DPA President does not agree with the Court questioning the authority's independence
In his letter to the President of the Supreme Administrative Court (the NSA), the President of the Personal Data Protection Office (the Polish SA) expresses his deep concern about the dangerous direction taken by the NSA's interpretation of the competence and the constitutional status of the supervisory authority, viewed in the light of the rights of data subjects whose personal data have been breached.
In the opinion of the President of the Polish SA, the NSA openly and in an unprecedented manner contests the independence of the supervisory authority, and undermines both its competence and the professional qualifications of its employees, which are necessary to perform the tasks for which the authority was established.
The case concerns the NSA's ruling on the penalty imposed by the Polish SA on the company Morele.net. It is clear from the ruling that the reason for revoking the decision of the President of the Polish SA in the Morele.net case was the authority's refusal of the request for an expert opinion on the technical and organisational measures applied by the company.
The employees of the Polish SA have many years of experience, often more than 20 years, in inspecting and conducting proceedings against processors. Over this period the authority has built up unique institutional knowledge, on which all its employees rely and which guarantees the expertise needed to independently assess the application of technical and organisational measures in IT systems without the assistance of an expert. Moreover, contrary to the NSA's assertions, the assessment of technical and organisational measures by the DPA under the GDPR is nothing new. Significantly, prior to the entry into force of the GDPR, the NSA did not contest the competence of the employees of the then Polish data protection authority, GIODO, to inspect and conduct proceedings concerning processors' IT systems, including systems of strategic importance to the interests of the state, such as the PESEL register.
It should be recalled that in 2019 the Polish SA imposed a fine of more than PLN 2.8 million on the company Morele.net. According to the Polish SA, the technical and organisational measures applied by the company were not appropriate to the risk involved in the processing, as a result of which the data of approximately 2.2 million people fell into the wrong hands. When imposing the fine, the supervisory authority stated that the violation in this case was of a significant and serious nature and affected a large number of people.
By its ruling, the NSA completely disregarded the rights of the more than 2.2 million users whose personal data were breached as a result of the company's activity, and who may also suffer severe consequences from unauthorised access to their data. In the opinion of the Polish SA, the rights of data subjects should be an important consideration in the case at hand, especially as the authority stressed that, on the facts of the case, the risk involved the use of phishing, i.e. attempts to obtain data, including bank account credentials, by impersonating the company in text messages and exploiting the fact that the customer had placed an order.
It is also worth recalling that in 2020 the Voivodship Administrative Court in Warsaw dismissed Morele.net's complaint and found that the decision imposing the penalty on the company was justified. At the time, the Court shared the supervisory authority's view that the technical and organisational measures applied by the company had proved ineffective in protecting customers' personal data.
If the position of the NSA expressed in the above-mentioned judgment, which questions the competence of the Polish SA and undermines its independence, were accepted as correct, it would in practice prevent the authority from functioning independently and from resolving personal data protection issues in the IT systems used for data processing. It would also deprive the persons whose data are processed of the effective protection of their rights guaranteed by the Treaty on the Functioning of the European Union, the Charter of Fundamental Rights of the European Union and the GDPR.