20.04.2024

[UPDATED] The Supreme Administrative Court of Poland confirmed

The Supreme Administrative Court of Poland confirmed that the processing of personal data within the framework of the Bulletin of Public Information is subject to the GDPR

The mayor of Aleksandrów Kujawski must pay a fine imposed by the President of the Personal Data Protection Office. On 28 February 2024, the Supreme Administrative Court of Poland in the case ref. no. II OSK 3839/21 dismissed the cassation appeal filed by the Mayor of Aleksandrów Kujawski and thus upheld the 2019 decision of the President of the Personal Data Protection Office imposing a fine of PLN 40 thousand for violating the provisions of the General Data Protection Regulation.

In dismissing the complaint, the Supreme Administrative Court of Poland upheld the arguments raised by the President of the Personal Data Protection Office and agreed with the earlier judgment of the Voivodeship Administrative Court in Warsaw, ref. no. II SA/Wa 2826/19 of 26 August 2020.

The allegations of the President of the Personal Data Protection Office, with which the Supreme Administrative Court of Poland and earlier the Voivodeship Administrative Court agreed, concerned, inter alia, the fact that the controller did not conclude a data processing agreement with the company on whose servers the resources of the Bulletin of Public Information of the City Hall in Aleksandrów Kujawski were located, as well as with the entity that provided the software for the creation of the Bulletin of Public Information and provided maintenance services in this area. The lack of such agreements violates Article 28(3) of the GDPR, according to which the controller is obliged to conclude a data processing agreement when it commissions the performance of services related to the processing of personal data. The dispute with the mayor of Aleksandrów concerned, inter alia, the issue of whether the GDPR applies at all in such circumstances. The Supreme Administrative Court's ruling confirms that the exceptions excluding the application of the GDPR must be interpreted narrowly and limited only to what is necessary.

The Supreme Administrative Court of Poland also confirmed how important it is for controllers to have appropriate policies regarding the processing of personal data in the Bulletin of Public Information, as well as to determine the period for which data will be processed in the Bulletin of Public Information.

The Supreme Administrative Court of Poland agreed with the decision of the Personal Data Protection Office in terms of irregularities in connection with the publication of recordings of city council sessions on a YouTube channel. The controller who selected only the YouTube channel to upload the videos of the council meetings did not carry out a risk analysis. As a consequence, the controller did not have full control over the data contained in the recordings. On the other hand, the risk analysis could allow the controller to ascertain whether the data from this service can be recovered, whether it is possible to exercise the right of persons to access the data in any situation, whether it is necessary not to have copies of the recordings in other places, or what categories of data are processed in this place and to apply appropriate protection measures, such as data anonymisation.

The Supreme Administrative Court of Poland’s ruling has very important consequences for controllers.

  • In the first place, controllers should remember about the necessity of concluding data processing agreements when data processing services or operations are carried out by another entity.
  • Secondly, it is very important to determine how long the data will be processed for specific purposes, especially in a situation where it does not result directly from the provisions of law. Where the law regulates this issue, data should not be processed for longer than the maximum period indicated by law.
  • Finally, the decision should make data controllers aware of the fact that when assessing the operations of personal data processing and providing information through websites owned by other controllers, it is necessary to remember about the need to assess the risks involved, but above all to assess the roles of entities involved in these operations, i.e. to conduct a thorough risk analysis.

Conducting such a risk analysis, as well as having appropriate policies related to data processing operations, allows controllers to implement the principle of accountability set out in the GDPR. They can then easily demonstrate that the processing is carried out in accordance with the law, the principle of purpose limitation, the principle of time limitation of processing and the principle of confidentiality and data integrity.

Reasons for the judgment

This position is confirmed by the written justification of the judgment provided by the Supreme Administrative Court of Poland on 12 March 2024 (ref. no. III OSK 3839/21). The court agrees with the arguments of the President of the Personal Data Protection Office and the Voivodeship Administrative Court in Warsaw.

The Supreme Administrative Court of Poland points out that the right to the protection of personal data is a fundamental right, the protection of which is guaranteed by the primary law of the European Union - the Charter of Fundamental Rights of the EU and the Treaty on the Functioning of the European Union. The GDPR refers to this right. The legislator's intention was not to narrow the scope of personal data protection, but, on the contrary, to increase the scope of its application. Therefore:

  • Contrary to the Mayor's claims, the GDPR applies to personal data processed in the Bulletin of Public Information. The GDPR provides for exemptions, but they relate to national security. The Act on the Protection of Personal Data (Journal of Laws of 2019, item 1781, art. 6) contains a similar provision. Such exclusions do not apply in the present case.
  • The fact that the Bulletin of Public Information system was organised in the Kuyavian-Pomeranian Voivodeship by the local government of the voivodeship does not change the fact that it is the Mayor who is the controller of the data on its Bulletin of Public Information. For this reason, it is subject to obligations under the GDPR. This follows from Article 9(2) of the Act of 6 September 2001 on Access to Public Information. The term 'public authorities' referred to in Article 4(1)(1) of that Act includes the bodies of local government units.
  • The fine set by the President of the Personal Data Protection Office is justified and determined in a proportionate manner. The factual findings of the President of the Personal Data Protection Office cannot be questioned. The President also applied the relevant provisions of substantive law.

File reference no. II OSK 3839/21