Key factors influencing GDPR fines imposed by the Polish supervisory authority – case study

The President of the Polish Personal Data Protection Office (PUODO) has issued eight decisions imposing administrative fines so far. The fine amounts vary from 460,00 EUR to 660.000,00 euro. Seven of the decisions concern private sector and one is addressed to the mayor of a small town (public sector). This paper analyses which of the mitigating and aggravating factors set forth in Article 83 of the GDPR are most commonly taken into account by the Polish supervisory authority when determining the severity of fines. The purpose of the paper is also to determine whether the attitude of the data controller during the inspection can have any impact on the imposition and the amount of a fine.