SO w Warszawie - XXV C 2596/19
|SO Warszawa - XXV C 2596/19|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 82 GDPR
|National Case Number/Name:||XXV C 2596/19|
|European Case Law Identifier:|
|Original Source:||Portal Orzeczeń Sądów Powszechnych (in Polish)|
|Initial Contributor:||Maciej Niezgoda|
The District Court in Warsaw ordered an insurance company to pay €330 of compensation to a data subject for the insurer's breach of the data minimization principle.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject was the owner of the vehicle which was involved in the road collision. On the date of collision the vehicle was insured in terms of civil liability of motor vehicle holders. After the collision, the insurer handled the loss adjustment. The injured party in the subject traffic collision approached the insurer to send documentation regarding the loss. The insurer's employee sent to the injured party scans of the loss documentation, which were not anonymized, i.e. including the name of the data subject, her residence address, PESEL number, telephone number, and vehicle data. Later on, the insurer notified the data subject of the above incident, as a result of which personal data may have fallen into the wrong hands. Upon receipt of the above information, the data subject changed her cell phone number and stipulated to the bank that withdrawals from her bank account could only be made on her personal instruction. She was afraid of the negative consequences of having her personal data disclosed by the insurer, i.e. that someone would call her and that her data would be passed on. The injured party in the traffic collision did not contact the data subject or file a claim in court against her. The insurance company paid the injured party compensation under the data subject's insurance contract.
The representative of the data subject requested the insurance company to pay the amount of PLN 10,000 as compensation due to the violation of the protection of the claimant's personal data by unauthorised disclosure to third parties.
In its reply, the insurance company refused to accept the data subject's claim, arguing that the transfer of the claimant's personal data to the injured party was based on provisions of law.
Dispute[edit | edit source]
Whether there has been an unlawful transfer of personal data to a third party?
Did the scope of personal data provided to the third party comply with the data minimization principle?
Holding[edit | edit source]
The District Court in Warsaw held that under specific regulations itself, personal data of the data subject as the owner of the vehicle involved in the road collision could - as a matter of principle - be made available to the injured party in the collision even though the data subject was not driving the vehicle during the collision. The court held, however, that the insurer was entitled to provide the injured party with data including the data subject's first and last name and her place of residence, but was not entitled to provide information regarding her PESEL number and telephone number. The transfer of these additional data of the data subject went beyond the statutory authorization under specific provisions and was therefore unlawful and violated the principle of data minimization. Therefore the court ordered the insurance company to pay compensation to the data subject in the amount of PLN 1,500 in connection with the insurer's breach of the principle of data minimization.
Comment[edit | edit source]
According to the court, by providing a third party with a data subject's personal data in an overly broad scope, the insurance company violated the data subject's right to privacy and caused non-pecuniary damage to the data subject. Privacy is a good relating to the facts of a person's life, about which he or she does not consent to their publication in public. The right to privacy is embodied in such goods as secrecy of correspondence, personal data, or inviolability of the home. As a result of the insurer's actions, personal data of the data subject, which the person was not entitled to obtain (PESEL, the claimant's telephone number), was made available to a third party. As a result of the incident, the data subject lost a sense of security and began to experience fear related to the possibility of unauthorized use of her personal data by other persons, by performing banking activities on her behalf or making unwanted phone calls to her. The harm thus caused to the data subject gives rise to an obligation on the part of the insurance company to redress this harm by paying monetary compensation to the claimant pursuant to Article 82(1) of the GDPR
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Judgment Of the District Court in Warsaw of August 6, 2020 XXV C 2596/19 SUBSTANTIATION Adjudication panel Chairman: Judge SO Paweł Duda. Sentence District Court in Warsaw, XXV Civil Division, after hearing on August 6, 2020 in Warsaw, at the hearing of the case brought by MK against Towarzystwo (...) Spółka Akcyjna with its seat in W. for payment I. awards the Towarzystwo (...) Spółka Akcyjna with its seat in W. to MK the amount of PLN 1,500 (one thousand five hundred zlotys); II. dismisses the claim for the remainder; III. refrains from charging the claimant with the costs of legal representation for the defendant. Factual justification MK, in a lawsuit of 8 July 2019, requested that Towarzystwo (...) Spółka Akcyjna with its seat in W. amount to PLN 10,000 in connection with the breach of its personal data. In the justification, the claimant indicated that on October 31, 2018, she received a notification from the defendant about the transfer of her personal data to a participant in a road accident involving the claimant's car. In the claimant's opinion, her personal data could be used for information (...) by SA and the Police, but not by third parties. From the moment she receives the defendant's letter, the plaintiff is under constant stress, fearing how her personal data will be used. The claimant based her claim on the basis of Art. 82 of the Regulation of the European Parliament and of the Council (EU) (...) of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive95/46 / WE (Journal of Laws UE.L No. 119, p. 1), hereinafter referred to as "GDPR". In addition, in the procedural letter of March 16, 2020, the plaintiff referred to the claim art. 445 of the Civil Code and Art. 24 of the Civil Code in connection with with art. 448 of the Civil Code The defendant Towarzystwo (...) SA, in response to the claim, requested that the claim be dismissed in its entirety. The respondent denied that there was a breach of the provisions on the protection of personal data, as well as that any material or non- material damage to the plaintiff was therefore caused. The disclosure of the plaintiff's data (the insured person, the owner of the vehicle) by the defendant to the injured person was legally permissible, as it was permitted by the provisions of the Act on Insurance and Reinsurance Activity, the Act on Compulsory Insurance, the Insurance Guarantee Fund and the Polish Motor Insurers' Bureau, and the Road Traffic Act. Therefore, the content of the defendant's letter of October 31, 2018 was a mistake and cannot give rise to liability for damages on the part of the defendant, since the conditions for this liability have not been met. The court established the following facts: MK is the owner of a vehicle that was involved in a road collision. On the date the vehicle was in collision civil liability of motor vehicle owners insured Society (...) SA W. During the collision the plaintiff was not the person in charge of the vehicle (the circumstances established under Art. 229 of the Code - given by the defendant in response to the lawsuit and by the claimant at the hearing on August 6, 2020). After the collision, Towarzystwo (...) SA dealt with the liquidation of the loss registered under the number (...). The injured party in the road accident in question asked the defendant to send documentation regarding the damage. On October 5, 2018, the defendant's employee sent the injured person scans of the documentation regarding the damage that had not been anonymised, i.e. the name and surname of the claimant, her address, PESEL number, telephone number, and vehicle data. By letter of October 31, 2018, the insurer notified the claimant of the above incident, as a result of which the plaintiff's personal data could have fallen into the wrong hands (notification of a personal data breach of October 31, 2018 - p. 9-11). After receiving the above information, the plaintiff changed her mobile phone number and stipulated at the bank that withdrawals from her bank account could only be made on her personal request. She was afraid of the negative consequences of disclosing her personal data by the defendant, i.e. that someone stranger would call her, that her data would be passed on. So far, the plaintiff has not faced any negative consequences of disclosing her personal data by the defendant. The injured party in a road accident did not contact the plaintiff and did not file a claim against the plaintiff. The defendant insurance company paid compensation to the victim of the insurance contract the plaintiff (the circumstances established under Art. 230 of the Code - given by the applicant at the hearing of 6 August 2020. And not challenged by the defendant). By letter of February 21, 2019, the attorney of MK summoned Towarzystwo (...) SA to pay PLN 10,000 as compensation in connection with the breach of the plaintiff's personal data protection through unauthorized disclosure to third parties (request for payment of February 21, 2019. - sheets 12-12v.). In response, the defendant in a letter of 22 March 2019 refused to recognize the claimant's claim, arguing that the transfer of the plaintiff's personal data to the aggrieved was based on the provisions of law (the defendant's letter of 22 March 2019 - file 13-13v). The above-mentioned facts were established by the Court on the basis of the above-mentioned documentary evidence which did not raise any doubts as to their authenticity, and the facts established by them were not questioned by the parties to the proceedings. Regardless of this, the facts of the case were undisputed between the parties who were in dispute only as to the legal consequences of the facts described above. The court considered as follows: Due to the fact that the claimant referred to the provisions of the GDPR and the Civil Code on the protection of personal rights as the legal basis for the claim, the claim pursued by the claim will be assessed taking into account both of these legal bases invoked by the claimant. In accordance with Art. 82 GDPR, any person who has suffered material or non-pecuniary damage as a result of a breach of the regulation has the right to obtain compensation from the controller or processor for the damage suffered (paragraph 1). Any controller involved in processing is liable for damage caused by processing in breach of this Regulation. The processor is liable for damage caused by the processing only if he has not complied with the obligations which the regulation imposes directly on processors, or if he acted outside or contrary to the lawful instructions of the controller (paragraph 2). The controller or processor shall be exempt from liability if they prove that they were not at fault in any way for the event that led to the damage (paragraph 3). As defined in the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific physical, physiological, genetic, mental factors, economic, cultural or social identity of a natural person ( Article 4 (1 ) of the GDPR). "Processing" means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or other types of sharing, matching or combining, limiting, deleting or destroying ( Article 4 point 2 of the GDPR). By contrast, "controller" means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; if the purposes and means of such processing are specified in EU law or in the law of a Member State, the controller may also be designated under EU law or in the law of a Member State, or specific criteria for its appointment may be specified ( Article 4 (7 ) of the GDPR). The provisions of the GDPR show that the processing of personal data is lawful only in cases where - and to the extent in which - at least one of the following conditions is met, specified e.g. in art. 6 lit. what the content: processing is necessary to fulfill the legal obligation incumbent on the administrator, and art. 6 lit. fo content: when processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data , in particular when the data subject is a child. Moreover, what is important in the present case, in Art. 5 sec. 1 lit. c GDPR, the principle of "data minimization" was expressed, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. On the other hand, in Polish civil law, the principle of the protection of human personal rights is expressed in Art. 23 of the Civil Code, according to which a person's personal rights remain under the protection of civil law, irrespective of the protection provided for in other provisions. The catalog of protected personal rights listed in art. 23 of the Civil Code is only exemplary, as indicated by the phrase "in particular", so it is not an exhaustive catalog. The means of protecting the infringed goods include pecuniary compensation for the harm suffered ( Art. 448 of the Civil Code in conjunction with Art. 24 § 1 sentence 3 of the Civil Code). The premise for a claim for payment of compensation on the basis of the cited provisions is the demonstration by the aggrieved party of the infringement of a specific personal interest and suffering of harm as a result of infringement of the personal interest. The provision of art. 448 of the Civil Code was placed in the title VI of the third book of the Civil Code "Prohibited Deeds", therefore the rules of the tort liability regime apply to it (see: Supreme Court of 12 December 2002, V CKN 1581/00 , OSNC 2004/4/53 and of 24 January 2008, I CSK 319/07 , LEX No. 448025). The condition for awarding pecuniary compensation for the harm suffered is the fault of the entity that committed the infringement ( Art. 415 of the Civil Code). The burden of proof regarding the guilt lies with the entity seeking protection of its personal rights. The provision of art. 24 § 1 of the Civil Code formulates the presumption of unlawfulness of infringement of personal rights, therefore it is the defendant's duty to prove that his action infringing the personal rights of the plaintiff was not unlawful. The culpable act of the perpetrator, which entails civil liability, must show signs of inappropriate conduct both from the objective side, which is referred to as the unlawfulness of the act, and from the subjective side, which is defined as a guilt in a subjective sense. Unlawfulness - as an objective feature of the perpetrator of the act - is recognized as a contradiction with the applicable legal order, which is understood as orders and prohibitions resulting not only from legal norms (in the field of civil, criminal, administrative, labor, financial law, etc.), but also resulting from moral and social norms, referred to as "principles of social coexistence" or "good manners" (cf. Gerard Bieniek, in: Commentary to the Civil Code. Księga third. Obligations, vol. 2, Warsaw 2005, pp. 235-236; orz. Supreme Court of 19 July 2003, V CKN 1681/00, LEX No. 121742). In a subjective sense, guilt refers to the sphere of human mental phenomena and is understood as a reprehensible decision relating to an unlawful act committed by him, however, in the case of legal persons, this qualification will apply to persons belonging to the body authorized to represent the person. legal ( Art. 416 of the Civil Code). Therefore, under civil law, blame can be attributed to the subject of law when there are grounds for a negative assessment of his behavior both from the objective and subjective point of view - the so-called overlaps in the proceedings (yes, Supreme Court in the ruling of September 26, 2003, IV CK 32/02 , LEX no. 146462 ). It should also be pointed out that in the event of infringement of a personal right, the court - pursuant to Art. 448 of the Civil Code - "may admit to a person whose personal interest has been violated" with an appropriate amount as compensation for the harm suffered. This means that even in the event of a violation of a personal interest, the award of pecuniary compensation is not obligatory, but optional - left to the discretion of the judge The legitimacy of the award of pecuniary compensation, as well as its amount, depend on the assessment of the entirety of the facts of the case, such as the type of the breached good, the extent of the harm suffered, the nature of the consequences of the breach, the degree of culpability, the property relations of the obligated and entitled party, etc. (also: GB , in: Commentary to the Civil Code. Book Three. Obligations. Volume 1, Warsaw 2005, p. 492; the Supreme Court in the ruling of April 19, 2006, II PK 245/2005 and the Court of Appeal in Poznań in the ruling of 11 January 2007, I ACa 833/2006 , LEX No. 298413). In order to assess the claim of the plaintiff, it was necessary to examine in the case under examination whether the disclosure of the plaintiff's personal data by the defendant to the person injured in a road accident was lawful. The regulation of Art. 29 sec. 6 of the Act of September 11, 2015 on insurance and reinsurance activities (consolidated text: Journal of Laws of 2020, item 895), according to which the insurance company provides the policyholder, the insured, the claimant or the beneficiary under the insurance contract ( the aggrieved party is also considered to be the entitled party in the case of third party liability insurance - Article 3 (1) (52) of the Act) information and documents collected in order to determine the liability of the insurance company or the amount of compensation or benefits. These persons may request written confirmation by the insurance undertaking of the disclosed information, as well as the preparation, at their own expense, of photocopies of documents and confirmation of their compliance with the original by the insurance undertaking. Moreover, pursuant to Art. 44 sec. 1 point 4 of the Act of June 22, 1997, Road Traffic Law (consolidated text: Journal of Laws of 2020, item 110), the driver of the vehicle, in the event of participating in a road accident, is obliged to provide his / her personal data the owner or holder of the vehicle and data on the insurance company with which the compulsory third party liability insurance contract is concluded, at the request of the person involved in the accident. It follows from the above regulations that the personal data of the claimant, as the owner of the vehicle involved in a road accident, could - as a rule - be made available to the person injured in the accident, even though the claimant did not drive the vehicle during the accident. The basis for the defendant to provide such data to the plaintiffs were the above-mentioned provisions of Art. 29 sec. 6 of the Insurance and Reinsurance Activity Act in connection with with art. 44 sec. 12 point 4 of the Road Traffic Law. The purpose of the road accident victim's access to data concerning the owner of the vehicle (its holder) is to enable him to pursue claims related to the sustained property or non-pecuniary damage. From the previously mentioned Art. 5 sec. 1 lit. c GDPR, it follows that the processed (and therefore transferred to a third party) personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Objectives of Art. 29 sec. 6 of the Insurance and Reinsurance Activity Act and Art. 44 sec. 1 point 4 of the Road Traffic Law also indicate that the (personal) data of the owner or holder of the vehicle (insured under the compulsory third-party liability insurance of motor vehicle owners), which can be obtained by the injured person (entitled under civil liability insurance), does not include all (any) data the owner (holder) of the vehicle, but only those that are needed by the injured party in order to establish liability and pursue claims for damages against the owner (holder) of the vehicle or the third party liability insurer. For these purposes, it is sufficient to provide the name and surname of the vehicle owner and the number of the civil liability insurance policy (possibly additionally the place of residence), which sufficiently identify him. The provision of the PESEL number and the phone number of the vehicle owner certainly goes beyond these goals. Therefore, it should be concluded that the defendant insurer was entitled to provide the injured party with data including the plaintiff's name and surname and her place of residence, but was not entitled to provide information on the PESEL number and the plaintiff's telephone number. The provision of these additional data to the claimant exceeded the statutory authorization resulting from the above-mentioned provisions, and was therefore unlawful. The defendant insurance company can be attributed a subjective fault in the meaning described above. The above-mentioned legal regulations on the protection of personal data (protection of personal rights) should be known to the representatives of the defendant who hand over the damage documentation to the injured party in a road accident, since the defendant is professionally involved in insurance activities, including claims settlement. By providing a third party with the plaintiff's personal (personal) data to a too broad extent, the defendant violated the plaintiff's right to privacy and led to non-pecuniary damage (harm) on its part. Privacy is a good relating to the facts of a person's life that he or she does not consent to being made public. The emancipation of the right to privacy are goods such as the confidentiality of correspondence, personal data or the inviolability of the home. As a result of the defendant's actions, the claimant's personal data was made available to a third party, which that person was not entitled to obtain (PESEL, the claimant's telephone number). As a result of this incident, the claimant lost her sense of security, she began to feel anxiety related to the possibility of unauthorized use of her personal data by other persons by making banking activities on her behalf or making unwanted telephone calls with her. Damage caused in this way to the plaintiff gives rise to the defendant's obligation to repair it by paying the plaintiff a pecuniary compensation, pursuant to Art. 82 sec. 1 GDPR and art. 448 of the Civil Code in connection with with art. 24 § 1 sentence 2 of the Civil Code The purpose of awarding pecuniary compensation is to mitigate the harm suffered by the aggrieved party (non-pecuniary damage) caused by the tort. Compensation for the harm suffered, due to its compensatory nature, must present some economic value. On the other hand, its amount cannot be excessive in relation to the harm suffered and the current property relations of the society, as it is supposed to mitigate the harm and not lead to the enrichment of the aggrieved party. The elements determining the extent of compensation are the nature of the infringed personal interest, the degree of the perpetrator's guilt, the intensity of the infringer's interference in a given good or personal goods and the duration of the infringement, the way in which the aggrieved person felt in his psyche the unlawful action of the perpetrator (see the Court of Appeal in Warsaw, June 10, 2011, VI ACa 84/11 , Legalis No. 363615). The evidence in the case does not show that the plaintiff's personal data (PESEL number, telephone number) was made public or used unlawfully by an unauthorized person. The claimant herself admitted that the victim of the accident, to whom the claimant's data was provided, did not contact her by phone and did not experience any other negative consequences related to the disclosure of her personal data . The fact of unlawful transfer of the plaintiff's extensive personal data to the aggrieved did not lead to harassment of the plaintiff, attempts to incur liabilities with the use of her personal data, or violation of her home life. Apart from the claims declared by the claimant regarding the possibility of unlawful use of her personal data by a third party, the claimants faced no further consequences. Therefore, the damage caused to the claimant as a result of the breach of her personal data turned out to be small, and therefore the compensation should be small. The compensation demanded by the plaintiff in the amount of PLN 10,000 is considered excessive in this situation. In the opinion of the Court, the appropriate compensation for the plaintiff in the context of the extent of the damage will be PLN 1,500. Such an amount of compensation will compensate the claimant's harm caused by the defendant's infringement of her personal rights. It will be a financial gain for the claimant, giving the claimant a moral satisfaction adequate to the scale of the infringement of her personal rights, and thus fulfilling its compensatory function. On the other hand, this sum will not be excessive and will not lead to unjustified enrichment of the claimant at the expense of the defendant. For the reasons described, the Court, in point I of the operative part of the judgment, ordered the defendant to pay the plaintiff PLN 1,500, and in point II of the judgment dismissed the remaining part of the claim, pursuant to the above-mentioned provisions. While ruling on the costs of the proceedings in point III of the operative part of the judgment, the Court applied the principle of equity expressed in Art. 102 of the Code of Civil Procedure, according to which, in particularly justified cases, the court may award only part of the costs from the losing party or not charge it with costs at all. The application of the principle of equity should be assessed against all the circumstances that would justify a departure from the basic principles determining the decision as to the costs of the trial. These circumstances include both the facts related to the course of the trial and the facts outside the trial, especially those relating to the financial condition (life situation). These circumstances should be assessed primarily taking into account the principles of social coexistence (see the post of the Supreme Court of January 14, 1974, II CZ 223/73 , Legalis). The court costs incurred by the defendant include only the costs of legal representation by a professional attorney. The court had in mind that the present case was not complicated and the pleading constituting a response to the statement of claim essentially duplicated the arguments presented in the defendant's letter to the plaintiff at the pre-trial stage. On the other hand, the plaintiff had grounds to believe that the claim was right (which was confirmed in principle), and its amount depended on the judge's discretion, so the plaintiff was not able to precisely estimate it. The text of the judgment comes from the collections of common courts.