WSA Warszawa - II SA/Wa 2826/19

From GDPRhub
Revision as of 08:03, 4 November 2020 by ARapcewicz (talk | contribs)
WSA Warszawa - II SA/Wa 2826/19
Courts logo1.png
Court: WSA Warszawa (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 24 GDPR
Article 30(1)(d) GDPR
Article 30(1)(f) GDPR
Article 32(1)(b) GDPR
Article 32(1)(c) GDPR
Decided: 26.08.2020
Published:
Parties:
National Case Number/Name: II SA/Wa 2826/19
European Case Law Identifier:
Appeal from: UODO
[[[1]] ZSPU.421.3.2019]
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Provincial Administrative Court in Warsaw found that the fine of PLN 40 000 imposed by the UODO on the Mayor of Aleksandrów Kujawski is correct and agreed that the Mayor commited violations of personal data protection regulations found by the UODO (see: UODO - ZSPU.421.3.2019).

English Summary

Facts

On 18.10.2019 the Polish DPA - UODO imposed a fine of PLN 40,000 on the Mayor of Aleksandrów Kujawski. UODO found that the Mayor violated: 1. Article 5(1)(a) and Article 5(1)(f) in connection with Article 5(2) by making personal data available to certain entities without a legal basis (without agreements on entrusting personal data); 2. Article 5(1)(e) in connection with Article 5(2), i.e. the principle of storage limitation and Article 24 GDPR through the lack of appropriate policies concerning the processing of personal data in the BIP (Biuletyn Informacji Publicznej); 3. Article 5(1)(f) in conjunction with Article 5(2), i.e. the principles of integrity and confidentiality, the principle of accountability, and Article 24 GDPR by failing to carry out a risk analysis of the Mayor's use of the YouTube channel for the transmission of the recordings of the deliberations of City Council; 4. [Article 5 GDPR#1f|Article 5(1)(f)]] in conjunction with Article 5(2), i.e. the principles of integrity and confidentiality, and Article 32 GDPR by failing to implement appropriate technical and organisational measures to safeguard the data of natural persons in connection with the storage of the recordings of the sessions of the City Council exclusively on the YouTube servers, without making and backing up those recordings in the own resources of the City Council; 5. Article 5(2), i.e. the principle of accountability and Article 30(1)(d) and Article 30(1)(f) by not indicating in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the Municipal Council , all recipients of data and not indicating for these processing activities the planned date of data deletion in a manner ensuring data processing in accordance with the principle of limited storage.

Apart from imposing a fine, UODO ordered the Mayor to: 1. stop providing personal data without a legal basis, 2. implement policies defining data processing periods and ensuring compliance with data deletion deadlines, 3. carry out a risk analysis in connection with the publication of recordings of city council sessions and to implement appropriate organisational and technical measures in connection with the processing of personal data on the YouTube channel, 4. implement appropriate organisational and technical measures aimed at securing the data of natural persons coming from the recordings of city council sessions by ensuring the availability of backup copies, 5. include in the register of personal data processing activities, for the processing activities connected with the maintenance of BIP, information: about all data recipients to whom the data have been or will be disclosed and about the planned dates of data deletion.

The Mayor has lodged a complaint against the decision with the administrative court.


Dispute

Holding

The Provincial Administrative Court dismissed the complaint against the UODO's decision and agreed with the DPA on the infringements committed by the Mayor. It also considered that the fine imposed by the UODO was correct.

Comment

The Provincial Administrative Court did not find that the President of UODO, by issuing the decision, infringed substantive law to the extent that it affected the outcome of the case, or the provisions of the administrative procedure to the extent that it could have a significant impact on the outcome of the case.

The Mayor claimed, that the GDPR is not applicable in the present case and therefore it was not justified to impose a fine. The Court found that this allegation is unfounded and would result in the practical application of the rules of the GDPR being limited to a very narrow scope of Union law, which is absurd.

In the Court's view, the applicant, as a data controller, has not demonstrated that he complies with all the rules on the processing of personal data. The Court entirely shared the UODO's assessment of individual breaches of substantive law by the Mayor, i.e.: 1. the principles of lawfulness, fairness and transparency, integrity and confidentiality of data, because the Mayor has not previously concluded any agreements on the entrustment of personal data with the entities to which he disclosed personal data; 2. the principles of storage limitation and Article 24 GDPR through the absence of appropriate policies regarding the processing of personal data in the BIP of the Municipality in terms of their timeliness and purpose of publication and specifying the deadlines for the deletion of personal data; 3. the principles of integrity and confidentiality, the principles of accountability, and Article 24 GDPR (by failing to carry out a risk analysis of the Mayor's use of the YouTube channel for the transmission of recordings of the City Council's sessions); 4. the provisions of Article 32(1)(b) and Article 32(1)(c) - the controller has not provided the opportunity to restore the availability of personal data and, as a result, will not be able to ensure the confidentiality, integrity, availability and resilience of the processing systems and services; 5. the principles of accountability and Article 30(1)(d) and Article 30(1)(f)(by not indicating in the register of personal data processing activities, for activities related to the publication of information on the website of the BIP of the Municipality, all recipients of data and not indicating for these processing activities the planned date of data deletion in a manner ensuring data processing in accordance with the principle of limited storage).

The Court assessed that the fine of PLN 40,000 is adequate, proportionate and imposed in a correct manner. The UODO has duly justified the level of the penalty, taking into account the very long duration of the infringements, their intentional nature, the high degree of responsibility of the controller and his lack of cooperation with the authority after the initiation of proceedings.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><HEAD><META NAME="ROBOTS" CONTENT="NOARCHIVE"><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><META name="GENERATOR" content="IBM Software Development Platform"><META http-equiv="Content-Style-Type" content="text/css"><META name="Description"
	content="647 Matters related to the protection of personal data, the Inspector General for Personal Data Protection, The complaint was dismissed, II SA / Wa 2826/19 - Judgment of the Provincial Administrative Court in Warsaw of 2020-08-26, Central Base of Rulings of the Supreme (Supreme Administrative Court) and Provincial Courts (WSA) Administrative, Jurisprudence of the Supreme Administrative Court and the Provincial Administrative Court"><LINK rel="shortcut icon" href="/img/favicon.ico"><TITLE>II SA / Wa 2826/19 - Judgment of the Provincial Administrative Court in Warsaw of 2020-08-26</TITLE><LINK href="/css/Master3.css" rel="stylesheet" type="text/css"><LINK href="/css/info.css" rel="stylesheet" type="text/css"><LINK href="/css/opcje.css" rel="stylesheet" type="text/css"><LINK href="/css/orzeczenia2.css" rel="stylesheet" type="text/css"><LINK href="/css/printing.css" rel="stylesheet" type="text/css"
	media="print"><style type="text/css">
.lista-label,.info-list-label,.info-list-value,.noborder-tab {
	background-color: #f4f4f4;
}

.info-list-label-uzasadnienie .lista-label {
	background-color: #fff;
}

#warunek {
	display: inline;
}

.war_header {
	font-size: 120%;
	font-weight: bold;
	padding-right: 10px;
}
</style></HEAD><BODY><div class="tac"><div class="tal"><div class="tab"><TABLE id="header"><TBODY><TR><TD id="logo"><IMG src="/img/logo.gif" /></TD><TD id="desc"><H1 class="naglowek" title="CBO search form"><a href="/cbo/query">Central Database of Rulings of Administrative Courts</a></H1><table id="q-link"><tr><td> <span class="h-oper">Details of the judgment</span></td></tr></table></TD></TR></TBODY></TABLE><!-- Informacja o znalezionych dokumentach i dodatkowe linki -----------------------------------------><table class="top-linki"><tr><td></td><td align="right"> <a class="navl" href="javascript:window.print();">print</a> <a class="navl" rel="noindex,nofollow" href="/doc/1156394101.rtf">save</a> <a href="/cbo/find?p=1"><span class="navl">Back to list</span></a></td></tr></table><div id="opcje"><!-- System wewnętrzny - Ustawienia użytkownika --><!-- System publiczny - Informacje wykorzystywane przez google --><p style="font-weight: bold;"> 647 Matters related to the protection of personal data, the Inspector General for Personal Data Protection, The complaint was dismissed, II SA / Wa 2826/19 - Judgment of the Provincial Administrative Court in Warsaw of 2020-08-26, Central Base of Rulings of the Supreme (Supreme Administrative Court) and Provincial Courts (WSA) Administrative, Jurisprudence of the Supreme Administrative Court and the Provincial Administrative Court</p></div><div id="res-div" class="res-div-list"><!--  Nagłówek orzeczenia sygnatura i rodzaj orzeczenia ----------------------------------------------------------><div id="warunek"><p> <span class="war_header">II SA / Wa 2826/19 - Judgment of the Provincial Administrative Court in Warsaw</span></p></div><!-- Informacje o szczegółach orzeczenia -----------------------------------------------------------------------><table id="tab_wa556494-632104" class="info-list pb-none"
	cellspacing="1" cellpadding="0"><tr class="niezaznaczona"><td class="info-list-label"><table class="noborder-tab"><tr><td class="lista-label"> Date of the judgment</td></tr></table></td><td class="info-list-value"><table cellspacing=0 cellpadding=0 style="width: 100%"><tr><td> 2020-08-26</td><td
									style="width: 50%; text-align: right; padding-right: 5px; font-style: italic;"> invalid judgment</td></tr></table></td></tr><tr class="niezaznaczona"><td class="info-list-label"><table class="noborder-tab"><tr><td class="lista-label"> Date of receipt</td></tr></table></td><td class="info-list-value"> 2019-12-24</td></tr><tr class="niezaznaczona"><td class="info-list-label"><table class="noborder-tab"><tr><td class="lista-label"> Court</td></tr></table></td><td class="info-list-value"> Provincial Administrative Court in Warsaw</td></tr><tr class="niezaznaczona"><td class="info-list-label"><table class="noborder-tab"><tr><td class="lista-label"> Judges</td></tr></table></td><td class="info-list-value"> Agnieszka Góra-Błaszczykowska / rapporteur /<br/> Andrzej Kołodziej / chairman /<br/> Joanna Kube</td></tr><tr class="niezaznaczona"><td class="info-list-label"><table class="noborder-tab"><tr><td class="lista-label"> Symbol with description</td></tr></table></td><td class="info-list-value"> 647 Matters related to the protection of personal data</td></tr><tr class="niezaznaczona"><td class="info-list-label"><table class="noborder-tab"><tr><td class="lista-label"> The appealed authority</td></tr></table></td><td class="info-list-value"> Inspector General for Personal Data Protection</td></tr><tr class="niezaznaczona"><td class="info-list-label"><table class="noborder-tab"><tr><td class="lista-label"> Result content</td></tr></table></td><td class="info-list-value"> The complaint was dismissed</td></tr><tr class="niezaznaczona"><td class="info-list-label-uzasadnienie" colspan="2"><div class="lista-label"> Sentence</div><P> Provincial Administrative Court in Warsaw composed of the following composition: Chairman Judge of the Provincial Administrative Court Andrzej Kołodziej, Judge of the Provincial Administrative Court Agnieszka Góra-Błaszczykowska (spokesman), Judge of the Provincial Administrative Court Joanna Kube, Court reporter, court secretary Marcin Rusinowicz-Borkowski after the case was examined at the hearing on August 26, 2020. from the complaint of the Mayor A. against the decision of the President of the Personal Data Protection Office of [...] October 2019 no. [...] regarding the processing of personal data, dismisses the complaint</td></tr><tr class="niezaznaczona"><td class="info-list-label-uzasadnienie" colspan="2"><div class="lista-label"> Substantiation</div><P> The subject of the examination in this case was the complaint of the Mayor A. against the decision of the President of the Personal Data Protection Office, mark [...] of [...] October 2019, regarding the processing of personal data.</P><P> The complaint was submitted in the following facts of the case:</P><P> From [...] January to [...] February 2019, the inspectors authorized by the President of the Personal Data Protection Office (hereinafter referred to as: PUODO, authority) conducted an inspection at the Mayor A. (hereinafter referred to as: Mayor, complainants) compliance of the processing of personal data with the provisions on the protection of personal data, i.e. with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of May 4, 2016, p. 1 and Journal of Laws UE L 127 of May 23, 2018, p. 2, hereinafter: Regulation 2016/679) and the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781, hereinafter: the Personal Data Protection Act). The scope of the control covered the method of processing personal data by the Mayor as part of the process of sending correspondence and keeping the Public Information Bulletin (BIP), as well as the method of keeping a register of processing activities and documenting violations of personal data protection.</P><P> In the course of the inspection, oral explanations were collected from the employees of the Municipal Office in A. and the IT systems used to process personal data and the BIP website were inspected. The actual state of affairs was described in detail in the inspection report, which was signed by the Mayor. On the basis of the evidence collected in this way, it was found that in the process of processing personal data, the Mayor, as the administrator, violated the provisions on the protection of personal data. These shortcomings consisted in: 1) providing personal data to [...] Sp. z o. o. with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K. without legal basis, ie without prior conclusion with the above-mentioned subjects of the personal data processing agreement referred to in art. 28 sec. 3 of Regulation 2016/679, in connection with the running of the BIP website of the Municipal Office in A. 2) the lack of internal procedures regarding the review of resources published in BIP in terms of ensuring data processing in accordance with the principle of limited storage, as a result of which on the BIP website of the Municipal Office in A. documents containing personal data are published for a longer period than required by law;</P><P> 3) failure to implement appropriate technical and organizational measures to protect the rights or freedoms of natural persons in connection with the storage of session recordings only on YouTube servers, without making copies of the sessions of the City Council A., which are in the office's own resources; 4) failure to conduct a risk analysis in connection with the Mayor's use of the YouTube channel in order to fulfill the legal obligation resulting from art. 8 sec. 2 of the Act of September 6, 2001 on access to information</P><P> public (Journal of Laws of 2019, item 1429, hereinafter: udip); 5) failure to indicate in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the Municipal Office in A., all recipients of data and failure to indicate for these processing activities the planned date of data deletion in a manner ensuring data processing in accordance with the principle of limited storage.</P><P> On [...] June 2019, the President of the Office for Personal Data Protection initiated ex officio administrative proceedings in order to clarify the circumstances of the case.</P><P> In response to the notification of the initiation of administrative proceedings, the Mayor, in a letter of [...] June 2019, informed the authority that, in the scope of deficiencies regarding the period of publication of documents in the Public Information Bulletin, he submitted a request to the Minister of Digitization for the interpretation of the provisions of the Act on access to public information and requested to suspend the proceedings until receipt of the above-mentioned interpretation. He pointed out that the Act on Access to Public Information clearly shows that disclosure of data concerns people in power, and not those who exercised power. Therefore, property declarations may be made available in BIP only for councilors exercising power for a period of 5 years, and therefore during the term of office, and after this period they should be removed from the BIP and stored in paper form for a period of 6 years in relation to the dates from the date of their submission and made available upon request in accordance with the principle of openness.</P><P> By the decision mark [...] of [...] October 2019, PUODO, acting pursuant to Art. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended, hereinafter referred to as the Code of Administrative Procedure), Art. 7 sec. 1, art. 60, art. 102 paragraph 1 point 1 of the Personal Data Protection Act and art. 57 sec. 1 lit. a), art. 58 sec. 2 lit. d) and i) in connection with with art. 5 sec. 1 lit. a), e) and f) and par. 2, art. 24 sec. 1 and 2, art. 28, art. 30 sec. 1 lit. d) and f) and Art. 32, as well as art. 83 sec. 1 - 3 of Regulation 2016/679, stated that the Mayor had violated the following provisions:</P><P> a) Art. 5 sec. 1 lit. a) and f) in connection with with art. 5 sec. 2 of the Regulation 2016/679, i.e. the principles of legal compliance and confidentiality, and art. 28 sec. 3 of Regulation 2016/679 by providing personal data to [...] Sp. z o. o with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K. without legal basis, i.e. without prior conclusion with the above-mentioned subjects of personal data entrustment contracts referred to in art. 28 sec. 3 of Regulation 2016/679, in connection with the running of the BIP website of the Municipal Office in A.,</P><P> b) art. 5 sec. 1 lit. e) in connection with Art. 5 sec. 2, i.e. the rules for limiting storage and art. 24 of Regulation 2016/679 due to the lack of appropriate policies regarding the processing of personal data at the BIP of the Municipal Office in A. in terms of their timeliness and purposefulness of publication and specifying deadlines for deleting personal data,</P><P> c) Art. 5 sec. 1 lit. f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality, the principles of correctness, and art. 24 of Regulation 2016/679 by failing to conduct a risk analysis related to the use by the Mayor of the YouTube channel to transmit recordings of the sessions of the City Council A.,</P><P> d) Art. 5 sec. 1 lit. f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality, and art. 32 of Regulation 2016/679 by failure to implement appropriate technical and organizational measures to secure the data of natural persons in connection with the storage of recordings of the City Council sessions A. only on YouTube servers, without making and storing backup copies of these recordings in the own resources of the City Hall in A. ,</P><P> e) Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of accountability and art. 30 sec. 1 lit. d) and f) of Regulation 2016/679 by not indicating in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the City Hall in A., all recipients of data and failure to indicate for these processing activities the planned date of data deletion in a manner ensuring processing data in accordance with the principle of limited storage,</P><P> and ordered the Mayor to adjust the processing of personal data to the provisions of Regulation 2016/679, within 60 days from the date on which this decision becomes final, by:</P><P> 1) ceasing to provide personal data to [...] Sp. z o. o. with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K., without any legal basis, i.e. without the prior conclusion of personal data entrustment agreements with the above entities referred to in art. 28 sec. 3 of Regulation 2016/679, in connection with the running of the BIP website of the Municipal Office in A.,</P><P> 2) implementation of policies: - defining the periods of data processing at the BIP of the Municipal Office in A. in accordance with the law or necessary to achieve the purposes for which the data is processed, - ensuring compliance with the deadlines for data deletion,</P><P> 3) conducting a risk analysis in connection with the publication of recordings of the city council sessions and implementation of appropriate organizational and technical measures in connection with the processing of personal data on the YouTube channel in connection with the transmission of recordings of the city council sessions and the storage of recordings on YouTube servers,</P><P> 4) implementation of appropriate organizational and technical measures aimed at securing the data of natural persons from the recordings of the sessions of the City Council of A. by ensuring the availability of backups in the own resources of the City Hall in A.,</P><P> 5) inclusion in the register of personal data processing activities, for processing activities related to the keeping of BIP, information: a) about all data recipients to whom the data has been or will be disclosed, in accordance with art. 30 sec. 1 letter d) of Regulation 2016/679, b) about the planned dates of data deletion, in accordance with art. 30 (1) (f) of Regulation 2016/679.</P><P> for violation of the provisions of Art. 5 sec. 1 lit. a), e) and f), Art. 5 sec. 2, art. 28, art. 30 sec. 1 letter d) and f) and Art. 32 of Regulation 2016/679 imposed a fine on the Mayor in the amount of PLN 40,000.</P><P> In the justification of the decision taken, the authority indicated that the Mayor as the administrator of personal data is obliged to implement appropriate organizational and technical measures that will ensure that personal data will be processed in accordance with the law, factually correct, adequate for the purpose of obtaining and properly secured so that their processing does not violated the rights and freedoms of natural persons. It is also important that the administrator processes personal data only for the time necessary to achieve the purposes of obtaining data or for the time resulting from generally applicable provisions of law. In the absence of provisions regulating processing time, the controller should define the procedures governing the moment when data deemed unnecessary are deleted by him.</P><P> The inspection carried out in the case showed that the Mayor did not conclude data processing agreements with entities participating in the processing under BIP. The BIP resources of the Municipal Office in A. are located on the server of an external entity, located in [...] in T., which provides technical parameters for the maintenance of the BIP website of entities covered by the contract, including the Municipal Office in A., on the basis of a lease contract concluded between the Voivodship [...] and [...] Sp. z oo with its seat in T .. During the inspection, contract No. [...] of [...] July 2016, valid from [...] January to [...] December 2017, was presented. , Annex No. [...] of [...] March 2018 to contract No. [...] for the period from [...] January to [...] December 2018. The current contract was not presented between the Voivodship [...] and [...] Sp. z o. o. with its seat in T .. The presented contract and the annex no. [...] did not contain provisions regarding the processing of personal data in connection with the use of the server of an external entity by the City Hall in A.</P><P> During the inspection, it was found that in connection with the provision of software for the creation of the regional BIP, on [...] January 2015, an agreement was concluded between the Voivodship [...] and the consortium of entities: [...] SA with its seat in G. and [...] SA with its registered office in K .. The concluded contract does not include provisions regarding the protection of personal data, nor has there been an agreement on entrusting the processing of personal data related to the provision of maintenance services to the Municipal Office in A ..</P><P> In the course of the inspection, no contract between the Voivodship [...] and the Mayor was presented, no other legal instrument was shown which would indicate that the provision of the server and the provision of software for the creation of the regional BIP is carried out by the Voivodship [...] for the Municipal Office in A ..</P><P> PUODO found that the Mayor, in connection with the use of the server of an external entity, ie [...] Sp. z o. o. with its seat in T., where the BIP resources of the Municipal Office in A. are located and from the services of an external entity in the field of servicing the BIP website, i.e. a consortium of entities: [...] SA based in G. and [. ..] SA with its seat in K., has not entered into an agreement to entrust the processing of personal data with these entities, and thus breached Art. 28 sec. 3 of Regulation 2016/679.</P><P> If personal data is made available without a legal basis (without a previously concluded processing agreement), the principle of compliance with the law (Article 5 (1) (a) of the Regulation 2016/679) and the principle of confidentiality (Article 5 (1) (a)) are violated. f) Regulation 2016/679). The mayor did not comply with the above rules by commissioning the BIP with the above-mentioned entities without the prior conclusion of data entrustment agreements. Thus, it allowed for the lack of control over the correctness of the data processing process contained in the BIP and did not prove that it takes place in compliance with the requirements resulting from the provisions of the General Data Protection Regulation. In this respect, the mayor also violated the principle of accountability resulting from Art. 5 sec. 2 of Regulation 2016/679.</P><P> The authority further explained that in BIP of the Municipal Office in A. public information is made available on the basis of the obligation incumbent on the Mayor in this respect, resulting from Art. 8 sec. 2 udip The provisions of the Act on access to public information, as well as the provisions of the Regulation of the Minister of Internal Affairs and Administration of 18 January 2007 on the Public Information Bulletin (Journal of Laws of 2007, No. 10, item 68, hereinafter: the Regulation BIP), do not specify the period of providing information in the BIP, both the minimum and the maximum. However, the lack of periods for the processing of disclosed information (containing personal data) specified by law does not mean that such information can be processed indefinitely. Therefore, the administrator, in accordance with the principle of limited storage, resulting from art. 5 sec. 1 lit. e) of Regulation 2016/679, should in this respect be guided by the provisions resulting from other legal acts, which indicate the time during which personal data may be processed, and in cases where the law does not regulate the data retention period, after conducting analyzes, specify this period so that data processing is consistent with the purposes for which it was obtained. The principle of limiting the provision of personal data in time in BIP means that even if certain data correspond to the purpose for which they are collected, they should not be processed, including made available to other entities, without any time limitation. The timing of the processing should be the achievement of the purpose.</P><P> As a result of the inspection of the BIP website of the Municipal Office in A., it was found in particular that the documents posted there include documents containing personal data, i.e. property declarations and information on the results of recruitment for vacant positions. The oldest information concerns the recruitment conducted in 2012 and includes information on selected candidates in the scope of: name and surname and place of residence (i.e. the place where the person is staying with the intention of permanent residence). The oldest property declarations on the BIP website of the Municipal Office in A. concern 2010. Pursuant to Art. 24i of the Act of March 8, 1990 on the local government (Journal of Laws of 2019, item 506, hereinafter referred to as: the usg), the information contained in the property declarations of councilors is public, with the exception of the address of residence of the person submitting the declaration and about the location of the property. According to Art. 24h paragraph 6 of the Act, the declaration of assets is kept for 6 years. These provisions determine the lawfulness of processing, both in terms of collecting and publishing personal data contained in asset declarations. The publication of recruitment notices is governed by Art. 13 sec. 1 of the Act of November 21, 2008 on local government employees (Journal of Laws of 2019, item 1282, hereinafter referred to as: ups), according to which the announcement about a vacant clerical position, including a managerial clerical position, and the recruitment of candidates this position is placed in the BIP. Based on Article. 15 sec. 1 ups, immediately after the recruitment, information about the result of the recruitment is disseminated by placing on the information board in the unit where the recruitment was carried out, and published in the BIP for a period of at least three months. Thus, the legislator indicated the minimum date of publication of the selection results, without specifying a maximum period, while the legislator left the definition of the maximum date, i.e. the date after which he should remove these data from BIP, to the controller (the entity obliged to disclose the information). When determining the period of data processing in BIP, the administrator should take into account the legal provisions regulating the processing time, and in the absence of legal regulations, specifying the publication period, achieving the purpose of processing and the principle of limiting storage.</P><P> In the context of the above, the authority stated that the information published in the BIP, for which the date of publication does not result from legal provisions, should be assessed in accordance with the formal procedure (introduced by the administrator), ensuring a structured formation of the BIP, so that all information for which the purpose processing has been achieved, have been removed from the BIP. As it was established in the course of the inspection, an internal procedure for running the BIP has been implemented in the Municipal Office in A. However, it does not contain rules regarding the review of data published in BIP in terms of ensuring their processing in accordance with the principle of limited storage. Thus, the mayor violated the disposition contained in Art. 5 sec. 1 lit. e) and art. 24 sec. 2 of Regulation 2016/679.</P><P> The authority indicated that the evidence collected in the case showed that the Mayor did not specify in internal procedures the deadline for deleting the data published in the BIP, and did not develop procedures for reviewing data resources in the materials published in the BIP in terms of ensuring data processing in accordance with the principle of limiting storage. Due to the lack of such procedures, as found during the inspection, documents containing personal data are published on the BIP website of the Municipal Office in A. for a longer period than is necessary for the purposes for which the data are processed, and even for a longer period than it results from the provisions of the law specifying the period of storage of documents containing personal data, as is the case with property declarations. The effect of this is that an unlimited number of Internet users can access the data. This is because anyone who has access to the Internet, at any time and without any restrictions, can browse the BIP resources of the Municipal Office in A., and consequently have access to the personal data contained in these resources. Thus, the mayor violated art. 5 sec. 1 lit. e) of Regulation 2016/679.</P><P> Due to the fact that the internal procedure in question is to regulate activities essential for the processing of personal data, in order to ensure the implementation of the principle of limitation of storage, it should be treated as a data protection policy referred to in Art. 24 sec. 2 of Regulation 2016/679. Consequently, in the absence of this procedure, the authority found that the Mayor also violated this provision of Regulation 2016/679 in the context of the accountability principle expressed in Art. 5 sec. 2 of Regulation 2016/679.</P><P> Referring to the processing of personal data in connection with the publication of recordings from the session of the city council, the authority indicated that pursuant to Art. 20 paragraph 1b of the USG, the deliberations of the commune council are transmitted and recorded using video and sound recording devices. Recordings of the proceedings are made available in the Public Information Bulletin and on the website of the commune and in other customary way. The mayor, as the administrator, deciding to choose tools for data transmission on the Internet and recording them using video and sound recording devices, is responsible for the processing of this data and the implementation of the principles resulting from Regulation 2016/679, including demonstrating compliance with them (accountability). Therefore, the Mayor is responsible for ensuring the security of data processed along with the implementation of the right to access public information pursuant to art. 8 udip Pursuant to Art. 24 sec. 1 of Regulation 2016/679, the administrator (Mayor) is obliged to implement appropriate technical and organizational measures to ensure that the processing is carried out in accordance with this regulation and that he can prove it. The administrator is obliged to implement adequate technical and organizational measures, the selection of which is at the discretion of the administrator and should be preceded by an analysis of the risk of violating the rights or freedoms of natural persons.</P><P> In the course of the inspection, it was found that due to the obligation to transmit and publish the sessions of the City Council of A., a YouTube channel was created in BIP and an agreement was concluded with an external entity to broadcast the meetings of the City Council of A. on the Internet via the YouTube.com platform. The publication of personal data processed in connection with the recording and publication of the sessions of the City Council A. is carried out using the YouTube channel. On the BIP website of the Municipal Office in A., there is a link to a dedicated YouTube channel. The findings of the inspection show that upon the end of the recording of the session, the recording is automatically saved on the YouTube website, and no copy of the recording remains at the Municipal Office in A. Due to the lack of a copy of the session recording, in the event of loss of data posted on the YouTube website, the Mayor will lose access to the recording of the recording, and without having the appropriate technical and organizational measures corresponding to this risk, it is not possible to ensure the confidentiality, integrity, availability and resilience of the systems and processing services and the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident referred to in art. 32 sec. 1 lit. b) and lit. c) of Regulation 2016/679. The mayor did not indicate that there are procedures that would guarantee the protection of personal data processed on the YouTube channel.</P><P> In addition, the decision to use the YouTube channel was not preceded by an analysis of the possible risks arising from the use of this tool when processing the personal data of the participants of the City Council session. In particular, when deciding to use the YouTube channel, it was not taken into account that the administrator's use of resources and tools offered by external entities, in this case by the entity operating the YouTube channel, may be associated with a higher risk of breach of personal data protection due to the fact that the organizational and technical measures used to protect personal data published on YouTube have been defined and implemented by Google LLC (based in the USA), the owner of YouTube. The risk analysis for the processing of personal data in connection with their publication in the BIP is particularly important due to the fact that the Mayor uses the YouTube channel both for the purpose of transmitting data on YouTube from the City Council session and for the further storage of session recordings only on servers YouTube. The lack of risk analysis and the lack of procedures led to a breach of the accountability principle - Art. 5 sec. 2 of Regulation 2016/679.</P><P> In the opinion of the authority, the Mayor, in connection with the obligation to transmit and publish the recordings of the City Council session in BIP, without carrying out a risk analysis, did not implement appropriate security measures referred to in Art. 32 of Regulation 2016/679, corresponding to the risk of violating the rights or freedoms of natural persons. When processing data, the controller's obligation is to determine the risk taking into account the nature, scope and context of the data being processed, which results from Art. 24 sec. 1 of Regulation 2016/679. It does not appear from the findings of the inspection that organizational and technical measures were taken to secure the data of natural persons in connection with the storage of recordings of the City Council sessions only on YouTube servers by making backup copies of these recordings and storing them in the own resources of the City Hall in A. Thus, the administrator did not implement the appropriate organizational and technical measures referred to in art. 32 of Regulation 2016/679.</P><P> The inspection also revealed shortcomings in keeping the register of personal data processing activities. At the Municipal Office in A., a register of processing activities has been developed, which includes 54 processing activities. However, the register did not indicate the planned date of deletion of personal data by indicating a specific storage period, the register only referred to the uniform material list of files for communes. The sample cards from the register of activities sent by the Mayor, including the card on processing activities related to the publication of property declarations in the BIP, show that the planned date of deletion of data from BIP was specified by the Mayor for 5 years, which in the case of property declarations is inconsistent with the content of Art. . 24h paragraph 6 of the Act, the authority also found incorrect the position of the complainant (contained in the letter of 17 June 2019) regarding the disclosure of data of persons in power (and not those who exercised power) and the period of disclosure of these data, stating that the provisions of the act on municipal self-government that the storage period of such information is 6 years. It also does not matter whether the person who made the declaration still performs its function. The obligation to keep BIP and make public information available therein results from the provisions of the Act on access to public information. Since the legislator has decided that the property declarations are public (with the exception of the information about the place of residence of the person submitting the declaration and the location of the real estate), it should be considered that they constitute public information that is subject to publication in the Public Information Bulletin for the period resulting from the provisions of the act on municipal self-government, ie for a period of 6 years, regardless of whether the person is still a councilor or has ceased to be one. As a consequence, it is the 6-year period that should be indicated in the register of personal data processing activities kept by the Mayor as the planned date for the deletion of personal data contained in the property declaration.</P><P> In addition, not all recipients of data, including processors, were indicated in the register of processing activities, while contracts with entities providing the service of providing the server on which BIP resources are stored and the guarantee service in connection with the creation of a regional BIP were presented, which is binding access of these entities to personal data processed by the Mayor in connection with running the BIP. The register of processing activities does not indicate the entity running the YouTube channel where the recordings of the sessions of the City Council A are available. From art. 30 sec. 1 lit. d) of Regulation 2016/679, on the other hand, the obligation to list all recipients of data in the register of processing activities, regardless of whether they are established in a Member State of the European Union or in a third country. Thus, the authority concluded that the Mayor did not indicate all recipients of data in the register of personal data processing activities and did not indicate the planned date of data deletion for all processing activities, and thus violated art. 30 sec. 1 lit. d) and f) of Regulation 2016/679 and art. 5 sec. 2 of Regulation 2016/679, i.e. the accountability principle.</P><P> As a consequence, PUODO stated that the indicated violations prove that the Mayor does not process personal data in accordance with the principles resulting from art. 5 sec. 1 lit. a), e) and f) of Regulation 2016/679, which means violation of the accountability principle referred to in Art. 5 sec. 2 of Regulation 2016/679, pursuant to which the controller is responsible for compliance with the provisions of para. 1 and must be able to demonstrate compliance with them (accountability). The rules set out in Art. 5 sec. 1 of Regulation 2016/679 are the starting point for the performance of the administrator's obligations and the rights of data subjects, as well as for the assessment of the legality of these processes.</P><P> At the same time, PUODO stated that in the case under consideration, there were premises justifying the imposition of an administrative fine on the Mayor. In determining the amount of the fine, the authority took into account the circumstances of the case that had an aggravating effect on the amount of the imposed financial penalty: 1) the duration of the violations covered by the order specified in this decision (the irregularities found were not removed either during the inspection carried out at the Mayor's office or in the course of administrative proceedings),</P><P> 2) any previous violations by the administrator (making PIT-11 and PIT-37 forms available in the non-anonymised version on the BIP website - in this regard, a reminder was issued on [...] December 2018 and the decision maintaining it in force of [...] May 2019), 3) the intentional nature of the violation, 4) the violations found during the inspection concern persons whose data are included in the content of materials constituting public information, published in BIP of the Municipal Office in A., 5) high the level of the administrator's responsibility - in the absence of his actions aimed at ensuring an adequate level of data security and failure to implement appropriate data protection policies; 6) lack of cooperation of the administrator after the initiation of the procedure, which, in response to the notification on the initiation of administrative proceedings, did not refer to the violations indicated therein (except for the issue related to the retention period of data made available on the BIP website).</P><P> The authority also explained that when determining the amount of the administrative fine, it did not find grounds to believe that there were any mitigating circumstances affecting the final penalty.</P><P> In the complaint lodged against the above-mentioned decision with the administrative court, the complainant, represented by a professional attorney, applied for annulment of the contested decision in its entirety and for the administrative proceedings to be discontinued in this respect, or for the appealed decision to be revoked and the authority to issue a decision to discontinue the proceedings within 30 days. in this case and to order the authority to reimburse the applicant for the costs of proceedings in accordance with prescribed standards, including costs of legal representation. In the issued decision, the complainant alleged violation of the substantive law, i.e .:</P><P> 1.Art. 2 clause 2 lit. a) of Regulation 2016/679 by its improper application in connection with Art. 1 clause 1 in connection with Art. 168 of the Act on Personal Data Protection Act, which led to the issue of the contested decision finding an infringement of Art. 5 of Regulation 2016/679 outside the scope of its application, and as a consequence, unjustified imposition of an administrative fine;</P><P> 2. breach of Art. 28 sec. 3 of Regulation 2016/679 in connection with Art. 5 sec. 1 point a), point f) and art. 5 sec. 2 of Regulation 2016/679 and ordering the cessation of the disclosure of personal data to [...] sp. Z oo with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K. and ordering the adjustment of the processing operation to the provisions of Regulation 2016/679, which in this respect was unenforceable on the day of its issuance and its impracticability is permanent and, consequently, an unjustified imposition of an administrative fine,</P><P> 3.Art. 5 sec. 1 point e) in connection with Art. 5 sec. 2, art. 24 of Regulation 2016/679 and art. art. 11b paragraph. 1 usg and art. 8 of the Code of Administrative Procedure, through its improper application;</P><P> 4.Art. 5 sec. 1 point f) in connection with Art. 5 sec. 2 and art. 24 of Regulation 2016/679, due to its improper application;</P><P> 5.Art. 5 sec. 1 point f) in connection with Art. 5 sec. 2 and art. 32 of Regulation 2016/679, through its incorrect application;</P><P> 6.Art. 30 sec. 1 point d) and f) in connection with Art. 5 sec. 1 point e) and art. 5 sec. 2 of Regulation 2016/679, by its improper application.</P><P> In support of his complaint, the complainant discussed in detail the above-mentioned allegations.</P><P> In response to the complaint, the authority requested the dismissal of the complaint, raising the arguments identical to those presented in the contested decision.</P><P> The Provincial Administrative Court in Warsaw considered the following:</P><P> The complaint could not be upheld.</P><P> Pursuant to art. 3 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325 as amended, hereinafter referred to as ppsa), administrative courts control the activities of public administration and apply measures specified in the Act . This means that when examining a complaint, the court assesses whether the appealed decision does not infringe the provisions of substantive law or the provisions of administrative proceedings. According to Art. 134 of the PPSA, the Court adjudicates within the limits of a given case, but is not bound by the allegations and conclusions of the complaint and the legal basis referred to therein.</P><P> The court, while inspecting the contested decision, did not find that the President of the Personal Data Protection Office, when issuing the decision of [...] October 2019, violated the provisions of substantive law to a degree that had an impact on the outcome of the case, or the provisions of administrative proceedings to a degree that could significantly affect the outcome of the case.</P><P> With regard to the first and the most far-reaching of the allegations, cited in the complaint, consisting in the violation of substantive law, ie Art. 2 clause 2 lit. a) of Regulation 2016/679 by its improper application in connection with Art. 1 clause 1 in connection with Art. 168 of the Act on Personal Data Protection Act, which led to the issue of the contested decision finding an infringement of Art. 5 of Regulation 2016/679 beyond the scope of its application and, consequently, the unjustified imposition of an administrative fine, the Court found the allegation unfounded.</P><P> The provision of art. 2 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 (Official Journal EU L No. 119, p. 1) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 4 May 2016, p. 1 and EU Official Journal L 127 of 23.05. 2018, p. 2, hereinafter: Regulation 2016/679) determines the material scope of application.</P><P> Paragraph 1 provides that the Regulation applies to the processing of personal data in a fully or partially automated manner and to the non-automated processing of personal data that are part of a data filing system or are to be part of a filing system.</P><P> However, paragraph 2. This regulation does not apply to the processing of personal data:</P><P> (a) in the course of an activity which falls outside the scope of Union law;</P><P> In the opinion of the Court, the allegations made by the complainant that the decision infringed the provisions of Regulation 2016/679 as regards their application to activities not covered by the provisions of the European Union are completely incorrect. The exclusions referred to in Art. 2 clause 2 lit. a of Regulation 2016/679, are exceptional and do not apply in the present case.</P><P> The interpretation of the above-mentioned exclusions must be made taking into account the systemic and purposeful interpretation. As the authority rightly pointed out in its response to the complaint, understanding the provision in the manner indicated by the complainant would cause that personal data would not be properly protected. The intention of the legislator was not to limit the application of personal data protection, but on the contrary, to increase its scope and application. The legislator, as the authority rightly notices, specifies the exclusions from the application of the provisions in Art. 6 of Regulation 2016/679. Interpreting the provisions in the manner adopted by the complainant would lead to an ad absurdum interpretation, where the application of the provisions of Regulation 2016/679 would be limited to a very narrow scope of EU law. Meanwhile, the introduction of the above-mentioned legal act was aimed at increasing, not drastically limiting, the protection of personal data.</P><P> The idea behind the legislation of the European Union is (inter alia) the protection of personal data; Moreover, under Polish law, these rights are provided with additional protection by the Constitution of the Republic of Poland. The claim of the complainant is completely illogical that although superior acts, such as the Constitution or the generally applicable principles of European Union law, provide for broad protection of personal data, the regulation narrows it only to an extremely narrow circle.</P><P> According to Art. 8 sec. 1 of the EU Charter of Fundamental Rights, everyone has the right to the protection of personal data concerning them; pursuant to Art. 16 sec. 1 TFEU, every person has the right to the protection of personal data concerning him. These fundamental rights are referred to in the GDPR in its first recital. The rules and regulations regarding the protection of natural persons with regard to the processing of their personal data may not - irrespective of their nationality or place of residence - violate their fundamental rights and freedoms, in particular the right to the protection of personal data (recital 2 of the GDPR).</P><P> As the authority aptly noted, the doctrine rightly states that the norm resulting from Art. 16 sec. 1 TFEU (and analogous to Article 8 of the EU Charter of Fundamental Rights) has the status of a directly effective standard, becoming an autonomous basis for the rights of individuals with regard to the protection of personal data. A directly effective treaty rule protects natural persons also in situations where they will not be able to benefit from the protection guaranteed by acts of secondary law. Art. 16 (2) TFEU unequivocally indicates that the rules on the protection of personal data set out in acts of secondary law will apply to personal data of natural persons processed by institutions, bodies, offices and agencies of the European Union and Member States, but only to the extent that these activities will help to apply European Union law.</P><P> Referring to the legal opinion annexed to the complaint, the Court indicates that it does not relate to the substance of the case and therefore was irrelevant to its decision.</P><P> Referring to the remaining objections of the complaint, it should first be pointed out that in the provision of Art. 5 of Regulation 2016/679, the rules for the processing of personal data have been formulated, to which the personal data administrator is obliged to comply and implement. In the actual state of the case, the administrator of personal data, i.e. the person obliged to process personal data in accordance with the law and to implement organizational and technical procedures for processing this data, is the Mayor. The rules set out in Art. 5 of the Regulation 2016/679 play an important role among the legal norms regulating the protection of personal data.</P><P> The rules specified in this provision are independent in nature and constitute binding legal norms that define specific standards of conduct in this respect. Of course, they may play a subsidiary role in relation to other provisions, especially in their interpretation and application of legal norms on the protection of personal data, but their function as superior standards over other provisions is equally important. The legislator emphasizes the special importance, defining as principles the legal norms appearing in Art. 5 of Regulation 2016/679. The authority is obliged to comply with the principles contained in this provision, and any exclusions are absolutely exceptional.</P><P> In art. 5 sec. 2 of the regulation in question indicates that the controller is responsible for compliance with the provisions of para. 1 and must be able to demonstrate compliance with them, this principle is referred to in the Regulation as "accountability". Taking into account all the norms of Regulation 2016/679, it should be emphasized that the controller has considerable freedom in the scope of the security measures applied, but at the same time is responsible for violating the provisions on the protection of personal data. The principle of accountability clearly shows that it is the data controller who should demonstrate and therefore prove that he complies with the provisions set out in Art. 5 sec. 1 of Regulation 2016/679.</P><P> In the opinion of the Court, the complainant, as the data controller who was burdened with the burden of proof, did not show that he complied with all the rules of personal data processing.</P><P> The court fully shares the authority's assessment of individual infringements of substantive law.</P><P> Violation of Art. 5 sec. 1 lit. a) and f) in connection with with art. 5 sec. 2 of the Regulation 2016/679, i.e. the principles of legal compliance and confidentiality, and art. 28 sec. 3 of Regulation 2016/679 was made by providing personal data to [...] Sp. z o. o. with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K. without legal basis. The applicant had not previously concluded with the above-mentioned subjects of personal data entrustment contracts referred to in art. 28 sec. 3 of Regulation 2016/679, in connection with the running of the BIP website of the Municipal Office in A ..</P><P> The provisions of Art. 5 sec. 1 lit. a) and f) of Regulation 2016/679, the principles are defined as: a) the principles of legality, reliability and transparency, f) integrity and confidentiality of data (data security). In art. 5 sec. 1 lit. and Regulation 2016/679 sets out the requirements for the administrator of personal data in terms of their processing. In the present case, that provision has undoubtedly been infringed. The principle of lawfulness of data processing applies to the compliance of personal data processing with the provisions of law, contained in all normative acts regarding the processing of personal data, including the provisions of Regulation 2016/679. The complainant undoubtedly breached the provision of Art. 28 sec. 3 of this Regulation, thus breached the principle of legality.</P><P> Pursuant to Art. 5 section 1 lit. f of Regulation 2016/679, personal data must be processed in a manner ensuring their appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures. The controller of personal data is required to take proportionate measures to protect the data.</P><P> The "threats" listed in this provision, against which the administrator must protect himself, have the nature of an open directory, which is indicated by the term "including" used in this provision. The complainant violated both of the above principles by failing to comply with the provisions of Art. 28 (3) of Regulation 2016/679. This provision explicitly requires that the processing by the data processor on behalf of the controller takes place on the basis of a contract or other legal instrument. As the authority established in the evidentiary proceedings, in the contracts concluded by the complainant with entities that participated in the processing of personal data, there were no provisions regarding the processing of personal data and entrusting their processing.</P><P> For this reason, the allegation of the complaint that the authority breached the substantive law, ie Art. 28 sec. 3 of Regulation 2016/679 through its incorrect application. The complainant's failure to conclude contracts with entities that processed personal data, the administrator of which was the complainant, shall be charged to the personal data administrator who, despite his obligation, did not comply with the provisions on the protection of personal data. Therefore, the authority correctly assessed this situation from a substantive point of view, assuming a violation of Art. 5 sec. 1 lit. a) and f) in connection with with art. 5 sec. 2 and art. 28 sec. 3 of Regulation 2016/679.</P><P> The authority also correctly assessed the violation of Art. 5 sec. 1 lit. e) in connection with Art. 5 sec. 2, i.e. the rules for limiting storage and art. 24 of Regulation 2016/679 due to the lack of appropriate policies regarding the processing of personal data at the BIP of the Municipal Office in A. in terms of their timeliness and purposefulness of publication and specifying deadlines for deleting personal data. The principle referred to as "storage limitation" as defined in Art. 5 section 1 lit. 3 of Regulation 2016/679 stipulates that "personal data must be stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed". In addition, "personal data may be stored for a longer period as long as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1), provided that appropriate technical measures are implemented. and organizational measures required by this Regulation to protect the rights and freedoms of data subjects ("storage limitation"). According to this principle, when the purposes for which personal data are processed, they should either be deleted or deleted.</P><P> Pursuant to the provision of Art. 24 sec. 1 of Regulation 2016/679 ", taking into account the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons of different probability and seriousness, the controller implements appropriate technical and organizational measures to ensure that the processing is carried out in accordance with this Regulation and to be able to demonstrate it. These measures shall be reviewed and updated as necessary. "</P><P> The court shares the authority's finding that the controller of personal data is responsible for implementing appropriate technical and organizational measures to ensure that the processing of personal data is lawful. Such technical measures have not been introduced, the authority has in no way ensured that all information, the purpose of which processing has been achieved, was deleted.</P><P> The allegation made in the complaint to the Court, concerning infringement of substantive law, ie Art. 5 section 1 lit. possibly related with art. 5 sec. 2 and art. 24 of Regulation 2016/679 and art. 11b paragraph. 1 of the Act on Municipal Self-Government and Art. 8 of the Code of Administrative Procedure, due to their improper application, basically boils down to the fact that the period for which the data are (may) be published in the Public Information Bulletin has not been specified, which, in the complainant's opinion, is a legal loophole. This objection is not relevant: as indicated above, although there are no explicitly indicated maximum periods after which personal data should be deleted, the principle of limiting the storage implies that personal data must be stored for a period not longer than it is necessary to the purposes for which the data is processed. The personal data controller determines the "necessary purpose" by implementing the appropriate procedure referred to in Art. 24 sec. 1 of Regulation 2016/679. Due to the lack of actions of the complainant in the described direction, the Court did not find in the present case a breach by the authority of Art. 8 kpa</P><P> The charge of infringement of Art. 5 sec. 1 lit. f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality, the principles of correctness, and art. 24 of Regulation 2016/679 (by failing to conduct a risk analysis related to the use of the YouTube channel by the Mayor to transmit recordings of the sessions of the City Council A.).</P><P> In the context of the provisions referred to in the previous paragraph and the content of the facts of this justification, it should be emphasized once again that the administrator of personal data is obliged to process them in a manner ensuring adequate security, including protection against unauthorized or unlawful processing and accidental loss, destruction. or damage, by appropriate technical or organizational measures.</P><P> The complainant alleges infringement of substantive law, ie Art. 5 sec. 1 lit. fw conj. with art. 5 section 2 and art. 24 of Regulation 2016/679, through their improper application, due to the fact that the failure to conduct a risk analysis may not prove that the personal data controller has breached the provisions of the Regulation, because conducting such an analysis is optional and cannot mean that the appropriate measures have not been implemented technical and organizational so that the processing takes place in accordance with the provisions of Regulation 2016/679. The necessity to introduce such a procedure should be analyzed on a case-by-case basis in a specific case: in these proceedings, the data controller has not proved that failure to conduct a risk analysis is unnecessary, the Court has no doubts that the implemented procedures did not fully ensure the security of personal data. In the opinion of the Court, the implementation of such an analysis would minimize the risk of deficiencies in the processing of personal data, it is from this perspective that the possible need to create an appropriate procedure for the security and protection of personal data should be considered.</P><P> In the contested decision, the authority also accused the applicant of violating Art. 5 sec. 1 lit. f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality, and art. 32 of Regulation 2016/679 by failing to implement appropriate technical and organizational measures aimed at securing the data of natural persons in connection with the storage of recordings of the City Council sessions A. only on YouTube servers, without making and storing backup copies of these recordings in the own resources of the City Hall in A .. The provision of Art. 32 of Regulation 2016/679 imposes another obligation on the personal data controller, namely the obligation to secure the processed data.</P><P> The provision of art. 32 sec. 1 letter b and c of Regulation 2016/679 states: "taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons with different probabilities and severity, the controller and the processor shall implement appropriate technical and organizational to ensure the level of safety corresponding to this risk, including, but not limited to: (...)</P><P> (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;</P><P> (c) the ability to restore the availability and access to personal data rapidly in the event of a physical or technical incident. "</P><P> This provision does not require the data controller to implement any technical and organizational measures that are to constitute personal data protection measures, but requires the implementation of adequate measures. Such adequacy should be assessed in terms of the manner and purpose for which personal data are processed, but also the risk related to the processing of such personal data, which may vary in size, should be taken into account.</P><P> The adopted measures are to be effective, in specific cases some measures will have to be low-risk mitigating measures, others - must mitigate high risk, however, it is important that all measures (and each separately) are adequate and proportional to the degree of risk . In the opinion of the Court, the transfer of personal data to an external entity that transmits meetings of the bodies on the public network, such as the Internet, where personal data are processed, resulted in a breach of the provisions on the protection of personal data, and the measures that had to be taken should be proportionate to the indicated high risk.</P><P> It should be emphasized that at the end of the recording, it was only saved on the YouTube website, the complainant had no backup, according to the Court, the provisions of Art. 32 sec. 1 lit. b and c of Regulation 2016/679. A possible technical failure of the website may result in the loss of the recording and prevent the personal data administrator from restoring their availability, as a result the obliged entity will not be able to ensure the confidentiality, integrity, availability and resilience of processing systems and services. Therefore, in the opinion of the Court, the authority correctly and in accordance with the applicable provisions proved that the applicant infringed the provisions contained in this paragraph. The allegation of the complainant concerning the infringement of substantive law, ie Art. 5 sec. 1 point f in conjunction with art. 5 section 2 and art. 32 of Regulation 2016/679. As already mentioned, the activities of a technical and organizational nature are the responsibility of the personal data administrator, but they cannot be selected in a completely free and voluntary manner, without taking into account the degree of risk or the nature of the personal data being protected. Undoubtedly, the measures taken by the applicant did not ensure security, which was duly demonstrated by the authority, and the arguments raised by the applicant on this point constitute only a polemic with the facts, correctly established by the authority in the opinion of the Court.</P><P> The last of the provisions, the correctness of which was applied by the authority by the Court in the present case, are the alleged infringement of the provisions of Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of accountability and art. 30 sec. 1 lit. d) and f) of Regulation 2016/679 (by not indicating in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the City Hall in A., all data recipients and failure to indicate the planned date of data deletion for these processing activities in a manner ensuring data processing in accordance with the principle of limited storage). In the opinion of the Court, the authority correctly interpreted the provisions of the act on municipal self-government and the act on access to public information, the court fully shares the arguments of the authority in this respect, and therefore found it pointless to copy it here.</P><P> The provision of art. 30 sec. 1 lit dif of Regulation 2016/679 provides that each administrator and - where applicable - the administrator's representative shall keep a register of personal data processing activities for which they are responsible. This register shall include all of the following information: (...) (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or in international organizations; (...) (f) if possible, the planned dates of deletion of individual categories of data.</P><P> Taking into account the linguistic interpretation directives, the responsibility of the administrator keeping a register of personal data processing activities has been explicitly stated. Interpretation methods other than linguistic are applicable only when the linguistic interpretation proves insufficient or does not lead to the correct decoding of the legal norm from the provision. Personal data administrator who does not indicate in the register of activities the categories of recipients to whom the personal data have been or will be disclosed, and not indicates the scheduled date for the removal of individual categories of a given data (provided that it is possible - and in the present case it was possible), it directly violates the provisions on the protection of personal data, compliance with which is responsible. Each of the obligations arising from this provision must be fulfilled: a breach of the provision is failure to perform at least one of the obligations indicated in the register of personal data processing activities. For the described reason, the allegation of infringement of the provisions of substantive law, i.e. Art. 30 sec. 1 lit. difw zw. with art. 5 section 1 lit. possibly related with art. 5 (2) of Regulation 2016/679.</P><P> The court assessed, taking into account the nature of the violations committed and the number of provisions of substantive law on the protection of personal data, the violation of which had been committed by the complainant, that the fine in the amount of PLN 40,000 is adequate, proportional and was correctly imposed. The authority duly justified the penalty, taking into account the very long duration of the infringements, their deliberate nature, the high degree of responsibility of the administrator and the lack of cooperation with the authority after initiating the procedure. The maximum fine for the violations found is PLN 100,000, and only 40% of the possible fine was imposed on the applicant, which allows assessing it as effective, proportionate and dissuasive.</P><P> Taking into account the above considerations, the Court, pursuant to Art. 151 ppsa dismissed the complaint.</td></tr></table></div><!-- Stopka -------------------------------------------------------------------------><div class="dolne-linki"> <a
			href="/cbo/find?p=1"><span
			class="navl">Back to the list</span></a></div><div class="disclaimer"></div><BR><hr style="margin-bottom:1"/><div id="sp"> Powered by SoftProdukt</div></div></div></div><script type="text/javascript">
function logExtHref(doc, href)
{var callback={success: function(o){},failure: function(o){},argument:{}};
 var d= new Date();
 var url= "/cbo/servlet/logExtHref?doc="+doc+"&href="+href+"&d="+d.getTime();
 YAHOO.util.Connect.asyncRequest('GET', url, callback);
}
</script><script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-1768873-2', 'nsa.gov.pl');
  ga('send', 'pageview');

</script></BODY><script type="text/javascript" src="/yui/yahoo/yahoo-min.js"></script><script type="text/javascript" src="/yui/connection/connection-min.js"></script></html>