WSA Warsaw - II SA/Wa 1340/20: Difference between revisions

From GDPRhub
Revision as of 13:58, 13 October 2021

WSA Warsaw - II SA/Wa 1340/20
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 6(1) GDPR
Decided: 11.03.2021
Published:
Parties:
National Case Number/Name: II SA/Wa 1340/20
European Case Law Identifier:
Appeal from: PUODO
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Provincial Administrative Court of Warsaw held that a car rental company could not rely on Article 6(1)(f) GDPR to process a customer's personal data with a view to defending itself against, or bringing, possible future claims related to the car rental.

English Summary

Facts

An individual lodged a complaint with the supervisory authority against the company, claiming that the company had unlawfully processed his personal data in connection with a car rental contract (including by means of a copy/scan of his identity card and driving licence). The company stated that it obtained the complainant's personal data from the complainant himself in connection with the conclusion of the car rental agreement, including his first name, surname, address, identity card number, driving licence number and telephone number, which it currently processes in its IT system designed for comprehensive servicing of car rental companies. The company submitted that it currently processed the complainant's personal data solely for the purpose of possibly establishing, investigating or defending against claims related to the car rental, on the basis of Article 6(1)(f) GDPR.

Following an administrative investigation, the supervisory authority ordered the company to delete the complainant's personal data, namely his name, surname, address, identity card number and driving licence number. The DPA questioned the legal basis the company had indicated for processing the complainant's personal data: the evidence did not show that the complainant had filed a claim against the company, or that the company had asserted any claims against the complainant in court, which would justify the company's right to retain and process the complainant's personal data in connection with securing and asserting claims by the complainant or the company. The company appealed to the court.

Holding

The court dismissed the controller's appeal against the supervisory authority's decision. The court pointed out that the legal basis for the processing of personal data listed in the provision of Article 6(1)(f) GDPR applies when the controller does not have the consent of the data subject, there is no provision which could constitute a basis for the processing of personal data, and when the controller cannot rely on the performance of a contract, and yet the processing is to be considered lawful on account of the "legitimate interest" of the controller or a third party. This premise is of an additional nature, complementary to the other grounds of permissibility of processing.

In the Court's opinion, the DPA correctly found that the requirement of necessity for the purposes of the legitimate interests pursued by the controller was not met with regard to the processing of the complainant's personal data. The factual findings do not show that the data subject filed a claim against the Company, or that the Company pursued any claims against him in court, which would justify the Company's right to keep and process his personal data in connection with securing and asserting claims. Thus, the Company processes his personal data for that purpose only "as a backup", to protect itself against possible future and uncertain claims.


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

The President of the Personal Data Protection Office, hereinafter: "President of the Office", on [...] August 2019, received a complaint from M. P., hereinafter referred to as "complainant", about the processing of his personal data by D. sp. z o.o. sp. k. with its seat in W., hereinafter referred to as the Company. The complainant accused the Company of unlawfully processing his personal data in connection with the car rental agreement concluded on [...] March 2018 (including a copy / scan of his ID card and driving license).

on behalf of the complainant, his attorney, in a letter of [...] December 2018, requested that the Company cease processing his personal data, including further disclosure to other entities, and order the Company to delete his personal data from all databases of the Company.

The Office took steps to explain the matter initiated by the complaint and agreed as follows:

1. The company operates in the area of renting passenger cars and delivery vans.
2. On [...] March 2018, the complainant concluded a car rental agreement with the Company [...]
3. The applicant received an SMS from a former collaborator containing a scan of the message sent from + [...]. This e-mail contained a scan of the applicant's identity card and a scan of the applicant's driving license.
4. The complainant used the services of another car rental company, i.e. B. Sp. z o.o. The complainant contacted a former collaborator and employees of B. Sp. z o.o. in order to determine who and for what purpose uses the scanned identity card and the scanned copy of the applicant's driving license. According to the attorney's statement quoted: "(...) the complainant has not been able to establish who and for what purpose is using the scans of his identity card and driving license".
5. The attorney of the complainant sent to the Company, by letters of [...] May and [...] June 2018, a request to refrain from processing the complainant's personal data in the form of a scan of the identity card and driving license, and requested information based on Art. 12 sec. 3 in conjunction with Art. 15 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection) (Journal of Laws UE.L.2016.119.1 and Journal of Laws L 127 of 23/05/2018, p. 2, hereinafter referred to as "Regulation 2016/679");
6. The company, in a letter addressed to the complainant's attorney on [...] June 2018, indicated that it did not process the complainant's personal data in the manner questioned by him, i.e. by having a copy / scan of the complainant's ID card.
7. The company indicated that it obtained the complainant's personal data from him in connection with the conclusion of the car-brand [...] rental agreement on [...] March 2018, in terms of his name, surname, address, ID number, driving license number, telephone number, which is currently processed in the IT system, i.e. in the S. company program intended for comprehensive car rental services (explanations by the Company of [...] February 2019)
8. The company indicated that the employee of the company did not make a scan or photocopy of the applicant's ID card and driving license, thus it did not make them available to third parties (explanations by the company of [...] February 2019).

by decision of [...] March 2020 no. [...], pursuant to Art. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2018, item 2096 as amended), hereinafter: "k.p.a.", in connection with Art. 7 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781, as amended), hereinafter: "u.o.d.o.", art. 6 sec. 1 Regulation 2016/679, ordered by D. sp. z o.o. sp. k. with its registered office in W., deletion of MP's personal data in terms of name, address, ID card number, driving license number.

As for the processing of the complainant's personal data in the form of a copy / scan of the identity card and driving license by the Company, the President of the Office stated that the conducted proceedings did not show that the Company or its employee had made a copy / scan of the complainant's identity card and driving license, because there was no proof of this fact. At the same time, he pointed out that this statement was based solely on the complainant's assumption.

The prerequisites for the lawfulness of the processing of personal data are set out in Art. 6 sec. 1 of Regulation 2016/679. The processing of personal data is authorized when any of the conditions listed in art. 6 sec. 1 of Regulation 2016/679. Processing was admissible due to the conclusion and performance of the car rental contract of [...] March 2018 to which the complainant was a party. The company argued that it is currently processing the complainant's personal data only for the purpose of possible determination, investigation or defense against claims related to car rental, pursuant to Art. 6 section 1 lit. f of Regulation 2016/679.

The President of the Office questioned the basis for the processing of the complainant's personal data indicated by the Company, because the collected evidence does not show that the complainant had filed a claim against the Company, or that the Company pursued any legal claims against the complainant that would justify the right of the Company to keep and process their personal data in connection with their protection and investigation by the complainant or the Company.
In the opinion of the President of the Office, there is therefore no fulfillment of the condition of necessity indicated by the Company for purposes resulting from the legitimate interests pursued by the administrator regarding the processing of the complainant's personal data. The premise of art. 6 sec. 1 lit. f of Regulation 2016/679 applies to an already existing situation, in which the purpose resulting from the legitimate interests pursued by the administrator is the need to prove, the need to investigate or defend against an existing claim, and not a situation when data is processed in order to protect against a possible claim. The Office stated that since the conducted administrative proceedings did not show that the complainant, apart from the present proceedings, brought any claim against the Company, the Company processes the complainant's personal data in the above-mentioned only "in advance", in order to protect himself against possible future and uncertain claims of the applicant. He pointed out that the applicant had only announced but had not followed up on his announcements regarding the referral of the case to court. Hence, the Company cannot process the complainant's personal data only in order to secure itself against a possible future and uncertain claim of the complainant.

there is currently a dispute between the complainant and the Company regarding the obligation relationship, there is no purpose justifying the processing of the complainant's personal data within the meaning of Art. 6 sec. 1 lit. f of Regulation 2016/679

In these conditions, the President of the Office, recognizing the processing of the complainant's personal data for the purpose of securing and investigating or defending against possible, future and uncertain claims as redundant and inconsistent with the applicable provisions on the protection of personal data, ordered the Company to stop processing personal data the complainant in the above-mentioned

By letter of [...] June 2020, D. sp. z o.o. sp. k. with its seat in W. brought a complaint to the Provincial Administrative Court in Warsaw against the decision of the President of the Office of [...] March 2020, No. [...], alleging its violation:

1. art. 6 sec. 1 lit. f in conjunction with recital 4 in connection with recital 39 of Regulation 2016/679, due to the ordering of the complaining company to delete MP's personal data in the scope of name, address, ID card number, driving license number due to the recognition that the condition for the necessity of data processing for purposes resulting from legally justified is not met interests pursued by the administrator due to the lack of an existing claim between the parties, in a situation where the criterion of the necessity of data processing should be included within reasonable limits imposed by the needs of business transactions and create the possibility of securing the legal interests of the applicant company as an entity providing paid vehicle rental services and making vehicles available to tenants constituting the property of the Company, in view of the possibility of exposing the Company to loss or loss of benefits due to the tenant's actions or omissions and the necessity to pursue claims before a common court or other in the future body,
2. art. 7, art. 77, art. 80, art. 107 § 3 of the Code of Administrative Procedure, against:
a. lack of exhaustive collection of evidence in the case by the authority, if only due to the lack of collecting evidence in the form of the number of court proceedings pending by D. sp. z o.o. sp.k. in W. against the tenants of the complaining Company, on the fact that there is a real necessity to secure the interests of the complaining Company as an entity renting vehicles, justifying the necessity to process the data of the lessees in an appropriate scope,
b. failure to exhaustively consider the entirety of the evidence collected in the case by the authority due to the omission of the circumstances of the minimum scope of data processed by the complaining Company pursuant to Art. 6 sec. 1 lit. f of Regulation 2016/679.

The Company applied for the revocation of the contested decision in its entirety and the award of reimbursement of the costs of the proceedings, including the costs of legal representation according to the prescribed standards.

of the complaining Company, the premise of the necessity of data processing for purposes resulting from the legitimate interests pursued by the administrator has not been met, due to the recognition that the premise of art. 6 sec. 1 lit. f of Regulation 2016/679 applies to an already existing situation, in which the purpose resulting from the legitimate interests pursued by the administrator is the need to prove the need to investigate or defend against an existing claim, and not a situation when data is processed in order to protect against a possible claim.

on the complaint, the President of the Office upheld the position contained in the appealed decision of [...] March 2020. In the opinion of the authority, the allegations of the complaint are unfounded and do not deserve to be considered.

the judiciary, inspecting decisions issued by public administration bodies in terms of their compliance with the law, examining whether the provisions of substantive law were correctly applied and procedural provisions in administrative proceedings were complied with. The court may revoke the contested decision only in the case of finding an infringement of the law. The provision of art. 145 of the Act of August 30, 2002 - Law on proceedings before administrative courts (i.e. Journal of Laws of 2019, item 2325, as amended), hereinafter: "ppsa", defines in which situations decisions or rulings

When assessing the contested decision in the light of the above criteria, the Court stated that the complaint should not be taken into account.

It should be recalled that from May 25, 2018, the Act of May 10, 2018 on the protection of personal data (Journal of Laws 2018 No. U. of 2019, item 1781), hereinafter: "PDA", as well as Regulation 2016/679, which is directly applicable.

Pursuant to Art. 4 point 1 of Regulation 2016/679, personal data means information relating to an identified or identifiable natural person ("the data subject"). An identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific physical, physiological, genetic, mental factors, the economic, cultural or social identity of a natural person, while pursuant to Art. 4 point 2 of Regulation 2016/679, the processing of personal data means an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise making available, adjusting or combining, limiting, deleting or destroying. In addition, it should be noted that in accordance with Art. 4 point 7 of Regulation 2016/679, "controller" means a natural or legal person, public authority, unit or other entity that alone or jointly with others determines the purposes and methods of personal data processing.

5 sec. 1 of Regulation 2016/679, including them in the form of the basic obligations of the administrator.
Its content shows that personal data must be:

a) processed in accordance with the law, fairly and in a transparent manner for the data subject (lawfulness, fairness and transparency),
b) collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with these purposes (purpose limitation),
c) adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization),
d) correct and, if necessary, updated, and personal data that are incorrect in the light of the purposes of their processing, must be immediately removed or rectified (correctness), storage),
f) processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures (integrity and confidentiality).

In accordance with paragraph 2 of the discussed provision, the controller is responsible for compliance with the above rules and must be able to demonstrate compliance with them (accountability).

It should be noted that the processing of personal data is considered legal if their controller meets at least one of the conditions set out in Art. 6 sec. 1 of Regulation 2016/679, i.e.:

a) the data subject has consented to the processing of his personal data for one or more specific purposes,
b) the processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject before concluding the contract,
c) processing is necessary to fulfill the legal obligation incumbent on the controller,
d) processing is necessary to protect the vital interests of the data subject or another natural person,
e) processing is necessary for the performance of a task carried out in the public interest or as part of the exercise of public authority entrusted to the administrator,
f) processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where overriding these interests have the interests or fundamental rights and freedoms of people may the data subject require the protection of personal data, in particular when the data subject is a child.

The legal basis for the processing of personal data mentioned in the provision of art. 6 sec. 1 lit. f GDPR applies in a situation where the controller does not have the consent of the data subject, there is no provision that could constitute the basis for the processing of personal data and when the controller cannot rely on the performance of the contract, and yet the data processing should be considered as legal due to the "legitimate interest" of the administrator or a third party. This condition is additional, complementing the other grounds for the admissibility of processing.

6 sec. 1 lit. f of the Regulation 2016/679 requires cumulative fulfillment of two positive conditions. First, there must be a legitimate interest that is pursued by the controller or by a third party. Secondly, it is necessary to verify whether the processing of personal data is necessary to achieve the goal resulting from legitimate interests.
Therefore, the mere existence of such interests is not enough, but their implementation must additionally require the processing of personal data. Next, it is necessary to assess whether the negative condition in the form of the prevailing interests or fundamental rights and freedoms of the data subject, which are of overriding nature, is not met. against the legitimate interests of the administrator or a third party. The application of this negative premise is, in fact, to balance two rights protected by law, i.e. the legitimate interest of the controller or a third party, on the one hand, and the interests, fundamental rights and freedoms of the data subject, on the other.

It follows from the wording of recital 47 that in order to establish the existence of a legitimate interest, a careful assessment would have to be made in each case, including an assessment of whether, at the time and in the context in which the personal data are collected, the data subject has reasonable grounds to expect that the data may be processed for this purpose; therefore, if the controller wants to use this basis for data processing, it should balance test, i.e. assess whether the interest of the controller or a third party in favor of data processing is legitimate, whether the processing is necessary to achieve the purpose resulting from this interest, and then consider whether the interests or fundamental rights and freedoms of the person whose the data concern does not outweigh the legitimate interest of the controller or a third party.

The key factor for the President of the Office to issue a decision ordering the Company to delete the complainant's personal data is that the Company has not demonstrated, apart from the necessity to protect claims that may arise in the future, any other legally justified basis for further processing of the complainant's personal data. The company, referring to Art. 6 sec. 1 letter f of Regulation 2016/679, indicated protection against future uncertain claims as the sole basis for the processing of the complainant's personal data in the Company's computer program.

justified interests pursued by the administrator regarding the processing of MP's personal data, because it does not appear from the factual findings that the mentioned one would make a claim against the Company, or that the Company pursued any legal claims against him, which would justify the Company's right to save and process his data personal data in connection with their securing and pursuing claims. Thus, the Company processes his personal data in the above-mentioned only "in advance", in order to protect against possible future and uncertain claims. The President of the Office is right that the premise under Art. 6 sec. 1 lit. f of Regulation 2016/679 applies to an already existing situation, in which the purpose resulting from the legitimate interests pursued by the administrator is the need to prove, the need to investigate or defend against an existing claim, and not a situation when data is processed in order to protect against a possible claim.

legalizing premises included in Art. 6 sec. 1 of Regulation 2016/679, allowing the processing of personal data, leads to the conclusion that the consent of the data subject will always legalize the processing of his personal data by the entity that obtained such consent. On the other hand, the consent of the data subject to the processing of his personal data is not required when the data controller is able to indicate a legal provision legalizing the activities referred to in art. 6 sec. 1 of Regulation 2016/679

Since, in the circumstances of the case, M. P. did not consent to the processing of his personal data by the Company, pursuant to art. 6 sec. 1 lit. a of Regulation 2016/679, and the data controller did not show any other basis for legalizing the processing activities, the President of the Office had the basis to order the Company to delete his personal data in terms of name, surname, address, ID card number, driving license number.

the provision of Art. 7, art. 77 § 1 of the Code of Administrative Procedure, Art. 80 and art. 107 § 3 of the Code of Civil Procedure The President of the Office exhaustively collected and examined all the evidence. On the other hand, the statement of reasons for the contested decision contains indications of the facts which the authority found proven, the evidence on which it relied, and the reasons why other evidence was denied credibility with sufficient explanation of the legal basis of the decision.

unjustified, pursuant to art. 151 of the AA, adjudicated as in the operative part of the judgment

The case was examined in closed session pursuant to the order of the President of Division II of February 17, 2021, issued pursuant to Art. 15zzs4 paragraph. 3 of the Act of March 2, 2020 on special solutions related to the prevention, counteracting and combating COVID-19, other infectious diseases and crisis situations caused by them (Journal of Laws of 2020, item 1842, as amended).