WSA Warsaw (Poland) - II SA/Wa 2227/19: Difference between revisions
No edit summary |
|||
Line 80: | Line 80: | ||
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. | The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details. | ||
II SA / Wa 2227/19 - Judgment of the Provincial Administrative Court in Warsaw | |||
</ | Date of the judgment | ||
2020-09-15 judgment not final | |||
Date of receipt | |||
2019-09-27 | |||
Court | |||
Provincial Administrative Court in Warsaw | |||
Judges | |||
Agnieszka Góra-Błaszczykowska | |||
Joanna Kruszewska-Grońska | |||
Łukasz Krzycki / chairman rapporteur / | |||
Symbol with description | |||
647 Matters related to the protection of personal data | |||
Thematic slogans | |||
Personal data protection | |||
The appealed authority | |||
Inspector General for Personal Data Protection | |||
Result content | |||
The contested decision was annulled | |||
Cited regulations | |||
Journal of Laws 2018 item 1000 art. 1 clause 1, art. 1 clause 2, art. 34 sec. 2, art. 60, art. 98 sec. 1 | |||
Sentence | |||
Provincial Administrative Court in Warsaw composed of the following co<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>mposition: Chairman Ju<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>dge of the Provincial Administr<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ative Court Łukas<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>z Krzycki (s<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>pokesma<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>n), Judge of the Provincial Administrative <span class="tlid-translation-gender-indicator translation-gender-indicator"></span>Court Ag<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>nieszka Góra-Błaszczykowska, As<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>sessor of the Provincial Ad<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ministrative Court Joanna Kruszewska-Gro<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ńska, Court reporter, cle<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>rk Joanna Mazur, after examination at the hearing on Sep<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>tember 15, 2020. c<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ases from the complaint of<span class="tlid-translation-gender-indicator translation-gender-indicator"></span> J. Sp. z o.o. based in <span class="tlid-translation-gender-indicator translation-gender-indicator"></span>G. and TJ on the decision of the President of th<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>e Personal Data <span class="tlid-translation-gender-indicator translation-gender-indicator"></span>Protection Office of [...] July 2019,<span class="tlid-translation-gender-indicator translation-gender-indicator"></span> No. [...], [...] o<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>n issuing a reminder for irregularities in the processing of personal data 1 ) repeals the contested decision; 2) awards the President of the Personal Data Protection Office to J. Sp. z o.o. based in G. the amount of PLN 697 (say: six hundred and ninety-seven zlotys) as reimbursement of the costs of the proceedings; 3) orders the President of the Personal Data Protection Office to pay T. J. the amount of PLN 200 (say: two hundred) as reimbursement of the costs of the proceedings. | |||
Substantiation | |||
By the contested act, against the complaint of Mr. T. J., hereinafter referred to as the "Applicant", about irregularities in the processing of his personal data by J. Sp. z o.o., hereinafter referred to as the "Company" - recalling art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended), hereinafter referred to as "K.p.a." and art. 5 sec. 1 lit. c and f, art. 6 sec. 1 and art. 58 sec. 2 lit. b of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (Official Journal of the European Union, L 119 of 4 May 2016), hereinafter referred to as "GDPR" - the Company was issued a reminder for irregularities in the processing of personal data, consisting in violation of art. 6 section 1, in connection with with art. 5 sec. 1 lit. c and f GDPR, by providing [...] August 2018 to persons in the waiting room of the deputy office with the Applicant's personal data in the scope of information about the termination of the employment contract without observing the notice period, hereinafter referred to as "Termination" (point 1 judgment). In the remaining scope, the conclusions of the complaint were refused (point 2 of the judgment). | |||
The following factual and legal circumstances of the case were cited in the justification for the decision: | |||
- the Applicant's complaint related to irregularities in the processing of his personal data by the Company; they consisted in disclosing his personal data to unauthorized persons; it was alleged that the employees of the Company - in the presence of third parties in the deputy's office (MP A.M.) - read the content of the Notice of Termination, using the Applicant's personal data; The Applicant indicated that - after his refusal to accept the Termination, the representatives of the Company left the letter containing the Termination unsecured, in the presence of persons residing in the deputy's office; therefore, the Applicant applied for all actions aimed at removing the indicated violations; he also asked the authority to consider initiating court proceedings against persons representing the Company for breach of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws, item 1000, as amended), hereinafter referred to as the "Data Act" , | |||
- in the course of the administrative procedure, the following facts were found: | |||
- The applicant was employed by the Company from [...] January 2006 to [...] August 2018; he is the chairman of the Company Organization [...] "[...]" in the Company; | |||
- The Company - via a courier - attempted four times to provide the Applicant with a Notice of Termination; he was exempt from the obligation to perform work while retaining the right to remuneration; | |||
- [...] in August 2018, two authorized representatives of the Company handed the Termination to the Applicant in the waiting room of the deputies' office; he refused to accept the letter; Company representatives, responding to the refusal to accept the letter, left it on the table next to the Applicant; | |||
- when handing over the letter, one of the Company's representatives told the Applicant that it was a Termination and was handed over to him because he did not receive letters from couriers; | |||
- in the appeal against the Termination to the District Court it was indicated that [...] on August 2018, the Company's representatives personally handed the Applicant a letter of Termination, | |||
- this case concerns data in the field of the so-called "ordinary data"; their processing is governed by Art. 6 sec. 1 GDPR; according to it, the processing of personal data is allowed only if one of the conditions indicated in this provision is met; catalog mentioned in art. 6 sec. 1 GDPR, the premises legalizing the processing of personal data is closed; each of them is autonomous and independent; the processing of personal data must also comply with the principles set out in Art. 5 sec. 1 GDPR; they include, among others data minimization (point c) as well as integrity and confidentiality (point f), | |||
- one of the Company's representatives, when handing over the Notice of Termination to the Applicant, said that it was a notice of termination and was handed over to him because he did not receive letters from couriers; The company - when terminating the employment contract - breached the principle of integrity and confidentiality; the authorized representative of the Company made the Applicant's personal data available to unauthorized persons staying at the deputy's office at that time; providing information on what is contained in the letter handed to the Applicant in the presence of other persons would be lawful provided that they had the appropriate authorization - provided for in Art. 29 GDPR; according to the collected evidence, third parties - present in the deputy's office during the termination of the termination to the Applicant - did not have such authorization; the representative of the Company - when handing in the Notice of Termination - did not have to - in the presence of unauthorized persons - indicate what the letter submitted by him concerns, so that the Applicant could read its content, | |||
- in accordance with the above, the provision of the Applicant's personal data in the manner indicated above took place in violation of the provisions on the protection of personal data (Article 5 (1) (c and f) of the GDPR), | |||
- referring to the disclosure of the Applicant's personal data by the Company, by leaving the Termination in an unsecured manner, in the presence of persons staying in the deputy's office, it was indicated: in accordance with art. 4 sec. 7 GDPR, the data controller is a natural or legal person, public authority, entity or other entity that independently or jointly with others determines the purposes and methods of personal data processing; under Art. 24 sec. 1 GDPR, the personal data controller - taking into account the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons of varying probability and seriousness - implements appropriate technical and organizational measures so that the processing takes place in accordance with the GDPR and to be able to demonstrate it; in line with this, the Company was the administrator of the personal data contained in this letter until the Notice was given to the Applicant; however, upon delivery of the termination notice, the Company ceased to be liable in relation to the personal data contained therein; at the time of delivery of the correspondence, the responsibility for its content rests with the addressee; At the same time, it cannot be considered that the Company - after providing the Termination issued under the provisions of the labor law, breached the obligation to properly protect personal data against unauthorized access; authorized representatives of the Company provided a letter containing personal data personally to the Applicant in the manner provided for in Art. 61 § 1 of the Act - Civil Code, in connection with with art. 300 of the Act - Labor Code; a declaration of will to be submitted to another person is submitted at the moment when it was reached in such a way that she could become familiar with its content; Therefore, it cannot be concluded that the Company has thus breached the obligations arising from the provisions of the personal data protection law, imposed on the personal data administrator, | |||
- administrative proceedings conducted by the President of the Personal Data Protection Office serve to control the compliance of data processing with the provisions on the protection of personal data and is aimed at issuing an administrative decision; these decisions serve to restore lawfulness, pursuant to Art. 58 sec. 2 lit. b GDPR, inter alia, by issuing a reminder to the administrator or processor in the event of a breach of the provisions of this Regulation by the processing operation; The company provided personal data in breach of the provisions on the protection of personal data; processing is currently not continuing; therefore - due to the right specified in Art. 58 sec. 2 lit. b GDPR - a reminder was given to the Company. | |||
In the complaint, the Company, represented by a professional attorney-at-law (case originally marked with reference number II SA / Wa 2325/19), alleged infringement of the provisions of: | |||
- proceedings that could have an impact on the outcome of the case: | |||
1912/5000 | |||
- Art. 7, in connection with with art. 77 § 1, art. 78 § 1 and 2 and article. 80 of the Code of Civil Procedure, by issuing a decision based on incomplete evidence and without a comprehensive assessment of the entire evidence material, as well as without conducting the evidence requested by the Company - from the testimony of a witness and a written statement on the course of the termination; this led to an erroneous determination that people present in the room where the service took place heard the words spoken to the Applicant about the termination of the employment contract; as a consequence, it was found that the Company violated Art. 5 sec. 1 lit. f GDPR - data integrity and confidentiality rules;<br />- Art. 107 § 3 of the Code of Civil Procedure by failing to indicate the evidence on which the determination was based that the persons present in the room where the Notice of Termination was delivered heard the words addressed to the Applicant regarding the termination of the employment contract<br />- Art. 8 § 1 and art. 11 of the Code of Civil Procedure, by failing to respond and omitting the statement of the Company's employee attached to the case files as well as statements and explanations of the Company; it showed that only the behavior of the Applicant - after informing him of the intention to terminate the employment contract - attracted the attention of people present in the room; thus, these persons could not hear the words spoken to the Applicant, which were considered to have provided personal data,<br />- substantive law which influenced the outcome of the case:<br />- Art. 4 point 1, in connection with with art. 2 clause 1 of the GDPR, by accepting that the information on the Termination itself - provided to the Applicant [...] August 2018 - without indicating the data identifying him - e.g. in the form of his first name, surname or other identifier, enabling the identification of the person or company name (Companies) - constituted personal data within the meaning of the GDPR; this led to the erroneous recognition that the Applicant's personal data had been made available, | |||
- Art. 4 point 2 of the GDPR, by mistakenly assuming that the mere disclosure of information about the termination of an employment contract to people staying at the place where this activity is performed - when it is not accompanied by the disclosure of the information that was already publicly disclosed on the Internet before [...] August 2018 r. - was a processing operation to which the provisions of the GDPR apply, | |||
- Art. 5 sec. 1 lit. c GDPR, in connection with with art. 61 § 1 of the Act - Code of Civil Procedure and Art. 300 of the Labor Code Act, by mistakenly assuming that: | |||
the authorized representative of the Company did not have to inform the Applicant what the letter was about, | |||
as a result of informing him about the letter provided to him - without simultaneously providing the Applicant's identification data (e.g. in the form of his first name, surname or other identifier or company name), the principle of data minimization was breached; | |||
- Art. 6 sec. 1 lit. c and f GDPR, by not applying and not accepting that - in the circumstances of the case - the possible provision of [...] August 2018 to persons staying in the deputy's office publicly available information about termination of the employment contract was necessary to fulfill the legal obligation incumbent on the Company ; it was the delivery of the Termination within the period provided for in Art. 52 § 2 of the Act - Labor Code and for purposes resulting from legitimate interests pursued by the Company, which was the termination of the employment contract with the Applicant. | |||
The above allegations were developed in the broad grounds of the complaint. It was emphasized, inter alia, that the activities of the Company's representatives [...] in August 2018, irrespective of the factual circumstances, could not lead to the disclosure of the Applicant's personal data within the meaning of the GDPR. The Applicant posted the information about the termination of the employment contract by the Company himself earlier - in the ICT network as publicly available. | |||
It was requested to revoke the contested decision and order the authority to reimburse the costs of court proceedings. | |||
In the complaint, the applicant alleged a breach of the law: | |||
- procedural - art. 7, 77 § 1 and article. 80 K.p.a .; he was seen in the non-exhaustive examination of the evidence gathered in the case and in his arbitrary and not free assessment, expressed in: | |||
- recognizing the Company's explanations as credible: | |||
as to four attempts to deliver the Termination via courier; this was to provide grounds for handing over the parcel in person by the Company's employees, in order to meet the deadlines for performing legal actions specified in the provisions - delivery of the Termination; meanwhile - in accordance with the provisions of the Act - Code of Civil Procedure - the submission of the letter to the Polish post office of the designated operator results in the act being performed on time; it is also customary to conduct such activities in employee matters by post; Therefore, there were no factual and legal grounds for delivering the letter by courier or in person via other employees who do not deliver the employer's correspondence on a daily basis; it was also possible to hand over the letter to the Applicant at the workplace; | |||
that [...] on August 2018, authorized representatives of the Company handed the Applicant the Termination notice in the waiting room of the deputy's office, the latter refused to accept the letter and its representatives - responding to the refusal - left it on the table next to the Applicant; meanwhile, from the statements of third parties - employees of the deputy's office in which the incident took place and the clients in this office (they are included in the case files) - it clearly follows that, e.g. the entire declaration of termination was read aloud with the disclosure of the grounds for the dismissal and the Applicant's personal data, the men who read the declaration did not introduce themselves, did not present the relevant authorizations, and after reading the termination letter, they were placed on one of the chairs in the office in a way that allows to read its contents outsiders (text face up); | |||
- groundless recognition that upon delivery of the Termination to the Applicant by the Company's representatives, it ceased to be responsible for the personal data contained in the letter and that it did not breach the obligation to properly protect personal data against unauthorized access; meanwhile, abandoning an unsecured letter on the chair in the deputies' office, despite the Applicant's express refusal to receive it, cannot be considered as any form of proper service; leaving a letter with the grounds for the dismissal and personal data of the Applicant unsecured, e.g. in an envelope, with text top, cannot be considered as proper securing and protection of personal data, | |||
- material: | |||
- Art. 58 sec. 2 lit. and in connection with with art. 83 of the GDPR, by not applying it and not imposing any administrative fine for violating the provisions of this regulation; the breach is evident, and the circumstances of the case - the type of data breached and the manner in which the breach took place and the entity that breached the provisions on the protection of personal data (the Company's legal advisor) - indicate grounds for impos<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ing a penalty in order to effectively prevent this type future events on the part of the Company; | |||
- Art. 98 sec. 1 of the Data Act, through its failure to apply and fa<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ilure to bring an action on behalf of the Applicant and on his behalf against the Company for claims for unlaw<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ful infringement of personal rights; meanwhile, the circumstances of the case and the assessment made by the authority clearly indicate the occurrence of violations of law on the part of the Company; this justifies bringing an action before a court. | |||
The above alleg<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ations were developed in support of the complaint. It was requested to revoke the contested decision in point 2, order the authority to reimburse the costs of court proceedings, and to admit and take evidence from the attached documents, for the circumstances indicated in the complaint. | |||
In replies to both complaints, the administration authority asked for their dismissal, maintaining the existing arguments. | |||
In an additional pleading (files 64-67, file no. II SA / Wa 2227/19), the Company argued with the Applicant's position as formulated in the complaint as to the actual circumstances of deliverin<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>g the Termination to him in the deputy's office. | |||
During the hearing (card 75), the Court joined the complaint of the Applicant (file number II SA / Wa 2227/19) and the Company (file number II SA / Wa 2325/19) for joint examination and settlement - pursuant to art. 111 § 2 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended). | |||
The court considered the following: | |||
The complaints deserve to be upheld, althou<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>gh not for the reasons raised in them. Court - in connection with Art. 134 § 1 of the Act - Law on Proceedings Before Ad<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ministrative Courts - is not bound by the charges and conclusi<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ons of the complaint. | |||
The allegations in the Company's complaint are correct when the authority's finding that in the case under examination there has been a disclosure of personal data within the m<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>eaning of the GDPR. However, the argument to confirm th<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>is thesis is wrong. | |||
When examining this case, the Court had the following formal and legal conditions in mind. | |||
Pursuant to Art. 1 clause 1 of the Data Act, its provisions apply to the protection of natural persons in connection with the processing of personal data to the extent specified in art. 2 and 3 GDPR, and - pursuant to art. 1 clause 2 points 4 and 5 of this Act - it defines, among others: the authority competent for the protection of personal data and the rules of the procedure in the case of infringement of provisions on the protection of personal data. | |||
This justifies the conclusion that the substantive legal framework, which is the property of the specialized body in question, is it according to Art. 60 of the Data Act, the President of the Personal Data Protection Office - exhaustively outline the provisi<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ons of the GDPR. | |||
The preamble to this act already shows that the general purpose of its establishment is to contribute to "the creation of an area of freedom, security and justice and economic union, to socio-economic progress, to the strengthening and convergence of economies in the internal market, as well as to the success of people. " (yes, item 2 sentence 2). On the other hand, in point 3 of the preamble - the nomenclature taken from the directive replaced by the GDPR was also used - it was indicated that the purpose of the regulation is "to harmonize the protection of fundamental rights and freedoms of natural persons in relation to processing activities and to ensure the free flow of personal data between Member States" and point 6 explicitly quotes the following reasons for adopting the regulation: "Rapid technological progress and globalization have brought new challenges in the field of personal da<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>ta protection. The scale of collecting and exchanging personal data has increased significantly. Thanks to technology, both private enterprises and public authorities can use personal data in their activities. Natural persons are increasingly making personal information available to the public and globally. Technology has changed the economy and social life and should continue to facilitate the free flow of personal data within the Union and their transfer to third countries and international organizations, and at the same time should ensure a high level of personal data protection. ". | |||
The goals of establishing a given regulation, as formulated by the legislator, justify the con<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>clusion that,<span class="tlid-translation-gender-indicator translation-gender-indicator"></span> in general, the GDPR is to contribute to better protection of personal data of citizens of European Union Member States. This regulation, however, does not constitute an act serving a full, framework regulation of the protection of rights in a given scope. It relates only to the data component that is subject to automatic processing or may be subject to such processing as a database of information about persons. | |||
Such conclusions will be directly confirmed by the normative content of the preliminary provisions of the GDPR. Pursuant to Art. 2 clause 1, this act applies only "to the processing of personal data in a fully or partially automated manner and to the non-automated processing of personal data which are part of a data set or are to be part of a data set". In turn - in relation to Art. 4 point 6 of the GDPR - a data set is "an ordered set of personal data available according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed". | |||
This means that the provisions of the GDPR do not apply to all personal data processing (disclosure is the form of processing - yes, Article 4 (3) of the GDPR), but only when it comes to those falling within the scope of a given regulation. This applies to data processed in a fully or partially automated manner, and the rest only if they constitute a collection or may be part of a data set. In turn, a potential set of data is only a set of data available according to specific criteria. This assessment is not changed by the fact that processing (including disclosure) may - pursuant to Art. 4 point 3 of the GDPR - occur automatically or otherwise. The wording of a given definition does not extend the scope of data subject to the provisions of the GDPR pursuant to Art. 2 clause 1 - when it comes to data processed in a manner other than automated, only those that constitute part of the data set or are to be part of the data set, within the meaning of art. 4 point 6 of the GDPR. | |||
A different understanding of the provisions of the GDPR would lead to conclusions that could not be attributed to a rational legislator - that a given regulation specifically regulates all the rules of personal data protection, to the extent where it may lead to, inter alia, for infringement of personal rights. Due to the fact that in the GDPR the competence to resolve cases on this basis was granted to specialized administrative bodies of the Member States (such as Article 58 (2) of the GDPR and Article 34 (2) and Article 60 of the Data Act, respectively), this would mean shaping alternative ways of protecting rights by all persons whose personal rights were breached, however disclosing their personal data in any way. | |||
In view of the above-mentioned conditions, it is justified to conclude that - in view of the articulated purposes of adopting the GDPR and the content of its preliminary regulations - this act applies to events related to the processing of information (collection, transfer, etc.), where it is possible to find information about people - their personal data - in particular as part of ICT systems. It does not apply to events related to the disclosure (and thus processing) of personal data in other situations - e.g. the use of the name and surname of a specific person when addressing him in a public place. Otherwise, also, for example, torts in the form of sending offensive words to a person named by name would be a case subject to examination by specialized administrative bodies under the procedures provided for in the GDPR. It is impossible to attribute to a rational legislator the intention to transfer this type of cases to administrative resolution. | |||
In the case under examination, its essential circumstances are beyond dispute, in that the subject of a complaint to a specialized authority were incidents in a public place (deputies' office). The difference between the parties, however, concerns the disclosure of personal data in the form of the Applicant's name and surname and information about the Termination regarding his person, and if so, whether it was legally permissible (in this context, also the issue of the circumstances of the unsuccessful delivery of the parcel by courier). | |||
In the case under examination, it is justified to state that the event in question was in no way related to the process of mechanical data processing or the use of data that could constitute a separate base as a set of information arranged according to certain criteria on the day of the event. | |||
If, according to the Applicant's claims, his name and surname were mentioned in the deputy's office and the fact that the Termination had been served on him, or if the document was left in a manner enabling the reading of its content to third parties, this clash may indeed constitute an infringement of his personal rights in terms of respect for privacy and data protection, related e.g. to professional life - if it actually happened and it was not justified by the circumstances of the case (the need to serve a letter, due to the adaptation of formal requirements). These issues are in fact in dispute between the parties. However, a specialized administrative body is not competent to deal with such a case. The processing of data in a given case (their possible disclosure) is not covered by the rules contained in the GDPR, which determine the framework of competence to settle cases under administrative procedure. The powers of the administration authority cannot be interpreted broadly in relation to the content of Art. 2 § 3 of the Act - Code of Civil Procedure. It follows that the competence of an administrative body must be indicated directly. With regard to the protection of personal rights within the meaning of Art. 23 and 24 of the Act - Civil Code - which include personal data - and common courts are competent. | |||
In this situation - in view of the indisputable facts, relevant in the context of assessing whether the administrative authority is competent to apply the measures provided for in the GDPR, in the light of the provisions of the Data Act - there were no grounds for a ruling on the merits. Therefore, the authority was also unable to exercise the powers specified in Art. 58 sec. 2 lit. and, in connection with with art. 83 GDPR or Art. 98 sec. 1 of the Data Act (see: Applicant's allegations). While adjudicating in the case, the authority violated the provision of substantive law which delineates its powers - Art. 58 sec. 2 lit. b GDPR - through its unjustified application, in relation to art. 2 clause 1, in connection with with ar<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>t. 4 point 6 of the Data Act. | |||
When issuing the judgment in the case, the Court had in mind that it was a decision to the detriment of the Applicant, who also lodged the complaint. The rule of art. 135 § 2 of the Act - Law on Proceedings Before Administrative Courts does not apply, however, when the act was challenged by two parties of conflicting interests, as in the case at hand. | |||
In view of the above-mentioned conditions, the issues raised in both complaints concerning the incorrect opinion of the parties regarding the circumstances of the delivery of the Termination, or whether its delivery resulted in the disclosure of personal data in view of the earlier dissemination of information on the Internet ( yes, the company's statement), and whether the disclosure of data was authorized under the applicable regulations (the need to communicate the employer's statement). The court also did not take evidence to establish the facts in a given scope (see: <span class="tlid-translation-gender-indicator translation-gender-indicator"></span>the Applicant's evidence motions). | |||
For the above-mentioned reasons, pursuant to Art. 145 § 1 point 1 lit. and of the Act - Law on proceedings before administrative courts, the ruling was as in item 1 of the ruling. The Court ruled on the reimbursement of the costs of the proceedings as in items 2 and 3 of the ruling. Pursuant to Art. 200 in connection with with art. 205 § 2 of the above Act and § 14 sec. 1 point 1 lit. c of the Ordinance of the Minister of Justice of October 22, 2015 on fees for the activities of legal advisers (Journal o<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>f Laws of 2018, item 265 as amended), the costs for the benefit of the Company include the remuneration of its attorney in the amount of PLN 480, entry court proceedings against a complaint in the amount of PLN 200 and PLN 17 due to stamp duty on the power of attorney. To the costs for the Appli<span class="tlid-translation-gender-indicator translation-gender-indicator"></span>cant - pursuant to art. 200 of the Act - Law on Proceedings Before Administrative Courts - court fees for the complaint in the amount of PLN 200 were included. | |||
When reconsidering the case, the administrative authority will take into account the legal assessment formulated in this justification. |
Revision as of 08:56, 3 November 2020
WSA Warsaw (Poland) - II SA/Wa 2227/19 | |
---|---|
Court: | WSA Warsaw (Poland) (Poland) |
Jurisdiction: | Poland |
Relevant Law: | Article 2(1) GDPR Article 4(6) GDPR |
Decided: | 15.09.2020 |
Published: | |
Parties: | |
National Case Number/Name: | II SA/Wa 2227/19 |
European Case Law Identifier: | |
Appeal from: | President of the Personal Data Protection Office |
Appeal to: | Unknown |
Original Language(s): | Polish |
Original Source: | Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish) |
Initial Contributor: | n/a |
The provincial administrative court decided that the public disclosure of the name and the content of the employment termination notice do not constitute disclosure within the meaning of the GDPR.
English Summary
Facts
The data subject's complaint concerned irregularities in the process of processing of his personal data by the company. They consisted in making his personal data available to unauthorised persons. It was alleged that the company's employees - in the presence of third parties located in the MP's office (public place) - read, using the applicant's personal data, the content of the statement on termination of the employment contract. The applicant indicated that - after refusing to accept the termination - representatives of the company left an unsecured letter containing the termination in the presence of persons in the MP's office; therefore, the applicant requested that all actions be taken to rectify the violations indicated. President of the Personal Data Protection Office has decided that the provision of personal data to the applicant in the above mentioned way was done in violation of the provisions of personal data protection Article 5 (1) (c) and (f) of the GDPR. Both parties filed a complaint against the President of the Personal Data Protection Office decision with the Provincial Administrative Court for Warsaw.
Dispute
The court considered whether the Polish DPA correctly applied Article 5(1)(c) and (f) of the GDPR and whether the GDPR provisions would be applied at all in the given situation.
Holding
The Provincial Administrative Court for Warsaw revoked the decision of the President of the Personal Data Protection Office. In its reasoning, the Court states that Article 2 (1) of the GDPR shall apply only "to the processing of personal data wholly or partly by automatic means and to the processing, other than by automatic means, of personal data which form part of a filing system or are intended to form part of a filing system". The Court stressed that under Article 4(6) of the GDPR, a data filing system is a structured set of personal data accessible according to specific criteria, whether that set is centralised, decentralised or dispersed on a functional or geographical basis. Thus, the court did not consider the name and surname and information contained in the notice of termination of the employment contract as a filing system within the meaning of the GDPR. The court therefore found that the provisions of the GDPR did not apply in the factual situation examined by it. When reconsidering the case, the administrative authority will take into account the legal assessment formulated in the justification of the Provincial Administrative Court for Warsaw.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
II SA / Wa 2227/19 - Judgment of the Provincial Administrative Court in Warsaw
Date of the judgment
2020-09-15 judgment not final
Date of receipt
2019-09-27
Court
Provincial Administrative Court in Warsaw
Judges
Agnieszka Góra-Błaszczykowska
Joanna Kruszewska-Grońska
Łukasz Krzycki / chairman rapporteur /
Symbol with description
647 Matters related to the protection of personal data
Thematic slogans
Personal data protection
The appealed authority
Inspector General for Personal Data Protection
Result content
The contested decision was annulled
Cited regulations
Journal of Laws 2018 item 1000 art. 1 clause 1, art. 1 clause 2, art. 34 sec. 2, art. 60, art. 98 sec. 1
Sentence
Provincial Administrative Court in Warsaw composed of the following composition: Chairman Judge of the Provincial Administrative Court Łukasz Krzycki (spokesman), Judge of the Provincial Administrative Court Agnieszka Góra-Błaszczykowska, Assessor of the Provincial Administrative Court Joanna Kruszewska-Grońska, Court reporter, clerk Joanna Mazur, after examination at the hearing on September 15, 2020. cases from the complaint of J. Sp. z o.o. based in G. and TJ on the decision of the President of the Personal Data Protection Office of [...] July 2019, No. [...], [...] on issuing a reminder for irregularities in the processing of personal data 1 ) repeals the contested decision; 2) awards the President of the Personal Data Protection Office to J. Sp. z o.o. based in G. the amount of PLN 697 (say: six hundred and ninety-seven zlotys) as reimbursement of the costs of the proceedings; 3) orders the President of the Personal Data Protection Office to pay T. J. the amount of PLN 200 (say: two hundred) as reimbursement of the costs of the proceedings.
Substantiation
By the contested act, against the complaint of Mr. T. J., hereinafter referred to as the "Applicant", about irregularities in the processing of his personal data by J. Sp. z o.o., hereinafter referred to as the "Company" - recalling art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended), hereinafter referred to as "K.p.a." and art. 5 sec. 1 lit. c and f, art. 6 sec. 1 and art. 58 sec. 2 lit. b of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (Official Journal of the European Union, L 119 of 4 May 2016), hereinafter referred to as "GDPR" - the Company was issued a reminder for irregularities in the processing of personal data, consisting in violation of art. 6 section 1, in connection with with art. 5 sec. 1 lit. c and f GDPR, by providing [...] August 2018 to persons in the waiting room of the deputy office with the Applicant's personal data in the scope of information about the termination of the employment contract without observing the notice period, hereinafter referred to as "Termination" (point 1 judgment). In the remaining scope, the conclusions of the complaint were refused (point 2 of the judgment).
The following factual and legal circumstances of the case were cited in the justification for the decision:
- the Applicant's complaint related to irregularities in the processing of his personal data by the Company; they consisted in disclosing his personal data to unauthorized persons; it was alleged that the employees of the Company - in the presence of third parties in the deputy's office (MP A.M.) - read the content of the Notice of Termination, using the Applicant's personal data; The Applicant indicated that - after his refusal to accept the Termination, the representatives of the Company left the letter containing the Termination unsecured, in the presence of persons residing in the deputy's office; therefore, the Applicant applied for all actions aimed at removing the indicated violations; he also asked the authority to consider initiating court proceedings against persons representing the Company for breach of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws, item 1000, as amended), hereinafter referred to as the "Data Act" ,
- in the course of the administrative procedure, the following facts were found:
- The applicant was employed by the Company from [...] January 2006 to [...] August 2018; he is the chairman of the Company Organization [...] "[...]" in the Company;
- The Company - via a courier - attempted four times to provide the Applicant with a Notice of Termination; he was exempt from the obligation to perform work while retaining the right to remuneration;
- [...] in August 2018, two authorized representatives of the Company handed the Termination to the Applicant in the waiting room of the deputies' office; he refused to accept the letter; Company representatives, responding to the refusal to accept the letter, left it on the table next to the Applicant;
- when handing over the letter, one of the Company's representatives told the Applicant that it was a Termination and was handed over to him because he did not receive letters from couriers;
- in the appeal against the Termination to the District Court it was indicated that [...] on August 2018, the Company's representatives personally handed the Applicant a letter of Termination,
- this case concerns data in the field of the so-called "ordinary data"; their processing is governed by Art. 6 sec. 1 GDPR; according to it, the processing of personal data is allowed only if one of the conditions indicated in this provision is met; catalog mentioned in art. 6 sec. 1 GDPR, the premises legalizing the processing of personal data is closed; each of them is autonomous and independent; the processing of personal data must also comply with the principles set out in Art. 5 sec. 1 GDPR; they include, among others data minimization (point c) as well as integrity and confidentiality (point f),
- one of the Company's representatives, when handing over the Notice of Termination to the Applicant, said that it was a notice of termination and was handed over to him because he did not receive letters from couriers; The company - when terminating the employment contract - breached the principle of integrity and confidentiality; the authorized representative of the Company made the Applicant's personal data available to unauthorized persons staying at the deputy's office at that time; providing information on what is contained in the letter handed to the Applicant in the presence of other persons would be lawful provided that they had the appropriate authorization - provided for in Art. 29 GDPR; according to the collected evidence, third parties - present in the deputy's office during the termination of the termination to the Applicant - did not have such authorization; the representative of the Company - when handing in the Notice of Termination - did not have to - in the presence of unauthorized persons - indicate what the letter submitted by him concerns, so that the Applicant could read its content,
- in accordance with the above, the provision of the Applicant's personal data in the manner indicated above took place in violation of the provisions on the protection of personal data (Article 5 (1) (c and f) of the GDPR),
- referring to the disclosure of the Applicant's personal data by the Company, by leaving the Termination in an unsecured manner, in the presence of persons staying in the deputy's office, it was indicated: in accordance with art. 4 sec. 7 GDPR, the data controller is a natural or legal person, public authority, entity or other entity that independently or jointly with others determines the purposes and methods of personal data processing; under Art. 24 sec. 1 GDPR, the personal data controller - taking into account the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons of varying probability and seriousness - implements appropriate technical and organizational measures so that the processing takes place in accordance with the GDPR and to be able to demonstrate it; in line with this, the Company was the administrator of the personal data contained in this letter until the Notice was given to the Applicant; however, upon delivery of the termination notice, the Company ceased to be liable in relation to the personal data contained therein; at the time of delivery of the correspondence, the responsibility for its content rests with the addressee; At the same time, it cannot be considered that the Company - after providing the Termination issued under the provisions of the labor law, breached the obligation to properly protect personal data against unauthorized access; authorized representatives of the Company provided a letter containing personal data personally to the Applicant in the manner provided for in Art. 61 § 1 of the Act - Civil Code, in connection with with art. 300 of the Act - Labor Code; a declaration of will to be submitted to another person is submitted at the moment when it was reached in such a way that she could become familiar with its content; Therefore, it cannot be concluded that the Company has thus breached the obligations arising from the provisions of the personal data protection law, imposed on the personal data administrator,
- administrative proceedings conducted by the President of the Personal Data Protection Office serve to control the compliance of data processing with the provisions on the protection of personal data and is aimed at issuing an administrative decision; these decisions serve to restore lawfulness, pursuant to Art. 58 sec. 2 lit. b GDPR, inter alia, by issuing a reminder to the administrator or processor in the event of a breach of the provisions of this Regulation by the processing operation; The company provided personal data in breach of the provisions on the protection of personal data; processing is currently not continuing; therefore - due to the right specified in Art. 58 sec. 2 lit. b GDPR - a reminder was given to the Company.
In the complaint, the Company, represented by a professional attorney-at-law (case originally marked with reference number II SA / Wa 2325/19), alleged infringement of the provisions of:
- proceedings that could have an impact on the outcome of the case:
1912/5000
- Art. 7, in connection with with art. 77 § 1, art. 78 § 1 and 2 and article. 80 of the Code of Civil Procedure, by issuing a decision based on incomplete evidence and without a comprehensive assessment of the entire evidence material, as well as without conducting the evidence requested by the Company - from the testimony of a witness and a written statement on the course of the termination; this led to an erroneous determination that people present in the room where the service took place heard the words spoken to the Applicant about the termination of the employment contract; as a consequence, it was found that the Company violated Art. 5 sec. 1 lit. f GDPR - data integrity and confidentiality rules;
- Art. 107 § 3 of the Code of Civil Procedure by failing to indicate the evidence on which the determination was based that the persons present in the room where the Notice of Termination was delivered heard the words addressed to the Applicant regarding the termination of the employment contract
- Art. 8 § 1 and art. 11 of the Code of Civil Procedure, by failing to respond and omitting the statement of the Company's employee attached to the case files as well as statements and explanations of the Company; it showed that only the behavior of the Applicant - after informing him of the intention to terminate the employment contract - attracted the attention of people present in the room; thus, these persons could not hear the words spoken to the Applicant, which were considered to have provided personal data,
- substantive law which influenced the outcome of the case:
- Art. 4 point 1, in connection with with art. 2 clause 1 of the GDPR, by accepting that the information on the Termination itself - provided to the Applicant [...] August 2018 - without indicating the data identifying him - e.g. in the form of his first name, surname or other identifier, enabling the identification of the person or company name (Companies) - constituted personal data within the meaning of the GDPR; this led to the erroneous recognition that the Applicant's personal data had been made available,
- Art. 4 point 2 of the GDPR, by mistakenly assuming that the mere disclosure of information about the termination of an employment contract to people staying at the place where this activity is performed - when it is not accompanied by the disclosure of the information that was already publicly disclosed on the Internet before [...] August 2018 r. - was a processing operation to which the provisions of the GDPR apply,
- Art. 5 sec. 1 lit. c GDPR, in connection with with art. 61 § 1 of the Act - Code of Civil Procedure and Art. 300 of the Labor Code Act, by mistakenly assuming that:
the authorized representative of the Company did not have to inform the Applicant what the letter was about,
as a result of informing him about the letter provided to him - without simultaneously providing the Applicant's identification data (e.g. in the form of his first name, surname or other identifier or company name), the principle of data minimization was breached;
- Art. 6 sec. 1 lit. c and f GDPR, by not applying and not accepting that - in the circumstances of the case - the possible provision of [...] August 2018 to persons staying in the deputy's office publicly available information about termination of the employment contract was necessary to fulfill the legal obligation incumbent on the Company ; it was the delivery of the Termination within the period provided for in Art. 52 § 2 of the Act - Labor Code and for purposes resulting from legitimate interests pursued by the Company, which was the termination of the employment contract with the Applicant.
The above allegations were developed in the broad grounds of the complaint. It was emphasized, inter alia, that the activities of the Company's representatives [...] in August 2018, irrespective of the factual circumstances, could not lead to the disclosure of the Applicant's personal data within the meaning of the GDPR. The Applicant posted the information about the termination of the employment contract by the Company himself earlier - in the ICT network as publicly available.
It was requested to revoke the contested decision and order the authority to reimburse the costs of court proceedings.
In the complaint, the applicant alleged a breach of the law:
- procedural - art. 7, 77 § 1 and article. 80 K.p.a .; he was seen in the non-exhaustive examination of the evidence gathered in the case and in his arbitrary and not free assessment, expressed in:
- recognizing the Company's explanations as credible:
as to four attempts to deliver the Termination via courier; this was to provide grounds for handing over the parcel in person by the Company's employees, in order to meet the deadlines for performing legal actions specified in the provisions - delivery of the Termination; meanwhile - in accordance with the provisions of the Act - Code of Civil Procedure - the submission of the letter to the Polish post office of the designated operator results in the act being performed on time; it is also customary to conduct such activities in employee matters by post; Therefore, there were no factual and legal grounds for delivering the letter by courier or in person via other employees who do not deliver the employer's correspondence on a daily basis; it was also possible to hand over the letter to the Applicant at the workplace;
that [...] on August 2018, authorized representatives of the Company handed the Applicant the Termination notice in the waiting room of the deputy's office, the latter refused to accept the letter and its representatives - responding to the refusal - left it on the table next to the Applicant; meanwhile, from the statements of third parties - employees of the deputy's office in which the incident took place and the clients in this office (they are included in the case files) - it clearly follows that, e.g. the entire declaration of termination was read aloud with the disclosure of the grounds for the dismissal and the Applicant's personal data, the men who read the declaration did not introduce themselves, did not present the relevant authorizations, and after reading the termination letter, they were placed on one of the chairs in the office in a way that allows to read its contents outsiders (text face up);
- groundless recognition that upon delivery of the Termination to the Applicant by the Company's representatives, it ceased to be responsible for the personal data contained in the letter and that it did not breach the obligation to properly protect personal data against unauthorized access; meanwhile, abandoning an unsecured letter on the chair in the deputies' office, despite the Applicant's express refusal to receive it, cannot be considered as any form of proper service; leaving a letter with the grounds for the dismissal and personal data of the Applicant unsecured, e.g. in an envelope, with text top, cannot be considered as proper securing and protection of personal data,
- material:
- Art. 58 sec. 2 lit. and in connection with with art. 83 of the GDPR, by not applying it and not imposing any administrative fine for violating the provisions of this regulation; the breach is evident, and the circumstances of the case - the type of data breached and the manner in which the breach took place and the entity that breached the provisions on the protection of personal data (the Company's legal advisor) - indicate grounds for imposing a penalty in order to effectively prevent this type future events on the part of the Company;
- Art. 98 sec. 1 of the Data Act, through its failure to apply and failure to bring an action on behalf of the Applicant and on his behalf against the Company for claims for unlawful infringement of personal rights; meanwhile, the circumstances of the case and the assessment made by the authority clearly indicate the occurrence of violations of law on the part of the Company; this justifies bringing an action before a court.
The above allegations were developed in support of the complaint. It was requested to revoke the contested decision in point 2, order the authority to reimburse the costs of court proceedings, and to admit and take evidence from the attached documents, for the circumstances indicated in the complaint.
In replies to both complaints, the administration authority asked for their dismissal, maintaining the existing arguments.
In an additional pleading (files 64-67, file no. II SA / Wa 2227/19), the Company argued with the Applicant's position as formulated in the complaint as to the actual circumstances of delivering the Termination to him in the deputy's office.
During the hearing (card 75), the Court joined the complaint of the Applicant (file number II SA / Wa 2227/19) and the Company (file number II SA / Wa 2325/19) for joint examination and settlement - pursuant to art. 111 § 2 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended).
The court considered the following:
The complaints deserve to be upheld, although not for the reasons raised in them. Court - in connection with Art. 134 § 1 of the Act - Law on Proceedings Before Administrative Courts - is not bound by the charges and conclusions of the complaint.
The allegations in the Company's complaint are correct when the authority's finding that in the case under examination there has been a disclosure of personal data within the meaning of the GDPR. However, the argument to confirm this thesis is wrong.
When examining this case, the Court had the following formal and legal conditions in mind.
Pursuant to Art. 1 clause 1 of the Data Act, its provisions apply to the protection of natural persons in connection with the processing of personal data to the extent specified in art. 2 and 3 GDPR, and - pursuant to art. 1 clause 2 points 4 and 5 of this Act - it defines, among others: the authority competent for the protection of personal data and the rules of the procedure in the case of infringement of provisions on the protection of personal data.
This justifies the conclusion that the substantive legal framework, which is the property of the specialized body in question, is it according to Art. 60 of the Data Act, the President of the Personal Data Protection Office - exhaustively outline the provisions of the GDPR.
The preamble to this act already shows that the general purpose of its establishment is to contribute to "the creation of an area of freedom, security and justice and economic union, to socio-economic progress, to the strengthening and convergence of economies in the internal market, as well as to the success of people. " (yes, item 2 sentence 2). On the other hand, in point 3 of the preamble - the nomenclature taken from the directive replaced by the GDPR was also used - it was indicated that the purpose of the regulation is "to harmonize the protection of fundamental rights and freedoms of natural persons in relation to processing activities and to ensure the free flow of personal data between Member States" and point 6 explicitly quotes the following reasons for adopting the regulation: "Rapid technological progress and globalization have brought new challenges in the field of personal data protection. The scale of collecting and exchanging personal data has increased significantly. Thanks to technology, both private enterprises and public authorities can use personal data in their activities. Natural persons are increasingly making personal information available to the public and globally. Technology has changed the economy and social life and should continue to facilitate the free flow of personal data within the Union and their transfer to third countries and international organizations, and at the same time should ensure a high level of personal data protection. ".
The goals of establishing a given regulation, as formulated by the legislator, justify the conclusion that, in general, the GDPR is to contribute to better protection of personal data of citizens of European Union Member States. This regulation, however, does not constitute an act serving a full, framework regulation of the protection of rights in a given scope. It relates only to the data component that is subject to automatic processing or may be subject to such processing as a database of information about persons.
Such conclusions will be directly confirmed by the normative content of the preliminary provisions of the GDPR. Pursuant to Art. 2 clause 1, this act applies only "to the processing of personal data in a fully or partially automated manner and to the non-automated processing of personal data which are part of a data set or are to be part of a data set". In turn - in relation to Art. 4 point 6 of the GDPR - a data set is "an ordered set of personal data available according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed".
This means that the provisions of the GDPR do not apply to all personal data processing (disclosure is the form of processing - yes, Article 4 (3) of the GDPR), but only when it comes to those falling within the scope of a given regulation. This applies to data processed in a fully or partially automated manner, and the rest only if they constitute a collection or may be part of a data set. In turn, a potential set of data is only a set of data available according to specific criteria. This assessment is not changed by the fact that processing (including disclosure) may - pursuant to Art. 4 point 3 of the GDPR - occur automatically or otherwise. The wording of a given definition does not extend the scope of data subject to the provisions of the GDPR pursuant to Art. 2 clause 1 - when it comes to data processed in a manner other than automated, only those that constitute part of the data set or are to be part of the data set, within the meaning of art. 4 point 6 of the GDPR.
A different understanding of the provisions of the GDPR would lead to conclusions that could not be attributed to a rational legislator - that a given regulation specifically regulates all the rules of personal data protection, to the extent where it may lead to, inter alia, for infringement of personal rights. Due to the fact that in the GDPR the competence to resolve cases on this basis was granted to specialized administrative bodies of the Member States (such as Article 58 (2) of the GDPR and Article 34 (2) and Article 60 of the Data Act, respectively), this would mean shaping alternative ways of protecting rights by all persons whose personal rights were breached, however disclosing their personal data in any way.
In view of the above-mentioned conditions, it is justified to conclude that - in view of the articulated purposes of adopting the GDPR and the content of its preliminary regulations - this act applies to events related to the processing of information (collection, transfer, etc.), where it is possible to find information about people - their personal data - in particular as part of ICT systems. It does not apply to events related to the disclosure (and thus processing) of personal data in other situations - e.g. the use of the name and surname of a specific person when addressing him in a public place. Otherwise, also, for example, torts in the form of sending offensive words to a person named by name would be a case subject to examination by specialized administrative bodies under the procedures provided for in the GDPR. It is impossible to attribute to a rational legislator the intention to transfer this type of cases to administrative resolution.
In the case under examination, its essential circumstances are beyond dispute, in that the subject of a complaint to a specialized authority were incidents in a public place (deputies' office). The difference between the parties, however, concerns the disclosure of personal data in the form of the Applicant's name and surname and information about the Termination regarding his person, and if so, whether it was legally permissible (in this context, also the issue of the circumstances of the unsuccessful delivery of the parcel by courier).
In the case under examination, it is justified to state that the event in question was in no way related to the process of mechanical data processing or the use of data that could constitute a separate base as a set of information arranged according to certain criteria on the day of the event.
If, according to the Applicant's claims, his name and surname were mentioned in the deputy's office and the fact that the Termination had been served on him, or if the document was left in a manner enabling the reading of its content to third parties, this clash may indeed constitute an infringement of his personal rights in terms of respect for privacy and data protection, related e.g. to professional life - if it actually happened and it was not justified by the circumstances of the case (the need to serve a letter, due to the adaptation of formal requirements). These issues are in fact in dispute between the parties. However, a specialized administrative body is not competent to deal with such a case. The processing of data in a given case (their possible disclosure) is not covered by the rules contained in the GDPR, which determine the framework of competence to settle cases under administrative procedure. The powers of the administration authority cannot be interpreted broadly in relation to the content of Art. 2 § 3 of the Act - Code of Civil Procedure. It follows that the competence of an administrative body must be indicated directly. With regard to the protection of personal rights within the meaning of Art. 23 and 24 of the Act - Civil Code - which include personal data - and common courts are competent.
In this situation - in view of the indisputable facts, relevant in the context of assessing whether the administrative authority is competent to apply the measures provided for in the GDPR, in the light of the provisions of the Data Act - there were no grounds for a ruling on the merits. Therefore, the authority was also unable to exercise the powers specified in Art. 58 sec. 2 lit. and, in connection with with art. 83 GDPR or Art. 98 sec. 1 of the Data Act (see: Applicant's allegations). While adjudicating in the case, the authority violated the provision of substantive law which delineates its powers - Art. 58 sec. 2 lit. b GDPR - through its unjustified application, in relation to art. 2 clause 1, in connection with with art. 4 point 6 of the Data Act.
When issuing the judgment in the case, the Court had in mind that it was a decision to the detriment of the Applicant, who also lodged the complaint. The rule of art. 135 § 2 of the Act - Law on Proceedings Before Administrative Courts does not apply, however, when the act was challenged by two parties of conflicting interests, as in the case at hand.
In view of the above-mentioned conditions, the issues raised in both complaints concerning the incorrect opinion of the parties regarding the circumstances of the delivery of the Termination, or whether its delivery resulted in the disclosure of personal data in view of the earlier dissemination of information on the Internet ( yes, the company's statement), and whether the disclosure of data was authorized under the applicable regulations (the need to communicate the employer's statement). The court also did not take evidence to establish the facts in a given scope (see: the Applicant's evidence motions).
For the above-mentioned reasons, pursuant to Art. 145 § 1 point 1 lit. and of the Act - Law on proceedings before administrative courts, the ruling was as in item 1 of the ruling. The Court ruled on the reimbursement of the costs of the proceedings as in items 2 and 3 of the ruling. Pursuant to Art. 200 in connection with with art. 205 § 2 of the above Act and § 14 sec. 1 point 1 lit. c of the Ordinance of the Minister of Justice of October 22, 2015 on fees for the activities of legal advisers (Journal of Laws of 2018, item 265 as amended), the costs for the benefit of the Company include the remuneration of its attorney in the amount of PLN 480, entry court proceedings against a complaint in the amount of PLN 200 and PLN 17 due to stamp duty on the power of attorney. To the costs for the Applicant - pursuant to art. 200 of the Act - Law on Proceedings Before Administrative Courts - court fees for the complaint in the amount of PLN 200 were included.
When reconsidering the case, the administrative authority will take into account the legal assessment formulated in this justification.