Toyota Bank Polska fined €132,000 for GDPR breaches including failure to ensure the independence of its DPO and lack of documented profiling practices

Poland’s data protection authority has fined Toyota Bank Polska €132,000 for failing to ensure the independence of its DPO and neglecting to document profiling practices and conduct a DPIA.

On 18 December 2024, the Polish Data Protection Authority (UODO) imposed an administrative fine of €132,000 on Toyota Bank Polska S.A. for violations of key GDPR provisions. The investigation revealed serious shortcomings concerning the positioning of the Data Protection Officer (DPO), and the bank’s failure to document profiling activities and conduct an appropriate Data Protection Impact Assessment (DPIA).

The Polish Data Protection Authority found multiple GDPR violations at Toyota Bank Polska S.A., including inadequate organisational independence of the DPO.

The GDPR mandates that the Data Protection Officer must operate independently and report directly to the highest level of management. However, in this case, the DPO at Toyota Bank Polska was structurally subordinate to the Director of the security department—rather than the Management Board of the bank. Moreover, this Director simultaneously oversaw data processing activities, creating a clear conflict of interest and compromising the independence of the DPO as required under Article 38(3) GDPR.

The bank failed to account for profiling in the record of processing activities and DPIA.

Toyota Bank processes customer data for creditworthiness assessments through automated profiling, specifically the assignment of a credit score and risk category. Despite this, the bank neglected to document this profiling in its Article 30 records of processing activities. In addition, the bank failed to evaluate the risks associated with such profiling through a DPIA, contrary to the obligations set out in Articles 35(1) and 35(7) GDPR.

The administrative fine imposed on Toyota Bank Polska S.A. reflects the seriousness of the violations and highlights the importance of organisational accountability.

As a result of these findings, UODO issued two distinct fines: €60,000 for breach of Article 38(3) concerning the DPO’s position, and €72,000 for breaches of Articles 30(1), 35(1) and 35(7) relating to the record of processing activities and DPIA obligations. The cumulative fine of €132,000 emphasises the regulator’s view that these were serious infringements with significant implications for data subjects’ rights and organisational accountability.

This case serves as a clear warning to controllers on both governance and transparency obligations.

The decision highlights the need for organisations to ensure that their DPOs are not only formally appointed, but also operationally independent and free from conflicts of interest. It also reaffirms the importance of maintaining accurate records of processing activities and conducting thorough impact assessments, particularly when profiling or automated decision-making is involved. Controllers must ensure full GDPR compliance not just in organisational policy, but also in practice.

Discover how Aphaia can help ensure compliance of your data protection and AI strategy. We offer full GDPR and UK GDPR compliance, as well as outsourced DPO services. We specialise in empowering organisations like yours with cutting-edge solutions designed to not only meet but exceed the demands of today’s data landscape. Contact Aphaia today.
