NSA (Poland) - III OSK 4763/21

From GDPRhub
Revision as of 10:19, 17 February 2022 by FA (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Poland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=NSA (Poland) |Court_With_Country=NSA (Poland) (Poland) |Case_Number_N...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
NSA (Poland) - III OSK 4763/21
Courts logo1.png
Court: NSA (Poland) (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(c) GDPR
Article 17(1) GDPR
Decided: 13.01.2022
Published:
Parties:
National Case Number/Name: III OSK 4763/21
European Case Law Identifier:
Appeal from: Polish DPA (UODO)
Appeal to: Not appealed
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: czapla

The Polish Supreme Administrative Court held that the Polish DPA should make a data minimisation assessment on the necessity of processing a data subject's phone number for the collection of debts.

English Summary

Facts

The proceedings started with a complaint made to the Polish DPA (UODO) in which a data subject claimed that the processing of their personal data by a non-standardised securitisation fund (fund) was not justified and lacked legal basis on the grounds that the debt being collected by the fund was non-existent. The plaintiff therefore requested that all of their personal data be removed from the fund’s database in accordance with Article 17(1) GDPR.

The personal data obtained by the fund included: name, surname, date of birth, gender, national identification number, correspondence addresses, telephone number, e-mail address, as well as information on the claim broken down to financial components, including principal amount, interest and bank account number dedicated to debt repayment, the date of the contract and the date of termination of the contract.

The UODO decided that the processing of personal data by the fund was lawful, since the fund acquired the debt from an original creditor in the performance of a contract under Article 28 GDPR. The UODO stated that as a debtor, the data subject must consider that their right to privacy may be limited in connection with the recovery of debts. The UODO emphasized, however, that it had not examined the factual elements regarding the existence of the debt or its amount, which are issues that should be determined by civil courts.

The claimant, which disputed the existence of the debt, specifically complained about receiving importunate telephone calls by the fund. With regards to these allegations, the UODO explained that this issue must be considered in the context of established practices applied by debt collection agencies. The UODO, therefore, decided that the fund was not obligated to grant the data subject's erasure request, since it had a legitimate interest and legal basis for processing the data.

The data subject appealed this decision to the Voivodship Administrative Court in Warsaw, on the basis that the UODO incorrectly assumed that the data subject was a debtor. The data subject further argued that UODO should have leaned towards the principle of data minimisation under Article 5(1)(c) GDPR, and requested the removal of the phone number from the fund's database.

The Administrative Court sided with the UODO, stating that pursuant to the contract with the original creditor, the fund became the controller of the transferred data for the purpose of collecting the purchased debt.

Regaridng the issue of the data minimisation, the Administrative Court pointed out that the data subject originally requested that all of their personal data be deleted by the fund, alleging it was processed without a legal basis, since the debt itself was disputed. The Administrative Court held that the data minimisation argument was not part of the initial complaint, and therefore the UODO rightly limited itself to what was specifically argued in the complaint.

The data subject then appealed this Administrative Court decision with the Polish Supreme Administrative Court (NSA).

Holding

The NSA agreed with the UODO that in this situation, the fund's legitimate interest justified the processing of the personal data even against the data subject's consent, and that the same rules applied to the entity that repurchased the debt as those who apply to the the original creditor. Similarly, the NSA held that the data processing was not hindered by the disputed nature of the debt, which would be a matter that the civil courts are competent to decide on.

With regards to data minimisation, the NSA indicated that although the original erasure request addressed to the UODO was broad, and concerned the removal of all the data subject's personal data, the UODO could have taken into account the request to a lesser extent, and assessed the specific complaint regarding the phone calls received by the data subject. Thus, the NSA held that the Voivodship Administrative Court incorrectly treated the alleged of breach of the principle of data minimisation as being outside UODO's scope in this complaint.

Based on this consideration, the NSA held that the UODO should revisit their original opinion, and issue a decision as to whether a phone number is necessary personal data processing for the purposes of debt collection.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Date of the judgment

2022-01-13 the decision is final

Date of receipt

2021-05-04

court

The Supreme Administrative Court

Judges

Małgorzata Masternak - Kubiak / chairman /
Mariusz Kotulski
Zbigniew Ślusarczyk / rapporteur /

Symbol with description

647 Matters related to the protection of personal data

Thematic slogans

Personal data protection

Ref. linked

II SA / Wa 2104/19 - Judgment of the Provincial Administrative Court in Warsaw of 2020-11-06

The appealed authority

Inspector General for Personal Data Protection

Result content

The judgment under appeal and the decision of the second instance were revoked

Cited regulations

Journal of Laws 2016 item 922 art. 23 sec. 1 point 5
The Act of August 29, 1997 on the Protection of Personal Data - consolidated text

Sentence

Supreme Administrative Court composed of: Chairman: Judge of the Supreme Administrative Court Małgorzata Masternak - Kubiak Judges Judge of the Supreme Administrative Court Zbigniew Ślusarczyk (spokesman) Judge del. WSA Mariusz Kotulski, after considering on January 13, 2022, at a closed session in the General Administrative Chamber, T. K.'s cassation appeal against the judgment of the Provincial Administrative Court in Warsaw of November 6, 2020, file ref. no. II SA / Wa 2104/19 on the complaint of the Constitutional Tribunal against the decision of the President of the Personal Data Protection Office of [...] June 2019 No. [...] on the refusal to grant the application 1. repeals the judgment under appeal and the decision under appeal , 2. orders the President of the Personal Data Protection Office to pay for the benefit of the Constitutional Tribunal the amount of PLN 200 (two hundred) as reimbursement of the costs of proceedings before the Court of first instance.

Justification

The Provincial Administrative Court in Warsaw by the judgment of November 6, 2020, file ref. no. II SA / Wa 2104/19, pursuant to art. 151 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended), hereinafter referred to as "p.p.s.a." dismissed the complaint of T. K. against the decision of the President of the Personal Data Protection Office of [...] June 2019 No. [...] concerning the refusal to grant the application.

The judgment was issued in the following factual and legal status of the case.

In a letter of [...] December 2018, T. K. lodged a complaint with the Inspector General for Personal Data Protection against the processing of personal data by [...] Fundusz Inwestycyjny Zamknięty Niepandaryzowany Fundusz Sekurtyzacyjny in W., which acquired a liability from V. S.A. on the basis of an assignment agreement. and on this basis, it processes the applicant's personal data contrary to the Personal Data Protection Act. He applied for an order for the above-mentioned the company to restore legal status in the processing of personal data by deleting personal data processed without a legal basis.

By the decision of [...] June 2019, No. [...], the President of the Office for Personal Data Protection (legal successor of the Inspector General for Personal Data Protection), hereinafter referred to as the "President of the Personal Data Protection Office", refused to take into account the Constitutional Tribunal's application for irregularities in the processing his personal data by [...] Sp. z o.o. based in W. The decision was issued pursuant to Art. 104 § 1 of the Code of Administrative Procedure (Journal of Laws of 2018, item 2096), hereinafter referred to as the "k.p.a.", art. 18 of the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2016, item 922 and of 2018, item 138) in connection with joke. 160 sec. 1 and 2 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000, as amended) and art. 6 sec. 1 lit. f and art. 28 of the Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal Official Journal L 119 of May 4, 2016, p. 1 and Official Journal L 127 of May 23, 2018, p. 2).

In the justification of the decision, the authority indicated that the claim relating to the complainant had been purchased by the Fund on the basis of a debt sale agreement. The scope of the complainant's personal data obtained included: name, surname, date of birth, gender, PESEL identification number, correspondence addresses, telephone number, e-mail address, information on the basis of the claim, broken down into financial components, i.e. principal amount, interest and bank account number dedicated to debt repayment, date of conclusion of the contract and date of termination of the contract. When assessing the compliance of the Fund's operations with the Act of August 29, 1997 on the protection of personal data in force on the date of receipt of the complaint (Journal of Laws of 2016, item 922, as amended), in the opinion of the authority, the processing of the complainant's data was justified by the provisions of this act, because the Fund operates under a contract. As a debtor, the complainant must take into account that in delaying the fulfillment of an obligation, his right to privacy may be limited in connection with the recovery of claims. Otherwise, a situation could arise in which the debtor, relying on the right to the protection of personal data, would effectively avoid his obligation to perform the service and, consequently, would limit the creditor's right to obtain the payment due to him.

The administration authority emphasized that it had not examined the issue of the existence of the claim or its amount, as these cases are of a civil nature and should be considered in proceedings conducted by common courts. Similarly, beyond the jurisdiction of the President of the Personal Data Protection Office, the question of the statute of limitations on the claim remains. However, with regard to the allegation of importunate telephone calls to the complainant by [...] Sp. z o.o., the authority explained that this issue may be considered in the context of practices applied by debt collection companies. Pursuant to the Act of February 16, 2007 on competition and consumer protection (Journal of Laws of 2019, item 369), these matters fall within the competence of the President of the Office of Competition and Consumer Protection.

By letter of 23 July 2019, T. K. lodged a complaint with the Provincial Administrative Court in Warsaw against the above decision, demanding that it be repealed. He alleged an error in fact consisting in the assumption that he was a debtor, while he was only a client of the company V., and a breach of Art. 5 sec. 1 point c) GDPR due to the lack of an order to remove the telephone number from the company's data file.

In response to the complaint, the President of the Office for Personal Data Protection appealed for its dismissal.

By the judgment indicated at the outset, the Court of first instance dismissed the complaint. In the justification of the judgment, the Court shared the opinion of the authority that the provisions authorizing the processing of the complainant's personal data are currently Art. 6 sec. 1 lit. f) Regulation 2016/679, which fills out the legal grounds for the processing of personal data, as well as art. 28 sec. 3 of the aforementioned regulation, which allows the processing of data on the basis of a contract or other legal instrument, which are subject to European Union law or the law of a Member State and are binding on the processor and the controller, define the subject and duration of the processing, nature and purpose of processing, type of personal data and categories of persons, data subjects, obligations and rights of the controller. The court indicated that the sale of receivables is permissible pursuant to Art. 509 § 1 of the Civil Code. The assignment of receivables is associated with the right to transfer the debtor's personal data to the buyer. Pursuant to the agreement for the sale of receivables, the fund became the administrator of the transferred data, processing them for the purpose of collecting the purchased receivables. The prerequisite authorizing the processing of the complainant's personal data by the Fund until 25 May 2018 was Art. 23 sec. 1 point 5 of the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2016, item 922, as amended). In the opinion of the court of first instance, the authority did not correctly examine the issue of the existence of the debt and its amount, leaving this assessment to common courts. Referring to the issue of data minimization, the Court noted that the complainant originally demanded that his personal data be deleted by the company processed without a legal basis, and not their minimization. The request to minimize the data by ordering the debt collection company to remove the complainant's phone number was formulated only at the stage of the administrative court complaint, therefore the authority rightly limited itself to the request contained in the complainant's request of 4 January 2018.

T. K. lodged a cassation appeal, challenging the above judgment in its entirety. He alleged a violation:

1.Art. 145 § 1 point 1 of the AA in connection with joke. 134 § 1 of the p.s.a. in connection with joke. 5 sec. 1 point c of Regulation 2016/679 GDPR by declaring that the failure to recognize the violation of the minimization principle was correct, while in accordance with the a maiore ad minus principle, since the request was wider, then in the absence of grounds for considering the entire request, this does not exclude the consideration of the request in a narrower scope,

2.Art. 145 § 1 point 1 of the AA in connection with joke. 134 § 1 of the p.s.a. in connection with joke. 1 of the Code of Civil Procedure by recognizing the correct operation of the office, consisting in not examining the issue of the existence or non-existence of receivables, while the office was obliged to do so, or at least should have stayed the proceedings until the issue in question was resolved by a civil court.

On the basis of these allegations, T. K. requested that the judgment under appeal be set aside and the case remitted for reconsideration.

In the justification of the cassation appeal, he indicated that the request addressed to the authority was broad, as it concerned the deletion of all the complainant's personal data. The authority, acting within the scope of the request, could take into account the request to a lesser extent. Thus, the first-instance court incorrectly treated the allegation of breach of the principle of minimalism as falling outside the scope of proceedings by the authority. Moreover, the Court incorrectly held that the authority should not examine the question of the existence of a claim. In the opinion of the applicant in cassation, this circumstance remains significant in terms of the outcome of the case, therefore the authority should have stayed the proceedings and obligated the applicant to initiate proceedings before a civil court.

In response to the cassation appeal, the President of the Personal Data Protection Office requested that the cassation appeal be dismissed. In the opinion of the authority, the argumentation presented in the judgment under appeal is correct.

The Supreme Administrative Court considered as follows:

Pursuant to Art. 183 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts (i.e. Journal of Laws of 2019, item 2325, as amended), hereinafter referred to as the PPSA, the Supreme Administrative Court examines the case within the scope of the cassation appeal, taking into account ex officio only the nullity of the proceedings. In the case under examination, none of the circumstances resulting in the invalidity of the proceedings referred to in Art. 183 § 2 of the Law on Civil Procedure and none of the conditions referred to in Art. 189 of the AA, which the Supreme Administrative Court considers ex officio when reviewing the judgment appealed against in a cassation appeal. In these circumstances, only the charges raised in the cassation appeal in support of the cited grounds for cassation were subject to examination.

The court of first instance approved the position of the authority, which held that the provisions authorizing [...] Fundusz Inwestycyjny Zamknięty Niepandaryzowany Fundusz Sekuritizacyjny and the Company [...] to process the complainant's personal data are currently Art. 6 sec. 1 lit. f) Regulation 2016/679 (GDPR), which fills out the legal grounds for the processing of personal data, as well as art. 28 sec. 3 of this regulation, in which the processing by the processor takes place on the basis of a contract or other legal instrument, which is governed by Union law or the law of a Member State and is binding on the processor and the controller, and specifies the subject and duration of the processing, the nature and purpose of the processing, and the type of personal data and the categories of data subjects, the obligations and rights of the controller. Pursuant to the agreement for the assignment of receivables, the Fund has become the administrator of the provided data of the debtor (complainant) and processes them in order to recover the acquired receivables. The prerequisite authorizing the processing of the complainant's personal data by the Fund until 25 May 2018 was Art. 23 sec. 1 point 5 of the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2016, item 922, as amended), and currently there is Art. 6 sec. 1 lit. f) Regulation 2016/679. The transfer of the complainant's personal data to the [...] Company enforcing the debt for the benefit of the Fund took place pursuant to Art. 31 sec. 1 and 2 of the Act of August 29, 1997 on the protection of personal data, and currently it is carried out on the basis of art. 28 of Regulation 2016/679.

The complainant alleges that the claim does not exist as it has expired, therefore the authority should order the Company to delete all his personal data.

However, the position of the authority accepted by the Court is correct that, since the Company has proved the existence of the debt, the authority is not entitled to resolve the dispute between it and the complainant as to the expiry of the debt due to the statute of limitations. The Supreme Administrative Court shares the view that the dispute as to the existence or non-existence of receivables is a civil matter within the meaning of Art. 1 of the Code of Civil Procedure, which is settled by the competent common court, inter alia, in the procedure of settling an action for determination pursuant to Art. 189 of the Code of Civil Procedure Only the legality of the complainant's personal data processing by the Company was assessed in the controlled administrative proceedings. It is difficult to find any arguments in the cassation appeal that the position of the authority and the Court of first instance in this respect was incorrect. The applicant merely claims that, since the authority was unable to examine this issue, it should stay the proceedings and oblige the applicant to initiate the procedure before a civil court. However, this allegation was not based on any provision of law from which such an obligation of the authority would arise. The fact that the Court of Cassation is bound by the grounds of a cassation appeal (based on an indication of a breach of specific legal provisions) does not allow the Court to guess which provision the applicant is bound by in relation to the breach. This renders the complainant's assertions as to the obligation to suspend the proceedings by the authority ineffective.

Moreover, it should be stated that the Court of first instance took a position as to the inability of the authority to investigate the existence or non-existence of a claim. The position of the Court in this respect, contrary to the applicant's expectations, does not constitute an infringement of Art. 134 § 1 of the p.s.a.

Consequently, the allegation of infringement of "Art. 145 § 1 point 1 of the AA." Should be considered unfounded. in connection with joke. 134 § 1 of the p.s.a. in connection with joke. 1 of the Code of Civil Procedure

On the other hand, the allegation of violation of Art. 145 § 1 point 1 lit. a) p.p.s.a. in connection with joke. 5 sec. 1 lit. c) GDPR. In his complaint, the complainant alleged breach of the principle of minimalism resulting from Art. 5 sec. 1 lit. c) GDPR by not deleting the telephone number from the data set, because the processed personal data in this respect are not necessary for the purpose for which they are processed. Referring to this issue, the court of first instance indicated that the complainant originally demanded that his personal data be erased by the Company processed without a legal basis, and not to be minimized. The request to minimize the data by ordering the debt collection company to remove the complainant's telephone number was formulated only at the stage of the administrative court complaint. In this state of affairs, the court of first instance found that the authority correctly addressed the request contained in the applicant's request of 4 January 2018, refusing to grant that request. In the opinion of the Supreme Administrative Court, the position of the court of first instance in this respect is not correct.

Pursuant to art. 5 sec. 1 lit. c) GDPR, personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"). After examining the complaint of T. K. about irregularities in the processing of his personal data by [...] Sp. z o.o. refused to grant the request. The authority determined that the personal data of the Constitutional Tribunal in the form of name, surname, date of birth, gender, PESEL registration number, correspondence address, telephone number, e-mail address, information on the basis of the claim, broken down into financial components, i.e. principal amount, interest and number a bank account dedicated to debt repayment, the date of the contract and the date of termination of the contract are processed in accordance with the purpose of debt enforcement. In the application, the complainant questioned the legal basis for the processing of his personal data by the Company due to the statute of limitations of the debt resulting from the contract concluded with V. S.A. He applied for a legal restoration by deleting all his personal data by [...] Sp. z o.o. However, already in the course of the administrative proceedings, the complainant argued that his telephone number was unnecessary for debt enforcement, which is used by the Company as a form of unlawful pressure on him in order to pay a non-existent claim. The applicant then argued that the processing of his data was inconsistent with the basic premise of the adequacy and purposefulness of the processing of personal data. In such a situation, the authority was obliged to take into account the provisions of Art. 5 sec. 1 lit. c) GDPR, the principle of data minimization and examine whether the specific personal data of the applicant processed by the Company are adequate, relevant and limited to what is necessary for the purposes for which they are processed. Since the applicant, in particular, indicated incorrect processing of his telephone number, the authority incorrectly referred the applicant to proceedings before the President of the Office of Competition and Consumer Protection. The applicant did not demand an order to stop the insistent making phone calls to him, but to delete his personal data, including his telephone number. At the same time, it does not validate the indicated failure of the authority, the laconic and unspoken statement in the reply to the cassation complaint that the deprivation of the possibility to process the complainant's telephone number would make it difficult for the Company to achieve its goal.

Contrary to the authority's claims, the complainant clearly specified his request as to the processing of his personal data without a legal basis and their removal. This request meets the requirement of precision resulting from Art. 63 § 2 of the Code of Civil Procedure The indication of the legal basis does not result from the content of Art. 63 § 2 of the Code of Civil Procedure The applicant was not obliged to provide the legal basis for his request and the authority was not bound by the given legal basis. In the opinion of the Supreme Administrative Court, it is obvious that since the request concerned incorrect processing of all the complainant's personal data, then if the irregularity did not concern all data but only part of it, the authority was obliged to grant the request in part and dismiss it in part.

As a result, one cannot agree with the statement of the Court of first instance that since the complainant originally demanded the removal of his personal data by the Company processed without a legal basis, and not their minimization, and the demand to minimize the data by ordering the debt collection company to remove the complainant's telephone number was formulated only at the stage of administrative court complaint, the authority was not obliged to apply the principle of data minimization when resolving the case.

Consequently, it should be concluded that the Court of first instance incorrectly assessed the failure of the authority to recognize the case as regards the compliance of the processing of the complainant's personal data with the principle of data minimization resulting from Art. 5 sec. 1 lit. c) GDPR, as it erroneously recognized the allegation of breach of the principle of minimalism as a request not covered by the present case.

Considering the above arguments, the Supreme Administrative Court found that the cassation appeal contains a justified basis, therefore, pursuant to Art. 188 p.p.s.a. admitted the cassation appeal and, considering that the essence of the case had been sufficiently clarified, examined the complaint.

The above-mentioned failure to investigate the case by the authority regarding the compliance of the complainant's personal data with the principle of data minimization resulting from Art. 5 sec. 1 lit. c) GDPR had to result in the revocation of the contested decision pursuant to Art. 145 § 1 point 1 lit. a) p.p.s.a.

Recognizing the case, the authority pursuant to Art. 153 p.p.s.a. recognize the matter of compliance of the processing of the complainant's personal data by the Company with the principle of data minimization resulting from art. 5 sec. 1 lit. c) GDPR, in particular as regards the processing of its telephone number.

The costs of the proceedings before the Court of first instance were adjudicated pursuant to Art. 200 p.p.s.a. in connection with joke. 210 § 2 of the p.p.s.a. and in connection with art. 188 p.p.s.a.