WSA Warsaw - 1592/23: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Poland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=WSA Warsaw |Court_Original_Name=Wojewódzki Sąd Administracyjny w Warszawie |Court_English_Name=Voivodeship Administrative Court in Warsaw |Court_With_Country=WSA Warsaw (Poland) |Case_Number_Name=1592/23 |ECLI= |Original_Source_Name_1=Centralna Baza Orzeczeń Sądów Administracyjnych |Original_Source_Link_1=https://orzeczenia.nsa.gov.pl/doc/1E4552705D |Original_...") |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 66: | Line 66: | ||
}} | }} | ||
A court | A court held that the phone number of a company’s CEO, used by a business partner as the company’s contact data, constituted data relating to a legal person and therefore fell outside the scope of the GDPR. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A company ( | A company (the controller) entered into contract with another company represented by its CEO (the data subject). | ||
The data subject claimed that after the conclusion of the contract between the companies, the controller processed their data for marketing purposes, as they received marketing calls from the controller. | |||
The data subject requested (via e-mail) the controller to delete their data under [[Article 17 GDPR|Article 17 GDPR]]. Nevertheless, the data subject received another marketing call. | The data subject requested (via e-mail) the controller to delete their data under [[Article 17 GDPR|Article 17 GDPR]]. Nevertheless, the data subject received another marketing call. | ||
Line 77: | Line 79: | ||
The data subject file a complaint with the Polish DPA (UODO). | The data subject file a complaint with the Polish DPA (UODO). | ||
During the proceedings, the controller explained that the data they processed were treated as | During the proceedings, the controller explained that the data they processed were treated as data of a legal person, not the data subject’s data. After the investigation, the DPA stated that the controller processed the data under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], since there was contractual relationship between the controller and the company represented by the data subject. Hence, the data provided with the controller served the purpose of facilitating the contract. | ||
Afterwards, the data subject filed another deletion request under [[Article 17 GDPR|Article 17 GDPR]], regarding all their data processed by the controller. The controller answered the request and asked the data subject to clarify whether they wished to close the account with the controller. If so, the data subject was asked to send written application to close the account and delete the data. Once again, the data subject received marketing call from the controller. The data subject’s data was eventually deleted once the DPA contacted the controller. | Afterwards, the data subject filed another deletion request under [[Article 17 GDPR|Article 17 GDPR]], regarding all their data processed by the controller. The controller answered the request and asked the data subject to clarify whether they wished to close the account with the controller. If so, the data subject was asked to send written application to close the account and delete the data. Once again, the data subject received marketing call from the controller. The data subject’s data was eventually deleted once the DPA contacted the controller. | ||
Line 88: | Line 90: | ||
=== Holding === | === Holding === | ||
The court upheld the appeal and | The court upheld the appeal and overruled the DPA’s decision. | ||
According to the court, the phone number for used for setting up the company account with the controller. The phone number was clearly inserted within the section ”client number”. Thus, the controller had no reasons to doubt that it was the company number. Consequently, the court found the GDPR was not violated, because it didn’t apply to processing of legal persons’ data. Additionally, the data subject was the CEO of the company and they had a choice not to disclose their number. | According to the court, the phone number for used for setting up the company account with the controller. The phone number was clearly inserted within the section ”client number”. Thus, the controller had no reasons to doubt that it was the company number. Consequently, the court found the GDPR was not violated, because it didn’t apply to processing of legal persons’ data. Additionally, the data subject was the CEO of the company and they had a choice not to disclose their number. |
Latest revision as of 07:00, 22 October 2024
WSA Warsaw - 1592/23 | |
---|---|
Court: | WSA Warsaw (Poland) |
Jurisdiction: | Poland |
Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 15 GDPR Article 17 GDPR |
Decided: | 10.04.2024 |
Published: | |
Parties: | |
National Case Number/Name: | 1592/23 |
European Case Law Identifier: | |
Appeal from: | UODO (Poland) |
Appeal to: | Unknown |
Original Language(s): | Polish |
Original Source: | Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish) |
Initial Contributor: | wp |
A court held that the phone number of a company’s CEO, used by a business partner as the company’s contact data, constituted data relating to a legal person and therefore fell outside the scope of the GDPR.
English Summary
Facts
A company (the controller) entered into contract with another company represented by its CEO (the data subject).
The data subject claimed that after the conclusion of the contract between the companies, the controller processed their data for marketing purposes, as they received marketing calls from the controller.
The data subject requested (via e-mail) the controller to delete their data under Article 17 GDPR. Nevertheless, the data subject received another marketing call.
The data subject file a complaint with the Polish DPA (UODO).
During the proceedings, the controller explained that the data they processed were treated as data of a legal person, not the data subject’s data. After the investigation, the DPA stated that the controller processed the data under Article 6(1)(b) GDPR, since there was contractual relationship between the controller and the company represented by the data subject. Hence, the data provided with the controller served the purpose of facilitating the contract.
Afterwards, the data subject filed another deletion request under Article 17 GDPR, regarding all their data processed by the controller. The controller answered the request and asked the data subject to clarify whether they wished to close the account with the controller. If so, the data subject was asked to send written application to close the account and delete the data. Once again, the data subject received marketing call from the controller. The data subject’s data was eventually deleted once the DPA contacted the controller.
The DPA issued the reprimand against the controller for unlawful processing of data for marketing purposes. For the DPA, after the second deletion request, there was no legal basis in place to process the data for marketing purposes.
The controller brought an appeal against the DPA’s decision before the Voivodeship Administrative Court in Warsaw (Wojewódzki Sąd Administracyjny w Warszawie).
The controller argued that, inter alia, they didn’t contact the data subject for marketing purpose but to discuss the update of the service’s fee. Moreover, the controller stated that the data subject didn’t mention it was his private phone number. It was then treated as the company number and the controller didn’t know which of the company’s employee would answered the phone. Lastly, the controller called upon Article 6(1)(f) GDPR, namely the possibility to sustain the contact with their client – the company represented by the data subject.
Holding
The court upheld the appeal and overruled the DPA’s decision.
According to the court, the phone number for used for setting up the company account with the controller. The phone number was clearly inserted within the section ”client number”. Thus, the controller had no reasons to doubt that it was the company number. Consequently, the court found the GDPR was not violated, because it didn’t apply to processing of legal persons’ data. Additionally, the data subject was the CEO of the company and they had a choice not to disclose their number.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Date of judgment 2024-04-10 final judgment Date of receipt 2023-08-11 Court Provincial Administrative Court in Warsaw Judges Ewa Radziszewska-Krupa Iwona Maciejuk /chairperson/ Joanna Kube /rapporteur/ Symbol with description 647 Cases related to personal data protection Thematic entries Personal data protection Accused body Inspector General for Personal Data Protection Content of the result The contested decision was repealed Referenced provisions OJ EU.L 2016 No. 119 item 1 art. 4 point 1, art. 6 par. 1 in connection with art. 21 par. 2 and 3, art. 17 par. 1 letter c, art. 14, art. 58 sec. 2 lit. b Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC Journal of Laws 2023 item 1634 art. 145 § 1 point 1 lit. c Act of 30 August 2002 - Law on proceedings before administrative courts - consolidated text Verdict The Provincial Administrative Court in Warsaw, composed of the following members: Presiding Judge of the Provincial Administrative Court Iwona Maciejuk, Judge of the Provincial Administrative Court Joanna Kube (rapporteur), Judge of the Provincial Administrative Court Ewa Radziszewska-Krupa, Clerk of the Court Senior Specialist Ewa Kielak-Niedźwiedzka, having considered the case of the complaint of M. sp. z o.o. sp.k. with its registered office in O. against the decision of the President of the Personal Data Protection Office of [...] May 2023, No. [...] regarding the processing of personal data, at the hearing on April 10, 2024, 1. quashes the contested decision; 2. awards the amount of PLN 680 (in words: six hundred eighty) from the President of the Personal Data Protection Office to the complainant M. sp. z o.o. sp.k. with its registered office in O. as reimbursement of the costs of the proceedings. Justification The President of the Personal Data Protection Office (hereinafter: "President of the Personal Data Protection Office", "authority") by decision of [...] May 2023, No. [...], on the basis of art. 104 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (consolidated text: Journal of Laws of 2023, item 775), hereinafter: "k.a.p.a." in connection with art. 7 of the Personal Data Protection Act of 10 May 2018 (consolidated text: Journal of Laws of 2019, item 1781), art. 6 par. 1, art. 17 par. 1, art. 21 par. 2 and 3 and art. 58 par. 2 letter b Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation) (OJ EU L 119 of 4 May 2016, p. 1, OJ EU L 127 of 23 May 2018, p. 2 and OJ EU L 74 of 4 March 2021, p. 35), hereinafter referred to as "GDPR", after conducting administrative proceedings on T.C.'s complaint about irregularities in the processing of his personal data by M. sp. z o.o. sp.k. with its registered office in O., consisting in the processing of the complainant's personal data for marketing purposes without a legal basis and failure to take into account the complainant's request to delete his personal data. The President of the Personal Data Protection Office issued M. sp. z o.o. sp.k. with its registered office in O. (hereinafter referred to as the "Company") a warning for violating art. 6 sec. 1 in connection with art. 21 sec. 2 and 3 and art. 17 sec. 1 letter c of the GDPR, consisting in the processing of T.C.'s personal data (hereinafter referred to as the "Complainant") for marketing purposes without a legal basis. In a letter dated [...] October 2019, the Complainant submitted a complaint to the President of the Personal Data Protection Office regarding irregularities in the processing of his personal data by the Company. He stated that on [...] August 2019, he expressed his will to remove his telephone number from the Company's systems by e-mail. On [...] October 2019, at 10:58, a telephone call was made from the Company to his number [...] with a commercial offer, the calling number is [...]. According to the Complainant, this means that the Company did not comply with his request, which constitutes a violation of art. 17 GDPR. The President of the UODO in the case at hand established that the Company obtained the complainant's personal data on the basis of an agreement for the use of the website with its client, i.e. P. sp. z o.o. The aforementioned client was represented by the complainant as the president of the management board, and in addition, his data was provided as data for sending parcels (name and surname) and telephone number. In the opinion of the President of the UODO, the Company was entitled to process the complainant's data, on the basis of art. 6 sec. 1 letter b of the GDPR, according to which processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject, before concluding the contract. The complainant voluntarily indicated his name and surname and telephone number when concluding the contract, acting as the president of the management board of P. sp. z o.o. (the Company's client). On [....] August 2019, the complainant sent electronic correspondence to the Company containing a request to delete all of his personal data. In response to the above. message the Company indicated that he had an active account, so it asked for a signed application to close the account and delete the data to be sent by scan or by post. On [...] October 2019, the complainant received another telephone call with a commercial offer from the Company. The Company deleted the complainant's personal data in terms of name, surname and telephone number after receiving a letter from the President of the UODO. According to the President of the UODO, the Company was not authorized to process the complainant's personal data for marketing purposes and, despite the complainant's request to delete his data, it continued to process them by contacting the complainant on [...] October 2019. In connection with the above, on the basis of art. 58 sec. 2 letter b of the GDPR, according to which each supervisory authority has the right to issue a warning to the administrator or processor in the event of a breach of the provisions of the GDPR through processing operations, the President of the UODO issued a warning to the Company regarding the identified breach of the provisions of art. 6 sec. 1 in connection with art. 21 sec. 2 and 3 and art. 17 sec. 1 letter c of the GDPR. The Company, in a letter dated filed a complaint with the Provincial Administrative Court in Warsaw against the decision of the President of the UODO dated [...] May 2023, No. [...], requesting its annulment and awarding the costs of the proceedings, including the costs of legal representation according to the prescribed standards. The Company alleged in the contested decision a violation of: • provisions of the procedure relevant to the resolution of the case, in particular art. 7 of the Code of Administrative Procedure and 7b of the Code of Administrative Procedure and 8 of the Code of Administrative Procedure, which resulted in an incorrect determination of the factual situation and then an incorrect application of the provisions of substantive law; • violation of the provisions of substantive law, i.e. art. 6 sec. 1, art. 17 sec. 1, art. 21 sec. 2 and 3 of the GDPR through their incorrect interpretation and incorrect application. The Company indicated that in the case in question, the President of the UODO assumed that the telephone number [...] belonged to the complainant, as a private person, and not to P. sp. z o.o., despite the fact that the facts state otherwise. At no stage of the case did the complainant prove that the aforementioned telephone number was his personal number, and not the number of P. sp. z o.o., in which he served as the president of the management board. The Company obtained this number not as the complainant's private number, but as a number for its client - P. sp. z o.o., which was provided when registering an account on the Company's portal. The Company did not agree with the body's finding that on [...] October 2019 it was supposed to contact the complainant in order to present him with a commercial offer. In its letter of [...] July 2020, the Company clearly indicated that it denied that it had contacted for marketing purposes - the conversation concerned updating the rates for shipments assigned to the account of P. sp. z o.o. on the Company's website (and not the complainant, who was not its client), so as to be able to receive more favorable conditions than before. The Company emphasized that on [...] October 2019, the contact was not directed to the complainant as a private person, but to the contact number of P. sp. z o.o. provided by it on the Company's website in connection with the performance of the contract between the Company and P. sp. z o.o. The role of the freight forwarder is to provide the principal with the best possible conditions for transport services, hence this contact falls within the framework of the proper performance of the contract, i.e. within the framework of 6 sec. 1 letter b of the GDPR. When calling this number, the Company did not have any knowledge of who exactly would be its interlocutor, because the contact was made with P. sp. z o.o. It emphasized that P. sp. z o.o. had an active account on the Company's website at that time, and the complainant, being its CEO, did not change the contact number, despite knowing that this number was assigned to his company's account. The Company stated that the President of the UODO based his findings of fact solely on the complainant's claim, without considering all the evidence, and above all without taking into account the complainant's role as the president of the management board of P. sp. z o.o. Out of the utmost caution, the Company indicated that the legal basis for the contact could also be the legitimate legal interest of the administrator in this case. In the justification of the contested decision, the President of the UODO indicated that such a legitimate interest could not have taken place, because the complainant was not a client of the Company. On the other hand, the President of the UODO omits the fact that the Company did not contact the complainant in this case, but with the company P. sp. z o.o. in accordance with the contact details held for it, which were, by the way, provided by the company itself. In this case - in the Company's opinion - there are grounds to establish the existence of such a legitimate legal interest, which allowed the Company to contact its client by phone. Moreover, in the Company's opinion, Article 21 sec. cannot be applied. 2 and 3 of the GDPR, due to the fact that the processing from the Company's perspective concerned its client P. sp. z o.o., and not a specific person. The Company also does not agree with the position of the President of the UODO that the request to remove the telephone number, submitted by the complainant, constituted an objection, referred to in art. 21 sec. 2 of the GDPR, because the e-mail correspondence contained in the case files clearly indicates that the Company treats the telephone number as its client's number, not the complainant's, and what is more, the Company indicated that the removal of this number can be done by submitting an application to close the account on the Company's website. In response to the complaint, the President of the Personal Data Protection Office requested its dismissal. In the procedural letter of [...] November 2023, the Company, in connection with receiving the response to the complaint, maintained the arguments of the complaint. The Provincial Administrative Court in Warsaw considered the following: The administrative court exercises control over the activities of the public administration in terms of compliance with the law within its jurisdiction, unless the acts provide otherwise, which results from art. 1 of the Act of 25 July 2002 - Law on the system of administrative courts (consolidated text: Journal of Laws of 2022, item 2492, as amended). The scope of this control is determined by art. 134 of the Act of 30 August 2002 - The Code of Administrative Court Procedure (Journal of Laws of 2023, item 1634, as amended), hereinafter referred to as "p.p.s.a." Pursuant to this provision, the Court shall decide within the limits of a given case without being bound by the allegations and motions of the complaint and the legal basis cited. In the Court's opinion, the complaint analyzed in this respect deserves to be upheld, because by issuing the contested decision, the President of the UODO violated the provisions of procedural law, i.e. Art. 7, Art. 77 § 1, Art. 80 and Art. 107 § 1 of the Code of Administrative Procedure to a degree that could have a significant impact on the outcome of the case. The GDPR establishes provisions on the protection of natural persons in connection with the processing of personal data and provisions on the free flow of personal data. This regulation protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data (Article 1(1) and (2)). Recital 14 of the GDPR explains that the protection provided by the GDPR applies to "natural persons, regardless of their nationality or place of residence, in relation to the processing of their personal data". According to the definition in Article 4(1) of the GDPR, "personal data" means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The second sentence of recital 14 of the GDPR explains that the GDPR does not apply to the processing of personal data relating to legal persons, in particular undertakings that are legal persons, including data on the company and legal form and contact details of the legal person. In connection with the above, the GDPR protects the personal data of identifiable natural persons and excludes data relating to legal persons from this protection. This results from the fact that entities other than natural persons do not have the right to privacy. The President of the UODO, ruling on the complaint, assumed that the Company was not entitled to process the complainant's personal data for marketing purposes and, despite the complainant's request to delete his data, continued to process them by contacting the complainant on [...] October 2019. In connection with the above, on the basis of Article 58 paragraph 2 letter b of the GDPR, according to which each supervisory authority has the right to issue a warning to the controller or processor in the event of a breach of the GDPR through processing operations, the President of the UODO issued a warning to the Company regarding the identified breach of the provisions of Article 6 sec. 1 in connection with art. 21 sec. 2 and 3 and art. 17 sec. 1 letter c of the GDPR. As the authority established, the Company obtained the complainant's personal data on the basis of an agreement for the use of the website with its client, i.e. P. sp. z o.o. The aforementioned client was represented by the complainant, as the president of the management board, and in addition, his data were provided as data for sending parcels (name and surname) and telephone number. The authority meant that the complainant voluntarily indicated his name and surname and telephone number when concluding the agreement, acting as the president of the management board of P. sp. z o.o. (the Company's client). It follows from the above that the President of the UODO assumed that this was a number belonging to the complainant, as a private person, and not to the company P. sp. z o.o., despite the fact that the disputed telephone number was provided when registering an account on the Company's portal - as a number for its client - the company P. sp. z o.o. According to the Court, determining whether the telephone number contacted by the Company on [...] October 2019 belonged to the complainant or to the Company's client, i.e. P. sp. z o.o. is crucial for the proper resolution of the case. The Company submitted to the case file a printout of the customer panel and a printout of the service regulations, which indicate both the fact of providing the telephone number and the obligation to provide the customer's telephone number (and not the client's employee or even its board member). In such a situation, it is difficult to clearly recognize that the number provided is the private number of the person setting up an account on the Company's portal for a client who is a separate legal entity. In light of the collected documentation, it was not possible to determine that the number provided was the personal data of a specific person, because it was the contact number of the Company's client, and this client is a legal person. According to the Court, the Company is right in stating that since it is not a telephone number of a natural person, but a contact number of a legal person, there can be no question of violating the provisions of the GDPR indicated in the contested decision of the President of the Personal Data Protection Office. The disputed processing of personal data, as contact data of a legal person, excludes their treatment in administrative proceedings based on the provisions of the GDPR, as exclusively personal data of a natural person. The findings made in the case only confirm that the telephone number on which the Company contacted the complainant is related to the legal person, because it was indicated as part of the conclusion of the contract. The fact that the complainant - the president of the company - was sent an offer intended for the company's Management Board does not change the fact that the company's data was used for this purpose. In such a situation, the telephone number cannot be considered data identifying a natural person, because it is used in the activities of the legal person, and thus it should be assumed that the disputed processing of the telephone number, constituting contact data of a legal person, excludes its treatment in administrative proceedings based on the GDPR, as exclusively personal data of a natural person. A legal person, as a subject of civil law, has been defined in the provisions of the Act of 23 April 1964 - the Civil Code (consolidated text: Journal of Laws of 2023, item 1610, as amended). Detailed regulations in this respect are contained in the Act of 15 September 2000 - the Commercial Companies Code (consolidated text: Journal of Laws of 2022, item 1467, as amended). One of the features of legal persons is their activity through bodies - in the case of a limited liability company or a joint-stock company, this is, among others, the management board. It is the management board that manages the company's affairs, using for this purpose "personal data concerning legal persons, in particular enterprises that are legal persons, including (...) contact data of the legal person" (recital 14 of the GDPR). The complainant, using his telephone number, as the president of the management board of the company indicated above, acts on behalf of the legal person. It should be noted that the complainant, as the company's CEO, is undoubtedly in a different professional situation than, for example, people with employee status, because he alone decided that his personal data should be indicated as the contact details of the entity he represents. It can be assumed that in a different factual situation it is possible to assign a telephone number the attribute of personal data, however, the factual situation of the case at issue does not provide grounds, at first glance, that it was possible to issue the contested decision in the case within the competence of the President of the UODO. In the light of the evidence collected in the case and taking into account the obligation of the authorities to act on the basis and within the limits of the law, there was no legal basis for the President of the UODO to issue the contested decision. Taking the above into account, the Voivodship Administrative Court in Warsaw, on the basis of art. 145 § 1 item 1 letter c p.p.s.a., ruled as in point 1 of the judgment. On the reimbursement of the costs of the proceedings, as in point 2 of the judgment, the Court ruled on the basis of art. 200 in connection with Article 205 § 2 of the aforementioned Act. The Court included in these costs the fee for the complaint (PLN 200), the remuneration of the attorney representing the complaining Company (PLN 480) and the stamp duty paid for the power of attorney document (PLN 17).