NSA (Poland) - III OSK 4984/21: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 60: Line 60:
}}
}}


The Supreme Administrative Court clarified the notion of purely personal activity under [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]]. The publishing personal data in social media fell under the scope of the GDPR if the post was made accessible to unrestricted number of users.
The Supreme Administrative Court clarified the notion of purely personal activity under Article 2(2)(c) GDPR. Publishing personal data on social media falls under the scope of the GDPR if the post was made accessible to an unrestricted number of users.


== English Summary ==
== English Summary ==
Line 67: Line 67:
A court rendered a judgment in a case referring to a data subject. An individual, being a member of data subject’s family, published the judgement via their Facebook account and by placing its copy behind their car’s pane. The judgment was published in that way for 11 days.  
A court rendered a judgment in a case referring to a data subject. An individual, being a member of data subject’s family, published the judgement via their Facebook account and by placing its copy behind their car’s pane. The judgment was published in that way for 11 days.  


The data subject filed a complaint with the Polish DPA (UODO). The DPA dismissed the complaint. The personal data were published under [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]], i.e. for purely personal activity. Additionally, the individual and the data subject were related. Thus, the processing at stake fell outside GDPR’s scope of application.  
The data subject filed a complaint with the Polish DPA (UODO). The DPA dismissed the complaint as it considered that the personal data were published under [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]], i.e. for purely personal activity. Additionally, the individual and the data subject were related. Thus, according to the DPA, the processing at stake fell outside GDPR’s scope of application.  


The data subject brought an appeal with the Voivodeship Administrative Court of Warsaw (Wojewódzki Sąd Administracyjny w Warszawie). The court repealed the DPA’s decision. By referring to case [[CJEU - C-101/01 - Lindqvist|C-101/01]] and [[CJEU - C-212/13 - Ryneš|C-212/13]], the court emphasised the exemption of purely private activity didn’t cover the processing which led to disclosing the data to unlimited number of people. Because the individual shared the data via Facebook, making it available to unlimited number of its users, [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] didn’t apply.
The data subject brought an appeal with the Voivodeship Administrative Court of Warsaw (Wojewódzki Sąd Administracyjny w Warszawie). The court repealed the DPA’s decision. By referring to case [[CJEU - C-101/01 - Lindqvist|C-101/01]] and [[CJEU - C-212/13 - Ryneš|C-212/13]], the court emphasised the exemption of purely private activity didn’t cover the processing which led to disclosing the data to unlimited number of people. Because the individual shared the data via Facebook, making it available to unlimited number of its users, [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] didn’t apply.
Line 78: Line 78:
The court explained that the notion of purely personal activity was inherently limited. In particular, when the personal data were made accessible to an unrestricted number of people, for instance, social media users, it excluded the application of [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]]. The court based it reasoning on Recital 18 GDPR, case [[CJEU - C-212/13 - Ryneš|C-212/13]] and WP29 [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp163_en.pdf Opinion 5/2009].
The court explained that the notion of purely personal activity was inherently limited. In particular, when the personal data were made accessible to an unrestricted number of people, for instance, social media users, it excluded the application of [[Article 2 GDPR#2c|Article 2(2)(c) GDPR]]. The court based it reasoning on Recital 18 GDPR, case [[CJEU - C-212/13 - Ryneš|C-212/13]] and WP29 [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp163_en.pdf Opinion 5/2009].


In the case at stake, the individual published the judgment referring to the data subject via Facebook. The post shared in such a way that every Facebook user could has accessed it. Hence, the individual’s data processing was not exempted from application of the GDPR.
In the case at stake, the individual published the judgement referring to the data subject via Facebook. The post shared in such a way that every Facebook user could has accessed it. Hence, the individual’s data processing was not exempted from application of the GDPR.


== Comment ==
== Comment ==

Latest revision as of 14:17, 4 December 2024

NSA (Poland) - III OSK 4984/21
Courts logo1.png
Court: NSA (Poland)
Jurisdiction: Poland
Relevant Law: Article 2(2)(c) GDPR
Decided: 16.10.2024
Published:
Parties:
National Case Number/Name: III OSK 4984/21
European Case Law Identifier:
Appeal from: WSA Warsaw (Poland)
II SA/Wa 895/20
Appeal to: Unknown
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: w.p.

The Supreme Administrative Court clarified the notion of purely personal activity under Article 2(2)(c) GDPR. Publishing personal data on social media falls under the scope of the GDPR if the post was made accessible to an unrestricted number of users.

English Summary

Facts

A court rendered a judgment in a case referring to a data subject. An individual, being a member of data subject’s family, published the judgement via their Facebook account and by placing its copy behind their car’s pane. The judgment was published in that way for 11 days.

The data subject filed a complaint with the Polish DPA (UODO). The DPA dismissed the complaint as it considered that the personal data were published under Article 2(2)(c) GDPR, i.e. for purely personal activity. Additionally, the individual and the data subject were related. Thus, according to the DPA, the processing at stake fell outside GDPR’s scope of application.

The data subject brought an appeal with the Voivodeship Administrative Court of Warsaw (Wojewódzki Sąd Administracyjny w Warszawie). The court repealed the DPA’s decision. By referring to case C-101/01 and C-212/13, the court emphasised the exemption of purely private activity didn’t cover the processing which led to disclosing the data to unlimited number of people. Because the individual shared the data via Facebook, making it available to unlimited number of its users, Article 2(2)(c) GDPR didn’t apply.

The DPA lodged a cassation appeal before the Supreme Administrative Court (Naczelny Sąd Administracyjny – NSA).

Holding

The Supreme Administrative Court dismissed the cassation appeal.

The court explained that the notion of purely personal activity was inherently limited. In particular, when the personal data were made accessible to an unrestricted number of people, for instance, social media users, it excluded the application of Article 2(2)(c) GDPR. The court based it reasoning on Recital 18 GDPR, case C-212/13 and WP29 Opinion 5/2009.

In the case at stake, the individual published the judgement referring to the data subject via Facebook. The post shared in such a way that every Facebook user could has accessed it. Hence, the individual’s data processing was not exempted from application of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Date of judgment

2024-10-16 final judgment

Date of receipt

2021-05-31

Court

Supreme Administrative Court

Judges

Arkadiusz Windak
Olga Żurawska - Matusiak
Tamara Dziełakowska /Presiding Rapporteur/

Symbol with description

647 Cases related to personal data protection

Thematic entries

Personal data protection

Related references

II SA/Wa 895/20 - Judgment of the Provincial Administrative Court in Warsaw of 2020-11-23

Accused body

Inspector General for Personal Data Protection

Content of the result

Caslation appeal dismissed

Referenced provisions

Journal of Laws 2019, item 2325, art. 184, art. 204 point 2
Act of 30 August 2002 - The Code of Administrative Court Procedure - consolidated text

Supreme Administrative Court, composed of: Presiding Judge: Tamara Dziełakowska (rapporteur) Olga Żurawska-Matusiak, Judge of the Supreme Administrative Court, Arkadiusz Windak, Clerk of the Court, Assistant Judge Adam Płusa, having considered on 16 October 2024, at a hearing in the General Administrative Chamber, the cassation appeal of the President of the Personal Data Protection Office against the judgment of the Provincial Administrative Court in Warsaw of 23 November 2020, file reference II SA/Wa 895/20 in the case of the complaint of A.T. on the decision of the President of the Personal Data Protection Office of [...] January 2020, No. [...] regarding the protection of personal data 1) dismisses the cassation appeal, 2) awards A.T. the amount of PLN 400 (four hundred) from the President of the Personal Data Protection Office as reimbursement of the costs of the cassation proceedings.

Justification

By decision of [...] January 2020, the President of the Personal Data Protection Office, on the basis of art. 105 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended), hereinafter referred to as the "k.a.p.", discontinued the proceedings in the case of A.T.'s complaint about the unlawful processing of her personal data by P.L. (participant). The complainant argued that in the period from 16 to 27 September 2018, P.L. on Facebook he published the judgment of 29 November 2017 of the District Court in Wołomin, file reference V 729/17, with the personal data of the complainant, and on at least from 16 to 27 September 2018 he displayed the above-mentioned judgment in public behind the window of his car. In the opinion of the authority, there was no unlawful processing of data, because in accordance with Art. 2 sec. 2 letter b) of the GDPR, c Regulation of the European Parliament and of the Council of the EU 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ EU.L.2016.119.1, OJ L. 127 of 23.05.2018), hereinafter referred to as "Regulation 2016/679" or "GDPR", the provisions of this act do not apply to the processing of personal data by a natural person as part of activities of a purely personal or household nature, i.e. unrelated to professional or commercial activity. The authority indicated that in the course of the proceedings it was established that the complainant and the participant were connected by family ties, and what is more, the participant did not conduct business activity, and therefore the complainant's personal data were processed only for personal purposes. In connection with the above, the President of the Personal Data Protection Office had no competence to issue any order or impose an administrative penalty. As a result of considering the complaint against the above decision, the Provincial Administrative Court in Warsaw, by its judgment of 23 November 2020, file reference II SA/Wa 895/20, on the basis of art. 145 § 1 point 1 letters a and c of the Act of 30 August 2002 - The Law on Administrative Court Procedure (Journal of Laws of 2019, item 2325, as amended), hereinafter referred to as "p.p.s.a.", repealed the appealed decision and awarded the complainant from the authority the reimbursement of the costs of court proceedings. The justification stated that the authority, by violating the provisions of administrative procedure regarding the free evaluation of evidence, wrongly assumed that the participant processed the complainant's personal data as part of activities of a purely personal or household nature, and that therefore the provisions of the regulation did not apply. Referring to the content of the preamble and art. 2 sec. 1 and 2 of the GDPR explained that personal and household activities may include, among other things, correspondence and the storage of addresses, the maintenance of social ties, and internet activities undertaken as part of such activities. At the same time, it was noted that this regulation does apply to controllers or processors who provide the means to process personal data for the purposes of such personal and household activities.

The Court also referred to judgments of the Court of Justice of the European Union in which it was stated that the above-mentioned the exclusion of the application of the provisions of the regulation should not apply to the processing of personal data consisting in their publication on the Internet in such a way that they become accessible to an unlimited number of persons (judgment of 6 November 2003, C-101/01 in the LINDQVIST case, paragraph 43) and that if the processing extends even partially beyond the private sphere of the person performing it, it cannot be considered to be an activity of a purely personal or household nature (judgment of 11 December 2014, C-212/13, in the Frantiśek Ryneś vs. Urad pro ochranu osobnich udaju, paragraph 33).

Based on the above case law, the Court of First Instance assumed that the exclusion from the provisions of the GDPR would not apply in the case at hand, because the processing of the complainant's data consisted in making available a court judgment containing her data on the social networking site Facebook, and therefore there was a possibility of their further sharing by members of that social network.

The President of the Personal Data Protection Office filed a cassation appeal against the above decision, requesting that the contested judgment be set aside in its entirety and that the case be referred back to the Court of First Instance for reconsideration, that the costs of the proceedings be awarded, and that the cassation appeal be heard at a hearing. The decision was alleged to have violated the provisions of substantive law, i.e. Article 2, paragraph 2, letter c of Regulation 2016/679, through its erroneous interpretation consisting in assuming that, in the factual circumstances of the case in question, the complainant's personal data were not processed for the purposes of personal or household activities. In justifying the allegation of the cassation appeal, the authority noted that a constant element occurring both in purely personal activities or in data processing as part of household activities is the lack of formalisation of relations within the framework of the actions taken. This means that data processing undertaken by a natural person, not of a professional or commercial nature, but related to, for example, the pursuit of any hobbies, philanthropy or social and artistic activities, will be exempt from the rigours of the GDPR. On the other hand, entities under whose auspices the processing takes place will have the status of administrator. Moreover, the President of the Personal Data Protection Office takes the position that the unlimited availability of a profile on a social networking site does not in itself determine that the processing goes beyond the scope of personal or household processing. In order to consider that the processing goes beyond the above scope, it is necessary for the availability of data posted on the profile on the social networking site to be related to professional or commercial activity, which was not the case in this case.

In response to the cassation appeal, the complainant requested that it be dismissed and that the costs of the proceedings before the Supreme Administrative Court be awarded to her, maintaining her previous position in the case.

The Supreme Administrative Court considered the following:

Pursuant to art. 183 § 1 of the p.p.s.a., the Supreme Administrative Court shall examine the case within the limits of the cassation appeal, taking into consideration ex officio only the invalidity of the proceedings, the grounds for which have been enumerated in § 2 of art. 183 of the p.p.s.a. This means that if – as in the case at hand, there is no invalidity of the proceedings – the scope of the cassation proceedings is determined by the party filing the cassation appeal by citing the grounds for the cassation appeal and their justification.

When examining the cassation appeal filed in this case, the Supreme Administrative Court found that it lacked justified grounds and for these reasons did not merit consideration.

In the case at hand, the key issue is the answer to the question of whether the participant's activity consisting in making the complainant's personal data available on the Facebook website by publishing a penal order containing the complainant's data may fall within the scope of Regulation 2016/679 in the light of Article 2(2)(c) of that Regulation.

The provision cited above states that "[t]his Regulation shall not apply to the processing of personal data: c) by a natural person in the course of activities of a purely personal or household nature". This provision, in which the EU legislator referred to the concept of "purely personal and household activities", is complemented by recital 18 of the preamble to the Regulation, according to which "[t]his Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, that is to say without any connection with his professional or commercial activity. Personal or household activities may include, among others, correspondence and the storage of addresses, the maintenance of social ties, and internet activities undertaken in the context of such activities. However, this Regulation applies to controllers or processors who provide the means for processing personal data for such personal or household activities". An example of this type of processing, which – in principle – will not fall within the scope of application of the GDPR, may be the processing of data in private address notebooks, private computers or other private devices enabling automated data processing (e.g. smartphones, tablets) and, as indicated in the doctrine, the activity of natural persons on social networking sites, provided that it is not related to professional or commercial activity (P. Fajgielski [in:] Commentary to Regulation No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd ed., Warsaw 2022, art. 2).

As follows from the above, the above-mentioned recital 18, in addition to explaining that the processing of personal data by a natural person in the course of a purely personal or household activity is unrelated to a professional or commercial activity, expressly states that the regulation nevertheless applies "to controllers or processors who provide the means to process personal data for the purposes of such a personal or household activity", which means that entities processing data in the course of a personal or household activity who provide the means to process personal data are not covered by the exemption resulting from art. 2 sec. 2 lit. c GDPR. The interpretation of this provision by the authority presented in the case both in the contested decision and in the cassation appeal is therefore based on taking into account only the first and second sentences of recital 18, completely omitting the third sentence relating to the provision of the means to process personal data. It should be explained that "data processing means" in this case should be understood as the place or medium on which the data is located, i.e. the aforementioned private notebooks, calendars or electronic devices on which e.g. contact lists, telephone numbers, addresses and other personal data are stored. As long as these means (data processing by a natural person) are available only within the so-called privacy of the home or other private place (e.g. car) of the person processing, this is processing as part of activities of a purely personal and domestic nature. However, in a situation where, at the initiative of the entity processing, access to this type of "data processing means" is granted to a wider group, such activity will be protected under the GDPR. This is clearly indicated by the third sentence of recital 18 explaining the content of art. 2 sec. 2 letter c of the GDPR. It is also worth noting that a similar exclusion to art. 2 sec. 2 letter c GDPR was in the previously applicable regulation, i.e.: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ EU.L.1995.281.31) and on its basis, in the opinion adopted by the Article 29 Working Party, it was considered that the processing of data by users on social networking sites falls - in principle - within the scope of personal or household activities, unless access to these data is provided by persons other than those selected independently by the user, e.g. by adding to contacts (cf. Opinion 5/2009 of the Article 29 Working Party on social networking sites, adopted on 12 June 2009, WP 163). Although these guidelines do not constitute binding sources of generally applicable law, as indicated by the body, they present a certain interpretation of the provisions, which the Supreme Administrative Court shares.

To sum up the above, it should be considered that, as a rule, content published on social media by individuals is not covered by the GDPR regulation, provided that this activity is not of a professional or commercial nature and only entities selected by the person sharing it have access to it. In other words, if the processing extends even partially to the public sphere and is thus directed outside the private sphere of the person processing data in this way, it should not be understood as an activity of a purely "personal or household nature". This position was also presented in the judgment of the Court of Justice of the European Union of 11 December 2014, C-212/13, to which the Court of First Instance referred, among others.

In connection with the above, from the perspective of the analyzed case, it is of fundamental importance whether the complainant's data shared on the participant's portal were made available in an "open" manner enabling any person, even not among the persons permitted by the participant, to access the content posted there.

It is indisputable that the complainant's data was made available on the participant's Facebook social media profile and, as evidenced by the case material (including the complaint about unlawful processing of personal data of 10 May 2019), access to the content posted there was unlimited. Therefore, one cannot agree with the claims of the body complaining in cassation that the interpretation of personal or household activities is excessively rigorous. In the body's opinion, which is clearly evident from the cassation appeal, if the activity of a given person is related to the pursuit of a hobby, philanthropy or social activity, and in any case is not related to professional or commercial activity, then it is not within the scope of application of the GDPR. Such an interpretation is unfounded, because it would lead to the conclusion that only the activity of entrepreneurs (professional or commercial) is covered by the application of the GDPR, and this was certainly not the intention of the EU legislator. This position, as explained above, is confirmed by the third sentence of recital 18 of Regulation 2016/679, which indicates that the regulation will apply to natural persons processing personal data as part of their personal or home activities, provided that such data is made available externally. Moreover, legal doctrine even indicates a more far-reaching interpretation, according to which making data available even within a group, in the event of the possibility of further sharing by members of that group within a social network, will also go beyond the scope of the exemption referred to in Article 2 paragraph 2 letter c of the GDPR (D. Lubasz [in:] GDPR. General Data Protection Regulation. Commentary, ed. E. Bielak-Jomaa, Warsaw 2018, Article 2). Given that such a case is not the subject of the case, it is not necessary to refer to the presented view.

For the reasons given, the cassation appeal based on Article 184 of the Code of Administrative Procedure should be dismissed. The costs of cassation proceedings were decided on the basis of Article 204, point 2 of the p.p.s.a.