NSA - III OSK 4558/21: Difference between revisions

From GDPRhub
No edit summary
Line 52: Line 52:
}}
}}


The Supreme Administrative Court held that in order to assess whether the controller has a legitimate interest in processing the data, it is irrelevant whether this interest is pursued by the controller against payment or free of charge.  
The Supreme Administrative Court held that, when assessing a controller's legitimate interest, [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], is irrelevant whether this interest is pursued by the controller against payment or free of charge.  


== English Summary ==
== English Summary ==
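Review bot: the revised lead sentence loses its subject after the inserted article reference: "[[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], is irrelevant whether" needs "it is irrelevant whether". The reference would also read more clearly attached with "under" (a controller's legitimate interest under Article 6(1)(f) GDPR) rather than set between commas.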

Revision as of 08:39, 14 December 2021

NSA - III OSK 4558/21
Court: NSA (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(f) GDPR
Article 17(1)(d) GDPR
Decided: 30.11.2021
Published:
Parties:
National Case Number/Name: III OSK 4558/21
European Case Law Identifier:
Appeal from: WSA
II SA / Wa 2837/19
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Supreme Administrative Court held that, when assessing a controller's legitimate interest under Article 6(1)(f) GDPR, it is irrelevant whether this interest is pursued by the controller against payment or free of charge.

English Summary

Facts

The controller is a foundation that makes personal data, obtained via the National Court Register, available on its website for the purpose of supporting the development of democracy through the dissemination of citizens' rights in the scope of access to public information and re-use of public sector information. The data subject is someone whose personal data is processed by the foundation. This personal data includes their name, surname, date of birth, gender, PESEL registration number, information on functions the data subject had in several (private) entities, and information on the value of their shares in these entities. The controller provides a free and a paid version of its website. The free version displays only personal data that are linked to the current, ongoing activity of the data subject in several entities, and the shares they hold in those entities. The paid version also displays past activities of the data subject. In this case, the data subject's personal data was only accessible via the paid version of the website.

The data subject submitted an erasure request, pursuant to Article 17(1)(d) GDPR, but the foundation rejected this request. The data subject then filed a complaint with the DPA (UODO), which rejected the complaint because it found that the controller has a legitimate interest in processing the personal data under Article 6(1)(f) GDPR, and that the data subject's interests or fundamental rights and freedoms did not override the controller's interest. The data subject did not accept this outcome and brought an action before the court, claiming, inter alia, that the controller had no legal basis to process the data. Hence, they did not object to the processing, pursuant to Article 21 GDPR, but purely questioned its lawfulness. After the Court dismissed the appeal, the data subject brought the action before the Supreme Administrative Court.

Holding

The Supreme Administrative Court dismissed the appeal, since it held that the processing was lawful. Consequently, the erasure request that was based on the processing being unlawful, Article 17(1)(d) GDPR, was also rejected.

The Court emphasised that the key factor for the assessment of the case was the fact that the personal data processed by the controller in the circumstances of the case in question came from an open public register, namely the National Court Register, and from a nationwide official journal for the publication of announcements or notices, namely the Monitor Sądowy i Gospodarczy (Judicial and Economic Monitor). Thus, the foundation lawfully obtained the data subject's personal data. Moreover, the Court held that the controller pursued a legitimate interest under Article 6(1)(f) GDPR, which is to support the development of democracy by promoting citizens' rights of access to public information and re-use of public sector information. This interest arises from the law implementing the right to public information and the right to re-use public sector information, and it also leads to the strengthening of the broadly understood security of economic turnover.

The Court pointed out that the data subject's personal data concerning their past activity in business may still be of public interest. Moreover, it is irrelevant whether this interest is pursued free of charge or for a fee, since the GDPR has introduced neither such a requirement nor such a distinction. The charging of a fee for the provision of information which is of a historical nature (not current records), although indeed providing a revenue opportunity for the foundation, does not exclude the fact that it continues to pursue a legitimate interest which demonstrates both the lawfulness and the appropriateness of processing the data subject's personal data.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

 By the appealed judgment of October 19, 2020, the Provincial Administrative Court in Warsaw (reference number II SA / Wa 2837/19) dismissed the complaint of the WS against the decision of the President of the Personal Data Protection Office of [...] October 2019 regarding the processing of personal data In the justification of the above judgment, the Court of first instance indicated that WS filed a complaint to the Personal Data Protection Office against the processing of his personal data by the Foundation [...] with its seat in W. (hereinafter referred to as the Foundation) for the needs related to the functioning of the website [. ..], available at [...]. The complainant also objected to the processing of his personal data and asked for the obligation of the data controller - the Foundation [...] to delete the principal's personal data and to cease processing them, in particular to delete and cease processing of all his personal data. determined that the Foundation processes the complainant's personal data as a current member of the organs and partner, as well as a former member of the organs and partner in the foundation, limited liability company in liquidation, limited partnership, limited liability company sp. k., general partnership and a number of limited liability companies. personal data was obtained by the Foundation "(...) from a publicly available source, i.e. from the website of the Minister of Justice kept for the National Court Register (...) and the Court and Economic Monitor (...)" - the Foundation's letter of August 21 2019. The scope of the complainant's personal data obtained by the Foundation included the information disclosed in the National Court Register information about it: name, surname, PESEL registration number, information on the functions performed in the bodies of entities entered in the National Court Register and information on the number and value of shares in these entities. 
The authority found that the Foundation had been processing the complainant's personal data until now in the scope of: name, surname, PESEL number, information on functions in entities disclosed in the National Court Register (including the period of their performance), information on the number and value of shares in these entities and the period of having them, as well as information resulting from the PESEL number, i.e. date of birth, age and gender with the functioning of the website [...] and made available on this website (except for the PESEL number, which is not subject to disclosure). The authority stated that "(...) the Foundation provides personal data on the website [...] for the purpose resulting from the Foundation's subject of activity, which is supporting the development of democracy by promoting citizens' rights in the field of access to public information and the re-use of public sector information (...) ". At the same time, the Foundation informed that these data - to the extent that they constitute a message about the complainant's current (continued to date) activity in entities subject to entry in the National Court Register (about the functions performed in their bodies or about the shares held in them) are processed, including made available to website users in its free version. On the other hand, the complainant's personal data, to the extent that they constitute a communication about the complainant's past, historical (not continued) activity in entities subject to entry in the National Court Register (about the functions performed in their bodies or about the shares held in them), are processed, including those made available to website users in its paid version. The authority stated that "(...) the Foundation currently provides the Complainant's data in the paid version of the website [...] 
in the field of name, surname, information about the function in the entity disclosed in the National Court Register (including the duration), the number and value of shares held (if it occurs), in terms of gender (via a graphic icon) and to the extent identical to the scope of data provided in the excerpt from the National Court Register - by enabling, via the website, to download and access excerpts from the National Court Register of entities in whose structures the Complainant is present (...) The scope of the Complainant's data provided by the Foundation in the paid version of the website [...] apart from the fact that it includes the Complainant's data in the free version, now includes historical data, i.e. the Complainant's data disclosed in previous entries to the National Court Register concerning entities in whose structures the Complainant was disclosed (...) ". The Foundation emphasized that the complainant's personal data in question, both in terms of their scope and content, corresponded to the data disclosed in the National Court Register. The Foundation processes the complainant's PESEL number for identification purposes - this number is subject to automatic analysis "(...) in order to obtain information about the year of birth of persons whose data is processed, which allows the Foundation to introduce the functionality of displaying the year of birth of persons with the same names and surnames (to distinguish them from other persons with the same name appearing in the National Court Register (...) "- the Foundation's letter of 18 June 2019 addressed to the applicant's attorney. , open and transparent public authority and civic involvement. Using the rights guaranteed in the Act on access to public information and the Act on the re-use of public sector information, the Foundation collects publicly available data sets and makes them available to citizens on websites run by the Foundation. 
behind Within the scope of its statutory activity, it supports the development of democracy by promoting citizens' rights in the field of access to public information and creates IT solutions that allow citizens to more easily access data provided by the state. The implementation of its legitimate interest as the administrator of personal data finds its economic and legal justification in the context of the statutory activity of the organization. The personal data presented on the website was obtained from the National Court Register. In a letter of June 18, 2019, the Foundation refused to accept the request of the party to "remove personal data from the website [...]". By decision of [...] October 2019, the President of the Personal Data Protection Office, pursuant to Art. 104 § 1 of the Code of Civil Procedure, Art. 7 sec. 1 in conjunction with Art. 60 of the Act of May 10, 2018 on the Protection of Personal Data (consolidated text, Journal of Laws of 2019, item 1781) and Art. 6 sec. 1 lit. f and Art. 57 sec. 1 lit. a and lit. f of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws UE.L.2016.119.1 and Journal of Laws UE.L.2018.127.2 - hereinafter referred to as GDPR), refused to accept the application. Referring to the Act of August 20, 1997 on the National Court Register (consolidated text, Journal of Laws of 2019, item 1500), the authority stated that the Foundation processes the same scope of information about the complainant as the scope of his data disclosed in the National Court Register, which means that it also processes (but does not publish) the complainant's PESEL number.
On the other hand, each entity that processes the PESEL number of a specific person also processes information on the date of birth (age) and sex (Article 15 (2) of the Act of 24 September 2010 on population records, uniform text in Journal of Laws of 2019, item 1397). In the opinion of the authority, the objectives and tasks of the Foundation are undoubtedly legally justified, and the fact that it carries out its activities in a partially paid manner proves that it pursues a commercial and informational goal at the same time, using the instruments permitted by law. The implementation of the Foundation's goals depends on the processing of personal data disclosed in publicly available registers, including the complainant's personal data, as a person performing specific functions in entities subject to entry in the Register. At the same time, in the opinion of the authority, there are no grounds to assume that the implementation of the legitimate interest of the administrator (the Foundation), consisting in conducting activities related to the dissemination of the content contained in the National Court Register / Monitor, had to give way to overriding interests or fundamental rights and freedoms of the complainant, requiring personal data protection. The complainant's personal data processed by the Foundation are publicly available data, and the scope of the complainant's personal data published on the website is adequate (not excessive) in the context of the information purpose pursued (these data are in fact published in a narrower scope compared to the scope of data disclosed in the National Court Register - they do not include the PESEL number), but their content is consistent with the content of the data disclosed in the National Court Register. 
The authority also found no grounds to question the legality of obtaining and further processing by the Foundation in the set created for the purposes of the website's operation of the PESEL number information in order to clearly distinguish the complainant from other persons with the same name and surname. the information service on the applicant's sex "(...) by means of a graphic icon (...)", the authority indicated that information of this type resulted from his name. in entities subject to entry in the National Court Register, the authority indicated that this participation remains a fact, and information on the complainant's activity in broadly understood economic transactions may still remain in the sphere of public interest. For the same reason, this information is still published in the National Court Register. Taking into account the public nature of the above-mentioned information (which - due to the irremovability of the data disclosed in the National Court Register - still publicly available in this Register), their substantive correctness and informative value, the fact that they are currently historical in nature does not affect the possibility of their further processing (including publishing) by the Foundation . This is supported by Art. 6 sec. 1 lit. f GDPR and the Act of February 25, 2016 on the re-use of public sector information (Journal Of Laws 2019, item 1446) The request of the party to stop processing the questioned data did not deserve to be taken into account in the opinion of the authority. The complainant's personal data are still necessary in the context of the purposes pursued by the Foundation (no prerequisite from Article 17 (1) (a) of the GDPR), the basis for their processing is the legitimate interest pursued by the administrator (Article 6 (1) (f)) GDPR), and not the consent of the complainant (no prerequisite from Article 17 (1) (b). 
The process of processing the complainant's personal data is carried out in a legal manner (there is no premise from Article 17 (1) (d) of the GDPR) and there is no provision that would oblige the Foundation to remove the questioned personal data. Moreover, the complainant did not object to the processing of his personal data, as he claims that the Foundation has no legal grounds at all to process his data - due to failure to meet any of the conditions of Art. 6 sec. 1 GDPR. A complaint against the above decision was filed by W. S., alleging violation of Art. 6 sec. 1 lit. f and Art. 17 point 1 lit. d GDPR, Art. 5 sec. 1 of the Act on the re-use of public sector information in connection with Art. 4 point 2 of the GDPR. In response to the complaint, the authority appealed for its dismissal. The Provincial Administrative Court in Warsaw dismissed the above-mentioned complaint pursuant to Art. 151 in connection with Art. 119 point 2 and Art. 120 of the Act of August 30, 2002 - Law on proceedings before administrative courts (consolidated text, Journal of Laws of 2019, item 2325). In the opinion of the Court, the authority made full factual findings necessary for its decision. He duly considered all the circumstances relevant to the outcome of the case, correctly interpreted the provisions of the GDPR and applied them correctly, reasonably refusing to accept the party's request. The justification of the contested decision meets all the requirements of Art. 107 § 3 of the Code of Civil Procedure. On the other hand, the allegations of the complaint are unjustified. In the opinion of the Court of first instance, the authority correctly stated that the processing by the Foundation of publicly available personal data of the complainant, as a person performing certain functions in entities subject to entry in the National Court Register, including their publication, is based on Art. 6 sec. 1 lit. f GDPR. 
The Court considered correct the decision of the authority on the legality of the processing of the complainant's personal data on this basis by the Foundation, as well as on the adequacy of the data processed, based both on the objectives of the Foundation's activities (including, in particular, on supporting democracy by promoting citizens' rights in the field of, inter alia, re-use of public sector information that allows citizens to more easily access data provided by the state), as well as sources of obtaining personal data then processed by the Foundation (National Court Register, Monitor Sądowy i Gospodarczy). Due to the processing of the complainant's personal data disclosed in publicly available registers, consent to their processing was not required. The fact that the Foundation provides data in a paid form, which is raised by the complainant, does not change it. The issue of offering commercial data processing by the Foundation does not affect the existence of a condition for the processing of such data by the Foundation pursuant to Art. 6 sec. 1 letter f of GDPR. The Court of first instance found unfounded the allegation of infringement of Art. 5 sec. 1 of the Act on the re-use of public sector information in connection with Art. 4 point 2 (as well as Article 4 point 1) of the GDPR, as the Act on the National Court Register does not restrict the re-use of this information. In the opinion of the Court of first instance, there were no grounds to order the Foundation to delete the complainant's data. The authority also correctly stated that the complainant did not object to the processing of data referred to in Art. 21 paragraph 1 GDPR, because he did not refer to reasons related to his particular situation, and questioned the lawfulness of their processing pursuant to Art. 6 sec. 1 lit. f GDPR. A cassation appeal against the above judgment was lodged by W. S., appealing against it in full and accusing him of: - violation of substantive law: 1. art. 
6 sec. 1 lit. f of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (GDPR) through its improper application in the present case and a statement that processing is necessary for the purposes of the legitimate interests pursued by the administrator of the Foundation [...] in a situation where the website [...] should be considered a de facto commercial website, focused on profit and gaining benefits property, which, in the opinion of the attorney of the complainant, is in contradiction with the declared objectives of the administrator that he should act to support the certainty and transparency of business transactions in a situation where he offers a commercial development of data that is publicly available anyway, which in some way (creating the impression that that only on this website are these data available and should be bought) it even limits the transparency of economic transactions o, and thus is contrary to the purposes allegedly given by the administrator as justification for data processing, 2. art. 17 point 1 lit. d GDPR by improper application and recognition by the Court that there are no grounds to oblige the personal data administrator to immediately delete the complainant's data, if in this case the complainant's data are processed unlawfully, i.e. contrary to Art. 6 sec. 1 lit. f GDPR, 3. art. 5 sec. 1 of the Act on the re-use of public sector information in connection with Art. 4 sec. 1 of the GDPR due to its incorrect interpretation and application in the present case and the statement that the personal data controller in the present case legally processes personal data in a situation where this provision only provides a basis for the use of personal data and not for processing, because in the light of Art. 
4 point 1 of the GDPR, in the light of the provisions, the use of personal data is a narrower concept than processing, and therefore, even if the administrator of personal data was to be considered to have the right to use personal data, it is only in the scope of data use, and not in the scope of their processing, 4. art. 5 sec. 5 of the Act on Foundations in connection with Art. 5 sec. 1 lit. b of the GDPR by its failure to apply in this case, while the economic activity conducted by the Foundation [...] in the form of paid access to KRS data as part of the website [...] does not constitute activity in the dimensions that serve the implementation of its statutory goals, because the analysis of the statute and activities of the Foundation [...] show that the processing of KRS data as part of a de facto commercial website [...] is not necessary for the purposes of the legitimate interests pursued by the administrator, constituting an activity focused solely on profit, thus limiting transparency of business transactions, which is contrary to the statutory objectives given by the administrator as the justification for data processing, - violation of the provisions of the procedure, if this breach could have a significant impact on the result of the case, i.e.: 5. art. 145 § 1 point 1 letter a and c P.p.s.a. by failing to apply it and, consequently, dismissing the complaint in a situation where the circumstances of the case showed that the President of the Personal Data Protection Office violated the substantive law, which had a significant impact on the result of the case. as a whole, or to remand the case to the Provincial Administrative Court in Warsaw and to award him the reimbursement of the costs of the proceedings, including the costs of legal representation according to the prescribed standards. The complainant submitted a declaration that the hearing was waived and consented to the hearing of the case in closed session. 
The response to the cassation complaint was submitted by the President of the Personal Data Protection Office, motioning for its dismissal. a cassation appeal within the limits set out in Art. 183 § 1 P.p.s.a. and not recognizing the cases of invalidity of the proceedings listed in § 2 of this article, at the outset, it was necessary to emphasize the fact that the personal data processed by the Foundation in the circumstances of this case come from an open public register, such as the National Court Register, and from a national daily newspaper official, intended for publishing announcements or announcements, such as Monitor Sądowy i Gospodarczy. Thus, the complainant's personal data from both current and previous entries were obtained legally by the Foundation (Article 8 (1) and (2), Article 10 (1), Article 12 (1) and Article 13 of the Act of August 20, 1997 on the National Court Register, consolidated text: Journal of Laws of 2019, item 1500, as amended), which in the circumstances of the case raised no doubts. In the complainant's view, however, their processing was illegal, in breach of Art. 6 sec. 1 lit. f GDPR. According to this provision: "[p]rocessing is lawful only in cases where - and to the extent in which - at least one of the following conditions is met: f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child". As stated in the doctrine, a legitimate interest is an interest resulting (even indirectly) from legal provisions, in a situation where these provisions do not regulate the admissibility of data processing, but only indicate an interest (e.g. a right) for the implementation of which data processing is necessary. 
The basis for the admissibility of processing included in the commented provision is not, however, unconditional, as it is constructed as a mechanism of weighing interests. It requires the legitimate interest of the data controller (or a third party) to be placed on one scale, and on the other - the fundamental rights and freedoms of the data subject which require protection (P. Fajgielski. Commentary to Regulation 2016/679 on the protection of natural persons in connection with with the processing of personal data (...) - commentary to art. 6 - points 28, 31, 33, publ. LEX / el). Pointing to the purpose of the Foundation's activities, the Court of first instance and the body earlier, correctly recognized that it pursues the legitimate interest referred to in Art. 6 sec. 1 point f of GDPR, which is supporting the development of democracy by promoting citizens' rights in the field of access to public information and the re-use of public sector information. This interest results from the provisions of the law, implementing the right to public information (Article 61 (1) of the Constitution of the Republic of Poland, Article 1 (1) of the Act of 6 September 2001 on access to public information, uniform text, Journal of Laws 2020, ., item 2176), the right to re-use public sector information (the Act of February 25, 2016 on the re-use of public sector information), as well as leading to strengthening the broadly understood security of economic transactions. As rightly pointed out by the authority in response to the cassation complaint, the complainant's personal data relating to his past participation in entities subject to entry in the National Court Register as information about the complainant's activity in trade may still remain in the sphere of public interest. It does not matter whether this interest is carried out free of charge or for a fee, because the above-mentioned the regulation (GDPR) introduced neither such a requirement nor a distinction. 
The collection of fees for providing information that is historical (not up-to-date entries), although it does provide the Foundation with the possibility of obtaining income, does not exclude the possibility that it continues to pursue a legitimate interest, which proves both the lawfulness and adequacy of the processing of the complainant's personal data obtained from open sources. For this reason, the allegations of violation of Art. 6 sec. 1 lit. f GDPR (objection 1) and art. 5 sec. 5 of the Act on Foundations in connection with Art. 5 sec. 1 lit. b GDPR (objection 4). Regarding the latter, it should be noted that the foundation may conduct business activities in the sizes that serve to achieve its goals. In the circumstances of the present case, however, it has not been shown that its purpose is only to obtain income, and not to perform the statutory tasks described above, and the allegation of violation of Art. 5 sec. 1 of the Act of February 26, 2016 on the re-use of public sector information in connection with Art. 4 sec. 1 GDPR (objection 3). As the Court of first instance rightly stated when analyzing this issue, the provision of Art. 6 above of the Act of February 26, 2016 indicates cases where the right to re-use is subject to restrictions, including, inter alia, when this access is limited under other laws. The Act on the National Court Register does not contain such a limitation. On the contrary, in Art. 12 sec. 
1 of the Act of 20 August 1997 on the National Court Register introduces the principle that "[d]ata contained in the Register may not be removed from it, unless the law provides otherwise", and anyone interested in accessing data contained in the National Court Register may exercise their the right through the Central Information, which provides, free of charge, in generally available ICT networks, up-to-date and complete information on entities entered in the Register and a list of documents contained in the directory (Article 8 (2) in connection with Article 4 (4a) of the Act on the National Register). Referring to the allegation of violation of Art. 17 sec. 1 lit. d GDPR, however, it should be noted that this provision specifies the rights of the data subject, who has the right to request the administrator to immediately delete his personal data in the event that these data were processed unlawfully. However, in view of the above findings as to the lawfulness of the processing by the Foundation of the complainant's personal data, there were no grounds for ordering the Foundation by the authority to delete the complainant's data. Consequently, the allegation of violation of Art. 145 § 1 point 1 lit. a and c P.p.s.a. (objection 5). The control carried out by the Court of first instance did not infringe any of the provisions of substantive law mentioned in the cassation appeal. On the other hand, the complainant did not formulate the allegations of infringement of the provisions of the procedure, which could be assessed in the light of Art. 145 § 1 point 1 lit. c P.p.s.a. Bearing in mind the above, the Supreme Administrative Court pursuant to Art. 184 P.p.s.a. dismissed the cassation appeal, examined in closed session pursuant to Art. 182 § 2 P.p.s.a. due to the relevant request of the applicant to abandon the hearing and the lack of objection in this respect by the authority.