UODO (Poland) - DKE.561.3.2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKE...")
 
 
(3 intermediate revisions by 2 users not shown)
Line 10: Line 10:
|ECLI=
|ECLI=


|Original_Source_Name_1=UODO
|Original_Source_Name_1=Urzędu Ochrony Danych Osobowych - UODO
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKE.561.3.2020
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKE.561.3.2020
|Original_Source_Language_1=Polish
|Original_Source_Language_1=Polish
Line 17: Line 17:
|Type=Investigation
|Type=Investigation
|Outcome=Violation Found
|Outcome=Violation Found
|Date_Decided=06.07.2020
|Date_Decided=02.07.2020
|Date_Published=17.07.2020
|Date_Published=02.07.2020
|Year=2020
|Year=2020
|Fine=25000
|Fine=None
|Currency=EUR
|Currency=


|GDPR_Article_1=Article 31 GDPR
|GDPR_Article_1=Article 31 GDPR
|GDPR_Article_Link_1=Article 31 GDPR
|GDPR_Article_Link_1=Article 31 GDPR
|GDPR_Article_2=Article 58(1)(e) GDPR
|GDPR_Article_2=Article 58(1) GDPR
|GDPR_Article_Link_2=Article 58 GDPR#1e
|GDPR_Article_Link_2=Article 58 GDPR#1
|GDPR_Article_3=Article 58(1)(f) GDPR
|GDPR_Article_Link_3=Article 58 GDPR#1f






|Party_Name_1=Surveyor General of Poland
|Party_Name_1=
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
Line 45: Line 43:
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Status=
|Appeal_To_Link=
|Appeal_To_Link=


Line 52: Line 50:
}}
}}


The President of the Personal Data Protection (UODO) imposed a fine of 100 000 PLN (approx. 25 000 EUR) on the Surveyor General of Poland for the failure to provide the supervisory authority with access to premises, data processing equipment and means, access to personal data and information required to conduct the inspection by the UODO. The UODO stated a violation of Article 31 and Article 58(1)(e) and (f) GDPR.  
The Surveyor General of Poland violated the provisions of the GDPR by failing to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The UODO notified the Surveyor General of Poland about a planned audit in the Central Office for Geodesy and Cartography. The audit concerned the the making available by the Chief Surveyor of the State of personal data from the land and building register through the GEOPORTAL2 website. The audit was planned to clarify the following questions:
beginning of March 2020, the President of the Personal Data Protection Office decided on the necessity to perform an inspection of the processing by the Surveyor General of Poland on the portal GEOPORTAL2 of personal data from the poviat land and property registers, about which it informed GGK in the letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted personal authorisations containing information on the scope of the inspection to GGK. The Surveyor General of Poland did not allow for performing full inspection activities resulting from the submitted authorisations.  
 
1. The legal basis for the processing, including making personal data available.
2. Sources of obtaining personal data.
3. The scope and type of personal data made available.
4. The manner and purpose of sharing the personal data.
5.  Is the processing of personal data carried out on the basis of the authorisation given by the controller of personal data or the processor (Article 29 of Regulation 2016/679).
6. Has the Chief National Surveyor implemented appropriate technical and organisational measures to ensure an adequate level of security of data (Article 32, Article 24(1) and (2) of Regulation 2016/679).
7. Has the Chief National Surveyor appointed a Data Protection Officer (Article 37 of Regulation 2016/679).
 
The Chief National Surveyor declared that he will not sign the submitted authorisations and refused to give his consent to carry out inspection activities within the scope resulting from the submitted authorisations. According to his assessment, the inspection is to concern the land and mortgage register number, which is not a personal data within the meaning of the Act of 17 May 1989 on the Geodesic and cartographic law (Journal of Laws of 2020, item 276 as amended).
 
However, the Surveyor General of Poland consented to the performance of the inspection activities in the scope of determining whether appropriate technical and organisational measures have been implemented to ensure an adequate level of security of the data being subject to protection, and whether his Office has appointed a Data Protection Officer.  


=== Dispute ===
=== Dispute ===
The UODO provided that it was impossible to establish  it has not been established whether the Surveyor General of Poland has implemented appropriate technical measures to ensure data security, due to impossibility to gain access for the UODO inspectors to the IT systems used by the Surveyor General of Poland and to conduct the necessary inspections of the IT system during the inspection.
GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.
 
In view of the above, in the course of the inspection it was only established what organisational measures the Surveyor General of Poland used for data security and whether a Data Protection Officer was appointed.


=== Holding ===
=== Holding ===
In view of the declined consent to carry out full inspection activities and the expressive lack of will to cooperate, the UODO inspectors could not determine the legal basis, the technical and organisational measures to ensure data security on the website GEOPORTAL2. The UODO deemed the inspection to be thwarted by the Surveyor General of Poland.
THe UODO imposed an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK), because due to the categorical lack of consent of GGK to carry out full inspection activities and the unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground the GEOPORTAL2 online portal (geoportal.gov.pl) enables access to personal data contained in land and property registers and whether GGK has implemented appropriate technical measures to ensure data security.
 
The UODO has therefore found a violation of Article 58(1) of the GDPR by  the Surveyor General of Poland and imposed an administrative fine of approx. 25 000 EUR.


== Comment ==
== Comment ==
''Share your comments here!''
This summary is based on the English summary of the Polish Data Protection Authority, which can be found here: https://uodo.gov.pl/en/553/1146


== Further Resources ==
== Further Resources ==
Line 91: Line 73:


<pre>
<pre>
Warsaw, 17 July 2020
Warsaw, 02 July 2020
DECISION
DECISION
DKE.561.3.2020
DKE.561.3.2020
Based on Article. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Art. 7 section 1 and section 2, art. 60 and art. 102 paragraph. 1 point 1 and sec. 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) in connection with Art. 31, art. 57 sec. 1 lit. a), art. 58 section 1 lit. e) and f) and art. 58 sec. 2 lit. i) in connection with Art. 83 sec. 1 and 2, art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting the administrative procedure initiated ex officio regarding the imposition of the Chief Surveyor of the Country in Warsaw at ul. Wspólna 2, represented by attorneys PT and SK (Kancelaria [...]), an administrative fine, the President of the Office for Personal Data Protection, declaring an infringement by the Chief National Surveyor based in Warsaw at ul. Wspólna 2, the provisions of Art. 31 and 58 sec. 1 lit. e) and f) of Regulation 2016/679, consisting in failure to provide the President of the Office for Personal Data Protection, during the control of compliance with the provisions on the protection of personal data, ref. [...], access to premises, equipment and means for the processing of personal data and access to personal data and information necessary for the President of the Personal Data Protection Office to perform its tasks,


Pursuant to Article 104 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7 section 1 and section 2, Article 60 and Article 102 section 1 point 1 and section 3 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 256). 1781) in connection with Article 31, Article 57 paragraph 1 point (a), Article 58 paragraph 1 points (e) and (f) and Article 58 paragraph 2 point (i) in connection with Article 83 paragraph 1 and 2, Article 83 paragraph 4 point (a) and Article 83 paragraph 5 point (e) of the Regulation of the European Parliament and of the Council of the EU 2016/679 of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting ex officio administrative proceedings to impose on the Chief Surveyor of the Country with its registered office in Warsaw at 2 Wspólna Street, represented by advocates P. T. and S. K. (Kancelaria [...]), an administrative fine, the President of the Office for the Protection of Personal Data, stating that the Head of the National Geodesist, with its registered office in Warsaw at ul. Wspólna 2, infringed the provisions of Article 31 and 58(1)(e) and (f) of Regulation 2016/679, consisting in the failure to provide the President of the Office for the Protection of Personal Data, in the course of controlling the observance of the provisions on the protection of personal data, ref. [...], access to premises, equipment and means for the processing of personal data and access to personal data and information necessary for the President of the Office for the Protection of Personal Data to carry out his tasks, as well as failure to cooperate with the President of the Office for the Protection of Personal Data during this inspection, imposes an administrative fine of PLN 100,000 (in words: one hundred thousand zlotys) on the Chief Surveyor of the Country with its registered office in Warsaw, Wspólna 2 Street.
imposes on the Chief National Surveyor based in Warsaw at ul. Wspólna 2, an administrative fine in the amount of PLN 100,000 (in words: one hundred thousand zlotys).
 
EXPLANATORY MEMORANDUM
 
On [...] February 2020. The President of the Office for the Protection of Personal Data (hereinafter referred to as "the President of the Office for the Protection of Personal Data") carried out an inspection of personal data processing in the Poviat Starosty in J. (Ref. No. of the control act [...]). The inspection concerned making available by the Starost of J., through the GEOPORTAL2 website (www.geoportal.gov.pl), personal data from the land and building register kept by the Starosts. During the inspection it was established that Starost J. does not publish personal data from the land and building register on this portal, but - on the basis of a relevant agreement - transfers them (including land and mortgage register numbers) to the Chief Surveyor of the Country, who then makes the obtained data available on GEOPORTAL2. Due to the above, the President of UODO decided that it is necessary to carry out an inspection of personal data processing in the scope of making personal data from the land and building register available through GEOPORTAL2 to the Chief Surveyor of the Country. The Chief National Surveyor was informed about the inspection planned for [...] March 2020 (marked as [...]) by telephone and in a letter delivered on that day by e-mail.
 
On [...] March 2020 the inspectors (employees of the Office for the Protection of Personal Data authorised by the President of the Office for the Protection of Personal Data) went to the Head Office of Geodesy and Cartography to start the planned inspection. The inspectors presented their service cards to the Chief Surveyor of the Country and submitted their personal authorizations, which defined the detailed scope of the inspection in the following way: "The inspection will include making available by the Chief Surveyor of the State through the GEOPORTAL website2, personal data from the land and building register, by establishing:
 
1. The legal basis for the processing, including making personal data available.
2. Sources of obtaining personal data.
3. The scope and type of personal data made available.
4. The manner and purpose of providing personal data to the bottom.
5. Is the processing of personal data carried out on the basis of the authorization given by the controller of personal data or the processor (Article 29 of Regulation 2016/679).
6. Has the Chief National Surveyor implemented appropriate technical and organisational measures to ensure an adequate level of security of the protected data (Article 32, Article 24(1) and (2) of Regulation 2016/679).
7. Has the Chief National Councillor appointed a Data Protection Officer (Article 37 of Regulation 2016/679).
 
As it results from the inspection protocol, signed by the inspectors and by the Chief Geodesist of the Country, drawn up on [...] March 2020, after presenting the legitimacy and submitting the authorizations to carry out the inspection, the Chief Geodesist of the Country declared that he will not sign the submitted authorizations and refuses to give his consent to carry out inspection activities within the scope resulting from the submitted authorizations. Justifying his position in this case, he indicated that according to his assessment, within the scope indicated in the inspection authorizations, the inspection is to concern the land and mortgage register number, which is not a personal data within the meaning of the Act of 17 May 1989. Geodesic and cartographic law (Journal of Laws of 2020, item 276 as amended), hereinafter referred to as the "Geodesic and cartographic law". On the submitted authorizations, the Chief Surveyor of the Country has made a written note of the content: "I refuse to give my consent to carry out control activities within the scope of the submitted authorisation (points 1 to 5) due to the lack of objectivity of the control, which I justify in my letter [...] of [...].03.2020, in the shortest possible way, it results from the fact that the scope of control is to focus on the land and mortgage register number, which is not a personal data within the meaning of the Geodetic and Cartographic Law. I request that the scope of control be clarified in accordance with the basis for its initiation". The Chief Surveyor of the State then declared that he agreed to carry out inspection activities only to the extent that this results from points 6 and 7 of the inspection authorisations. Only then did he sign the inspectors' personal authorisations by placing the words 'Signed in accordance with the declaration below' next to his signature. In accordance with the above mentioned statement, the Chief Surveyor of the Country presented to the inspection file a letter with the signature [...], which indicated, among other things, the legal basis for classifying the land and mortgage register number as the subject matter, i.e. Article 20(1)(1) of the Surveying and Cartographic Law and § 73 of the Regulation of the Minister of Regional Development and Construction of 29 March 2001 on the land and building registration.
 
In view of the unequivocally expressed lack of consent of the Chief Surveyor of the Country to perform inspection activities within the scope specified in points 1-5 of the registered authorisations, the inspectors abandoned the activities in this scope, making arrangements only within the scope specified in points 6 and 7 of the authorisations. Within the scope of control, to which the Chief Surveyor of the Country, who controls, among others, the following, has given his consent:


1. they questioned as a witness Mr. W. I. - Chief National Surveyor,
2. they have obtained a copy of the sample agreement with the starost on cooperation in the establishment and maintenance of common elements of the technical infrastructure for the publication of PZGiK data,
3. obtained copies of documents certifying the general organisational measures implemented by the Chief Surveyor of the country (not specifically related to the GEOPRTAL portal2) to ensure the security of protected data,
4. they obtained copies of documents confirming the appointment of Mr [...] as Data Protection Inspector in the Main Office of Geodesy and Cartography by the Chief Surveyor of the Country,
5. they questioned Mr. [...] - the Chief Specialist in the Department [...] in the Main Office of Geodesy and Cartography as a witness,
6. have obtained a printout of the Regulations of www.geoportal.gov.pl,
7. obtained copies of the Register of processing activities including risk analysis and assessment of the effects on data protection and the Register of categories of processing activities with risk analysis.


In the course of the inspection, the inspectors - due to the lack of consent of the Chief National Surveyor - did not assess the technical measures implemented to ensure the security of the protected data (including the data processed through the GEOPORTAL portal2), in particular they did not inspect the places, objects, media devices and IT systems used for data processing. Moreover, due to, inter alia, the refusal of the Chief National Surveyor to sign the protocol of testimony submitted on [...] March 2020. - the inspectors did not obtain full and binding explanations, having legal effect, of the subject matter covered by the inspection.
SUBSTANTIATION


Due to the lack of purpose of further inspection, caused by the lack of consent of the Chief Surveyor of the Country for inspection activities concerning the scope specified in points 1-5 of the registered inspection authorizations and lack of cooperation from his side in this scope, the inspectors decided to finish the inspection on March [...], 2020. On that day, the inspection report was drawn up by the inspectors, then signed by the Chief Surveyor of the Country (without any reservations).


In connection with the fact that it was impossible to control the processing of personal data from the land and building register on the GEOPORTAL2 portal by the Chief Inspectorate of the Country, the present proceedings were initiated ex officio in order to impose an administrative fine on the Chief Inspector of the Country for breach of Articles 31 and 58(1)(a) and (b) of the Act of Accession. e) and f) of Regulation 2016/679, consisting in the lack of cooperation with the President of PODO in the performance of his tasks, making it impossible to carry out inspections in the field of personal data processing, as well as not providing the President of PODO with access to premises, equipment and means for personal data processing and access to personal data and information necessary for the President of PODO to perform his tasks.
On [...] February 2020, the President of the Personal Data Protection Office (hereinafter referred to as the "President of the Personal Data Protection Office") inspected the processing of personal data in the Poviat Starosty in J. (reference number [...]). The inspection concerned the provision by Starost J., via the GEOPORTAL2 internet portal (www.geoportal.gov.pl), of personal data from the land and building register kept by starosts. In the course of the inspection, it was found that Starosta J. does not publish personal data from the land and building register on this portal, but - on the basis of an appropriate agreement - transfers them (including land and mortgage register numbers) to the Chief Surveyor of the Country, who then makes the obtained data available on the GEOPORTAL portal2 . Due to the above, the President of the Personal Data Protection Office (UODO) decided to carry out a personal data processing control in the scope of sharing personal data from the land and building register via the GEOPORTAL2 portal with the Chief National Surveyor. About the inspection planned for [...] March 2020 (marked with file reference [...]), the Chief National Surveyor was informed on [...] March 2020 by phone and in a letter delivered on that day by e-mail (e-mail).


The Chief Surveyor of the Country was informed about the initiation of the proceedings and the collection of evidence in the case by letter of [...] March 2020, delivered to him electronically via the ePUAP platform.
On [...] March 2020, the inspectors (employees of the Office for Personal Data Protection authorized by the President of the Personal Data Protection Office) went to the Main Office of Geodesy and Cartography to start the planned inspection. The inspectors presented the Chief National Surveyor with official ID cards and submitted personal authorizations, in which the detailed scope of the inspection was specified as follows: "The inspection will cover the provision by the Chief Surveyor of the Country via the GEOPORTAL2 website, personal data from the land and building records, by establishing:


By letter dated [...] April 2020. (delivered to the President of UODO [...] April 2020), the attorney of the Chief National Surveyor requested that the attorneys of the Chief National Surveyor be allowed to inspect the case file and make a photocopy of the files, or that a copy of the entire case file be made available electronically. In response to the request, copies of the entire case file were presented to the attorney of the Regional Surveyor by mail, by letter of [...] May 2020, delivered to the attorney [...] May 2020.
The legal basis for processing, including sharing personal data.
Sources of obtaining personal data.
The scope and type of personal data provided.
The manner and purpose of sharing the bottom passenger.
Is the processing of personal data carried out on the basis of an authorization granted by the personal data administrator or the processor (Article 29 of Regulation 2016/679).
Has the Chief Surveyor of the Country implemented appropriate technical and organizational measures to ensure an adequate level of security of the data protected (Article 32, Article 24 (1) and (2) of Regulation 2016/679).
Has the Chief Surveyor of the country appointed a data protection officer (Article 37 of Regulation 2016/679). "
According to the inspection report drawn up on [...] March 2020 and signed by the inspectors and the Chief National Surveyor, after presenting the identity card and submitting authorizations to conduct the inspection, the Chief National Surveyor stated that he would not sign the submitted authorizations and refused to consent to the inspection. control activities in the scope resulting from the submitted authorizations. Justifying his position in this case, he pointed out that, according to his assessment, from the scope indicated in the controlling authorizations, it follows that the control is to concern the land and mortgage register number, which is not a personal data within the meaning of the provisions of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended), hereinafter referred to as the "Geodetic and cartographic law". On the submitted authorizations, the Chief Surveyor of the country included a written annotation: "I refuse to consent to the inspection activities in the scope of the presented authorization (items 1 to 5) due to the irrelevance of the inspection, which I justify in the letter [...] of [...]. 03.2020 the shortest time is due to the fact that the scope of the inspection is to focus on the number of the land and mortgage register, which is not a personal data within the meaning of the Geodetic and Cartographic Law. I am asking for clarification of the scope of the control in accordance with the basis for its initiation. " The Chief Surveyor of the country then stated that he agreed to carry out control activities only to the extent specified in points 6 and 7 of personal authorizations. Only then did he sign the personal authorizations of the inspectors, placing the annotation "Signed in accordance with the declaration below" next to the signature. In accordance with the above-mentioned statement, the Chief Surveyor of the Country submitted a letter with the reference number [...] to the inspection files, in which it was indicated, inter alia, legal grounds for qualifying the number of the land and mortgage register as a given subject, that is art. 20 paragraph 1 point 1 of the Geodetic and Cartographic Law and § 73 of the Regulation of the Minister of Regional Development and Construction of March 29, 2001 on land and building records.


By letter dated [...] May 2020 (delivered to the President of UODO [...] May 2020), the attorney of the Chief Regional Surveyor presented the position of the Chief Regional Surveyor, indicating that 'the initiation and conduct of proceedings by the President of UODO in this case is pointless and should therefore be discontinued in full'. The attorney of the Chief Regional Surveyor argued in particular that:
Due to the unequivocally expressed lack of consent of the Chief Surveyor of the Country to carry out control activities in the scope specified in items 1-5 of personal authorizations, the inspectors withdrew from activities in this respect, making arrangements only in the scope referred to in items 6 and 7 of the authorization. Within the scope of control, for which the Chief National Surveyor has consented, controlling, among others:


1. "The scope of the inspection was pointless as it concerned the use of information which does not constitute personal data and in respect of which the Chief Inspectorate of the Country does not decide on the purposes and methods of processing (so he could not have the status of a data controller). The GKK did not thwart the inspection, but only questioned the scope of the inspection, which was to concern the processing of personal data in the form of a land and mortgage register number.
heard as a witness Mr. W. I. - Chief Country Surveyor,
2. "The inspection [...] was carried out not at the Chief Surveyor of the Country, but at the Chief Office of Geodesy and Cartography, which is a separate controller of personal data from the point of view of the provisions of the GDR.
obtained a copy of an exemplary agreement with the staroste on cooperation in the creation and maintenance of common elements of technical infrastructure regarding the publication of PZGiK data,
3. "The President of UODO unjustifiably considered that the Chief Surveyor of the Country - who took part in the inspection proceedings as a person representing the inspected person, i.e. the Chief Office of Geodesy and Cartography - did not cooperate with the President of UODO in the performance of his tasks'.
obtained copies of documents confirming the general organizational measures implemented by the Chief Surveyor of the Country (not particularly related to the GEOPRTAL2 portal) to ensure the security of the protected data,
4. "The President of UODO unjustifiably stated that the Chief Surveyor of the Country prevented the inspection of personal data processing at the controlled entity, i.e. the Main Office of Geodesy and Cartography.
obtained copies of documents confirming the appointment by the Chief Land Surveyor of Mr. [...] as the Data Protection Inspector at the Central Office of Geodesy and Cartography,
5. "The President of the UODO unjustifiably considered that the Chief Surveyor of the country did not provide the President of the UODO with access to the premises, equipment and means for processing personal data in connection with the control carried out in the Main Office of Geodesy and Cartography, and did not provide access to information necessary for the President of the UODO to perform his tasks".
heard as a witness Mr. [...] - Chief Specialist in the Department [...] at the Head Office of Geodesy and Cartography,
6. "Consequently, the President of the UODO unduly found that GGK could have infringed Articles 31 and 58(1)(e) and (f) of the GDPR."
obtained a printout of the Regulations of the website www.geoportal.gov.pl,
obtained copies of the Register of processing activities containing the risk analysis and impact assessment for data protection and the Register of processing activities categories with risk analysis.
During the inspection, the inspectors - due to the lack of consent of the Chief National Surveyor - did not assess the implemented technical measures to ensure the security of the protected data (including data processed via the GEOPORTAL2 portal), in particular, they did not inspect the places, objects, devices of carriers and IT systems for data processing. Moreover - due to, inter alia, against the refusal of the Chief Country Surveyor to sign the protocol of testimony made on [...] March 2020 - the inspectors did not obtain full and binding, legally effective explanations of the inspected party in the subject covered by the inspection.


After considering all the evidence gathered in the case, the President of UODO weighed the following.
Due to the ineffectiveness of further inspection, due to the lack of consent of the Chief Surveyor of the Country for inspection activities regarding the scope specified in points 1-5 of personal inspection authorizations, and the lack of cooperation on his part in this regard, the inspectors decided to terminate on [...] March 2020 control. On that day, an inspection protocol was drawn up by the inspectors, and then signed by the Chief National Surveyor (without any reservations).


According to Article 57(1)(a) of Regulation 2016/679, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, the President of the PPA has the task of monitoring and enforcing the application of the Regulation on its territory. Within the framework of his competences, the President of the PPA has the task, inter alia, of conducting proceedings for the application of Regulation 2016/679 (Article 57(1)(f)). In order to be able to carry out these tasks, the President of the PPA has a number of powers, as set out in Article 58(1) of Regulation 2016/679, to conduct proceedings, including the power to order the controller and processor to provide all information necessary for the performance of its tasks (Article 58(1)(f) of Regulation 2016/679). (Article 58(1)(a), the power to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of their tasks (Article 58(1)(e)) and the power to obtain access to all premises of the controller and the processor, including the data processing equipment and means, in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f). Infringement of the provisions of Regulation 2016/679, as a result of the failure of the public authority, being the controller or processor, to ensure access to the data and information referred to above, resulting in a breach of the authority's powers specified in Article 58 (1)(f). The authority may - in accordance with Article 83(5)(e) in fine of Regulation 2016/679 in connection with Article 102(1) and (3) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "u.o.d.o.". - administrative fine of up to PLN 100,000.
Due to the fact that it was impossible to control the processing by the Chief Surveyor of the Country of personal data from the land and building register on the GEOPORTAL2 portal, this procedure was initiated ex officio to impose an administrative fine on the Chief Surveyor of the Country for violation of Art. 31 and art. 58 sec. 1 lit. e) and f) of Regulation 2016/679, consisting in the lack of cooperation with the President of the Personal Data Protection Office in the performance of his tasks, preventing the inspection of personal data processing, as well as failure to provide the President of the Personal Data Protection Office with access to premises, equipment and means used to process personal data , and access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks.


It should also be noted that the administrator and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of Regulation 2016/679. Failure to comply with this obligation is also at risk - pursuant to Article 83(4)(a) of Regulation 2016/679 in conjunction with Article 102(1) and (3) of the Polish Commercial Companies Code. - an administrative fine of up to PLN 100,000.
The Chief National Surveyor was informed about the initiation of the procedure and the collection of evidence in the case by a letter of [...] March 2020, delivered to him electronically via the ePUAP platform.


The "procedure laid down in EU or Member State law" indicated in Article 58(1)(f) of Regulation 2016/679 for the exercise of the power of the supervisory authority to obtain access to the premises of the controller and the processor, including the equipment and means of data processing, is, under Polish law, described in Chapter 9 of the Polish Commercial Companies Code. (Articles 78 - 91), the procedure of "control of the observance of personal data protection regulations". In accordance with Article 78 of the Polish Data Protection Act. The President of UODO carries out a control of the observance of the provisions on personal data protection (paragraph 1), and this control may be carried out "in accordance with the control plan approved by the President of the Office or on the basis of information obtained by the President of the Office or as part of monitoring the observance of the application of Regulation 2016/679". (paragraph 2). Controllers (authorized employees of the Office for the Protection of Personal Data) are entitled - as provided for in Article 84(1) of the Polish Data Protection Act. - right: 1. enter the land and buildings, premises or other premises from 6.00 a.m. to 10.00 p.m., 2. inspect the documents and information directly related to the subject matter of the inspection, 3. carry out an inspection of places, objects, devices, carriers and IT or ICT systems used for data processing, 4. demand written or oral explanations and questioning as a person's witness to the extent necessary to establish the facts, 5. have expert opinions and opinions prepared. The inspector shall establish the facts on the basis of evidence gathered (using the powers indicated above) in the inspection proceedings, in particular documents, objects, inspections and oral or written explanations and statements (Article 87 of the Polish Commercial Companies Code).
By letter of [...] April 2020 (delivered to the President of the Personal Data Protection Office on [...] April 2020), the representative of the Chief Surveyor of the Country requested that the representatives of the Chief Surveyor of the Country be able to inspect the case files and prepare their photocopies, or to provide copies of the entire case files by electronic means . In response to the request, copies of the entire case files were submitted to the representative of the Chief Surveyor of the Country by post, by letter of [...] May 2020, delivered to the representative on [...] May 2020.


Referring to the above mentioned provisions with regard to the facts of the present case, it should be stated that the President of UODO had the right to initiate and carry out with the Chief Surveyor of the Country an inspection of personal data processing; he also had a justification for making findings in this type of proceedings (inspection proceedings regulated in Chapter 9 of U.o.d.o.).
In a letter of [...] May 2020 (delivered to the President of UODO on [...] May 2020), the representative of the Chief Surveyor of the Country presented the position of the Chief Surveyor of the Country, indicating that "the initiation and conduct of proceedings by the President of UODO in this case is pointless and for this reason should be written off in full ”. The Plenipotentiary of the Chief Surveyor of the Country submitted in particular that


The control powers of the President of UODO were formulated - in the above mentioned provisions of Regulation 2016/679 and U.o.d.o. - broadly; their use is limited only to the purpose - checking whether the provisions on personal data protection are observed. It is worth noting that the condition for such a control is not even a justified suspicion of a violation. The legislator explicitly allows in Article 78(2) of the Polish Commercial Companies Code for the possibility to carry out the control 'in accordance with [...] the control plan', i.e. without prior information indicating the irregularities in the processing of personal data taking place in a particular entity, and even without information indicating whether the entity is processing personal data at all (the control of such an entity would have to establish such circumstance in the first place - before making further arrangements concerning e.g. legality and lawfulness of processing). General and broad definition of the task to be performed by the President of the PPA ("monitoring and enforcement of the application of the Regulation" referred to in Article 57(1)(a) of Regulation 2016/679, "control of compliance with the rules on personal data protection" referred to in Article 78(1) of the U.o.d.o.) leaves the President of the PPA to define both the circle of controlled entities and the scope of controls. This task should be understood broadly - not only as checking whether a specific entity in a particular case violates the provisions on personal data protection in a specific way, but also as a task undertaken in order to identify the types, areas of occurrence and scale of problems related to the application of the provisions on personal data protection (in particular Regulation 2016/679), eliminate them and prevent them in the future. In the context of the freedom left to the President of UODO to determine the entity subject to the inspection and the scope of the inspection, it should be stated that in the present case the President of UODO had a particularly justified basis for initiating and carrying out the inspection with the Chief Surveyor of the Country to the extent that he considered necessary for the performance of the task of monitoring the application of Regulation 2016/679. As a result of the inspection carried out on [...] February 2020 in the Poviat Starosty in J. (ref. act of control [...]) obtained information on transferring personal data from the land and building register (including land and mortgage register numbers) and further processing (making them available) through the GEOPORTAL portal2 to the Chief Surveyor of the Country by the Starost of J. The mere fact of having these data at the disposal of the Chief Geodesist of the Country constitutes a sufficient basis for carrying out an inspection at his premises for the purpose of - as stated in Article 87 of the Polish Commercial Companies Code. - only to gather evidence allowing to establish the factual state of the case (and not the legal assessment of this state, which - in the case of suspicion of an infringement - takes place in a separate administrative procedure). It follows from the essence of control understood in this way that the controlled entity cannot question - at the stage of initiation and conduct of control - its legitimacy and scope. As the Supreme Administrative Court rightly pointed out in the judgment of 3 March 2016 in the case ref. II OSK 1667/14 (concerning a fine imposed by the Chief Sanitary Inspector on the grounds of the Act of 25 August 2006 on food and nutrition safety (Journal of Laws of 2019, item 1252, as amended) in connection with preventing the official control of food): "The court of first instance and the authorities inspected in the administrative court proceedings are right that the plant inspected is not entitled to decide on the scope of inspection. This is the exclusive domain of the inspection bodies." (Lex No 2113109). This statement, in the opinion of the President of UODO, is of general significance and also applies to the control of compliance with the provisions on personal data protection. The place for questioning the legal assessment of the facts of the case (and this is what the Chief Surveyor of the Country in this case is actually about, in fact, questioning the scope of the inspection, related to the claim that the land and mortgage register number does not constitute a personal data) is a possible infringement procedure initiated on the basis of evidence gathered during the inspection procedure.
"The scope of the inspection was pointless, as it concerned the use of information that does not constitute personal data, and for which the Chief Surveyor of the Country does not decide on the purposes and methods of processing (thus, it could not have the status of a data controller). GKK did not prevent the inspection, but only questioned the scope of the inspection, which was to concern the processing of personal data in the form of a land and mortgage register number. "
"The inspection [...] was carried out not at the Head of the National Surveyor, but at the Head Office of Geodesy and Cartography, which, from the point of view of the provisions of the GDPR, is a separate administrator of personal data."
"The President of the Personal Data Protection Office groundlessly found that the Chief National Surveyor - who participated in the inspection proceedings as a representative of the inspected entity, ie the Central Office of Geodesy and Cartography - did not cooperate with the President of the Personal Inspectorate as part of his tasks".
"The President of the Personal Data Protection Office (UODO) groundlessly found that the Chief National Surveyor made it impossible to carry out an inspection in the field of personal data processing at the controlled entity, i.e. at the Central Office of Geodesy and Cartography."
"The President of the Personal Data Protection Office unjustifiably considered that the Chief National Surveyor did not provide the President of the Personal Data Protection Office with access to premises, equipment and means for processing personal data in connection with the control carried out at the Central Office of Geodesy and Cartography, and did not provide access to information necessary for the President of the Personal Data Protection Office. his tasks. "
“As a result of the above, the President of the Personal Data Protection Office unjustified that GGK could infringe Art. 31 and art. 58 sec. 1 lit. e) and f) GDPR. "
After considering all the evidence collected in the case, the President of UODO considered the following.


As shown above, the control powers of the President of UODO are limited by the purpose of the control, which is to check compliance with the provisions on personal data protection. The position of the Chief Surveyor of the Country expressed during the inspection, and developed in the letter of his proxy of [...] May 2020, that the data in the form of land and mortgage register numbers do not constitute personal data, is in fact a statement that the inspection (to the extent specified in points 1-5 of the registered inspection authorisations) did not fall within this objective. Such an assertion must definitely be regarded as incorrect. Without prejudging in this Decision the qualification of these data as personal data in the present case, it should be pointed out that, at the time the inspection was initiated, the President of the UODO had at least legitimate grounds for such qualification. This justification resulted from the consistently held position of the President of UODO and earlier the Inspector General for the Protection of Personal Data, as well as from the position of the doctrine and the jurisprudence of administrative courts (see the judgment of the Supreme Administrative Court of 18 February 2014 ref. I OSK 1839/12 - LEX no. 1449867, the judgment of the Supreme Administrative Court of 26 September 2018 ref. I OSK 276/17 - LEX no. 2737936, the judgment of the Supreme Administrative Court of 26 September 2018 ref. I OSK 11/17 - LEX no. 2573629). The actions of the Chief Surveyor of the State aimed at thwarting or hindering the inspection should therefore be considered inadmissible, in particular when these actions are based solely on the subjective legal assessment of the inspected person (even if they are supported by selected, unrepresentative voices of doctrine and court rulings). Such an action would lead to an unacceptable situation where, by making it impossible to establish the facts of the case, the inspected person deprives the independent reviewing authority of the possibility to make its own, reliable and comprehensive legal assessment of the situation, which could be subject to subsequent verification by the competent judicial and administrative authorities if necessary.
Pursuant to Art. 57 sec. 1 lit. a) Regulation 2016/679, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of art. 51 of the Regulation 2016/679 - its task is to monitor and enforce the application of this regulation on its territory. As part of his competences, the President of the Personal Data Protection Office is responsible, inter alia, conduct proceedings on the application of Regulation 2016/679 (Article 57 (1) (f)). In order to enable the performance of such defined tasks, the President of the Personal Data Protection Office has a number of provisions specified in art. 58 sec. 1 of Regulation 2016/679, the rights in the scope of conducted proceedings, including the right to order the administrator and the processor to provide all information needed to perform its tasks (Article 58 (1) (a), the right to obtain from the controller and the processor access to any personal data and any information necessary for the performance of its tasks (Article 58 (1) (e) and the right to access all premises of the controller and processor, including equipment and measures for data processing, in accordance with the procedures laid down in EU law or in the law of a Member State (Article 58 (1) (f)). Violation of the provisions of Regulation 2016/679, consisting in failure to provide access to the data and information referred to above by the public authority being the controller or processor, resulting in the violation of the authority's powers specified in art. 58 sec. 1 of Regulation 2016/679 (including the right to obtain personal data and information necessary to perform its tasks and to gain access to premises, equipment and means for data processing), and may be subject - in accordance with art. 83 sec. 5 letter e) in fine of the Regulation 2016/679 in connection with art. 102 paragraph. 1 and 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as "PDA" - an administrative fine of up to PLN 100,000.


In line with the above argumentation of the Chief National Inspectorate, the position put forward by his representative in his letter of [...] May 2020 that 'the scope of the control carried out is devoid of purpose, since it concerns the use of information [...] in respect of which the Chief National Inspector does not decide on the purposes and means of processing (and could not therefore have the status of data controller)' should be assessed. The assessment of whether the Chief Surveyor is a controller (or perhaps a co-controller, or possibly a processor) in the processing of data on the GEOPRTAL portal2 is an element of the facts to be determined during the inspection. At the moment of initiating the inspection, the President of UODO had information that in the GEOPORTAL2 portal, whose administrator is the Chief Surveyor of the Country, information which constitutes (or may constitute) personal data is processed, in particular the land and mortgage register numbers assigned to the properties presented in the portal. The above has been confirmed by the results of an inspection carried out in the Poviat Starosty in J. (file reference [...]), from which it appeared that the Chief Land Surveyor obtained data (including land and building register numbers) from the land and building register kept by the Starost of J., in order to further process them through the GEOPORTAL portal2. Additionally, it is worth pointing out that in the Rules and Regulations of the www.geoportal.gov.pl website (located on the website www.geoportal.gov.pl.) there is information directly indicating that the administrator of personal data processed in the GEOPORTAL2 portal is the Chief Surveyor of the Country ("The administrator of your personal data is the Chief Surveyor of the Country with its registered office in Warsaw, Wspólna 2, 00-926 Warsaw"). Such information justified the need to carry out an inspection of compliance with the regulations on personal data protection, among others, in order to determine the role of the Chief Surveyor of the Country in this data processing process. The position of the Chief Surveyor of the Country, presented in the letter of his proxy of [...] May 2020, also assumes erroneously that the entity subject to the control of the President of UODO may only be the entity which decides about the purposes and methods of processing, i.e. the controller (which - in his own opinion - is not the controller in the case under consideration). The Chief Surveyor of the Country seems not to notice that the obligation to provide access to personal data and information necessary for the performance of the tasks of the President of PODO and access to premises, equipment and means of data processing, referred to in Article 58(1)(e) and (f), lies not only with the controller, but also with the co-administrator and the entity processing personal data. Denying his role of the controller, the Chief Surveyor of the Country seems not to exclude that he processes personal data from the land and building register as a processor - on behalf of the controllers (starosts), on the basis of agreements which could in fact be assessed as the agreements referred to in Article 28(3) of Regulation 2016/679). The above uncertainty as to the role played in the process of processing in GEOPORTAL2 the data obtained from the land and building register, which could be removed in the course of the inspection, proves the legitimacy of carrying out the inspection at the Chief Surveyor of the Country to the full extent - specified in the inspectors' personal authorisations. Similarly, as far as the obligation to cooperate with the supervisory authority, specified in Article 31 of Regulation 2016/679, is concerned, it is addressed not only to the administrator but also to the processor.
It should also be pointed out that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Art. 31 of Regulation 2016/679. Failure to comply with this obligation is also threatened - in accordance with Art. 83 sec. 4 lit. a) Regulation 2016/679 in connection with art. 102 paragraph. 1 and 3 of the Personal Data Protection Act - an administrative fine of up to PLN 100,000.


Referring to the last one, presented by the representative of the National Surveyor General in a letter dated [...] May 2020, the aspect justifying - in his opinion - the refusal to give consent for the inspection to be carried out by the President of UODO, i.e. to state that 'the inspection [...] was carried out not at the Head Surveyor's Office, but at the Head Office of Geodesy and Cartography, which from the point of view of the provisions of UODO is a separate controller of personal data', it should be noted that it is based only on the fact that in several places in the documents relating to the inspection (in the inspectors' personal authorisations, The President of UODO indicated the Main Office of Geodesy and Cartography as the place where the control activities were to be (were) carried out, due to the fact that it is in the Main Office of Geodesy and Cartography as an organizational unit with the help of which the Main Surveyor of the Country carries out his tasks, that personal data and sources of information, premises, equipment and means for the processing of personal data, access to which was necessary for the President of UODO to gather evidence in the case, are located. The analysis of the entire content of documents concerning the inspection (in particular those preparing the inspection - the inspection notice of [...] March 2020 and the personal inspection authorizations of [...] March 2020) shows unequivocally that the purpose of the inspection was related to the realization of the statutory task of the Chief Surveyor of the Country which is to create and maintain the GEOPORTAL portal2. This is evidenced by such statements as: "the scope of the inspection will include making available by the Chief National Surveyor...", "please prepare documentation concerning the processing of personal data by the Chief National Surveyor". (both from the notification of the inspection), "the inspection will include making available by the Chief National Surveyor...", "whether the Chief National Surveyor has implemented appropriate technical and organisational measures...", "whether the Chief National Surveyor has appointed a Data Protection Officer...". (the last three of the registered inspectors' authorisations). As indicated by the Chief National Surveyor's representative himself in his letter of [...] May 2020, the task of creating and maintaining the GEOPORTAL portal2 was formulated in the provisions of Article 5 of the Act of 17 May 1989. Geodetic and cartographic law (Journal of Laws of 2020, item 276 as amended) and Article 13.1 of the Act of 4 March 2010 on spatial information infrastructure (Journal of Laws of 2020, item 177 as amended). The latter provision stipulates that the Chief Geodesist of the Country creates and maintains a geoportal of spatial information infrastructure as a central point of access to services related to spatial data sets and services; however, it does not provide for any participation in this task for the Chief Geodesy and Cartography Office. The above provision defining competence and responsibility for the functioning of the GEOPORTAL2 portal, combined with the subject and scope of control indicated by the President of the UODO, should not leave (especially to the central authority competent in matters of geodesy and cartography) any doubt as to the definition of the entity subject to control. It should be additionally emphasized that the Chief Surveyor of the Country, both at the time of commencement and during the inspection, did not raise any reservations as to the identification of the entity to be inspected, although he had the opportunity to do so (by making a statement on the inspectors' personal authorizations about their lack of consent to carry out the inspection, by making such reservations to the minutes of the hearing as a witness or in the form of a reservation to the inspection report). In the opinion of the President of UODO, the reservation concerning the indication of the controlled entity was formulated by the Chief Surveyor of the country post factum - solely for the purpose of justifying the infringement of the provisions on personal data protection.
Indicated in art. 58 sec. 1 lit. f) of Regulation 2016/679 "the procedure laid down in EU law or in the law of a Member State" for the exercise of the supervisory authority's right to gain access to the premises of the controller and the processor, including equipment and means for data processing, is based on Polish law, described in Chapter 9 of the Act on Personal Data Protection (Articles 78 - 91), the procedure of "monitoring compliance with the provisions on the protection of personal data". Pursuant to Art. 78 uodo, the President of the Personal Data Protection Office (UODO) controls compliance with the provisions on the protection of personal data (paragraph 1), and this control may be carried out "in accordance with the control plan approved by the President of the Office or on the basis of information obtained by the President of the Office or as part of monitoring compliance with the application of Regulation 2016 / 679 ”(section 2). Controlling persons (authorized employees of the Office for Personal Data Protection) are entitled to - as provided for in Art. 84 sec. 1 of the Personal Data Protection Act - the right to: 1. enter the land and buildings, premises or other premises between 6.00 a.m. and 10.00 p.m., 2. access documents and information directly related to the scope of the inspection, 3. carry out inspections of places, objects, devices, data carriers and IT or teleinformation systems used for data processing, 4. demand to submit written or oral explanations and to interview a person as a witness to the extent necessary to establish the facts, 5. commission the preparation of expert opinions and opinions. The inspector determines the facts on the basis of evidence collected (with the use of the above-mentioned powers) in the control procedure, in particular documents,


Summarizing the above considerations, it should be stated that the justification for the refusal to give consent to the inspection of personal data processing by the Chief Surveyor of the country during the inspection, developed by his representative in the position presented to the President of UODO in his letter of [...] May 2020, does not deserve to be accepted in any point. The President of UODO had the right and justification to carry out an inspection with the Chief Surveyor of the Country. The scope of this inspection was within the objectives set out in Article 57(1)(a) of Regulation 2016/679 ('monitoring and enforcement of the Regulation') and Article 78(1) of the Polish Civil Code. ('monitoring of compliance with data protection rules'). The action of the Chief Surveyor of the Country as the inspected, consisting in the refusal to give consent to carry out the inspection within the scope specified in points 1-5 of the personal authorisations of the inspected persons, made it impossible to carry out inspection activities in this area to the full extent (in particular the inspection of IT and ICT systems in which personal data are processed by the Chief Surveyor of the Country, receiving in this respect the explanations of the Chief Surveyor of the Country, receiving explanations and testimonies of the employees of the Chief Surveyor of the Country, obtaining an insight into the documents constituting the basis for obtaining personal data processed in the GEOPORTAL portal2 - e.g. "the inspection of the data protection of personal data". The General Surveyor of the Country and the heads of district authorities). The refusal of the Chief Surveyor of the Country to carry out the inspection within the scope specified in points 1-5 of the registered authorisations of the inspected persons, which means a declaration of lack of any cooperation with the inspectors in this respect, caused the inspectors to withdraw from activities in this respect. The Supreme Administrative Court in the aforementioned judgment of 3 March 2016 in the case ref. II OSK 1667/14 rightly indicated that: "one should agree with the position that in order for the inspection to achieve its objective it requires at least a minimum degree of cooperation from the inspected party. That cooperation must relate to the full extent of the authority's powers'. In the present case, there was no cooperation on the part of the Chief Surveyor of the State in the field of control, which he arbitrarily considered to be unfounded.
Referring the above-mentioned provisions to the facts of the present case, it should be stated that the President of the Personal Data Protection Office had the right to initiate and conduct an inspection of the processing of personal data at the Chief National Surveyor; it also had a justification for making findings in this type of procedure (control procedure regulated in chapter 9 of the PDPA).


With reference to the above findings to the obligations imposed by the provisions of Regulation 2016/679 on the controller and processor, and concerning their relation to the supervisory body, it should be stated that the Chief National Inspectorate, in the course of the inspection proceedings under the heading [...], violated his action:
The control powers of the President of the Personal Data Protection Office (UODO) have been formulated - in the above-mentioned provisions of the Regulation 2016/679 and the Personal Data Protection Act - broadly; their use is limited only to the purpose - checking whether the provisions on the protection of personal data are complied with. It is worth noting that the condition for carrying out such an inspection is not even a justified suspicion that a violation has been found. The legislator expressly allows in Art. 78 sec. 2 uodo, the possibility of carrying out inspections "in accordance with [...] the inspection plan", i.e. without prior information indicating irregularities in the processing of personal data taking place in a specific entity, and even without information indicating whether a given entity processes personal data at all (control of such an entity would, however, first have to establish such a circumstance - before making further determinations regarding, for example, the legality and lawfulness of processing). General and broad definition of the task to be performed by the President of the Personal Data Protection Office ("monitoring and enforcement of the application of the regulation" referred to in Article 57 (1) (a) of Regulation 2016/679, "control of compliance with the provisions on the protection of personal data" referred to in Art. 78 sec. 1 UODO) leaves the President of UODO the freedom to define both the group of controlled entities and the scope of the inspections carried out. This task should be understood broadly - not only as checking whether a specific entity in a specific case violates the provisions on the protection of personal data in a specific way, but also as a task undertaken to identify the types, areas and scale of problems related to the application of the provisions on the protection of personal data. (in particular, Regulation 2016/679), their elimination and prevention in the future. In the context of the freedom left to the President of the Personal Data Protection Office in determining the entity subject to control and the scope of this control, it should be stated that in this case the President of the Personal Data Protection Office had a particularly justified basis to initiate and conduct an inspection at the Chief Surveyor of the country in the scope that he considered necessary for the implementation of the task of monitoring the application of the Regulation. 2016/679. As a result of the inspection carried out on [...] February 2020 in the Poviat Starosty in J. (reference number [...]), he obtained information about the provision of personal data to the Chief Surveyor of the Country by Starost J. land and mortgage registers) and their further processing (sharing) via the GEOPORTAL2 portal. The mere fact of having these data by the Chief Surveyor of the Country is a sufficient basis for conducting an inspection aimed at - as stated in Art. 87 of the PPA - only collecting evidence allowing to establish the facts of the case (and not the legal assessment of this status, which - in the case of suspected violations - takes place in a separate administrative procedure). From the essence of control understood in this way, it follows that that the inspected entity cannot question - at the stage of initiating and conducting the inspection - its legitimacy and its scope. As rightly pointed out by the Supreme Administrative Court in the judgment of March 3, 2016 in the case file no. II OSK 1667/14 (regarding the imposition by the Chief Sanitary Inspector, on the basis of the Act of August 25, 2006 on Food and Nutrition Safety (Journal of Laws of 2019, item 1252, as amended), a fine in connection with preventing official food control): "The court of first instance and the authorities inspected in administrative court proceedings are right that the plant under examination is not entitled to decide on the scope of the control. It is the exclusive domain of the controlling units. " (Lex No. 2113109). This statement - in the opinion of the President of the Personal Data Protection Office - has a general meaning and also applies to the control of compliance with the provisions on the protection of personal data. The place for questioning the legal assessment of the facts of the case (and in this case it is essentially the questioning by the Chief National Surveyor of the scope of the inspection, related to the statement that the land and mortgage register number does not constitute a personal o evidence collected during the control procedure.


1. Article 58(1)(e) of Regulation 2016/679, which requires him to ensure that the President of the PPA has access to all personal data and all information necessary for the supervisory authority to carry out its tasks,
As shown above, the inspection powers of the President of the Personal Data Protection Office are limited to the purpose of the inspection, which is to verify compliance with the provisions on the protection of personal data. The position of the Chief National Surveyor expressed during the inspection, and developed in his representative's letter of [...] May 2020, that the data in the form of land and mortgage register numbers do not constitute personal data, is in fact a statement that the inspection (to the extent specified in items 1 -5 personal controlling authorizations) did not fit this purpose. Such a claim should definitely be considered incorrect. Without prejudging the qualification of such data as personal data in the case at hand, it should be pointed out that at the time of initiating the inspection, the President of the Personal Data Protection Office had at least reasonable grounds to accept such a classification. This justification resulted from the consistent position of the President of the Personal Data Protection Office, and previously the Inspector General for Personal Data Protection, as well as the position of the doctrine and jurisprudence of administrative courts (see the judgment of the Supreme Administrative Court of 18 February 2014, ref. I OSK 1839/12 - LEX No. 1449867, judgment of the Supreme Administrative Court of 26 September 2018, reference number I OSK 276/17 - LEX no. 2737936, judgment of the Supreme Administrative Court of 26 September 2018, reference number I OSK 11/17 - LEX no. 2573629). In view of the above, the actions of the Chief National Surveyor aimed at thwarting or hindering the inspection should be considered unacceptable, in particular when these actions are based solely on the subjective legal assessment of the controlled entity (even if they are supported by selected, unrepresentative voices of the doctrine and court decisions). Doing so would lead to an unacceptable situation where
2. Article 58(1)(f) of Regulation 2016/679 requiring him to ensure that the President has access to all premises of the controller and the processor, including the equipment and means of processing, in accordance with the procedures laid down in Union or Member State law,
3. Article 31 of Regulation 2016/679 which requires him to cooperate with the President of UODO, at his request, in the performance of his tasks.
In connection with the above infringements of Regulation 2016/679, the President of the UODO concludes that in the present case there are grounds for imposing on the Chief National Surveyor, pursuant to Articles 83(4)(a) and 83(5)(a) and 83(5)(a) of Regulation 2016/679, the conditions for the imposition of the obligation under Article 83(4)(a) and 83(5)(b) of Regulation 2016/679 on the Chief National Surveyor are met. e) in fine of Regulation 2016/679 - an administrative fine for failure to ensure access by the Chief Surveyor of the State to premises, equipment and means for processing personal data and access to personal data and information necessary for the President of the PPA to perform his tasks, as well as for failure to cooperate with the President of the PPA during this inspection.


Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, a number of circumstances listed in points a) through k) of the aforementioned provision are addressed. When deciding to impose an administrative penalty payment on the Chief National Surveyor in the present case and when setting the amount of the fine, the President of the UODO took into account, among other things, the following aggravating circumstances affecting the assessment of the infringement:
Similar to the above argumentation of the Chief Surveyor of the Country, the position presented by his attorney in the letter of [...] May 2020 should be assessed that "the scope of the inspection is pointless because it concerned the use of information [...] for which the Chief Surveyor of the Country does not decide on the goals and methods of processing (therefore, he could not have the status of a data controller) ”. The assessment of whether the Chief National Surveyor performs the role of the administrator in the data processing on the GEOPRTAL2 portal (or maybe a co-administrator, or a processor) is an element of the facts that was to be determined in the course of the inspection. At the time of the inspection, the President of the Personal Data Protection Office had information that on the GEOPORTAL2 portal, whose administrator is the Chief Country Surveyor, the information that constitutes (or may constitute) personal data is processed, in particular the land and mortgage register numbers assigned to the real estate presented on the portal. The above was confirmed by the results of the inspection carried out in the Poviat Starosty in J. (reference number [...]), which showed that the Chief Surveyor of the Country obtained data (including the numbers of land and mortgage registers from the land and building records kept by Starost J. ) for further processing via the GEOPORTAL2 portal. Additionally, it is worth mentioning that in the Regulations of the website which showed that the Chief Surveyor of the Country obtained from the land and building records kept by Starost J., data (including land and mortgage register numbers) for further processing via the GEOPORTAL2 portal. In addition, it is worth mentioning that in the Regulations of the website which showed that the Chief Surveyor of the Country obtained from the land and building records kept by Starost J., data (including land and mortgage register numbers) for further processing via the GEOPORTAL2 portal. In addition, it is worth mentioning that in the Regulations of the websitewww.geoportal.gov.pl (posted on the website www.geoportal.gov.pl.) there is information directly indicating that the administrator of personal data processed on the GEOPORTAL2 portal is the Chief National Surveyor ("The administrator of your personal data is the Chief National Surveyor with its seat in Warsaw, ul. Wspólna 2, 00-926 Warsaw"). Such information justifies the need to carry out an audit of compliance with the provisions on the protection of personal data in order to determine the role of the Chief National Surveyor in this data processing process. The position of the Chief National Surveyor, presented in the letter of his representative of [...] May 2020, also erroneously assumes that the entity subject to the control of the President of the Personal Data Protection Office may only be the entity deciding on the purposes and methods of processing, i.e. the controller (which he - in his own opinion - in the case under consideration is not). The Chief Surveyor of the Country does not seem to notice that the obligation to provide access to personal data and information necessary to perform the tasks of the President of the Personal Data Protection Office and access to premises, equipment and means for data processing, referred to in Art. 58 section 1 lit. e) and f), rests not only on the controller, but also on the co-controller and the entity processing personal data. By denying his role as administrator, the Chief National Surveyor seems not to exclude that he processes personal data from the land and building register as a processor - on behalf of administrators (starosts), on the basis of contracts that could in fact be assessed as in art. 28 sec. 3 of the Regulation 2016/679). The above uncertainty as to the role played in the processing of data obtained from the land and building register in the GEOPORTAL2 portal, which could be removed in the course of the inspection, proves the legitimacy of carrying out the inspection at the Chief National Surveyor in the full scope - specified in the personal authorizations for inspecting - to the extent. Similarly, with regard to the provisions of Art. 31 of Regulation 2016/679, the obligation to cooperate with the supervisory authority, it is addressed not only to the controller, but also to the processor.


1. Nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).
that it is in the Head Office of Geodesy and Cartography as an organizational unit with which the Chief Surveyor of the country carries out his tasks, personal data and sources of information, premises, equipment and means for the processing of personal data, access to which was necessary for the President of the Personal Data Protection Office in order to collect evidence regarding. The analysis of the entire content of the documents relating to the inspection (in particular those preparing the inspection - the inspection notice of [...] March 2020 and the personal authorizations of the inspectors of [...] March 2020) shows unequivocally that the purpose of the inspection was related to the implementation of the statutory main task Country Surveyors, which is the creation and maintenance of the GEOPORTAL2 portal. This is evidenced by such phrases as: "the scope of the inspection will cover disclosure by the Chief Surveyor of the Country ...", "I am asking for the preparation of documentation regarding the processing of personal data by the Chief National Surveyor." (both from the notification of inspection), "the inspection will cover the disclosure by the Chief Surveyor of the Country ...", "whether the Chief Surveyor of the Country has implemented appropriate technical and organizational measures ...", "whether the Chief Surveyor of the Country has appointed a data protection officer ..." (the last three of the personal authorizations controlling). As the representative of the Chief National Surveyor himself pointed out in a letter of [...] May 2020, the task of creating and maintaining the GEOPORTAL2 portal was formulated in the provisions of Art. 5 of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended) and Art. 13 sec. 1 of the Act of March 4, 2010 on spatial information infrastructure (Journal of Laws of 2020, item 177, as amended). The latter provision states that the Chief National Surveyor creates and maintains a geo-portal of the spatial information infrastructure as a central access point to spatial data sets and services; however, it does not provide for any participation in this task for the Head Office of Geodesy and Cartography. The above provision specifying the competences and responsibilities in the field of the GEOPORTAL2 portal operation, in conjunction with the subject and scope of control indicated by the President of the Personal Data Protection Office, should not leave (especially to the central authority competent in matters of geodesy and cartography) any doubts as to the determination of the entity subject to control. It should also be emphasized that the Chief National Surveyor, both at the start of the inspection and during the inspection, did not raise any objections as to the indication of the inspected entity, although he had such a possibility (by submitting a declaration of disagreement to the inspection on personal authorizations of the inspectors, submitting such objections to the report of the hearing as a witness or in the form of an objection to the inspection report). In the opinion of the President of the Personal Data Protection Office, the objection to the indication of the controlled entity was formulated by the Chief Surveyor of the Country post factum - solely for the purpose of justifying his infringement of the provisions on the protection of personal data.  


An infringement that is subject to administrative pecuniary sanctions in this case undermines a system designed to protect one of the fundamental rights of the individual, which is the right to the protection of his or her personal data or, more broadly, to the protection of his or her privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of individuals' rights in this respect. In order to be able to carry out these tasks, supervisory authorities have been equipped with a number of inspection powers, administrative investigation powers and remedial powers. On the other hand, certain obligations are imposed on controllers and processors, correlated with the powers of the supervisory authorities, including the obligation to cooperate with the supervisory authorities and to provide those authorities with access to personal data and other information necessary for the performance of their tasks, as well as access to premises, equipment and means of processing personal data. The actions of the Chief Inspectorate of the Country in the course of the inspection under the heading [...], aimed at thwarting its performance within the scope indicated in points 1-5 and point 6 (as regards the technical measures implemented to ensure an appropriate level of security) of the registered inspection authorizations, and resulting in the lack of access to evidence indicating the legality and lawfulness of the processing by the Chief Inspector of the Country of personal data coming from the land and building register, should therefore be considered to be detrimental to the entire system of personal data protection, and therefore of great importance and reprehensible nature. The seriousness of the infringement is further increased by the fact that the infringement committed by the Chief National Inspectorate, albeit one-off (which took place on [...] March 2020), has had effects lasting until now. The lack of cooperation of the Chief Surveyor of the Country, expressed in the refusal to recognise the right of the President of UODO to control the compliance of his processing of personal data from the land and building register in the GEOPRTAL2 portal with the regulations, is current, which is confirmed by the position of the Chief Surveyor of the Country expressed in the letter of his proxy of [...] May 2020. Moreover, it should be pointed out as an aggravating circumstance that a violation of the rights of a public authority, i.e. the President of UODO, was committed by another public authority - the Chief Surveyor of the Country. In the opinion of the President of UODO, the public authority should be expected to have a special, greater understanding and respect for the actions taken by other authorities within the framework of their statutory tasks than in the case of private entities, and a greater degree of cooperation in the performance of these tasks.
Summarizing the above considerations, it should be stated that presented by the Chief Surveyor of the Country during the inspection, and developed by his attorney in the position presented to the President of the Personal Data Protection Office in a letter of [...] May 2020, the justification for refusing to consent to the inspection of personal data processing by him, it does not deserve approval at any point. The President of the Personal Data Protection Office had the right and justification to carry out an inspection at the Chief National Surveyor. The scope of this control fell within the objectives set out in Art. 57 sec. 1 lit. a) Regulation 2016/679 ("monitoring and enforcement of the application of the regulation") and in art. 78 sec. 1 uodo ("control of compliance with the provisions on the protection of personal data"). The operation of the Chief Surveyor of the country as the inspected person, consisting in refusing to consent to the inspection in the scope specified in points 1-5 of personal authorizations of the inspected persons, made it impossible to fully perform inspection activities in this area (in particular, inspection of IT and teleinformation systems in which the Chief Surveyor The country has personal data, collecting the explanations of the Chief National Surveyor in this regard, receiving explanations and testimonies from employees of the Chief Surveyor of the Country, obtaining access to documents constituting the basis for obtaining personal data processed on the GEOPORTAL2 portal - e.g. contracts linking the Chief Surveyor of the Country with the starosts). Refusal of the Chief National Surveyor to carry out an inspection in the scope specified in points 1-5 of personal authorizations for the inspected, denoting a declaration of the lack of any cooperation with the inspectors in this scope, caused the inspectors to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. caused the controllers to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. caused the controllers to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief National Surveyor in the field of control, which he himself arbitrarily considered to be groundless. that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief National Surveyor in the field of control, which he himself arbitrarily considered to be groundless.


2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).
Referring the above findings to the obligations imposed by the provisions of Regulation 2016/679 on the administrator and processor, and regarding their relationship to the supervisory body, it should be stated that the Chief National Surveyor, during the control procedure with reference number [...], by his actions he violated:


In the opinion of the President of UODO, there is an intentional lack of willingness on the part of the Chief Surveyor of the Country to cooperate in providing the authority with all the information (evidence) necessary to determine whether the data processing processes being subject to control have a legal basis and are processed in accordance with the law. The lack of consent of the Chief Surveyor of the Country to carry out the inspection and his declaration of non-cooperation in this respect has been expressed unequivocally and firmly. The argumentation presented to justify this position of the Chief Surveyor is, as shown above, completely unfounded and - in the opinion of the President of UODO - was largely created post factum in order to justify the unwillingness to submit to a justified and lawful examination by an independent supervisory body. Given that the Chief Surveyor of the Country is a public entity (and additionally a central body within the structure of the surveying and cartographic services), an entity which processes personal data of citizens on a large scale within the scope of its competence, it should also be assumed that he was (and still is) aware that his conduct may constitute a breach of the provisions of Regulation 2016/679, and agrees with this state of affairs.
art. 58 sec. 1 lit. e) Regulation 2016/679, imposing an obligation on him to provide the President of the Personal Data Protection Office with access to all personal data and all information necessary for the supervisory body to perform its tasks,
art. 58 sec. 1 lit. f) Regulation 2016/679, imposing an obligation on him to provide the President with access to all premises of the controller and the processor, including equipment and means for data processing, in accordance with the procedures set out in EU law or in the law of a Member State,
art. 31 of Regulation 2016/679, imposing on him the obligation to cooperate with the President of the Personal Data Protection Office, at his request, as part of his tasks.
In connection with the above violations of the provisions of Regulation 2016/679, the President of the Personal Data Protection Office states that in the present case there are grounds justifying the imposition of the Chief Surveyor of the Country - pursuant to Art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) in fine of Regulation 2016/679 - an administrative fine in connection with the failure by the Chief Surveyor of the Country to provide access to premises, equipment and means for the processing of personal data as well as access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks, as well as lack of cooperation with the President of the Personal Data Protection Office during this inspection.


3. Lack of cooperation with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).
Pursuant to art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, it refers to a number of circumstances listed in points a) to k) of the above-mentioned provision. When deciding to impose an administrative fine on the Chief Surveyor of the country and determining its amount, the President of the Personal Data Protection Office (UODO) took into account the following circumstances aggravating the assessment of the infringement:


In the course of the present proceedings concerning the imposition of an administrative fine, the Chief Surveyor of the Country maintained his disagreement with the inspection in the disputed scope (based on the position denying the President of UODO the right to examine the processing of personal data from the land and building register in GEOPORTAL2). It also did not express any willingness to cooperate with the President of UODO in order to rectify the infringement, which could consist, in particular, in providing full and exhaustive explanations to the extent to which the inspection was thwarted.
Nature, gravity and duration of the infringement (Article 83 (2) (a) of Regulation 2016/679).
The breach subject to administrative pecuniary penalty in the present case undermines the system aimed at protecting one of the fundamental rights of a natural person, which is the right to the protection of his personal data, or more broadly, to the protection of his privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are supervisory authorities with tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the performance of these tasks, supervisory authorities have been equipped with a number of control powers, powers to conduct administrative proceedings and remedial powers. On the other hand, controllers and processors have been imposed specific obligations, correlated with the powers of supervisory authorities, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to personal data and other information necessary for the performance of their tasks, as well as access to premises, equipment and means used to process personal data. Activities of the Chief National Surveyor during the control with reference number [...], in order to prevent its implementation in the scope indicated in points 1-5 and in point 6 (with regard to technical measures implemented to ensure an adequate level of security) personal authorizations to inspect, and resulting in the lack of access to evidence indicating the legality and the lawfulness of the processing by the Chief Surveyor of the Country of personal data from the land and building register, therefore should be considered as harmful to the entire personal data protection system and therefore of great importance and reprehensible character. The gravity of the violation is additionally increased by the fact that the violation by the Chief National Surveyor, although a one-off (it took place on [...] March 2020), caused effects that have lasted until now. The lack of cooperation of the Chief Surveyor of the Country, expressed in the refusal to recognize the right of the President of the Personal Data Protection Office to control compliance with the provisions of the processing of personal data from the land and building records on the GEOPRTAL2 portal, is up-to-date, which is confirmed by the position of the Chief Surveyor of the Country expressed in the letter of his representative with on [...] May 2020. As aggravating, it should also be pointed out that the violation of the rights of the public authority, which is the President of the Personal Data Protection Office, was committed by another public authority - the Chief Surveyor of the Country. From a public authority,


The other conditions for imposing an administrative penalty payment set out in Article 83(1)(a) and (b) of the Treaty on the Functioning of the European Union The other prerequisites for imposing an administrative fine set out in Art. 83 par. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement by the President of UODO (including the following: any relevant previous breaches on the part of the controller or processor, the manner in which the supervisory authority learned about the breach, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (concerning the relationship of the controller or processor with the supervisory authority and not the relationship of the controller or processor with the data subject), could not be taken into account in this case (including: the number of persons harmed and the extent of the harm suffered by them, actions taken by the controller or processor to minimise the harm suffered by the data subjects, the degree of responsibility of the controller or processor taking into account the technical and organisational measures implemented by the controller or processor, the categories of personal data concerned by the breach).
Intentional nature of the breach (Article 83 (2) (b) of Regulation 2016/679).
In the opinion of the President of the Personal Data Protection Office, the Chief National Surveyor has an intentional lack of will to cooperate in providing the authority with all information (evidence) necessary to determine whether the data processing processes subject to control have a legal basis and are processed in accordance with the law. Lack of consent of the Chief Surveyor of the country to carry out the inspection and his declaration of non-cooperation in this regard were expressed in an unambiguous and firm manner. The argumentation presented to justify this position of the Chief National Surveyor is, as it was shown above, completely unfounded and - in the opinion of the President of the Personal Data Protection Office - to a large extent was created post factum in order to justify the unwillingness to submit to a justified and lawful examination by an independent control body. . Considering


According to the wording of Article 83 paragraph 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Chief National Surveyor in these proceedings meets these criteria. It will discipline the Chief Surveyor of the Country to properly cooperate with the President of UODO in future proceedings conducted by the President of UODO with his participation. The maximum penalty imposed by the present decision, as specified in Article 102(1) of Ustawa o.o.d.o., is, in the opinion of the President of UODO, justified and proportional to the seriousness of the infringement found. The penalty will also serve as a deterrent; it will send a clear signal both to the Chief National Surveyor and to other entities obliged under the provisions of Regulation 2016/679 to cooperate with the President of UODO that disregarding the obligations related to cooperation with him (in particular, hindering the control of compliance with the provisions on personal data protection) constitutes a serious infringement and as such will be subject to financial sanctions.
Lack of cooperation with the supervisory authority to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).
In the course of this proceeding concerning the imposition of an administrative fine, the Chief Surveyor of the Country maintained his refusal to carry out the inspection in the questioned scope (based on the position that the President of the Personal Data Protection Office refused the right to examine the processing of personal data from the land and building register on the GEOPORTAL portal2). He also did not express any willingness to cooperate with the President of the Personal Data Protection Office in order to remove the infringement, which could include, in particular, providing full and exhaustive explanations to the extent to which the inspection was frustrated.


In this case, the provisions of Art. 102 section 1 and 3 of the Polish Commercial Companies Code apply, according to which the amount of the administrative fine imposed - on the basis and under the conditions specified in Art. 83 of the Regulation 2016/679 - on a public finance sector unit within the meaning of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869 as amended), is limited to PLN 100,000.
The remaining conditions for the assessment of an administrative fine specified in Art. 83 sec. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement made by the President of the Personal Data Protection Office (including: any relevant prior infringements by the controller or processor, the manner in which the supervisory authority learned about the infringement, compliance with the previously applied the measures itself, the use of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (relating to the controller's or processor's relationship with the supervisory authority, and not the controller's or processor's relationship with the data subject), they could not be taken into account in the present case (including:


In view of the above, the President of the UODO ruled as in the operative part of this decision.  
Pursuant to the wording of Art. 83 sec. 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Chief National Surveyor in this proceeding meets these criteria. It will discipline the Chief National Surveyor to properly cooperate with the President of the Personal Data Protection Office in proceedings conducted in the future by the President of the Personal Data Protection Office with his participation. The penalty imposed by this decision, up to the maximum specified in Art. 102 paragraph. 1 UODO, the amount is - in the opinion of the President of the Personal Data Protection Office - justified and proportional to the seriousness of the infringement found. This penalty will also have a deterrent function;


The decision is final. A party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of UODO (address: ul. Stawki 2, 00 - 193 Warsaw). A relative entry must be made against the complaint in accordance with art. 231 in connection with art. 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to an administrative court shall suspend the execution of a decision on an administrative fine.
In this case, the provisions of Art. 102 paragraph. 1 and 3 of the PDPA, according to which the amount of the administrative fine imposed - on the basis and under the conditions specified in art. 83 of Regulation 2016/679 - per unit of the public finance sector within the meaning of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869, as amended), is limited to the amount of PLN 100,000.


Pursuant to Article 105 Section 1 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine should be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Voivodship Administrative Court, or from the date when the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland (NBP O/O Warszawa) no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. If the deadline for payment of the administrative fine is postponed or spread in instalments, the President of UODO charges interest on the unpaid amount on an annual basis, using the reduced rate of interest for late payment announced pursuant to Art. 56d of the Act of 29 August 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.
Considering the above, the President of UODO ruled as in the conclusion of this decision.  


The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw). A proportionate fee should be filed against the complaint, pursuant to Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Art. 74 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.


Pursuant to Art. 105 paragraph. 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from the date the ruling of the administrative court becomes legally binding, to the bank account of the Personal Data Protection Office at NBP O / O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 paragraph. 2 of the above-mentioned Act, the President of the Personal Data Protection Office may, at a justified request of the punished entity, postpone the payment of the administrative fine or divide it into installments. In the event of postponing the payment of the administrative fine or dividing it into installments, the President of UODO shall charge interest on the unpaid amount annually, using a reduced rate of interest for late payment, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submitting the application.


</pre>
</pre>

Latest revision as of 09:51, 17 November 2023

UODO - DKE.561.3.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 31 GDPR
Article 58(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.07.2020
Published: 02.07.2020
Fine: None
Parties: n/a
National Case Number/Name: DKE.561.3.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Urzędu Ochrony Danych Osobowych - UODO (in PL)
Initial Contributor: n/a

The Surveyor General of Poland violated the provisions of the GDPR by failing to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks.

English Summary

Facts

beginning of March 2020, the President of the Personal Data Protection Office decided on the necessity to perform an inspection of the processing by the Surveyor General of Poland on the portal GEOPORTAL2 of personal data from the poviat land and property registers, about which it informed GGK in the letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted personal authorisations containing information on the scope of the inspection to GGK. The Surveyor General of Poland did not allow for performing full inspection activities resulting from the submitted authorisations.

Dispute

GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.

Holding

THe UODO imposed an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK), because due to the categorical lack of consent of GGK to carry out full inspection activities and the unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground the GEOPORTAL2 online portal (geoportal.gov.pl) enables access to personal data contained in land and property registers and whether GGK has implemented appropriate technical measures to ensure data security.

Comment

This summary is based on the English summary of the Polish Data Protection Authority, which can be found here: https://uodo.gov.pl/en/553/1146

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Warsaw, 02 July 2020
DECISION
DKE.561.3.2020
Based on Article. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Art. 7 section 1 and section 2, art. 60 and art. 102 paragraph. 1 point 1 and sec. 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) in connection with Art. 31, art. 57 sec. 1 lit. a), art. 58 section 1 lit. e) and f) and art. 58 sec. 2 lit. i) in connection with Art. 83 sec. 1 and 2, art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting the administrative procedure initiated ex officio regarding the imposition of the Chief Surveyor of the Country in Warsaw at ul. Wspólna 2, represented by attorneys PT and SK (Kancelaria [...]), an administrative fine, the President of the Office for Personal Data Protection, declaring an infringement by the Chief National Surveyor based in Warsaw at ul. Wspólna 2, the provisions of Art. 31 and 58 sec. 1 lit. e) and f) of Regulation 2016/679, consisting in failure to provide the President of the Office for Personal Data Protection, during the control of compliance with the provisions on the protection of personal data, ref. [...], access to premises, equipment and means for the processing of personal data and access to personal data and information necessary for the President of the Personal Data Protection Office to perform its tasks,

imposes on the Chief National Surveyor based in Warsaw at ul. Wspólna 2, an administrative fine in the amount of PLN 100,000 (in words: one hundred thousand zlotys).

 

SUBSTANTIATION

 

On [...] February 2020, the President of the Personal Data Protection Office (hereinafter referred to as the "President of the Personal Data Protection Office") inspected the processing of personal data in the Poviat Starosty in J. (reference number [...]). The inspection concerned the provision by Starost J., via the GEOPORTAL2 internet portal (www.geoportal.gov.pl), of personal data from the land and building register kept by starosts. In the course of the inspection, it was found that Starosta J. does not publish personal data from the land and building register on this portal, but - on the basis of an appropriate agreement - transfers them (including land and mortgage register numbers) to the Chief Surveyor of the Country, who then makes the obtained data available on the GEOPORTAL portal2 . Due to the above, the President of the Personal Data Protection Office (UODO) decided to carry out a personal data processing control in the scope of sharing personal data from the land and building register via the GEOPORTAL2 portal with the Chief National Surveyor. About the inspection planned for [...] March 2020 (marked with file reference [...]), the Chief National Surveyor was informed on [...] March 2020 by phone and in a letter delivered on that day by e-mail (e-mail).

On [...] March 2020, the inspectors (employees of the Office for Personal Data Protection authorized by the President of the Personal Data Protection Office) went to the Main Office of Geodesy and Cartography to start the planned inspection. The inspectors presented the Chief National Surveyor with official ID cards and submitted personal authorizations, in which the detailed scope of the inspection was specified as follows: "The inspection will cover the provision by the Chief Surveyor of the Country via the GEOPORTAL2 website, personal data from the land and building records, by establishing:

The legal basis for processing, including sharing personal data.
Sources of obtaining personal data.
The scope and type of personal data provided.
The manner and purpose of sharing the bottom passenger.
Is the processing of personal data carried out on the basis of an authorization granted by the personal data administrator or the processor (Article 29 of Regulation 2016/679).
Has the Chief Surveyor of the Country implemented appropriate technical and organizational measures to ensure an adequate level of security of the data protected (Article 32, Article 24 (1) and (2) of Regulation 2016/679).
Has the Chief Surveyor of the country appointed a data protection officer (Article 37 of Regulation 2016/679). "
According to the inspection report drawn up on [...] March 2020 and signed by the inspectors and the Chief National Surveyor, after presenting the identity card and submitting authorizations to conduct the inspection, the Chief National Surveyor stated that he would not sign the submitted authorizations and refused to consent to the inspection. control activities in the scope resulting from the submitted authorizations. Justifying his position in this case, he pointed out that, according to his assessment, from the scope indicated in the controlling authorizations, it follows that the control is to concern the land and mortgage register number, which is not a personal data within the meaning of the provisions of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended), hereinafter referred to as the "Geodetic and cartographic law". On the submitted authorizations, the Chief Surveyor of the country included a written annotation: "I refuse to consent to the inspection activities in the scope of the presented authorization (items 1 to 5) due to the irrelevance of the inspection, which I justify in the letter [...] of [...]. 03.2020 the shortest time is due to the fact that the scope of the inspection is to focus on the number of the land and mortgage register, which is not a personal data within the meaning of the Geodetic and Cartographic Law. I am asking for clarification of the scope of the control in accordance with the basis for its initiation. " The Chief Surveyor of the country then stated that he agreed to carry out control activities only to the extent specified in points 6 and 7 of personal authorizations. Only then did he sign the personal authorizations of the inspectors, placing the annotation "Signed in accordance with the declaration below" next to the signature. In accordance with the above-mentioned statement, the Chief Surveyor of the Country submitted a letter with the reference number [...] to the inspection files, in which it was indicated, inter alia, legal grounds for qualifying the number of the land and mortgage register as a given subject, that is art. 20 paragraph 1 point 1 of the Geodetic and Cartographic Law and § 73 of the Regulation of the Minister of Regional Development and Construction of March 29, 2001 on land and building records.

Due to the unequivocally expressed lack of consent of the Chief Surveyor of the Country to carry out control activities in the scope specified in items 1-5 of personal authorizations, the inspectors withdrew from activities in this respect, making arrangements only in the scope referred to in items 6 and 7 of the authorization. Within the scope of control, for which the Chief National Surveyor has consented, controlling, among others:

heard as a witness Mr. W. I. - Chief Country Surveyor,
obtained a copy of an exemplary agreement with the staroste on cooperation in the creation and maintenance of common elements of technical infrastructure regarding the publication of PZGiK data,
obtained copies of documents confirming the general organizational measures implemented by the Chief Surveyor of the Country (not particularly related to the GEOPRTAL2 portal) to ensure the security of the protected data,
obtained copies of documents confirming the appointment by the Chief Land Surveyor of Mr. [...] as the Data Protection Inspector at the Central Office of Geodesy and Cartography,
heard as a witness Mr. [...] - Chief Specialist in the Department [...] at the Head Office of Geodesy and Cartography,
obtained a printout of the Regulations of the website www.geoportal.gov.pl,
obtained copies of the Register of processing activities containing the risk analysis and impact assessment for data protection and the Register of processing activities categories with risk analysis.
During the inspection, the inspectors - due to the lack of consent of the Chief National Surveyor - did not assess the implemented technical measures to ensure the security of the protected data (including data processed via the GEOPORTAL2 portal), in particular, they did not inspect the places, objects, devices of carriers and IT systems for data processing. Moreover - due to, inter alia, against the refusal of the Chief Country Surveyor to sign the protocol of testimony made on [...] March 2020 - the inspectors did not obtain full and binding, legally effective explanations of the inspected party in the subject covered by the inspection.

Due to the ineffectiveness of further inspection, due to the lack of consent of the Chief Surveyor of the Country for inspection activities regarding the scope specified in points 1-5 of personal inspection authorizations, and the lack of cooperation on his part in this regard, the inspectors decided to terminate on [...] March 2020 control. On that day, an inspection protocol was drawn up by the inspectors, and then signed by the Chief National Surveyor (without any reservations).

Due to the fact that it was impossible to control the processing by the Chief Surveyor of the Country of personal data from the land and building register on the GEOPORTAL2 portal, this procedure was initiated ex officio to impose an administrative fine on the Chief Surveyor of the Country for violation of Art. 31 and art. 58 sec. 1 lit. e) and f) of Regulation 2016/679, consisting in the lack of cooperation with the President of the Personal Data Protection Office in the performance of his tasks, preventing the inspection of personal data processing, as well as failure to provide the President of the Personal Data Protection Office with access to premises, equipment and means used to process personal data , and access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks.

The Chief National Surveyor was informed about the initiation of the procedure and the collection of evidence in the case by a letter of [...] March 2020, delivered to him electronically via the ePUAP platform.

By letter of [...] April 2020 (delivered to the President of the Personal Data Protection Office on [...] April 2020), the representative of the Chief Surveyor of the Country requested that the representatives of the Chief Surveyor of the Country be able to inspect the case files and prepare their photocopies, or to provide copies of the entire case files by electronic means . In response to the request, copies of the entire case files were submitted to the representative of the Chief Surveyor of the Country by post, by letter of [...] May 2020, delivered to the representative on [...] May 2020.

In a letter of [...] May 2020 (delivered to the President of UODO on [...] May 2020), the representative of the Chief Surveyor of the Country presented the position of the Chief Surveyor of the Country, indicating that "the initiation and conduct of proceedings by the President of UODO in this case is pointless and for this reason should be written off in full ”. The Plenipotentiary of the Chief Surveyor of the Country submitted in particular that

"The scope of the inspection was pointless, as it concerned the use of information that does not constitute personal data, and for which the Chief Surveyor of the Country does not decide on the purposes and methods of processing (thus, it could not have the status of a data controller). GKK did not prevent the inspection, but only questioned the scope of the inspection, which was to concern the processing of personal data in the form of a land and mortgage register number. "
"The inspection [...] was carried out not at the Head of the National Surveyor, but at the Head Office of Geodesy and Cartography, which, from the point of view of the provisions of the GDPR, is a separate administrator of personal data."
"The President of the Personal Data Protection Office groundlessly found that the Chief National Surveyor - who participated in the inspection proceedings as a representative of the inspected entity, ie the Central Office of Geodesy and Cartography - did not cooperate with the President of the Personal Inspectorate as part of his tasks".
"The President of the Personal Data Protection Office (UODO) groundlessly found that the Chief National Surveyor made it impossible to carry out an inspection in the field of personal data processing at the controlled entity, i.e. at the Central Office of Geodesy and Cartography."
"The President of the Personal Data Protection Office unjustifiably considered that the Chief National Surveyor did not provide the President of the Personal Data Protection Office with access to premises, equipment and means for processing personal data in connection with the control carried out at the Central Office of Geodesy and Cartography, and did not provide access to information necessary for the President of the Personal Data Protection Office. his tasks. "
“As a result of the above, the President of the Personal Data Protection Office unjustified that GGK could infringe Art. 31 and art. 58 sec. 1 lit. e) and f) GDPR. "
After considering all the evidence collected in the case, the President of UODO considered the following.

Pursuant to Art. 57 sec. 1 lit. a) Regulation 2016/679, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of art. 51 of the Regulation 2016/679 - its task is to monitor and enforce the application of this regulation on its territory. As part of his competences, the President of the Personal Data Protection Office is responsible, inter alia, conduct proceedings on the application of Regulation 2016/679 (Article 57 (1) (f)). In order to enable the performance of such defined tasks, the President of the Personal Data Protection Office has a number of provisions specified in art. 58 sec. 1 of Regulation 2016/679, the rights in the scope of conducted proceedings, including the right to order the administrator and the processor to provide all information needed to perform its tasks (Article 58 (1) (a), the right to obtain from the controller and the processor access to any personal data and any information necessary for the performance of its tasks (Article 58 (1) (e) and the right to access all premises of the controller and processor, including equipment and measures for data processing, in accordance with the procedures laid down in EU law or in the law of a Member State (Article 58 (1) (f)). Violation of the provisions of Regulation 2016/679, consisting in failure to provide access to the data and information referred to above by the public authority being the controller or processor, resulting in the violation of the authority's powers specified in art. 58 sec. 1 of Regulation 2016/679 (including the right to obtain personal data and information necessary to perform its tasks and to gain access to premises, equipment and means for data processing), and may be subject - in accordance with art. 83 sec. 5 letter e) in fine of the Regulation 2016/679 in connection with art. 102 paragraph. 1 and 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as "PDA" - an administrative fine of up to PLN 100,000.

It should also be pointed out that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Art. 31 of Regulation 2016/679. Failure to comply with this obligation is also threatened - in accordance with Art. 83 sec. 4 lit. a) Regulation 2016/679 in connection with art. 102 paragraph. 1 and 3 of the Personal Data Protection Act - an administrative fine of up to PLN 100,000.

Indicated in art. 58 sec. 1 lit. f) of Regulation 2016/679 "the procedure laid down in EU law or in the law of a Member State" for the exercise of the supervisory authority's right to gain access to the premises of the controller and the processor, including equipment and means for data processing, is based on Polish law, described in Chapter 9 of the Act on Personal Data Protection (Articles 78 - 91), the procedure of "monitoring compliance with the provisions on the protection of personal data". Pursuant to Art. 78 uodo, the President of the Personal Data Protection Office (UODO) controls compliance with the provisions on the protection of personal data (paragraph 1), and this control may be carried out "in accordance with the control plan approved by the President of the Office or on the basis of information obtained by the President of the Office or as part of monitoring compliance with the application of Regulation 2016 / 679 ”(section 2). Controlling persons (authorized employees of the Office for Personal Data Protection) are entitled to - as provided for in Art. 84 sec. 1 of the Personal Data Protection Act - the right to: 1. enter the land and buildings, premises or other premises between 6.00 a.m. and 10.00 p.m., 2. access documents and information directly related to the scope of the inspection, 3. carry out inspections of places, objects, devices, data carriers and IT or teleinformation systems used for data processing, 4. demand to submit written or oral explanations and to interview a person as a witness to the extent necessary to establish the facts, 5. commission the preparation of expert opinions and opinions. The inspector determines the facts on the basis of evidence collected (with the use of the above-mentioned powers) in the control procedure, in particular documents,

Referring the above-mentioned provisions to the facts of the present case, it should be stated that the President of the Personal Data Protection Office had the right to initiate and conduct an inspection of the processing of personal data at the Chief National Surveyor; it also had a justification for making findings in this type of procedure (control procedure regulated in chapter 9 of the PDPA).

The control powers of the President of the Personal Data Protection Office (UODO) have been formulated - in the above-mentioned provisions of the Regulation 2016/679 and the Personal Data Protection Act - broadly; their use is limited only to the purpose - checking whether the provisions on the protection of personal data are complied with. It is worth noting that the condition for carrying out such an inspection is not even a justified suspicion that a violation has been found. The legislator expressly allows in Art. 78 sec. 2 uodo, the possibility of carrying out inspections "in accordance with [...] the inspection plan", i.e. without prior information indicating irregularities in the processing of personal data taking place in a specific entity, and even without information indicating whether a given entity processes personal data at all (control of such an entity would, however, first have to establish such a circumstance - before making further determinations regarding, for example, the legality and lawfulness of processing). General and broad definition of the task to be performed by the President of the Personal Data Protection Office ("monitoring and enforcement of the application of the regulation" referred to in Article 57 (1) (a) of Regulation 2016/679, "control of compliance with the provisions on the protection of personal data" referred to in Art. 78 sec. 1 UODO) leaves the President of UODO the freedom to define both the group of controlled entities and the scope of the inspections carried out. This task should be understood broadly - not only as checking whether a specific entity in a specific case violates the provisions on the protection of personal data in a specific way, but also as a task undertaken to identify the types, areas and scale of problems related to the application of the provisions on the protection of personal data. (in particular, Regulation 2016/679), their elimination and prevention in the future. In the context of the freedom left to the President of the Personal Data Protection Office in determining the entity subject to control and the scope of this control, it should be stated that in this case the President of the Personal Data Protection Office had a particularly justified basis to initiate and conduct an inspection at the Chief Surveyor of the country in the scope that he considered necessary for the implementation of the task of monitoring the application of the Regulation. 2016/679. As a result of the inspection carried out on [...] February 2020 in the Poviat Starosty in J. (reference number [...]), he obtained information about the provision of personal data to the Chief Surveyor of the Country by Starost J. land and mortgage registers) and their further processing (sharing) via the GEOPORTAL2 portal. The mere fact of having these data by the Chief Surveyor of the Country is a sufficient basis for conducting an inspection aimed at - as stated in Art. 87 of the PPA - only collecting evidence allowing to establish the facts of the case (and not the legal assessment of this status, which - in the case of suspected violations - takes place in a separate administrative procedure). From the essence of control understood in this way, it follows that that the inspected entity cannot question - at the stage of initiating and conducting the inspection - its legitimacy and its scope. As rightly pointed out by the Supreme Administrative Court in the judgment of March 3, 2016 in the case file no. II OSK 1667/14 (regarding the imposition by the Chief Sanitary Inspector, on the basis of the Act of August 25, 2006 on Food and Nutrition Safety (Journal of Laws of 2019, item 1252, as amended), a fine in connection with preventing official food control): "The court of first instance and the authorities inspected in administrative court proceedings are right that the plant under examination is not entitled to decide on the scope of the control. It is the exclusive domain of the controlling units. " (Lex No. 2113109). This statement - in the opinion of the President of the Personal Data Protection Office - has a general meaning and also applies to the control of compliance with the provisions on the protection of personal data. The place for questioning the legal assessment of the facts of the case (and in this case it is essentially the questioning by the Chief National Surveyor of the scope of the inspection, related to the statement that the land and mortgage register number does not constitute a personal o evidence collected during the control procedure.

As shown above, the inspection powers of the President of the Personal Data Protection Office are limited to the purpose of the inspection, which is to verify compliance with the provisions on the protection of personal data. The position of the Chief National Surveyor expressed during the inspection, and developed in his representative's letter of [...] May 2020, that the data in the form of land and mortgage register numbers do not constitute personal data, is in fact a statement that the inspection (to the extent specified in items 1 -5 personal controlling authorizations) did not fit this purpose. Such a claim should definitely be considered incorrect. Without prejudging the qualification of such data as personal data in the case at hand, it should be pointed out that at the time of initiating the inspection, the President of the Personal Data Protection Office had at least reasonable grounds to accept such a classification. This justification resulted from the consistent position of the President of the Personal Data Protection Office, and previously the Inspector General for Personal Data Protection, as well as the position of the doctrine and jurisprudence of administrative courts (see the judgment of the Supreme Administrative Court of 18 February 2014, ref. I OSK 1839/12 - LEX No. 1449867, judgment of the Supreme Administrative Court of 26 September 2018, reference number I OSK 276/17 - LEX no. 2737936, judgment of the Supreme Administrative Court of 26 September 2018, reference number I OSK 11/17 - LEX no. 2573629). In view of the above, the actions of the Chief National Surveyor aimed at thwarting or hindering the inspection should be considered unacceptable, in particular when these actions are based solely on the subjective legal assessment of the controlled entity (even if they are supported by selected, unrepresentative voices of the doctrine and court decisions). Doing so would lead to an unacceptable situation where

Similar to the above argumentation of the Chief Surveyor of the Country, the position presented by his attorney in the letter of [...] May 2020 should be assessed that "the scope of the inspection is pointless because it concerned the use of information [...] for which the Chief Surveyor of the Country does not decide on the goals and methods of processing (therefore, he could not have the status of a data controller) ”. The assessment of whether the Chief National Surveyor performs the role of the administrator in the data processing on the GEOPRTAL2 portal (or maybe a co-administrator, or a processor) is an element of the facts that was to be determined in the course of the inspection. At the time of the inspection, the President of the Personal Data Protection Office had information that on the GEOPORTAL2 portal, whose administrator is the Chief Country Surveyor, the information that constitutes (or may constitute) personal data is processed, in particular the land and mortgage register numbers assigned to the real estate presented on the portal. The above was confirmed by the results of the inspection carried out in the Poviat Starosty in J. (reference number [...]), which showed that the Chief Surveyor of the Country obtained data (including the numbers of land and mortgage registers from the land and building records kept by Starost J. ) for further processing via the GEOPORTAL2 portal. Additionally, it is worth mentioning that in the Regulations of the website which showed that the Chief Surveyor of the Country obtained from the land and building records kept by Starost J., data (including land and mortgage register numbers) for further processing via the GEOPORTAL2 portal. In addition, it is worth mentioning that in the Regulations of the website which showed that the Chief Surveyor of the Country obtained from the land and building records kept by Starost J., data (including land and mortgage register numbers) for further processing via the GEOPORTAL2 portal. In addition, it is worth mentioning that in the Regulations of the websitewww.geoportal.gov.pl (posted on the website www.geoportal.gov.pl.) there is information directly indicating that the administrator of personal data processed on the GEOPORTAL2 portal is the Chief National Surveyor ("The administrator of your personal data is the Chief National Surveyor with its seat in Warsaw, ul. Wspólna 2, 00-926 Warsaw"). Such information justifies the need to carry out an audit of compliance with the provisions on the protection of personal data in order to determine the role of the Chief National Surveyor in this data processing process. The position of the Chief National Surveyor, presented in the letter of his representative of [...] May 2020, also erroneously assumes that the entity subject to the control of the President of the Personal Data Protection Office may only be the entity deciding on the purposes and methods of processing, i.e. the controller (which he - in his own opinion - in the case under consideration is not). The Chief Surveyor of the Country does not seem to notice that the obligation to provide access to personal data and information necessary to perform the tasks of the President of the Personal Data Protection Office and access to premises, equipment and means for data processing, referred to in Art. 58 section 1 lit. e) and f), rests not only on the controller, but also on the co-controller and the entity processing personal data. By denying his role as administrator, the Chief National Surveyor seems not to exclude that he processes personal data from the land and building register as a processor - on behalf of administrators (starosts), on the basis of contracts that could in fact be assessed as in art. 28 sec. 3 of the Regulation 2016/679). The above uncertainty as to the role played in the processing of data obtained from the land and building register in the GEOPORTAL2 portal, which could be removed in the course of the inspection, proves the legitimacy of carrying out the inspection at the Chief National Surveyor in the full scope - specified in the personal authorizations for inspecting - to the extent. Similarly, with regard to the provisions of Art. 31 of Regulation 2016/679, the obligation to cooperate with the supervisory authority, it is addressed not only to the controller, but also to the processor.

that it is in the Head Office of Geodesy and Cartography as an organizational unit with which the Chief Surveyor of the country carries out his tasks, personal data and sources of information, premises, equipment and means for the processing of personal data, access to which was necessary for the President of the Personal Data Protection Office in order to collect evidence regarding. The analysis of the entire content of the documents relating to the inspection (in particular those preparing the inspection - the inspection notice of [...] March 2020 and the personal authorizations of the inspectors of [...] March 2020) shows unequivocally that the purpose of the inspection was related to the implementation of the statutory main task Country Surveyors, which is the creation and maintenance of the GEOPORTAL2 portal. This is evidenced by such phrases as: "the scope of the inspection will cover disclosure by the Chief Surveyor of the Country ...", "I am asking for the preparation of documentation regarding the processing of personal data by the Chief National Surveyor." (both from the notification of inspection), "the inspection will cover the disclosure by the Chief Surveyor of the Country ...", "whether the Chief Surveyor of the Country has implemented appropriate technical and organizational measures ...", "whether the Chief Surveyor of the Country has appointed a data protection officer ..." (the last three of the personal authorizations controlling). As the representative of the Chief National Surveyor himself pointed out in a letter of [...] May 2020, the task of creating and maintaining the GEOPORTAL2 portal was formulated in the provisions of Art. 5 of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended) and Art. 13 sec. 1 of the Act of March 4, 2010 on spatial information infrastructure (Journal of Laws of 2020, item 177, as amended). The latter provision states that the Chief National Surveyor creates and maintains a geo-portal of the spatial information infrastructure as a central access point to spatial data sets and services; however, it does not provide for any participation in this task for the Head Office of Geodesy and Cartography. The above provision specifying the competences and responsibilities in the field of the GEOPORTAL2 portal operation, in conjunction with the subject and scope of control indicated by the President of the Personal Data Protection Office, should not leave (especially to the central authority competent in matters of geodesy and cartography) any doubts as to the determination of the entity subject to control. It should also be emphasized that the Chief National Surveyor, both at the start of the inspection and during the inspection, did not raise any objections as to the indication of the inspected entity, although he had such a possibility (by submitting a declaration of disagreement to the inspection on personal authorizations of the inspectors, submitting such objections to the report of the hearing as a witness or in the form of an objection to the inspection report). In the opinion of the President of the Personal Data Protection Office, the objection to the indication of the controlled entity was formulated by the Chief Surveyor of the Country post factum - solely for the purpose of justifying his infringement of the provisions on the protection of personal data. 

Summarizing the above considerations, it should be stated that presented by the Chief Surveyor of the Country during the inspection, and developed by his attorney in the position presented to the President of the Personal Data Protection Office in a letter of [...] May 2020, the justification for refusing to consent to the inspection of personal data processing by him, it does not deserve approval at any point. The President of the Personal Data Protection Office had the right and justification to carry out an inspection at the Chief National Surveyor. The scope of this control fell within the objectives set out in Art. 57 sec. 1 lit. a) Regulation 2016/679 ("monitoring and enforcement of the application of the regulation") and in art. 78 sec. 1 uodo ("control of compliance with the provisions on the protection of personal data"). The operation of the Chief Surveyor of the country as the inspected person, consisting in refusing to consent to the inspection in the scope specified in points 1-5 of personal authorizations of the inspected persons, made it impossible to fully perform inspection activities in this area (in particular, inspection of IT and teleinformation systems in which the Chief Surveyor The country has personal data, collecting the explanations of the Chief National Surveyor in this regard, receiving explanations and testimonies from employees of the Chief Surveyor of the Country, obtaining access to documents constituting the basis for obtaining personal data processed on the GEOPORTAL2 portal - e.g. contracts linking the Chief Surveyor of the Country with the starosts). Refusal of the Chief National Surveyor to carry out an inspection in the scope specified in points 1-5 of personal authorizations for the inspected, denoting a declaration of the lack of any cooperation with the inspectors in this scope, caused the inspectors to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. caused the controllers to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. caused the controllers to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief National Surveyor in the field of control, which he himself arbitrarily considered to be groundless. that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief National Surveyor in the field of control, which he himself arbitrarily considered to be groundless.

Referring the above findings to the obligations imposed by the provisions of Regulation 2016/679 on the administrator and processor, and regarding their relationship to the supervisory body, it should be stated that the Chief National Surveyor, during the control procedure with reference number [...], by his actions he violated:

art. 58 sec. 1 lit. e) Regulation 2016/679, imposing an obligation on him to provide the President of the Personal Data Protection Office with access to all personal data and all information necessary for the supervisory body to perform its tasks,
art. 58 sec. 1 lit. f) Regulation 2016/679, imposing an obligation on him to provide the President with access to all premises of the controller and the processor, including equipment and means for data processing, in accordance with the procedures set out in EU law or in the law of a Member State,
art. 31 of Regulation 2016/679, imposing on him the obligation to cooperate with the President of the Personal Data Protection Office, at his request, as part of his tasks.
In connection with the above violations of the provisions of Regulation 2016/679, the President of the Personal Data Protection Office states that in the present case there are grounds justifying the imposition of the Chief Surveyor of the Country - pursuant to Art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) in fine of Regulation 2016/679 - an administrative fine in connection with the failure by the Chief Surveyor of the Country to provide access to premises, equipment and means for the processing of personal data as well as access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks, as well as lack of cooperation with the President of the Personal Data Protection Office during this inspection.

Pursuant to art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, it refers to a number of circumstances listed in points a) to k) of the above-mentioned provision. When deciding to impose an administrative fine on the Chief Surveyor of the country and determining its amount, the President of the Personal Data Protection Office (UODO) took into account the following circumstances aggravating the assessment of the infringement:

Nature, gravity and duration of the infringement (Article 83 (2) (a) of Regulation 2016/679).
The breach subject to administrative pecuniary penalty in the present case undermines the system aimed at protecting one of the fundamental rights of a natural person, which is the right to the protection of his personal data, or more broadly, to the protection of his privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are supervisory authorities with tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the performance of these tasks, supervisory authorities have been equipped with a number of control powers, powers to conduct administrative proceedings and remedial powers. On the other hand, controllers and processors have been imposed specific obligations, correlated with the powers of supervisory authorities, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to personal data and other information necessary for the performance of their tasks, as well as access to premises, equipment and means used to process personal data. Activities of the Chief National Surveyor during the control with reference number [...], in order to prevent its implementation in the scope indicated in points 1-5 and in point 6 (with regard to technical measures implemented to ensure an adequate level of security) personal authorizations to inspect, and resulting in the lack of access to evidence indicating the legality and the lawfulness of the processing by the Chief Surveyor of the Country of personal data from the land and building register, therefore should be considered as harmful to the entire personal data protection system and therefore of great importance and reprehensible character. The gravity of the violation is additionally increased by the fact that the violation by the Chief National Surveyor, although a one-off (it took place on [...] March 2020), caused effects that have lasted until now. The lack of cooperation of the Chief Surveyor of the Country, expressed in the refusal to recognize the right of the President of the Personal Data Protection Office to control compliance with the provisions of the processing of personal data from the land and building records on the GEOPRTAL2 portal, is up-to-date, which is confirmed by the position of the Chief Surveyor of the Country expressed in the letter of his representative with on [...] May 2020. As aggravating, it should also be pointed out that the violation of the rights of the public authority, which is the President of the Personal Data Protection Office, was committed by another public authority - the Chief Surveyor of the Country. From a public authority,

Intentional nature of the breach (Article 83 (2) (b) of Regulation 2016/679).
In the opinion of the President of the Personal Data Protection Office, the Chief National Surveyor has an intentional lack of will to cooperate in providing the authority with all information (evidence) necessary to determine whether the data processing processes subject to control have a legal basis and are processed in accordance with the law. Lack of consent of the Chief Surveyor of the country to carry out the inspection and his declaration of non-cooperation in this regard were expressed in an unambiguous and firm manner. The argumentation presented to justify this position of the Chief National Surveyor is, as it was shown above, completely unfounded and - in the opinion of the President of the Personal Data Protection Office - to a large extent was created post factum in order to justify the unwillingness to submit to a justified and lawful examination by an independent control body. . Considering

Lack of cooperation with the supervisory authority to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).
In the course of this proceeding concerning the imposition of an administrative fine, the Chief Surveyor of the Country maintained his refusal to carry out the inspection in the questioned scope (based on the position that the President of the Personal Data Protection Office refused the right to examine the processing of personal data from the land and building register on the GEOPORTAL portal2). He also did not express any willingness to cooperate with the President of the Personal Data Protection Office in order to remove the infringement, which could include, in particular, providing full and exhaustive explanations to the extent to which the inspection was frustrated.

The remaining conditions for the assessment of an administrative fine specified in Art. 83 sec. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement made by the President of the Personal Data Protection Office (including: any relevant prior infringements by the controller or processor, the manner in which the supervisory authority learned about the infringement, compliance with the previously applied the measures itself, the use of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (relating to the controller's or processor's relationship with the supervisory authority, and not the controller's or processor's relationship with the data subject), they could not be taken into account in the present case (including:

Pursuant to the wording of Art. 83 sec. 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Chief National Surveyor in this proceeding meets these criteria. It will discipline the Chief National Surveyor to properly cooperate with the President of the Personal Data Protection Office in proceedings conducted in the future by the President of the Personal Data Protection Office with his participation. The penalty imposed by this decision, up to the maximum specified in Art. 102 paragraph. 1 UODO, the amount is - in the opinion of the President of the Personal Data Protection Office - justified and proportional to the seriousness of the infringement found. This penalty will also have a deterrent function;

In this case, the provisions of Art. 102 paragraph. 1 and 3 of the PDPA, according to which the amount of the administrative fine imposed - on the basis and under the conditions specified in art. 83 of Regulation 2016/679 - per unit of the public finance sector within the meaning of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869, as amended), is limited to the amount of PLN 100,000.

Considering the above, the President of UODO ruled as in the conclusion of this decision. 

The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw). A proportionate fee should be filed against the complaint, pursuant to Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Art. 74 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.

Pursuant to Art. 105 paragraph. 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from the date the ruling of the administrative court becomes legally binding, to the bank account of the Personal Data Protection Office at NBP O / O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 paragraph. 2 of the above-mentioned Act, the President of the Personal Data Protection Office may, at a justified request of the punished entity, postpone the payment of the administrative fine or divide it into installments. In the event of postponing the payment of the administrative fine or dividing it into installments, the President of UODO shall charge interest on the unpaid amount annually, using a reduced rate of interest for late payment, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submitting the application.