NSA - III OSK 4804/21: Difference between revisions

NSA - III OSK 4804/21
Court:	NSA (Poland)
Jurisdiction:	Poland
Relevant Law:	Article 5(1)(c) GDPR Article 9(1) GDPR Article 9(2)(a) GDPR
Decided:	10.10.2024
Published:
Parties:
National Case Number/Name:	III OSK 4804/21
European Case Law Identifier:
Appeal from:	WSA Warsaw (Poland) II SA/Wa 809/20
Appeal to:	Unknown
Original Language(s):	Polish
Original Source:	Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor:	w.p.

The Supreme Administrative Court found that a school obtained valid consent under Article 9(2)(a) GDPR for the usage of a fingerprint scanner for its canteen. According to the court, the valid consent rules out a violation of the data minimisation principle.

English Summary

Facts

A school (the controller) installed a fingerprint scanner by the entrance to the canteen. By scanning students’ fingerprints the device verified whether a meal was paid. The processing was based on their parents’ consent.

The Polish DPA (UODO) initiated ex officio proceedings against the controller.

During the proceedings, the controller explained they didn’t possess the students’ fingerprint samples. Such a sample was stored only within the fingerprint scanner. When a student ceased to eat in the canteen, their fingerprint stored in the fingerprint scanner was immediately deleted.

After investigation, the DPA found violations of Article 5(1)(c) GDPR and Article 9(1) GDPR. The controller processed the biometric data under Article 4(14) GDPR. Nevertheless, the processing of biometric data was not based on a valid consent under Article 9(2)(a) GDPR. The students not using the fingerprint scanner were treated differently, i.e., they had to verify their identity by telling their name and contract number while entering the canteen. For this reason, the DPA claimed the consent was not freely given. Moreover, the DPA stated that processing of the biometric data violated data minimisation principle, as the controller was able to use less privacy intrusive means. Hence, the controller was fined PLN 20,000. Additionally, the DPA ordered deletion of the students’ fingerprints data and a ban on its further processing.

The controller lodged an appeal with the Voivodeship Administrative Court of Warsaw (Wojewódzki Sąd Administracyjny w Warszawie). The controller argued they didn’t process biometric data. Furthermore, the controller disagreed with the DPA that the parents’ consent was an inappropriate legal basis for the processing at stake.

The court upheld the appeal. For the court the interpretation of the data minimisation principle, relied upon by the DPA, was too strict. The controller proved the relation between the fingerprints processing and its purpose. Furthermore, the parents’ consent obtained by the controller was lawful and didn’t violate Article 9(1) GDPR and Article 9(2)(a) GDPR.

The DPA brought a cassation appeal before the Supreme Administrative Court (Naczelny Sąd Administracyjny – NSA).

Holding

The Supreme Administrative Court dismissed the cassation appeal.

According to the court, if the consent for data processing was compliant with the GDPR, in particular Article 9(2)(a) GDPR, the purpose of processing and the scope of collected data were lawful as well. The court stated that lawful consent guaranteed that the data minimisation principle was respected. Consequently, the processing based on the consent had to be scrutinised by verifying whether the consent was, inter alia, freely given, informed, unambiguous and explicit.

Since the controller obtained valid consent under Article 9(2)(a) GDPR, the DPA was unable to find a violation of the data minimisation principle. The court didn’t find any proof of discrimination of students not using the fingerprint scanner. All the students had access to the canteen and were served equally. Thus, the alleged violation of Article 9(2)(a) GDPR didn’t occur.

Also, the court found the fingerprints were stored exclusively in the fingerprint scanner. Fingerprints collected by the fingerprint scanner were combined with a specific number, which was transferred to a software. The software attributed the number with the students’ identity. As a result, the fingerprint scanner was unable to combine the fingerprint with the students’ identity; at the same time, the controller didn’t possess the data base of students’ fingerprints.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Date of judgment

2024-10-10 final judgment

Date of receipt

2021-05-11

Court

Supreme Administrative Court

Judges

Maciej Kobak /rapporteur/
Olga Żurawska - Matusiak /chairman/
Rafał Stasikowski

Symbol with description

647 Cases related to personal data protection

Thematic entries

Personal data protection

Related references

II SA/Wa 809/20 - Judgment of the Provincial Administrative Court in Warsaw of 2020-08-07

Accused body

Inspector General for Personal Data Protection

Content of the result

Caslation appeal dismissed

Referenced provisions

Journal of Laws 2019, item 1781 art. 5 sec. 1 letter c, art. 5 sec. 1 and 2, art. 17 sec. 1 letter a, art. 6 sec. 1 llit. a-f, art. 9 sec. 1 and sec. 2, art. 4 item 11
Act of 10 May 2018 on the Protection of Personal Data (consolidated text)

Sentence

The Supreme Administrative Court, composed of: Presiding Judge: Olga Żurawska - Matusiak, Judges, Judge of the Supreme Administrative Court, Rafał Stasikowski, Judge of the Provincial Administrative Court, Maciej Kobak (rapporteur), having considered on 10 October 2024, at a hearing in the General Administrative Chamber with the participation of the Ombudsman for Children, the cassation appeal of the President of the Personal Data Protection Office against the judgment of the Provincial Administrative Court in Warsaw of 7 August 2020, reference number Act II SA/Wa 809/20 in the case of the complaint of School X against the decision of the President of the Personal Data Protection Office of February 18, 2020, No. ZSZZS.440.768.2018.FT.MW.66936 regarding the processing of personal data, dismisses the cassation appeal.

Justification

By the judgment of August 7, 2020, reference number II SA/Wa 809/20, the Voivodship Administrative Court in Warsaw, after considering the complaint of School X (hereinafter: "the complainant" or "the school"), repealed the decision of the President of the Personal Data Protection Office (hereinafter: "the authority") of February 18, 2020, No. ZSZZS.440.768.2018.FT.MW.66936 regarding the processing of personal data.

The above judgment was issued in the following factual and legal circumstances of the case.

The President of the Personal Data Protection Office, upon receiving information about irregularities in the processing of personal data of the complaining school's students, consisting in collecting fingerprints of children using the school canteen's services, initiated ex officio explanatory proceedings.

In response to the authority's request, the complainant provided extensive explanations in letters dated 27 December 2018 and 30 September 2019. In the first of them, she stated, among other things, that she uses a biometric reader called the KPT Fingerprint and Transponder Controller, placed at the entrance to the school canteen, which identifies children taking meals in order to verify payment for the meal served on a given day. The complainant indicated that she obtains the biometric data of her students based on the written consent of the parent (legal guardian), and that she does not have any collection that would contain images of children's fingerprints.

According to the complainant's explanations, the parent had the option of giving consent to use the fingerprint reader or not giving it. The complainant also informed that after the termination of the contract for the use of school lunches in the canteen, the data needed for fingerprint identification, i.e. the sequence of bytes saved in the reader, is deleted.

As a result of the analysis of the evidence collected, the authority, by decision of February 18, 2020, No. ZSZZS.440.768.2018.FT.MW.66936, acting on the basis of

Article 104 § 1 of the Act of June 14, 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256, hereinafter referred to as: "k.a.") and Article 7, paragraphs 1 and 2, Article 60 and Article 102 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, as amended; hereinafter referred to as: "a.o.d.") in conjunction with Art. 5 par. 1 letter c, Art. 9 par. 1, Art. 58 par. 2 letter f, letter g and letter i and with Art. 83 par. 2 and 3, Art. 83 par. 5 letter a, Art. 83 par. 7 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46AA/E (General Data Protection Regulation) (OJ EU.L.2016.119.1, hereinafter referred to as "GDPR") ordered the complainant to delete personal data in the scope of digitally processed information on the characteristic points of the fingerprints of children using the school canteen services (point 1); to stop collecting personal data in the scope of digitally processed information on the characteristic points of the fingerprints of children using the school canteen services (point 2); and also imposed on the complainant a fine of PLN 20,000.00 for the infringement found in this decision (point 3).

The President of the UODO stated that – contrary to the explanations of the complainant – the data of students obtained by it, including information on characteristic points of fingerprints processed into a digital record, constitute biometric data within the meaning of the provision of art. 4 point 14 of the GDPR. The authority noted that as a result of comparing the biometric pattern registered on the device with the child's finger placed on the biometric reader, as well as other information (including the item number, first name, last name, class and the right to collect lunch), it is possible to identify the child.

The authority noted that the processing of a special category of personal data, to which biometric data belong, is regulated in art. 9 sec. 1 of the GDPR, according to which the processing of personal data revealing biometric data for the purpose of unambiguously identifying a natural person is prohibited.

On the sidelines, the President of the UODO emphasized that the rules for serving lunches posted on the website of the canteen run by the complainant introduce unequal treatment of students, because they clearly promote students with biometric identification.

In a letter dated 16 March 2020, the complainant, acting through the authority, filed a complaint against the above decision with the Provincial Administrative Court in Warsaw. Requesting its annulment and also for the supervisory authority to reimburse the costs of the proceedings in accordance with the prescribed standards, the complainant alleged a breach of substantive law - due to their incorrect interpretation by the supervisory authority.

In the justification of the complaint, the complainant stated that although the disputed decision of the authority seems controversial, especially in stating that parental consent cannot be a premise legalizing the processing of biometric data, immediately after its issuance, i.e. on 24 February 2020, it deleted personal data in the scope of digitally processed information on the characteristic points of the fingerprints of children using the school canteen services and stopped collecting personal data in the scope of digitally processed information on the characteristic points of the fingerprints of children using the school canteen services.

Regardless of the above, the complainant did not agree with the supervisory authority's statement in the contested decision that the data of students obtained by the complainant, including information on the characteristic points of fingerprints processed into a digital record, constituted biometric data within the meaning of Article 4, point 14 of the GDPR.

The complainant argued that she had attached to the complaint an opinion from a specialist in automatic identification systems, in which it was stated that the disputed personal data collected by her were not biometric data.

In response to the complaint, the authority requested its dismissal, maintaining its previous position. It stated that due to the nature of the processing (special technical processing), as well as the nature of the data themselves, which concern physiological and physical characteristics, it should be indicated that the information on the characteristic points of children's fingerprints processed into digital form constitutes biometric data, because it is used for automated verification of the authorization of a specific natural person.

The supervisory authority indicated that in such a situation, parental consent cannot be a premise legalizing the processing of biometric data, because consent is a basis legalizing the processing of personal data only when there are no other premises for such processing. According to the President of the UODO, recognizing the fact of consent by the children's parents as a circumstance legalizing the collection of data other than those indicated by the Polish legislator would constitute a circumvention of these provisions. In connection with the above, the supervisory authority found that the processing of students' biometric data by the complainant was inconsistent with the principle of minimization.

Taking into account the above findings, the authority found that in the case at hand there were grounds for imposing an administrative fine on the complainant. At the same time, it noted that when deciding on its imposition and determining its amount, it was guided by the content of Article 83 paragraph 2 of the GDPR, taking into account the individual circumstances of the case in question specified in detail in the contested decision.

In the judgment described at the beginning, the Provincial Administrative Court in Warsaw upheld the complaint.

The Court concluded that the supervisory authority, when issuing the decision, committed, first of all, a material breach of the provisions of the GDPR, in particular Article 5 paragraph 1 letter c and Article 9 paragraph 1 and paragraph 2 letters a of the GDPR - through their incorrect interpretation

and application, and consequently the erroneous finding that the complainant, by processing the biometric data of its students when they used the services of the school canteen, had committed both a breach of the principle of "data minimization" referred to in Article 5 paragraph 1 letter c of the GDPR, as well as a breach consisting in the processing of the above-mentioned sensitive data in breach of the prohibition of processing such data referred to in Article 9 paragraph 1 GDPR, due to the failure to meet - in the opinion of the supervisory authority - one of the conditions for lifting that prohibition, which was relied on by the complainant, and which consisted in expressing the express consent of the data subject (Article 9 paragraph 2 letter a of the GDPR). As a consequence of a material infringement of the provisions of the GDPR, the authority unjustifiably applied the powers arising from the provisions of Article 58 paragraph 2 letters f and g of the GDPR, ordering the complainant to delete the personal data in the scope of the information processed into digital form on the characteristic points of the fingerprints of children using the services of the school canteen, and also unjustifiably ordering the complainant to stop collecting the aforementioned biometric data of students.

At the same time, in the Court's opinion, the supervisory authority unjustifiably applied to the complaining School the power arising from the provisions of Article 58 paragraph 2 letter i in connection with Article 83 of the GDPR, imposing on the complaining party a fine of PLN 20,000.00.

In the Court's opinion, it is impossible to agree with the position presented by the supervisory authority that the above-mentioned written consent by the complainant did not prove that the controller of the disputed data met the condition referred to in Article 9 paragraph 2 letter a of the GDPR. In this situation, the Court found that - contrary to the position of the supervisory authority - the complainant did not violate the general prohibition of processing personal data established in the provision of Article 9 paragraph 1 of the GDPR, because it had express consent to the processing of students' biometric data given by their parents.

The interpretation of Article 5 paragraph 1 letter i presented by the supervisory authority is c GDPR

and the principle of data minimization expressed therein is, in the opinion of the Provincial Administrative Court, erroneous, as it unjustifiably omits a significant aspect of adequacy and appropriateness in its assessment, which consequently leads to an overly rigorous perception of this principle. The Court found that it is impossible to agree with the supervisory authority that the processing of students' biometric data by the complainant is inconsistent with the principle of minimization referred to in art. 5 sec. 1 letter c GDPR.

According to the Court, there is no doubt that the complainant, as the administrator of the disputed biometric data, justified during the explanatory proceedings the existence of a legitimate connection between the purpose of processing and the scope of data it plans to process, and also explained in a precise manner why the previously used data verification methods turned out not to meet the expectations.

The adjudicating panel found that the authority, by issuing the disputed administrative decision, committed a significant violation of the principle of the rule of law expressed in the provisions of art. 6 of the Code of Administrative Procedure and art. 7 in principia of the Code of Administrative Procedure and art. 7 of the Constitution of the Republic of Poland. The analysed action of the body also significantly violated the principle of citizens' trust in the bodies of the rule of law and the law applied by them, expressed in art. 8 of the Code of Administrative Procedure. There is no doubt that the principle of trust expressed in the above provision has a constitutional and EU context, and public administration bodies are obliged, within the framework of an interpretation consistent with EU law and the Constitution of the Republic of Poland, to take into account that the principle of trust, also in the procedural aspect, is a fundamental element of the principle of a democratic state of law and as such has its basis and source in art. 2 of the Constitution of the Republic of Poland.

The body filed a cassation appeal against the above judgment, challenging it in its entirety and accusing it of:

a) violation of the provisions of the procedure, i.e. art. 145 § 1 item 1 lit. c) the Act of 30 August 2002 - the Code of Administrative Court Procedure (Journal of Laws of 2019, item 2325, hereinafter referred to as: "p.p.s.a.") in conjunction with Art. 6, 7, 8 of the Code of Administrative Procedure and Art. 7 of the Constitution by erroneously finding that the body issuing the disputed decision had committed a significant breach of the rule of law and the principle of citizens' trust in the bodies of a lawful state and the law applied by them, which had a significant impact on the outcome of the case, resulting in the annulment of the contested decision.

b) violation of the provisions of substantive law, i.e.:

i. Art. 5 sec. 1 letter c) of the GDPR, specifying the principle of data minimization through its erroneous interpretation, consisting in the assumption by the Court of First Instance that the processing of children's biometric data for the purpose of their use of the school canteen is adequate for the purpose for which they are processed;

ii. violation of the provisions of substantive law, i.e. Art. 9 sec. 2 letter a of the GDPR, through its incorrect interpretation and incorrect application consisting in the assumption that the processing of children's biometric data for the purpose of their use of the school canteen is based on the voluntary consent of their parents (legal guardians);

Based on the above allegations, it was requested to set aside the contested judgment in its entirety and refer the case for reconsideration, to consider the cassation appeal at a hearing and to award reimbursement of the costs of the proceedings according to the prescribed standards.

The Supreme Administrative Court considered the following:

Pursuant to art. 183 § 1 of the p.p.s.a., the Supreme Administrative Court shall examine the case within the limits of the cassation appeal, taking into account ex officio only the invalidity of the proceedings. In the case under consideration, none of the circumstances resulting in the invalidity of the proceedings, as referred to in art. 183

§ 2 of the p.p.s.a., and none of the premises referred to in art. 189 p.p.s.a., which the Supreme Administrative Court considers ex officio when reviewing the judgment contested in the cassation appeal. Therefore, the Supreme Administrative Court has moved on to examine the cassation objections.

The cassation appeal is unfounded and as such is subject to dismissal. The cassation appeal is a formalized means of appeal defining the limits of the instance control exercised by the Supreme Administrative Court. The entity filing the cassation appeal is obliged to define its limits by correctly formulating the grounds for the appeal – the objections. The Supreme Administrative Court reviews the judgment of the court of first instance contested in the cassation appeal from the perspective of the violations of law raised therein. The possibility of conducting this review depends on the identifiability of these violations. In other words, the Supreme Administrative Court may conduct a review of the judgment of the court of first instance if the cassation appeal cites specific provisions of law which, in the opinion of the person filing the appeal, have been violated.

Before proceeding to the substantive assessment of the allegations raised in the cassation appeal, it is necessary to provide a set of facts and legal assessments that, due to the limits of the cassation appeal, remain undisputed in the sense that they are not subject to verification by the instance. It should therefore be considered undisputed that:

1. The school processed the children's biometric data while they were using the school canteen;

2. The biometric data included fingerprints processed into digital information about the characteristic points of the fingerprints;

3. The school processed the above biometric data based on the written consent of the children's parents;

4. The school processed the children's biometric data in order to verify whether they had paid for a meal in the canteen on a given day.

Taking into account the above undisputed elements of the factual and legal basis of the appealed judgment of the Provincial Administrative Court, the Supreme Administrative Court negatively verified the allegation of incorrect interpretation of Article 5 paragraph 1 letter c) of the GDPR. The cassation complainant sees the violation of this provision in the faulty assumption by the Provincial Administrative Court that the processing of children's biometric data for the purpose of their use of the school canteen is adequate for the purpose for which they are processed.

It should be noted at the outset that Article 5, paragraph 1 of the GDPR expresses the principles of personal data processing. This is a provision that specifies the obligations that lie with the personal data controller and additionally obliges him to always be able to demonstrate that he complies with them - Article 5, paragraph 2 of the GDPR. Assigning the attribute of "principles" to the provisions of Article 5, paragraph 1 of the GDPR means that these are normative directives (legal norms) of a special nature, defining the values and objectives of each process of personal data processing. For this reason, Article 5, paragraph 1 of the GDPR should be taken into account when interpreting the remaining provisions of the GDPR, so that the legal norms derived from their content are consistent with it

in a functional, systemic and axiological approach.

The basic principle of personal data processing is compliance

with the law - Article 5 sec. 1 lit a GDPR. The processing of personal data is lawful when it takes into account both the provisions of the GDPR and the provisions of national acts regulating this process. When processing personal data, the controller is therefore obliged to comply with the rigors resulting from all the provisions of the GDPR, including those derived from the other principles of personal data processing proclaimed in the provisions of art. 5 sec. 1 GDPR. The principle of minimizing personal data decreed in art. 5 sec. 1 lit c GDPR imposes on the controller the obligation to ensure that personal data are "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". Recital 39 of the GDPR explains that the implementation of this principle requires "in particular ensuring that the storage period of data is limited to a strict minimum. Personal data should only be processed where the purpose of processing cannot be reasonably achieved by other means. In order to prevent personal data from being stored for longer than is necessary, the controller should set a deadline for their deletion or periodic review." Several conclusions can be drawn from the above fragment of recital 39 of the GDPR.

Firstly, the principle of data minimisation limits the period of data processing only to the time in which it is necessary for the purpose of such processing.

Secondly, it decides on the admissibility of personal data processing only in such arrangements in which it is not possible to provide other reasonable ways of achieving the purpose of such processing. The EU legislator did not specify what is to be understood as a reasonable alternative to achieving the purpose of processing other than personal data processing. In the opinion of the Supreme Administrative Court, this is about indicating such actions that will allow for achieving a specific purpose without the need to process personal data, and at the same time do not generate substantially higher "costs" in terms of materials, finances, time and personnel than those that would have to be incurred if this purpose were achieved through the processing of personal data. In essence, it is about comparing the size of the broadly understood costs of two methods of achieving the same purpose: a method that includes the processing of personal data and a method that does not include such processing. From this perspective, the principle of data minimisation therefore requires that personal data not be processed in those configurations in which the purpose for which the processing was to be carried out can be achieved, using comparable resources, without the processing of personal data.

Thirdly, the principle of data minimization should also be understood in such a way that if the intended purpose cannot be achieved without processing personal data, then the data that is subject to processing must be adequate, relevant and limited for this purpose. In this approach, the principle of data minimization introduces a kind of proportionality rigor of data processing. It is therefore about: 1) that the controller obtains only the type of personal data whose processing is necessary to achieve the purpose of processing; 2) that the controller obtains personal data in the minimum sufficient quantity to achieve the purpose of processing;

3) that the controller processes them only in such a way that is necessary to achieve the purpose of processing; 4) that the controller processes personal data only for the time necessary to achieve the purpose of processing.

Taking into account the adopted assumptions justifies the conclusion that the principle of data minimization allows the processing of personal data only when it is necessary to achieve the purpose of processing and only to the extent, in quantity, in the manner and for the time that are necessary to achieve the purpose of processing. The above conclusion is directly confirmed by the content of art. 17 sec. 1 letter a of the GDPR, which entitles you to request the deletion of your personal data when they are "no longer necessary for the purposes for which they were collected or otherwise processed". The necessity of personal data for the purpose of processing thus expresses the essence of the regulatory function of the principle of data minimization.

In Article 6 paragraph 1 letters a-f of the GDPR, the EU legislator has indicated a closed list of conditions for the processing of personal data, clearly stipulating that for the assessment of the lawfulness of such processing, it is sufficient to meet "at least" one of them - Article 6 paragraph 1 in principle of the GDPR. Thus, the processing of personal data is lawful when:

a) the data subject has consented to the processing of their personal data for one or more specified purposes;

b) the processing is necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject before entering into a contract;

c) the processing is necessary to comply with a legal obligation to which the controller is subject;

d) processing is necessary to protect the vital interests of the data subject or another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, override those interests, in particular when the data subject is a child.

In the opinion of the Supreme Administrative Court, attention should be paid to the specific construction of the conditions for the admissibility of personal data processing. Namely, in Art. 6 sec. 1 lit. b-f GDPR defines the purposes of personal data processing, deciding that these are: performance of a contract (letter b), fulfillment of a legal obligation incumbent on the controller (letter c), protection of the vital interests of the data subject or another natural person (letter d), performance of a task carried out in the public interest or in the exercise of public authority entrusted to the controller (letter e), achievement of purposes resulting from legitimate interests pursued by the controller or by a third party (letter f).

The first condition legitimizing the processing of personal data, specified in art. 6 sec. 1 lit. a GDPR, has been constructed differently. It allows the processing of personal data when the data subject has consented to this processing for one or more specified purposes. Therefore, the processing of personal data on the basis of art. 6 sec. 1 lit. a GDPR requires the purpose of processing to be specified, but the GDPR itself does not identify this purpose. It allows the purpose (or purposes) of processing to be specified either by the data controller or the data subject. In both cases, the necessary action to establish that the processing is lawful is the consent of the entity whose personal data is being processed.

A similar solution was adopted for sensitive data, specified

in Article 9, paragraph 1 of the GDPR. In this case, the EU legislator introduced a general prohibition on the processing of personal data of this nature, while providing for enumerated exceptions that abolish it. Similarly to Article 6, paragraph 1 of the GDPR, the consent of the data subject was provided as the initial premise legalizing the processing of sensitive personal data - Article 9, paragraph 2, letter a of the GDPR. This consent has a qualified form, because apart from the features of voluntariness, specificity, awareness and unambiguity of the expression of will that it consists of, it should also be explicit. Express consent to the processing of sensitive personal data should therefore be direct consent, the content of which leaves no doubt that it concerns the processing of a specific type of personal data referred to

in Article 9, paragraph 1 of the GDPR. In the remaining drafting units of Article 9 paragraph 2 letters b-j of the GDPR, the EU legislator has indicated the conditions for the admissibility of the processing of sensitive personal data by focusing on a specific purpose or the manner of obtaining them: fulfilment of the obligations and exercise of specific rights by the controller or the data subject in the field of labour law, social security and social protection (letter b); protection of the vital interests of the data subject (letter c); processing is carried out within the framework of legitimate activities carried out, with appropriate safeguards, by a foundation, association or other non-profit entity with political, ideological, religious or trade union objectives, provided that the processing concerns only members or former members of that entity or persons maintaining regular contacts with it in connection with its purposes and that the personal data are not disclosed outside that entity without the consent of the data subjects (letter d); processing of personal data manifestly made public by the data subject (letter e); the establishment, exercise or defence of claims or in the course of the administration of justice by the courts (letter f); important public interest, based on EU or Member State law, which are proportionate to the purpose pursued, do not violate the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject (letter g); pursuit of preventive health or occupational health purposes (letter h); public interest in the area of public health (letter i); archival purposes

in the public interest, for scientific or historical research purposes or for statistical purposes (letter j).

It seems significant that only Article 9(2)(g) and (j) provide that the processing of sensitive personal data is to be proportionate to the purpose pursued. It seems that the principle of data minimisation is assumed to be of particular importance only in relation to the two categories of personal data indicated in these provisions. In relation to the processing of sensitive personal data based on the consent of the data subject, the legislator reserved, on the other hand, that it is not permissible where EU or Member State law provides that the prohibition on their processing cannot be lifted.

Systematic analysis of the content of Article 6(2) 1 and art. 9 sec. 1 and sec. 2 of the GDPR has shown that the purpose of processing personal data based on the consent of the data subject does not have to result from legal provisions. This is directly determined by art. 6 sec. 3 of the GDPR, which states that only the conditions for processing specified

in art. 6 sec. 1 letters c and e must be specified in EU law or in the law of the Member State to which the controller is subject. The purpose of processing, on the other hand, must be specific, explicit and legally justified – art. 5 sec. 1 letter b of the GDPR (principle of purpose limitation). In its case law, the European Court of Justice has explained that the requirement imposed by art. 5 sec. 1 letter b of the GDPR, according to which personal data must be collected for specific, explicit and legally justified purposes, means first of all that the purposes of processing must be specified at the latest at the time of collection of the personal data (specificity of purpose), then - that the purposes of such processing must be clearly specified (explicity of purpose) and finally - that the purposes of such processing should guarantee, among other things, the lawfulness of the processing of such data within the meaning of art. 6(1) or 9(2) GDPR (legal justification of the purpose) - see judgments of the ECJ of 24 February 2022, Valsts ieņēmumu dienests, C-175/20, EU:C:2022:124, paragraphs 64-66 and of 20 October 2022, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-77/21, EU:C:2022/472/10, paragraph 27.

The implementation of the purpose limitation principle takes on particular significance when the legal justification for the processing of personal data is the consent of the data subject - Article 6(1)(a) and Article 9(2)(a) GDPR. In such a configuration, the parties to the personal data processing process – the data subject and the data controller – when defining the purpose of this processing should take into account the rigors resulting from this principle – art. 5 sec. 1 letter b of the GDPR. The implementation of this requirement primarily burdens the data controller, because it is he who "must be able to demonstrate that the data subject has consented to the processing of his or her personal data" – art. 7 sec. 1 of the GDPR.

According to the definition contained in art. 4 item 11 of the GDPR, "consent" of the data subject means the voluntary, specific, conscious and unambiguous demonstration of will by which this person, in the form of a declaration or a clear confirmatory action, consents to the processing of personal data concerning him or her. In turn, recital 32 of the GDPR determined that consent should take the form of a declaration or conduct that clearly indicates in a given context that the data subject has accepted the proposed processing of his or her personal data. Consent should apply to all processing activities performed for the same purpose or

for the same purposes. If processing is for different purposes, consent is required for all of those purposes.

The attribute of "voluntariness" of consent assumes that data subjects have a real possibility of making a choice and exercising control over the process of their processing. As a rule, the GDPR states that if the data subject does not have a real possibility of choosing, feels forced to give consent or suffers negative consequences in the event of not giving it, the consent will be invalid - Recital 42 of the GDPR and Guidelines 5/2020 of the European Data Protection Board (available: https://www.edpb.europa.eu/sites/-default/files/files/file1/edpb_guidelines_202005_consent_pl.pdf). Additionally, Article 7 paragraph 4 of the GDPR requires that when assessing whether consent has been given freely, the greatest possible consideration be given to whether, among other things, the performance of a contract, including the provision of a service, is not dependent on the consent to the processing of data, if the processing of personal data is not necessary for the performance of that contract.

The specificity of consent means that it must relate precisely to a specific data processing and cannot be inferred from the content of an expression of will having a different purpose – judgment of the ECJ of 11 November 2020, Orange Romania, C-61/19, EU:C:2020:901, paragraph 38.

Consent to the processing of personal data must be considered informed when the controller provides the data subject with information on all the circumstances relating to the processing in an intelligible and easily accessible form and in clear and plain language, and the person concerned must be able to know, in particular, what type of data will be processed, who the controller is, for how long and in what manner the data will be processed and for what purposes. The said information must enable the person concerned to easily determine the consequences of the consent which he may give and ensure that such consent is given with full knowledge of the facts - see. ECJ judgment of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, point 74.

In the opinion of the Supreme Administrative Court, there is a strong normative correlation between the principle of purpose limitation (Article 5 paragraph 1 letter b of the GDPR)

and the construction of consent to the processing of personal data. Giving consent to the processing of personal data the features required by the provisions of the GDPR - voluntary, specific, aware and unambiguous (Article 4 paragraph 11) - is tantamount in its effects to determining the purpose of this processing in a specific, clear and legally justified manner (Article 5 paragraph 1 letter b). If the controller of personal data, in fulfilling its information obligation - Article 13 paragraph 1 GDPR – at the latest at the time of personal data collection, the data subject shall be informed of the purpose of data processing, the scope of the processed data, the method of data processing, the period of data processing and the data subject

in conditions of voluntary consent to this processing, it should be assumed that the principle of limiting the purpose of processing has been implemented.

The presented conditions for implementing the principle of limiting the purpose of data processing and the features that consent to data processing should have are of fundamental importance for determining the limits of application and standardization of the principle of data minimization. In the opinion of the Supreme Administrative Court, expressing consent to the processing of personal data in compliance with the rigors provided for in the provisions of the GDPR sets the framework for permissible actions of the personal data controller, which in principle cannot violate the principle of data minimization. By expressing consent to data processing, at the latest

at the time the controller starts collecting data, the data subject: accepts the purpose of data processing, accepts the type (scope) of data processed, accepts the amount of data processed, accepts the method of data processing, accepts the period of data processing. Expressing consent to the processing of personal data is therefore a kind of agreement between the data controller and the person whose data is being processed, the content of which is a joint assessment that in order to achieve the purpose accepted by these entities, the best solution will be to process, in an accepted manner, personal data specified in scope and quantity, for the necessary time. The entities of the data processing process (the controller and the person whose data is being processed) jointly formulate a subjective assessment that it will be consistent - among other things - with the principle of data minimization.

The assumption adopted in the context of the objection raised in the cassation appeal regarding the violation of art. 5 sec. 1 letter c of the GDPR is of cardinal importance. It excludes the possibility of challenging the content of the consent to the processing of personal data by the supervisory authority (PUODO). The Supreme Administrative Court does not share the position of the authority that it has the competence to challenge a correctly expressed consent to the processing of personal data by demonstrating that in order to achieve the purpose of processing indicated by the personal data controller, it is sufficient to take other actions that interfere with the personal data to a lesser extent or not at all. If the basis for the processing of personal data is the consent of the data subject and this consent is expressed in a manner consistent with the rigors of the GDPR, the supervisory authority may not question the purpose of processing adopted by the parties, the scope and amount of data processed, the method of their processing and the period of their processing. The listed processing parameters bindingly specify the parties to the process of processing personal data. The only exception to this rule is provided for in Article 9 paragraph 2 letter a of the GDPR, which excludes the possibility of expressing consent to the processing of so-called sensitive personal data if EU law or the law of a Member State provides that the prohibition of their processing cannot be waived. The body appealing in cassation did not demonstrate legal provisions that in concreto would exclude the possibility of expressing consent to the processing of children's biometric data by the school.

The Supreme Administrative Court does not share the body's position that approving the legal assessments of the Court of First Instance may lead to the collection of any personal data regardless of the purpose of processing. It should be emphasized once again that when processing personal data on the basis of the correctly expressed consent of the data subject, the parties to the data processing process agree on what data they consider necessary to achieve the adopted purpose of processing. If the supervisory authority does not demonstrate the defect of the consent itself or the provisions excluding the lifting of the ban on processing sensitive data (Article 9, paragraph 2, letter a in fine), it is not possible to formulate an allegation of violation of the principle of data minimization by inferring the lack of adequacy of the data processing process to the assumed purpose of processing.

The body appealing in cassation emphasizes that, in accordance with the provisions of Article 106 of the Education Law, in order to ensure the proper implementation of care tasks, in particular supporting the proper development of students, the school may organize a canteen. In the opinion of the authority, this circumstance indicates that the basis for the processing of children's personal data by the school in order to perform the task of running a canteen can only be Article 6, paragraph 1

let. e of the GDPR. According to the content of this provision, the processing of personal data is lawful, among other things, when it is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the administrator. This means that the school processes the student's personal data on the basis of legal provisions, performing its statutory tasks. According to the authority, when providing this service, the school may process only those personal data of the student that are necessary for the provision of the school canteen service. The Supreme Administrative Court generally agrees with the body appealing in cassation that the processing of personal data on the basis of art. 6 sec. 1 letter e of the GDPR takes place without the consent of the data subject, and therefore the control of the adequacy of the processed data to the purpose of processing indicated in the law (control of the implementation of the principle of data minimization) by the supervisory authority is permissible. It is necessary to be able to verify the proportionality of the processed data to the purpose of processing adopted by law. This is done by comparing the framework of personal data processing taken over by the administrator with the limits of permissible personal data processing set by the provisions of the GDPR and other legal acts. This does not mean, however, that the data subject cannot

in the framework of properly expressed consent, autonomously determine the scope and amount of data processed and the time and manner of their processing. The authority ignores the fact that the conditions legalizing the processing of personal data specified in Article 6, paragraph 1 and Article 9, paragraph 2 of the GDPR are independent and separable from each other. The independence and separability of the conditions for the processing of personal data specified in Article 6, paragraph 1 and Article 9, paragraph 2 of the GDPR means that each of these conditions independently and separately confirms the legality of this process. However, this does not mean that the conditions for the processing of personal data specified in these provisions cannot be cumulated. The admissibility of cumulating the conditions for the processing of personal data was directly determined by the EU legislator in Article 6, paragraph 1 of the GDPR, which stipulates that the processing of personal data is lawful when "at least" one of the conditions listed in this provision is met. In the content of Article 9, paragraph 1 2 GDPR, no similar reservation was made ("one of the following conditions is met"), however, in the opinion of the Supreme Administrative Court, there are systemic arguments in favour of allowing the accumulation of grounds for processing sensitive personal data, listed in art. 9 sec. 2 letters a-j of the GDPR. This is evidenced by the content of art. 17 sec. 1 letter b of the GDPR, which allows for the request to delete personal data when "the data subject has withdrawn the consent on which the processing is based in accordance with art. 6 sec. 1 letter a) or art. 9 sec. 2 letter a), and there is no other legal basis for the processing". The EU legislator therefore explicitly assumes that consent does not have to constitute the sole basis for the processing of sensitive personal data in a specific case. It may co-exist with the other grounds for processing such data, listed in art. 9 sec. 2 letters b-j of the GDPR.

The admissibility of processing personal data by the controller without the consent of the data subject based on one of the grounds listed

in art. 6 sec. 1 letter b-f or art. 9 sec. 2 letter b-j of the GDPR does not therefore exclude the processing of personal data based on consent, based on art. 6 sec. 1 letter a or art. 9 sec. 2 letter a of the GDPR, even if the purpose of such processing in both cases is the same. The presented position can also be expressed the other way round: if the data subject has effectively consented to their processing within the meaning of

art. 6 sec. 1 letter a or art. 9 sec. 2 letter a of the GDPR, it is unnecessary to seek the grounds for legitimizing this processing in the provisions of art. 6 sec. 1 letter b-f or art. 9 sec. 2 letter a. b-j GDPR – judgments of the ECJ of 4 July 2023, Meta Platforms and others, C-252/21, EU:C:2023:537, points 90-94 and of 4 October 2024, Autoriteit Persoonsgegevens,

C-621/22, publ. www.eur-lex.europa.eu.

The judgments of the Supreme Administrative Court cited in the cassation appeal

of 1 December 2009, I OSK 249/09 and 6 September 2011, I OSK1476/10 were not issued under the provisions of the GDPR, but under the no longer applicable Act

of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2002, No. 101, item 926, as amended). In light of the legal assessments presented above, the position expressed in these judgments does not find an adequate translation into the factual and legal conditions of this case. The risk of violating the principle of proportionality highlighted therein does not occur under the GDPR if the consent to the processing of sensitive personal data was effectively expressed and the personal data controller implements the rigors imposed on him/her related to the protection of such data.

Acceptance of the interpretation of Article 5 paragraph 1 letter c of the GDPR (but also Article 5 paragraph 1 letter b of the GDPR) presented in the cassation appeal in connection with Article 9 paragraph 2 letter a of the GDPR (but also Article 6 paragraph 1 letter a of the GDPR) would de facto be tantamount to systematically allowing the possibility of challenging the scope, method

and time of processing of his/her personal data accepted by the data subject in the consent expressed by him/her, if the supervisory authority is convinced that these data are inadequate (disproportionate) to the adopted method of processing. It should be emphasised once again that if the data subject, by virtue of the autonomy granted to them by the content of Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a of the GDPR, consciously, voluntarily, specifically, unambiguously, and in relation to sensitive data also expressly consents to the processing of their personal data, setting the "parameters" of this processing in a way that, in the opinion of this person, implements the principle of data minimisation decreed in Article 5 paragraph 1 letter b of the GDPR, then there is no basis for formulating different assessments in this respect. In such a case, the content of the data minimisation principle is "fulfilled" by the consent of the person whose personal data will be processed. All reservations raised by the body appealing in cassation regarding the proportionality of the processed data may in such a situation be verified as part of the assessment of whether the consent expressed to the processing of data has the attributes required by the provisions of the GDPR, i.e. whether it was conscious, voluntary, specific, unambiguous, and in relation to sensitive data also express. If the person expressing consent to the processing of their personal data did so freely, without pressure, broadly understood coercion, with awareness of the purpose, method and time of processing and the scope and amount of data shared, it cannot be alleged that the principle of data minimization has been violated, because they have some "objective" and "reasonable" criteria for implementation, which the consent in question does not meet. The argument supporting the adopted position can also be built on the content of art. 9 sec. 2 letter e of the GDPR, which abolishes the ban on the processing of sensitive personal data if they have been clearly made public by the person to whom they relate. The EU legislator therefore determines that the autonomy of the person sharing their data has the highest legitimizing power for the process of their processing. The obvious publication of their sensitive personal data is a form of expressing consent to their processing. In such a situation, it is difficult to require that the person to whom the data relates be aware of the purpose for which the entities that obtain this data will process it. It is also impossible to verify whether the personal data made public will be adequate for the purpose of their processing, because at the time of their publication it is not possible to determine whether they will be processed at all, and if so, for what purpose.

The considerations presented allow us to conclude that the EU legislator assumes that the will and autonomy of the person whose personal data is concerned has a fundamental impact on the understanding of the scope of regulation and application of the principle of data minimization (Article 5, paragraph 1, letter c of the GDPR), when the basis for their processing is the consent of that person.

In this state of affairs, it should be assumed that the parents' consent to the processing of their children's biometric data in the form of fingerprints, in order to verify payment for a meal at the canteen on a given day did not violate the principle of data minimization expressed

in Article 5, paragraph 1, letter c of the GDPR. By virtue of the autonomy granted, the parents clearly, consciously, voluntarily, specifically

and unambiguously specified what data of their children are to be processed, for what purpose and in what manner. It should also be added, which seems to have escaped the authority, that the children's fingerprints were recorded exclusively in the memory of the identification device. The school did not create a collection of children's fingerprint patterns in the computer system. The identification device assigned the fingerprint of a specific child to a corresponding number and only then was this number sent to the computer system, which linked it to the child's name and surname and the meal agreement number. Therefore, the school did not store digital images of the children's fingerprints on the computer server. They were located exclusively on the identification device, which could not assign a given fingerprint to the identity of a specific child.

The authority appealing in cassation argues that the Court of First Instance did not address the monitored defect of the consent expressed by the parents to the processing of data, which in its opinion excludes the justification for attributing to it the features of voluntariness. It highlights that the school's rules for serving meals discriminate against children whose parents have not given their consent to the processing of their fingerprints, because children based on biometric identification are admitted to the canteen first, and then the other children, one by one. In such a situation, the authority believes that the parents of the children were in a coercive situation, because the lack of consent to the processing of their children's biometric data placed them in a disadvantageous situation.

The Supreme Administrative Court confirms that the Court of First Instance did not address the issue in question in the justification of its judgment. However, there is no basis for qualifying the defect in question in the category of incorrect interpretation or incorrect application of Article 9 sec. 2 letter a of the GDPR. The Supreme Administrative Court assumes that despite the incorrect justification in the scope indicated by the authority, the judgment of the Provincial Administrative Court is in accordance with the law - Article 184 § 1 in fine p.p.s.a.

The authority filing the cassation appeal under the allegation of violation of Article 9 sec. 2 letter a of the GDPR attempts to undermine the consent expressed by the parents of children whose biometric data were processed by the school, by demonstrating that it does not have only one feature – voluntariness. The factual basis of the judgment adopted by the Provincial Administrative Court and disclosed in its justification shows that the consent to the processing of the children's biometric data was given in writing, in an agreement "on the use of lunches", in order to verify payment for a meal at the canteen on a given day. It is not disputed that the refusal to give consent to the processing of the child's biometric data did not result in the child not being provided with a meal. Verification of payment for the child's meal was then based on the surname and contract number. Therefore, the refusal to give consent to the processing of the child's biometric data did not result in the agreement on meals for the child at the school canteen not being fulfilled. The Supreme Administrative Court does not share the assessment of the body appealing in cassation that the consent to the processing of the children's biometric data was given under duress. This is evidenced by the school's rules for using the canteen, according to which children whose meal payment was verified using a fingerprint reader are admitted first. It is not disputed that some parents did not consent to the processing of their children's biometric data, and yet these children use the canteen, but the verification of payment for the meal intended for them takes longer, because it requires "manual" identification of the child in the system by name, surname and contract number.

The Supreme Administrative Court also notes that during the proceedings the school explained that it introduced biometric identification of payment for children's meals at the request of the Parents' Council, in order to streamline the process of using the canteen. The methods of verifying meal payment used so far, in the opinion of both the school and some parents, did not guarantee quick and smooth use of the canteen.

In the complaint filed with the Provincial Administrative Court, the school also stated that the provision on the rules for using the canteen, which was posted on the website: "students who do not have biometric identification, let everyone else through and wait at the end of the queue, and when all students with biometric identification enter the canteen, students without biometric identification are admitted one by one" was created during the implementation period (September 2015). After just a few months, in order to streamline the process of entering the canteen, the school launched a second computer station with a reader, and from that time on, all children lined up in one queue for the canteen. The school admitted that the failure to remove the fragment of the rules for using the canteen from the website, which was cited by the authority, was an oversight. The resulting priority of using the canteen by children with biometric identification did not occur in practice and was excluded by the provisions of the canteen regulations and meal agreements concluded with the children's parents. It results from point 4 of the canteen regulations attached to the complaint that "Grade 0 comes for meals under the supervision of a class teacher. Students from other classes line up." In turn, it results from the content of § 5 of Annex No. 1 to the Canteen Regulations - "Agreement on the use of lunches in the school canteen of Primary School No. 2 with sports departments" that the Regulations are an integral part of the agreement, and the parent signing the agreement accepts its content and undertakes to comply with it. It should therefore be assumed that it results from the content of both the meal agreement and the content of the Canteen Regulations that all children using the canteen, regardless of the method of verifying payment for the meal, line up in one queue. In the response to the complaint, the body did not refer to the circumstances in question at all. In this state of affairs, the Supreme Administrative Court found no grounds to assume that there was a violation of art. 9 sec. 2 letter a) in the case. a GDPR, through the erroneous assumption that the consent expressed by the parents to the processing of children's biometric data by the school for the purpose of verifying payment for the meal was not voluntary and, consequently, effective.

The dismissal of the allegations of violation of art. 5 sec. 1 letter c of the GDPR and art. 9 sec. 2 letter a of the GDPR determines the ineffectiveness of the allegation of violation of art. 6, 7, 8 of the Code of Administrative Procedure and art. 7 of the Constitution.

For the reasons given, the Supreme Administrative Court, acting under art. 184 of the p.p.s.a., dismissed the cassation appeal.