. 45. The remaining circumstances referred to in Article 83(2) of Regulation 2016/679 (see paragraphs 46-52 of the justification for this decision), after assessing their impact on the infringement found in this case, were deemed by the President of the Personal Data Protection Office to be neutral for his assessment, that is, as having neither an aggravating nor a mitigating effect on the amount of the imposed administrative fine. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by it (Article 83(2)(d) of Regulation 2016/679) 46. The infringement found in this case is unrelated to the organizational and technical measures implemented by the Controller to ensure personal data protection and processing security. Therefore, responsibility for these measures (for their condition, adequacy to the identified processing risks, effectiveness, etc.) cannot be the subject of the President of the Personal Data Protection Office's assessment of the infringement. Any relevant prior infringements by the controller or processor (Article 83 paragraph 2 letter e of Regulation 2016/679) 47. The President of the Personal Data Protection Office (UODO) has not identified any prior infringements of personal data protection committed by the Controller, in particular those involving non-compliance with an order issued by the President of the Personal Data Protection Office pursuant to Article 58 paragraph 2 of Regulation 2016/679. Therefore, there is no basis to treat this circumstance as an aggravating factor. Since such a situation (compliance with personal data protection regulations) is the norm—merely an expression of the Controller's compliance with its legal obligations—it cannot have a mitigating effect on the President of the Personal Data Protection Office's assessment of the infringement. How the supervisory authority learned of the breach (Article 83(2)(h) of Regulation 2016/679) 48. According to paragraph 99 of Guidelines 04/2022, "[w]here the supervisory authority has learned of the breach, for example, as a result of a complaint or in the course of proceedings, this element should, in principle, also be considered a neutral circumstance. The supervisory authority may consider this fact as a mitigating circumstance if the controller or processor has notified the breach on its own initiative before the supervisory authority has become aware of the matter." In this case, the President of the Personal Data Protection Office (UODO) obtained information about the breach during the proceedings he conducted ex officio to verify the implementation of the Order. This is – in the case of the breach assessed in this case – the standard way of obtaining information about it; it does not require any informational activities on the part of the Controller directed at the supervisory authority. Therefore, its activity in this regard (or lack thereof) is not subject to assessment by the President of the Personal Data Protection Office in the context of assessing the breach itself; It therefore has no impact (neither aggravating nor mitigating) on the type and severity of the sanction imposed for this violation. Compliance with previously applied measures in the same case, referred to in Article 58 paragraph 2 of Regulation 2016/679 (Article 83 paragraph 2 letter i) of Regulation 2016/679 49. The President of the Personal Data Protection Office did not apply any measures listed in Article 58 paragraph 2 of Regulation 2016/679 to the Controller in this case. Therefore, the Controller was not obligated to comply with them. The inability to assess the degree of compliance or non-compliance with such measures means that this premise is not subject to assessment in this case and does not affect the amount of the administrative fine imposed. Application of approved codes of conduct or approved certification mechanisms (Article 83 paragraph 2 letter j) of Regulation 2016/679) 50. The Controller does not apply any codes of conduct or approved certification mechanisms. The use of such self-regulatory instruments by controllers is not mandatory, therefore, their failure to apply them cannot be considered aggravating factors in assessing the infringement. If the Controller had implemented and applied an approved code of conduct or certification mechanism in practice, the supervisory authority could have found this to be to its advantage, given that these measures would guarantee a higher than standard level of personal data protection. Financial benefits achieved or losses avoided in connection with the infringement (Article 83 paragraph 2 letter k) of Regulation 2016/679) 51. The President of the Personal Data Protection Office did not find that the Controller had obtained any financial benefits or avoided any such losses due to the failure to comply with the Order. There are therefore no grounds to treat this circumstance as aggravating the Controller. The finding of tangible financial benefits resulting from the infringement of Regulation 2016/679 should be assessed decisively negatively. However, the Controller's failure to achieve such benefits is a circumstance that, by its very nature, cannot be considered mitigating. This is confirmed by the wording of Article 83(2)(k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to "achieved" benefits – those incurred by the entity committing the infringement. Other aggravating or mitigating factors (Article 83(2)(k) of Regulation 2016/679) 52. The President of the Personal Data Protection Office did not note any circumstances other than those described above that could affect the assessment of the infringement and the amount of the administrative fine imposed. VI. Determining the amount of the fine using the Guidelines 04/2022 53. In determining the amount of the administrative fine imposed on the Controller, who is a natural person, in this case, the President of the Personal Data Protection Office (UODO) could not apply the methodology presented by the EDPB in the Guidelines 04/2022. According to that document, "[t]he presented guidelines apply to all types of controllers and processors in accordance with Article 4(7) and (8) of the GDPR, with the exception of natural persons who are not entrepreneurs" (see point 9 of the Guidelines 04/2022). The above reservation applies to the Controller, who is not a business entity, and the processing of the data covered by the Order Decision serves the Controller's private, non-business purposes. The exclusion of the application of Guidelines 04/2022 in cases such as the present one is obvious, as the process of calculating an administrative fine presented in Guidelines 04/2022 is based on the turnover generated by the undertaking from its business activities. 54. Nevertheless, in the opinion of the President of the Personal Data Protection Office (UODO), the EDPB guidelines regarding the assessment by the supervisory authority of the circumstances referred to in Article 83(2) of Regulation 2016/679 (which the President of the UODO took into account when assessing the conditions for imposing the fine – see paragraphs 30-52 of the justification for this decision), as well as the EDPB general guidelines regarding the application of Article 83(1) of Regulation 206/679, i.e., the assessment of the principles of effectiveness, proportionality, and dissuasiveness of an administrative fine, remain valid – also in this case. 55. Referring to the principle of proportionality of administrative fines, the EDPB emphasizes that "the amount of the fine imposed should be proportionate to the infringement assessed overall, taking into account, in particular, the gravity of that infringement" (see point 138 of Guidelines 04/2022). Therefore, in assessing the infringement found in this specific case "as a whole," the President of the Personal Data Protection Office (UODO) first took into account its high gravity, resulting from the assessment of all the circumstances listed by the EU legislator in Article 83(2) of Regulation 2016/679. Many of these circumstances—constituting the "comprehensive" assessment of the violation—are "aggravating" for the Controller (supporting the imposition of a more severe sanction)—the nature of the violation, the scope and purpose of the processing carried out by the Controller, the number of affected individuals, the extent of the damage they suffered, the categories of personal data processed by the Controller in violation of the Injunction Decision, the gross negligence leading to the violation, and the Controller's lack of cooperation with the President of the Personal Data Protection Office (UODO) to remedy the violation, i.e., to comply with the Injunction Decision. However, in this case, there are no circumstances that the President of the Personal Data Protection Office could consider to the Controller's advantage. 56. A detailed assessment of all the circumstances that have and may have affected the assessment of the violation has been presented above (see paragraphs 30-52 of the justification for this decision). However, in assessing the gravity of the violation, it is necessary to highlight two negative aspects of the violation committed by the Controller. It should be noted that, by its single conduct—disregarding the legal order—the Controller violates both the powers of the President of the Personal Data Protection Office and the rights and freedoms of data subjects. 57. On the one hand, the Controller directly violates one of the fundamental corrective powers of the supervisory authority—the power to order the controller to comply with a data subject's request, as defined in Article 58(2) of Regulation 2016/679. This violation undermines the very foundation of the personal data protection system established by Regulation 2016/679, which provides—to ensure its effectiveness—a central role for supervisory authorities with specific corrective measures at their disposal, including the power to issue orders against controllers and processors, as well as sanctions to enforce these orders and, more broadly, to ensure the application of the provisions of Regulation 2016/679. 58. On the other hand, the Controller's actions violate the rights and freedoms of individuals whose data are being processed contrary to the order of the Injunction Decision. Although the infringement established by this decision essentially concerns the relationship between the Controller and the supervisory authority, and not between the Controller and the data subject, it also has consequences for the individuals whose data the Controller processes. These individuals have the right to expect that their personal data, or more broadly, their right to privacy, will be effectively protected by the supervisory authority, equipped with appropriate remedies and coercive measures. In particular, these individuals have the right to expect that the Controller will remedy the infringement immediately after the decision establishing it and ordering the restoration of the processing to a lawful state becomes final. Meanwhile, the continued processing of personal data in violation of the Injunction Decision results in a continued violation of their right to privacy and an increase in their non-pecuniary damage – discomfort, stress, and anxiety related to the loss of control over their personal data and constant surveillance, fear of the Controller using recordings of their participation in subsequent (often unfounded) reports to law enforcement authorities, stress related to participating in these proceedings, and a sense of persistent harassment related to these reports and proceedings. 59. Such a multifaceted violation of the legal order by the Controller justifies the assessment of the high gravity of the violation and, consequently, the need to impose a severe sanction. 60. Guidelines 04/2022 indicate that when determining the amount of an administrative fine, the supervisory authority verifies "whether the amount of the fine is proportionate to both the gravity of the violation and the size of the enterprise to which the entity that committed the violation belongs." In this context, the EDPB also refers to the judgments of the European Court of Justice in Cases C-387/97 and C-278/01, which indicate that a fine should be "proportionate to the financial capacity" of the fined entity (see point 139 of Guidelines 04/2022). These guidelines do not apply to situations where the perpetrator of the infringement is a natural person who is not a business. However, in the opinion of the President of the Personal Data Protection Office, it is appropriate, and of general importance for all types of controllers, to take into account – when assessing the proportionality of the penalty imposed on them – the "size" of the controller who is the perpetrator of the infringement. In the case of a natural person not conducting business activity, the "size" of the controller – in the opinion of the President of the Personal Data Protection Office – determines the scope and scale of their activities – both personal and those conducted in the field of personal data processing, while "financial capacity" determines the level of their income and their assets. Taking these circumstances into account allows for determining the severity of the penalty so that, on the one hand, it is effective and dissuasive (thereby fulfilling its objectives – see paragraphs 65-66 of the justification for this decision), and, on the other hand, its payment or enforcement does not come at the expense of satisfying the basic existential needs of the punished person. 61. In the present case – in order to determine the amount of the penalty in accordance with the principles set out in Article 83 paragraph 1 of Regulation 2016/679 – the President of the Personal Data Protection Office requested the Controller to provide information on his earnings or other income and his financial status, which information could be relevant to determining the amount of the penalty imposed on him (see paragraph 9 of the justification for this decision). 62. Due to the fact that the Controller failed to provide, at the request of the President of the Personal Data Protection Office, the financial data necessary to determine the basis for assessing the administrative fine, the President of the Personal Data Protection Office established this basis – in accordance with Article 101a paragraph 2 of the Personal Data Protection Office. - estimated. The President of the Personal Data Protection Office (UODO) assumed that the scale of the Controller's activities, both personal and personal data processing, is purely local. In terms of personal data processing, the scale of its activities cannot be considered small. Processing the personal data of even several dozen individuals in a small, local environment (the Complainants alone number 30, and undoubtedly, other individuals are also monitored – other residents of (...) W. Street, their families and guests, random passersby, etc.) is undoubtedly significant activity, disrupting the normal functioning of the local community. 63. The President of the Personal Data Protection Office (UODO) also deemed the Controller's financial and property situation to be average. Therefore, in estimating the basis for the penalty, the President of the UODO used as a reference point the average monthly salary in the national economy for 2025, which – according to the Announcement of the President of the Central Statistical Office of February 9, 2026 – was PLN 8,903.56[2]. Taking this into account, the high gravity of the infringement, and the requirement of proportionality of the imposed penalty, the President of the Personal Data Protection Office deemed it justified to impose an administrative fine on the Controller in an amount equivalent to three times the average monthly remuneration referred to above, i.e., PLN 26,711 (which corresponds to EUR 6,358 at the average euro exchange rate of January 28, 2026, of EUR 1 = PLN 4.2009). 64. The administrative fine in the amount indicated above, while being, in the opinion of the President of the Personal Data Protection Office, a proportionate penalty, will also fulfill the other functions provided for in Article 83(1) of Regulation 2016/679 – it will be an effective and dissuasive penalty. 65. Guidelines 04/2022 indicate that "a financial penalty may be considered effective if it achieves the objectives for which it was imposed. Such a goal may be to restore compliance with regulations, to punish unlawful conduct, or both." (see point 135 of Guidelines 04/2022). A crucial goal of the penalty imposed in this case is its restitutive purpose, consisting in "forcing" the Controller to comply with the order issued in the Injunction Decision to cease processing the personal data of the individuals indicated in that decision using video surveillance extending beyond the boundaries of the Controller's property. The prompt execution of the order issued by the President of the Personal Data Protection Office is important not only from the perspective of the authority, its powers, and the effectiveness of its actions, but above all, for the rights and freedoms of individuals subjected to unlawful monitoring – the right to privacy, the right to undisturbed use of one's property, and freedom from interference with one's private life. An important purpose of the fine, which the President of the Personal Data Protection Office (UODO) had in mind when imposing a fine that is burdensome for an individual, is its repressive purpose. In the opinion of the President of the UODO, a controller who persistently challenges the authority's actions aimed at protecting the rights and freedoms of others deserves a severe sanction. This demonstrates disregard for the rights and freedoms of others – those living with them in the local community – and, more broadly, for the social and legal norms regulating the life of that community. 66. Another purpose of the administrative fine – the preventive purpose – is related to the third function of the fine, also specified in Article 83(1) of Regulation 2016/679 – its deterrent function. As stated in the Guidelines 04/2022, "a fine is deterrent if it has a real deterrent effect," and "when imposing a fine, the supervisory authority shall take into account both the general and specific deterrent effect" (see paragraph 142 of the Guidelines 04/2022). Furthermore, as the EDPB rightly points out: "A fine is deterrent if it deters an individual from infringing the objectives and norms of Union law. In this case, it is not only the type and amount of the fine that matters, but also the likelihood of its imposition. Anyone who commits an infringement must fear that a fine will actually be imposed on them. In this sense, the criterion of the deterrent nature of the fine and the criterion of its effectiveness overlap" (see paragraph 143 of the Guidelines 04/2022). 67. The above EDPB guidelines clearly support the application of a more severe sanction, one that is more burdensome for the Controller. It is obvious that the more severe the sanction, the more likely it is to deter the recipient from repeating the same infringement (so-called specific deterrence) and to discourage others from committing the same infringement in the future (so-called general deterrence). The sanction is also proportionate, limited to three times the average monthly salary, as indicated above, and will not cause excessive financial harm to the controller. It is therefore proportionate to the infringement. 68. The severity of the sanction is particularly significant in the case of the specific infringement assessed in this case – failure to comply with an order issued by a supervisory authority, which does not involve a one-time and irreversible action (such as deleting personal data from the controller's data files or IT systems). Where the order requires—as in this case—to refrain from certain unlawful conduct in the future (to "cease processing personal data"), the controller—after temporarily complying with the supervisory authority's order—may at any time revert to the conduct that violates the order. Such conduct can only be prevented by a truly severe sanction and the threat of at least an equally severe penalty in the event of a repeated violation of the order issued by the supervisory authority. 69. Finally, the so-called general deterrent effect of a fine, or, in other words, the general deterrent effect of this type of sanction, is worth emphasizing in this case. The President of the Personal Data Protection Office (UODO) notes the large scale of the unlawful use of so-called "private surveillance"—or use in violation of Regulation 2016/679—of so-called "private surveillance," often used not as a means of protecting the life, health, or property of the user, but as a tool for resolving neighborly conflicts. Decisions by the President of the Personal Data Protection Office (UODO) ordering this method of personal data processing to comply with Regulation 2016/679 are sometimes ignored by controllers using surveillance. Orders by the President of the Personal Data Protection Office (UODO) are sometimes only partially or ostensibly implemented. There are also situations where, after only temporary compliance with the President of the Personal Data Protection Office's order, individuals revert to unlawfully processing the data of neighbors or other individuals through video surveillance. In this context, the penalty imposed in this case should have a general deterrent effect. It should inform controllers and processors that a breach consisting in failure to comply with a supervisory authority's order is a serious breach and will be subject to imminent and severe financial sanctions. 70. In summary, the President of the Personal Data Protection Office (UODO) finds that the amount of the administrative fine determined in the manner described above complies with the principles of proportionality, effectiveness, and dissuasiveness of the fine set forth in Article 83(1) of Regulation 2016/679, while not exceeding the legally established maximum fine for the infringement assessed in this case, i.e., PLN 84,018,000 (equivalent to EUR 20,000,000). The amount of the imposed fine – PLN 26,711 (equivalent to EUR 6,358) – represents only 0.03% of this amount. Taking the above into account, the President of the UODO ruled as set out in the operative part of this decision. [1] https://(…) [2] Announcement of the President of the Central Statistical Office of February 9, 2016, regarding the average wage in the national economy in 2025 (Journal of Laws of 2026, item 192) phone UODO hotline 606-950-000, open weekdays from: 10:00 AM to 2:00 PM uodo© UODO 2018 - 2025 All rights reserved. arrow-ui-linkUODO home page arrow-ui-linkReport an error Personal Data Protection Office ul. Stanisława Moniuszki 1A, 00-014 Warsaw kancelaria@uodo.gov.pl Office hours: 8:00 AM to 4:00 PM BIP | Privacy Policy UODO Portal 1.2.9 uses NeuroLex technology from Neurosoft Sp. z o. o.