UODO (Poland) - DKN.5131.42.2022
From GDPRhub
| UODO - DKN.5131.42.2022 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 33 GDPR Article 34(1) GDPR Article 34(2) GDPR Article 55(3) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 27.07.2022 |
| Decided: | 19.12.2023 |
| Published: | 14.03.2024 |
| Fine: | 2,324 EUR |
| Parties: | Sąd Okręgowy w Krakowie |
| National Case Number/Name: | DKN.5131.42.2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Polish |
| Original Source: | UODO (in PL) |
| Initial Contributor: | im |
The DPA found that the GDPR applies to a court that fails to notify a personal data breach occurred in the exercise of administrative tasks. The court was fined €2,324.
English Summary
Facts
The Polish Minister of Foreign Affairs ('Minister') informed the DPA that the Consulate General of the Republic of Poland ('Consulate') sent, at the request of the District Court of Kraków ('Court'), correspondence through a postal operator to an addressee.
The addressee informed the Consulate that a delivered parcel was damaged, additionally wrapped and was incomplete. The infringement covered a various categories of personal data, namely first and last names, ID numbers, addresses of residence, dates of birth, bank account numbers, photographs. Personal data of two children were also breached.
The DPA identified the court as a controller of the data affected by the breach. It invited the Court to indicate whether a risk analysis had been done to assess whether a data protection breach required notifying the DPA and the affected individuals under Articles 33 and 34 GDPR. In its defence, the court referred to Article 175dd of the Law on the Common Court System, stating that the District Court of Kraków, under the President of the Court of Appeal in Krakow, is responsible for overseeing data processing in court proceedings and legal protection tasks.
As a response, the DPA clarified that it was the competent authority to investigate the infringement in question.
However, the Court reiterated its stance, referencing various articles of the Law on the System of Common Courts and a decision by the CJEU from March 24, 2022 (Case C-245/20). The Court emphasized that the protection of judicial independence is paramount, stating that judicial functions should be exercised independently without external interference or pressure. They asserted that the administration of justice encompasses all operations related to judicial activities, including informing parties about court proceedings. Additionally, the Court referenced a decision by the DPA (no. ZSOŚS.440.109.2018) regarding the authority's reluctance to interfere with documents collected in court proceedings. Consequently, they argued that the DPA lacks the authority to control courts in matters related to adjudicatory activities.
Holding
In investigating the incident, the DPA assessed whether the reported event constituted a breach of personal data protection and whether the DPA was the competent authority to verify compliance with GDPR by the controller (the court) involved in the incident.
Referencing Article 4(12) GDPR, the DPA found that the event reported by the Minister, involving the delivery of damaged correspondence to the addressee, was considered a breach of personal data protection, as it compromised data confidentiality and availability. The Court did not disprove the occurrence of this event during the proceedings.
The DPA, as the competent supervisory authority, determined that the delivery of correspondence did not constitute judicial or legal protection by the Court but rather a technical administrative task. Therefore, the DPA was acting within its powers to assess the infringement. As Article 55(3) GDPR specifies that supervisory authorities cannot supervise processing operations carried out by courts in the administration of justice, the opposite applies to administrative activities of the court, such as the delivery of correspondence.
The Court's reference to C-245/20 was deemed unjustified as it pertained to the provision of information by a court in its judicial capacity, not while performing administrative activities. The DPA's intervention did not impinge on judicial independence but focused on rectifying data protection irregularities, aligning processing operations with GDPR provisions. These remedial actions did not interfere with pending proceedings or judicial competence but addressed administrative aspects of the court's activities.
The Court's reference to the previous decision of the DPA was also not applicable.
Furthermore, the Court of Appeal in Kraków could be considered the supervisory body for the notification of the breach in this case. According to Article 175dd of the Law on the Common Court System, judicial supervisory bodies are not authorized to receive notifications of personal data protection violations or assess high-risk situations resulting from such breaches.
Consequently, the DPA assessed the incident as a breach of confidentiality, regardless of the postal operator's fault. The assessment focused on the failure to report the breach and notify data subjects, which falls within the DPA's jurisdiction without interfering with court decisions.
The DPA found a breach of Article 33 GDPR and Article 34(1) and (2) GDPR resulting in a fine of €2,324.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Based on Article. 104 § 1 and art. 105 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775) in connection with Art. 7(1) 1 and 2, art. 60, art. 102 section 1 point 1 and section 3 of the Personal Data Protection Act (Journal of Laws of 2019, item 1781) and Art. 57 section 1 letter a) and letter h), art. 58 section 2 lit. e) and letter i), art. 83 section 1 and 2, art. 83 section 4 lit. a) in connection with Art. 33 section 1, section 3 and section 5 and art. 34 section 1 - 2 and section 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation data) (OJ EU L 119 of 4/05/2016, p. 1 and OJ EU L 127 of 23/05/2018, p. 2 and OJ EU L 74 of 4/03/2021, p. 35 ), hereinafter referred to as Regulation 2016/679, after administrative proceedings initiated ex officio regarding violations of the provisions on the protection of personal data by the District Court in Kraków with its registered office in Kraków at ul. Przy Rondo 7, President of the Personal Data Protection Office
1) finding an infringement by the District Court in Kraków with its registered office in Kraków at ul. At Rondo 7 provisions: a) Art. 33 section 1 and section 3 of Regulation 2016/679, consisting in failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach, b) Art. 34 section 1 and section 2 of Regulation 2016/679, consisting in failure to notify data subjects about a breach of personal data protection without undue delay,2) imposes a penalty on the District Court in Kraków for violating Art. 33 section 1 and section 2 and art. 34 section 1 and section 2 of Regulation 2016/679 an administrative fine in the amount of PLN 10,000 (in words: ten thousand zlotys and 00/100),3) orders the District Court in Kraków to notify, within 3 days from the date of receipt of this decision, (...) persons, whose data were contained in the documents contained in the damaged postal item (i.e. the plaintiff, the defendant and their two children), about the violation of the protection of their personal data in order to provide them with the information required in accordance with Art. 34 section 2 of Regulation 2016/679, i.e.: a) description of the nature of the personal data protection breach; b) name and contact details of the data protection officer or designation of another contact point from which more information can be obtained; c) description of the possible consequences of the data protection breach personal data, taking into account the categories of persons and the scope of data subject to the breach; d) a description of the measures applied or proposed by the controller to remedy the breach - including measures to minimize its possible negative effects, taking into account the categories of persons and the scope of data subject to the breach, 4) in other respects discontinues the proceedings.
Justification
On July 27, 2022, the Personal Data Protection Office received a notification of a personal data protection breach submitted by the Minister of Foreign Affairs with its registered office in Warsaw at (...) (hereinafter: the Minister), consisting in the delivery to the addressee by the postal operator R. (...) of a damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in October at the request of the District Court in Krakow with its registered office in Krakow at ul. Przy Rondo 7 (hereinafter: Court or Administrator). As established, the Consulate General of the Republic of Poland in October, in a letter dated (...) July 2022, no. (...), informed the District Court in Kraków about the delivery of a damaged and incomplete shipment to the addressee. The notification of a personal data protection breach made by the Minister was registered under the reference number DKN.5130.8015.2022.
The President of the Personal Data Protection Office, hereinafter also referred to as the President of the Personal Data Protection Office, as a result of the explanatory proceedings conducted regarding the reported personal data protection breach and the administrative proceedings initiated ex officio regarding the violation of the provisions of Art. 33 and art. 34 section 1-2 of Regulation 2016/679 by the District Court in Kraków, in connection with a breach of personal data protection consisting in "delivery to the addressee by the postal operator R. (...) of damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in October to request of the District Court in Kraków (...)", established the following factual situation.
The Minister informed the supervisory authority that the Consulate General of the Republic of Poland in October, July 2022, at the request of the District Court in Kraków, sent correspondence via the postal operator R. (...). The addressee of the correspondence informed on (...) July 2022 the above-mentioned Consulate that he was delivered a damaged shipment and "there may have been a breach of correspondence." The information obtained from the addressee also showed that the correspondence was additionally packed in protective foil to protect the damaged envelope, as well as that it did not contain all documents to be delivered.
The Consulate General of the Republic of Poland in October informed the Administrator about the event in a letter dated (...) July 2022 (which was delivered on (...) August 2022). Its content shows that the correspondence was delivered to the addressee on (...) July 2022 via the postal operator R. (...). Moreover, this letter also indicated that "the delivered parcel was delivered damaged and incomplete".
The administrator of the data affected by the breach is the District Court in Kraków as the sender of the shipment.
In a letter of (...) August 2022, the supervisory authority called on the Court to indicate whether an analysis of the risk of violating the rights and freedoms of natural persons was carried out, necessary to assess whether there was a data protection breach resulting in the need to notify the President of the Personal Data Protection Office and the persons affected by the breach. . In a letter of (...) August 2022, the Court indicated that "pursuant to Art. 175dd of the Act on the Organization of Common Courts (...), the body competent to supervise the processing of personal data processed in court proceedings as part of the administration of justice or the implementation of tasks in the field of legal protection, the administrator of which are the courts within the meaning of Art. 174da and 175db is for the District Court in Kraków, President of the Court of Appeal in Kraków (...).”
In a letter of (...) September 2022, the supervisory authority again turned to the Court, demanding an answer to the question contained in the letter of (...) August 2022, at the same time informing that the President of the Personal Data Protection Office is the supervisory authority in this case and competent to investigate the infringement in question. In response, in a letter of (...) September 2022, the Court maintained its position, again referring to the content of Art. 174 da [no such provision in the Act], Art. 175 db and art. 175 dd of the Act on the Organization of Common Courts[1]. Moreover, the Court referred to the judgment of the Court of Justice of the European Union of 24 March 2022 in case C-245/20, in which the Court noted that "the protection of the independence of the judiciary assumes, in principle, that judicial functions are performed in a completely , independent; "the courts are not subject to any chain of command or subordination to anyone, nor do they receive orders or directions from any source, and are therefore protected from any external interference or pressure that may impair the independence of judgment of their members and influence their decisions." The CJEU came to the conclusion that the activity/process of administering justice cannot and is not limited only to the processing of personal data as part of specific court proceedings, but its broad scope covers all operations carried out as part of judicial activity. This also applies to code procedures for informing parties about ongoing and initiated court proceedings. The above means that the scope of understanding "the administration of justice by the courts" is broad and includes everything that can be related to the independence of the courts. The above was also emphasized by the Advocate General of the CJEU (...) in the opinion preceding the mentioned judgment, where he drew attention to the fact that these may also be decisions that at first glance are of an administrative nature, but in fact should be related to the adjudication, e.g. recording hearings , transmitting them or even applying security measures (see: C-245/20 - Opinion of the Advocate General, Court of Justice of the European Union, Article 55(3) of the Regulation). In turn, against the background of Art. 175 section 1 of the Constitution of the Republic of Poland, it is assumed that the administration of justice is the binding resolution of disputes about law by a court. “The essence of the justice system is the resolution of legal disputes (disputes arising from legal relations)” within the framework of special forms of proceedings (provisions of civil and criminal court proceedings) (see: judgment of the Constitutional Tribunal 28/97). The national supervisory authority is therefore not authorized to supervise courts to the extent to which they perform judicial activities, and such activities include adjudicating not only in the main case, but also in all incidental cases (see the judgment of the Supreme Administrative Court of May 26, 2020 r. I OSK 1533/19). (…)” In addition, the Court also referred to the decision of the President of the Office of Personal Data Protection, ref. no. ZSOŚS.440.109.2018, in which the authority found itself incompetent to interfere with the content of documents collected in the files of court proceedings.
The Court, in a letter dated September 2022, indicated that, in the Court's opinion, the President of the Personal Data Protection Office does not have the authority to consider a case regarding the processing of personal data contained in the exercise of justice by this Court. In the opinion of the Court, the judicial activity of courts, which is a manifestation of the administration of justice, is determined by the provisions contained, among others, in the Act of November 17, 1964, Code of Civil Procedure (hereinafter: Code of Civil Procedure). Activities related to serving the statement of claim together with attachments to the defendant in a civil case are regulated in detail and comprehensively in the Code of Civil Procedure. The court explained that these norms create a detailed legal framework for the court's administration of justice in civil law cases. The court also referred to the judgment of the Court of Justice of March 24, 2022, ref. no. file: C-245/20, pointing out that "(...) processing operations whose supervision by the supervisory authority could directly or indirectly affect the independence of members of these courts or influence their decisions are excluded from the jurisdiction of the supervisory authority (see: judgment of the Court of Justice of March 24, 2022 C-245/20). Therefore, the administration of justice undoubtedly includes activities related to the delivery of procedural documents to the parties, including a copy of the lawsuit to the defendant. A copy of the statement of claim is a court document directly related to the court proceedings, for the transmission of which the applicable national law provides for formalized service (...).” Moreover, the Court indicated that "the above issues are regulated in the provisions of the Code of Civil Procedure, i.e. Title VI, Section I, Chapter II "Delivery" and Section II, Chapter 2a "Organization of proceedings". Pursuant to Art. 2051 § 1 and 2 of the Code of Civil Procedure the chairman orders the service of the lawsuit on the defendant and calls on him to submit a response to the lawsuit within a set deadline of no less than two weeks. The plaintiff is notified of the order to serve the statement of claim. (…) In the circumstances of the case, a copy of the complaint together with attachments in the case (…) was delivered to the defendant in accordance with the judge's order through the Consulate General of the Republic of Poland in October, by way of legal assistance pursuant to Art. 1130 et seq. k.p.c. and § 37 et seq. Regulation of the Minister of Justice of January 28, 2002 on detailed court activities in matters relating to international civil and criminal proceedings in international relations (Journal of Laws of 2014, item 1657). This regulation provides for delivery by Polish consuls. Correspondence sent to diplomatic missions is signed by a judge and the letter is marked with, among others: official seal (§ 14(1) and (2) of the Regulation). Taking into account the above, there is no doubt that the judge's actions in the case (...) in the scope of processed personal data, related to the delivery of a copy of the lawsuit with attachments to the defendant, took place within the framework of the administration of justice, i.e. to the extent not falling within the competence of the President of the Personal Data Protection Office. The President of the Personal Data Protection Office cannot interfere with the internal organization of the Court's work, and in particular with the rules for the circulation of procedural documentation, since this circulation takes place in connection with the administration of justice by the court. By serving a copy of the complaint with attachments to the defendant, the court acts as part of the administration of justice, because these activities have a measurable impact on the content of the judgment issued by the court in the proceedings. Therefore, in the circumstances of the case, it is justified to discontinue the proceedings due to the lack of material jurisdiction of the President of the Personal Data Protection Office in the scope of considering cases regarding the processing of personal data by courts in the course of administering justice. Pursuant to Art. 175 dd § 1 of the Act of 27 July 2001, u.s.p. the supervisory authority for the Court as the administrator of personal data processed in court proceedings as part of the administration of justice or the implementation of tasks in the field of legal protection is not the President of the Personal Data Protection Office, but - in relation to the subordinate district court - the president of the court of appeal. (…) The exercise by the President of the Personal Data Protection Office - as the authority competent in data protection matters - to supervise the processing of data in the scope of court rulings could constitute unacceptable interference in their judicial activities. The President of the Personal Data Protection Office, within the powers granted to him by law, cannot therefore interfere in the course of the proceedings or the manner in which they are conducted by other bodies authorized under separate provisions, including in particular courts. Therefore, the President of the Personal Data Protection Office cannot interfere with the principles of serving the defendant with a copy of the complaint together with attachments (often constituting part of the evidence). (…) Therefore, the President of the Personal Data Protection Office shall examine whether the controller has allegedly violated the provisions on the protection of personal data or failed to fulfill the obligations arising from Art. 33 and 34 section 1 and 2 of the GDPR remain irrelevant. (…) The lack of material jurisdiction of the body - the President of the Office of Personal Data Protection, who is not authorized to issue a substantive decision in the case in question, determines the groundlessness of the administrative proceedings. Regardless of the above, it should be noted that the allegation that the Court may have acted as a data controller in connection with a breach of personal data protection by delivering damaged and incomplete correspondence containing personal data to the addressee remains completely misplaced and groundless. In the case (...), the judge, acting on the basis of applicable legal norms, in a letter of May 11, 2022, asked the Consul General of the Republic of Poland in October, as part of legal assistance, to deliver to the defendant M.O. a copy of the lawsuit together with attachments (listed in detail in the cover letter) . The correspondence was set in motion and sent for shipment on (...) June 2022, in accordance with the rules arising from the Regulation of the Minister of Justice of January 28, 2002 on detailed court activities in matters relating to international civil and criminal proceedings in international relations . On (...) July 2022, the Consulate General of the Republic of Poland in October 2022 delivered the parcel to the addressee by registered mail with acknowledgment of receipt. According to the information available in the electronic system of the postal operator R. (...), the parcel was delivered to the addressee on (...) July 2022 (no annotations about any damage during transport - records in postal systems) (...)". The court attached a violation report describing the event to the explanations in question.
As a result of the above the event resulted in a breach of both confidentiality and data availability (point 4E of the notification form sent by the Minister). In the Minister's opinion, it concerned the following scope of data: name and surname, address of residence or stay, and other information related to the court proceedings themselves. In a letter of October 2022, the court explained that the breach covered personal data of (...) persons in the following scope: 1) the plaintiff: her name and surname, PESEL number, address, date of birth, data included in the medical documentation, bank account number, 2) the defendant: his name and surname, PESEL number, residential address, date of birth, image contained in the photograph, 3) personal data of two children: their names and surnames, PESEL numbers, residential address, dates of birth, data included in the psychological opinion, 4) personal data (...) of witnesses: their names and surnames, telephone numbers, residential addresses, e-mail addresses (in the case of (...) witnesses). Moreover, the Court stated that the court proceedings concerned the dissolution of a marriage.
The case file includes a report from August 2022 sent by the Court regarding a personal data protection breach, which shows, among other things, that the damaged shipment concerned the lawsuit with attachments. The operator did not note any damage during transport, however, the addressee of the correspondence reported the above. The consulate is damaged and incomplete.
In a letter of January 9, 2023, the Court, responding to the authority's request of January 4, 2023, regarding the indication of actions that allowed the Court to find that the correspondence was neither damaged nor incomplete, explained that "[b]here is also no reasons to conclude that the correspondence was sent incomplete or was not properly secured. All procedures resulting from the provisions of the Code of Civil Procedure were followed. However, the court did not explain how it found the above.
The case files contain three photos of the parcel in question taken by its addressee. The first photo shows correspondence wrapped in foil with a visibly torn paper envelope inside, the second photo shows the package/correspondence without foil, but with a significantly torn paper envelope enabling removal of all the documents contained therein, and the third photo shows its addressee opening the damaged envelope to show its contents. The photos were sent to the authority by the Minister.
After considering all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following.
The subject of these proceedings was the Administrator's violation of the provisions of Art. 33 and art. 34 section 1 and 2 of Regulation 2016/679, resulting from failure to report a personal data protection breach to the supervisory authority and failure to notify the affected persons in connection with the delivery to the addressee by the postal operator of damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in Warsaw at the request of the District Court in Krakow.
When assessing the event in question, the President of the Personal Data Protection Office examined whether the event reported by the Minister constituted a breach of personal data protection, as well as whether the President of the Personal Data Protection Office is the competent supervisory authority to verify the correct compliance with the provisions of Regulation 2016/679 by the data controller (Court) covered by the above-mentioned. event, i.e. whether in this case the Court exercised justice or legal protection.
Pursuant to Art. 4 point 12 of Regulation 2016/679, the concept of personal data protection breach should be understood as a security breach leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed. Due to the fact that the event reported by the Minister consisted in the delivery of a damaged and incomplete parcel by the postal operator to the addressee, in the opinion of the President of the Personal Data Protection Office there was a breach of personal data protection due to the breach of data confidentiality (the correspondence was delivered in a damaged envelope) as well as their availability (the addressee reported the incompleteness of the shipment to the Minister). At no stage of the proceedings did the court demonstrate that the event described by the Minister did not occur.
Moreover, it should be noted that, in the opinion of the President of the Personal Data Protection Office, he is the supervisory authority competent to assess the above-mentioned. violations. The delivery of correspondence does not constitute the administration of justice by the Court or legal protection, but a technical, administrative activity of the Court. Therefore, there is no premise excluding the competences of the President of the Personal Data Protection Office as a supervisory authority. Pursuant to Art. 55 section 3 of Regulation 2016/679, supervisory authorities are not competent to supervise processing operations carried out by courts in the course of their administration of justice. Moreover, according to recital 20 of Regulation 2016/679, the jurisdiction of supervisory authorities should not cover the processing of personal data by courts in the administration of justice - so as to protect the independence of the administration of justice. It should be possible to entrust the supervision of such data processing operations to specific authorities in the justice system of a Member State, and those authorities should, in particular, ensure compliance with the provisions of this Regulation, increase the knowledge of the judiciary of its obligations under this Regulation and deal with complaints related to such processing operations data. Pursuant to Art. 175 dd § 1 of the Act of July 27, 2001, Law on the Organization of Common Courts (Journal of Laws of 2023, item 217), supervision over the processing of personal data whose administrators are the courts, in accordance with Art. 175da and art. 175db, perform within the scope of the court's activities: district court - president of the district court; regional – president of the court of appeal; appeal – National Council of the Judiciary. Taking into account this legal status, it should be assumed that the supervisory bodies over common courts, as part of the administration of justice, are those listed in Art. 175 dd § 1 of the Act on the Organization of Common Courts. However, in matters that do not fall within the scope of the concept of "exercising justice", the competent supervisory authority for common courts is the President of the Personal Data Protection Office. In the opinion of the President of the Personal Data Protection Office, the concept of administering justice in the context of the personal data protection framework established by Regulation 2016/679 should be understood narrowly in this case. The Constitutional Tribunal in its judgment of December 1, 2008, ref. no. file: P 54/07, (Journal of Laws of 2008, item 218, no. 1400), pointed out that "[according to the dominant view of legal doctrine, the administration of justice is the activity of the state consisting in adjudicating, i.e. binding dispute resolution o law in which at least one of the parties is an individual or other similar entity [see L. Garlicki, Polish constitutional law. Outline of the lecture, Warsaw 2006, p. 342; Z. Czeszejko-Sochacki, On the administration of justice in the light of the Constitution, international standards and practice, "Państwo i Prawo" z. 9/1999, p. 3; S. Włodyka, The system of legal protection bodies, Warsaw 1968, p. 16]. It should be noted that, apart from the judicial sphere, courts also perform administrative activities, the essence of which is to ensure appropriate technical and organizational conditions for the court to perform the tasks entrusted to it in the field of administration of justice and legal protection. Pursuant to Art. 8 of the Law on the Organization of Common Courts, the administrative activity of courts consists in: ensuring appropriate technical, organizational and financial conditions for the functioning of the court and the performance by the court of the tasks referred to in Art. 1 § 2 and 3 (point 1); ensuring the proper conduct of the court's internal operations, directly related to the performance of the court's tasks referred to in Art. 1 § 2 and 3 (point 2). Therefore, activities of a strictly technical nature performed by a court official and then a postal operator, such as sending correspondence in accordance with a judge's order or order, do not fall within the sphere of "the administration of justice", but belong to the administrative sphere of the court's activities. At the same time, it should be emphasized here that the Administrator's reference to the judgment of the Court of Justice of the EU of March 24, 2022, ref. no. C-245/20, is unjustified because it does not concern the administrative activities of the court. This judgment refers to the disclosure of information about court proceedings to journalists (the case concerned the Kingdom of the Netherlands). In this ruling, the Tribunal interpreted Art. 55 section 3 of Regulation 2016/679, regarding the "temporary disclosure" by the court of pleadings containing personal data to journalists. In this judgment, the Court found that the "administration of justice" includes the "court's information policy" in order to ensure media coverage of a given case. Therefore, the above judgment cannot be applied to the present case, because in the analyzed case there was a violation of personal data protection in connection with the delivery of a damaged and incomplete parcel to the addressee by the postal operator, i.e. an activity of a technical and administrative nature. Moreover, it should be emphasized that the President of the Personal Data Protection Office, when dealing with the case in question, does not interfere with the rules for serving procedural documents or what documents should be served to the addressee. The supervisory authority is only interested in the loss of data confidentiality and its incompleteness as a result of the postal operator's actions, which is within the scope of the court's administrative activities. Therefore, the competences of the President of the Personal Data Protection Office do not violate judicial independence, because they do not concern the judge's competences in the proceedings. Moreover, they are remedial powers which, by their nature, do not have a nature that may affect ongoing proceedings (e.g. they do not lead to the suspension of ongoing proceedings or to order the removal of part of a witness's testimony) and concern the administrative sphere of the court's activity. Identified irregularities violating the principle of "integrity and confidentiality" expressed in Art. 5(1) 1 letter f) of Regulation 2016/679, correspond to the corrective powers of the President of the Personal Data Protection Office, which do not affect the independence of the court, as they only consist in ordering the controller to adapt the processing operations to the provisions of Regulation 2016/679.
At the same time, the Court's reference to the decision of the President of the Personal Data Protection Office with reference number ZSOŚS.440.109.2018 is also inappropriate. The decision indicated by the Court was issued in a case in which a natural person filed a complaint and wanted to create his or her situation as a party to court proceedings on the basis of the provisions on the protection of personal data, and not on the proper procedure. The complaint concerned the inclusion in the court files kept by the district court of a printout from the website of a law firm, containing the complainant's personal data regarding his image. According to the complainant, in the above-mentioned In this case, it was unnecessary for evidentiary purposes, because the document to which this printout was attached was not admitted by the court as evidence in the case. The President of the Personal Data Protection Office could not take a position in such a case (and order, in accordance with the complainant's request, the removal of the image from the court case files), because the admission of evidence in the case or not depends solely on the court's decision (and is an element of the administration of justice). However, the judgment referred to by the Court (judgment of the Supreme Administrative Court of May 26, 2020, file ref. no. I OSK 1533/19) refers to the provisions on the protection of personal data that are no longer in force - the Act of 1997[2]. Moreover, this case also concerned a situation in which the complainant questioned court actions after applying for exemption from court costs. The court asked the complainant to prove her assets by submitting an asset declaration and to complete the application in formal terms. In this judgment, the Supreme Administrative Court stated that neither the authority nor the administrative court can make a substantive assessment of summons issued to the parties by a common court (and therefore, again, in the scope of the administration of justice).
Taking the above into account, it should be noted that both the above-mentioned decision, as well as the above-mentioned the judgment of the Supreme Administrative Court, concern procedural activities undertaken by the court as part of the administration of justice, and not administrative (technical) activities, as is the case in the case in question.
Regardless of the above, it should be noted that the President of the Court of Appeal in Kraków, as the body indicated in Art. 175 dd § 1 of the Act on the Organization of Common Courts, in the present case cannot be considered a supervisory body over the Court. Pursuant to the wording of Art. 175dd of the Law on the Organization of Common Courts, judicial supervisory authorities (including the President of the Court of Appeal in Kraków) are not authorized to receive reports of personal data protection breaches (Article 33 of Regulation 2016/679), nor to assess whether in connection with a breach of protection personal data, there was a high risk of violating the rights and freedoms of natural persons, resulting in the need to notify data subjects about the breach (Article 34 of Regulation 2016/679).
When examining the event in question, the President of the Personal Data Protection Office assessed it as a breach of confidentiality (data security issues - a damaged envelope, the contents of which could have been accessed by unauthorized persons) as well as a breach of availability (some documents were missing). It does not matter that the postal operator was at fault by damaging the shipment, because the subject of these proceedings is the failure to report a data protection breach and the failure to notify data subjects about the breach of the protection of their personal data. Moreover, it should be emphasized that the President of the Personal Data Protection Office, when analyzing the breach of personal data protection reported by the Minister, concerning data of which the District Court in Krakow is the administrator, does not in any way affect the independence of the court, as it does not affect the Court's decision or individual decisions taken by the Court within the framework of ongoing proceedings. It is also worth emphasizing that while the President of the Personal Data Protection Office is not an entity that controls or supervises the application of substantive or procedural law by courts in the course of their administration of justice (which takes place in the course of an instance), nor does he interfere with the rules for serving court documents (e.g. whether by registered letter, ordinary letter or by delivery at a hearing), or what documents should be served on the party to the proceedings by the court, the authority is entitled to control and verify the correct application of the provisions on the protection of personal data, including the security measures applied by the administrator data (including the administrator's response to a data protection breach) and the implementation of obligations arising from Art. 33 and art. 34 of Regulation 2016/679. The method of securing personal data by the Court is not subject to judicial review as part of its judicial function and does not relate to the administration of justice by the court. Therefore, it is subject to the control of the President of the Personal Data Protection Office, as is the implementation of the administrator's obligations arising from the above-mentioned. provisions of Regulation 2016/679.
Taking the above into account, it should be noted that if there has been a breach of personal data protection in connection with the administrative part of the court's activities, it should be reported in the manner provided for in Art. 33 section 1 of Regulation 2016/679 to the President of the Personal Data Protection Office, as the competent supervisory authority. The fact that the judicial competences of the supervisory authorities referred to in Art. 175 dd § 1 of the Act on the Organization of Common Courts, it is not necessary to accept reports of personal data protection violations or evaluate them substantively. The scope of competences of these bodies is listed exhaustively in Art. 175 dd § 2 and 3 of the Act on the Organization of Common Courts (and should be treated as a closed catalogue).
Article 33 of Regulation 2016/679 states that in the event of a breach of personal data protection, the data controller shall report it without undue delay - whenever possible, no later than 72 hours after discovering the breach - to the supervisory authority competent in accordance with Art. 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification submitted to the supervisory authority after 72 hours is accompanied by an explanation of the reasons for the delay (section 1). The notification referred to in section 1, must at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data entries affected by the breach; b) contain the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained; c) describe the possible consequences of a personal data breach; d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects (paragraph 3).
Referring to the rights and freedoms of persons affected by the violation, it should be noted that Art. 34 section 1 of Regulation 2016/679 indicates that in a situation where a breach of personal data protection may result in a high risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject of such a breach without undue delay. Pursuant to Art. 34 section 2 of Regulation 2016/679, a proper notification should: 1) describe the nature of the personal data protection breach in clear and plain language; 2) contain at least the information and measures referred to in Art. 33 section 3 lit. b), c) and d) of Regulation 2016/679, i.e.: name and surname and contact details of the data protection officer or designation of another contact point from which more information can be obtained; a description of the possible consequences of a personal data breach; a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.
Reporting personal data protection breaches by controllers is an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights and freedoms of data subjects and - if such a risk occurred - whether they have provided appropriate information to natural persons affected by the breach. In justified cases, they may also provide information that, in their opinion, notification is not necessary due to the fulfillment of the conditions specified in Art. 34 section 3 lit. a) – letter c) Regulation 2016/679. The President of the Personal Data Protection Office verifies the assessment made by the controller and may - if the controller has not notified the data subjects - request such notification from the controller. Reports of personal data protection breaches allow the supervisory authority to respond appropriately to limit the effects of such breaches, as the controller is obliged to take effective actions to ensure the protection of natural persons and their personal data, which will, on the one hand, allow for control of the effectiveness of existing solutions and, on the other hand, the assessment of modifications and improvements to prevent irregularities similar to those covered by the infringement.
In the case in question, there was a violation of the protection of personal data of (...) persons, and (...) of them were at high risk of violating their rights and freedoms due to the scope of the personal data violated. In the case of the plaintiff, the violation included, among others: her PESEL number and data on her health condition contained in the medical documentation, in the case of the defendant, her PESEL number, and in the case of two children, information on their health condition (contained in the psychological opinion). These data were included in the documentation sent to the party to the divorce proceedings. Moreover, which should be emphasized again, the authority received information about a personal data protection breach from an entity other than the Administrator.
It should be emphasized at this point that the President of the Personal Data Protection Office, before initiating the administrative proceedings, first asked the Court (twice) whether the Court had knowledge about the infringement in question, however, in its answer, the Court presented the position that the President of the Personal Data Protection Office was not the competent authority. to investigate the event in question, without providing answers to the questions asked by the authority (at the same time making it difficult to investigate the event in question, whether there was actually a breach of personal data protection and to assess the level of risk of violating the rights and freedoms of persons whose data was included in the correspondence in question, or scope of data covered by the breach). This approach of the Court resulted in the initiation of administrative proceedings by the President of the Personal Data Protection Office. According to the case material, the Court checked the information received from the Minister about the incomplete and damaged shipment only in the postal operator's system, concluding that the lack of annotations in this regard proves that no incident occurred (this is evidenced by the Report (...) from on (...).08/2022). In the course of the proceedings, the President of the Personal Data Protection Office established that the envelope and documents received by the addressee were significantly damaged (which is confirmed by the photos of the parcel received from the Minister). The damage to the envelope made it possible to get acquainted with its contents, i.e. documents containing personal data in the scope indicated above. It is also worth emphasizing that the President of the Personal Data Protection Office, in a letter of January 4, 2023, asked the Court about the actions taken by the Administrator, which allowed him to conclude that the correspondence was not damaged or incomplete, despite the information provided by the Minister. The Administrator, responding in a letter of January 2023, limited himself to stating that he did not find any shortcomings on the part of the Court in the delivery of correspondence. In the opinion of the Court, there are no grounds to assume that the correspondence reached the addressee incomplete or improperly secured. However, the President of the Personal Data Protection Office, based on the photos received from the Minister, made different findings (described above), stating that there was a risk of violation of data confidentiality as well as completeness (violation of availability). The content of the correspondence in question (the plaintiff's medical documentation, psychological opinions regarding the children), their PESEL numbers, but also the descriptions of the marriage itself mean that the handling of an event that includes such data should be considered as requiring special attention and diligence on the part of the data controller. . Each category of data, such as the PESEL number or information about health status, represents a high risk of violating the rights and freedoms of data subjects. In this case, the high risk of violating rights and freedoms concerned (...) people. It is also worth emphasizing the ease of identifying these people, based on the above-mentioned. data.
As indicated in Guidelines 9/2022[3], a personal data breach involving high-risk data may potentially cause a number of negative consequences for the natural persons whose data is subject to the breach. The possible effects of a breach include: physical damage, material or non-material damage. Examples of such damages include, but are not limited to: discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of confidentiality of personal information and significant economic or social damage. In this case, there is no doubt that due to the scope of data covered by the personal data protection breach in question, including the PESEL registration number with name and surname and health data, there is a high probability of the above-mentioned damages occurring.
It should be noted here that the PESEL number, i.e. an eleven-digit numerical symbol containing the date of birth, serial number, gender designation and control number, uniquely identifies a specific natural person, and is therefore closely related to the private sphere of the natural person and, as such, is subject to also, as a national identification number, exceptional protection under Art. 87 of Regulation 2016/679. Due to the fact that the PESEL number is data of a special nature, its disclosure to unauthorized entities may result in a high risk of violating the rights and freedoms of natural persons (see: https://www.bik.pl/poradnik-bik/wyluczenie-kredytu- this is how scammers work - where a case was described in which: "Only the name, surname and PESEL number were enough for fraudsters to extort several loans worth tens of thousands of zlotys in total. Nothing else was correct: neither the ID number nor the residential address" It is also impossible to ignore that the analyzed personal data protection breach also concerned data other than the PESEL number, e.g. information about health status. Guidelines 9/2022 emphasize that a collection of various personal data is usually more sensitive than individual data.
It is worth mentioning here one of the examples listed in the EDPB Guidelines 01/2021 on examples regarding reporting personal data protection breaches, hereinafter Guidelines 01/2021 (case no. 14, p. 31), referring to the situation of "sending by post by mistake highly confidential personal data.” In the above-mentioned case guidelines, the social security number, which is the equivalent of the PESEL number used in Poland, was disclosed. In this case, the EDPB had no doubt that the disclosed data in the scope of: name and surname, e-mail address, postal address, social security number indicate a high risk of violating the rights and freedoms of natural persons ("involvement of their [victims'] social security number social media, as well as other, more basic personal data, further increases the risk, which can be described as high). The EDPB recognizes the importance of national identification numbers (in this case the PESEL number), at the same time emphasizing that this type of personal data protection breach, which includes data such as: name and surname, e-mail address, correspondence address and social security number, requires the implementation of actions, i.e.: notification of the supervisory authority and notification of a breach to data subjects. The EDPB also has no doubt that an individually assigned number uniquely identifying a natural person should be subject to special protection, and its disclosure to unauthorized entities may involve high risk of violating the rights and freedoms of natural persons.
The EDPB also points out in other examples provided in Guidelines 01/2021 that data that uniquely identifies a natural person may result in a high risk of violating rights or freedoms. Points 65 and 66 of Guidelines 01/2021 indicate: "(...) The breached data allows for the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by the attacker to guess customer passwords or to conduct a spear phishing campaign aimed at bank customers. For these reasons, the data breach has been deemed likely to result in a high risk to the rights and freedoms of all data subjects. Therefore, material (e.g. financial losses) and intangible (e.g. identity theft or fraud) damage may occur.”
The Provincial Administrative Court in Warsaw did not have similar doubts (that the disclosure of the PESEL number together with other personal data may result in a high risk of violating the rights and freedoms of natural persons), in its judgment of September 22, 2021, ref. no. no. II SA/Wa 791/21, stated that "[t]here is no doubt that the examples of damage mentioned in the guidelines may occur in the case of persons whose personal data - in some cases, including the PESEL registration number or the series and number of the ID card – were recorded on shared recordings. Not without significance for such an assessment is the possibility of identifying persons whose data were subject to the breach, based on the disclosed data. Further, the Court in the cited judgment indicated that "The data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases also the PESEL registration number or the series and number of the ID card, determines the that there is a high risk of violating the rights and freedoms of natural persons.” When considering the above issues, it is also necessary to recall the position of the Provincial Administrative Court in Warsaw expressed in the judgment of July 1, 2022 issued in the case with reference number file II SA/Wa 4143/21. In justification of this judgment, the Court stated that: "[i]t should be agreed with the President of the Personal Data Protection Office that the loss of confidentiality of the PESEL number in connection with personal data, such as: name and surname, registered address, bank account numbers and the identification number assigned to the Bank's clients - CIF number, involves a high risk of violating the rights and freedoms of natural persons. In the event of a breach of data such as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects. Therefore, in the case in question, the Bank should have acted without undue delay, pursuant to Art. 34 section 1 GDPR, to notify data subjects about a personal data breach, so as to enable them to take the necessary preventive actions. It is also worth mentioning the judgment of August 31, 2022, ref. no. No. II SA/Wa 2993/21, in which the Provincial Administrative Court in Warsaw emphasized that "(...) the authority correctly assumed that there was a high risk of violating the rights and freedoms of persons affected by the violation in question due to the possibility of easy, based on the disclosed data , identification of persons whose data was subject to the breach. These data include name and surname, correspondence address, telephone number, and PESEL number of persons with Polish citizenship. In this situation, the controller was obliged to notify data subjects about the breach without undue delay. The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgments of November 15, 2022, ref. no. no. II SA/Wa 546/22, and June 21, 2023, ref. no. no. II SA/Wa 150/23.
From the latest infoDOK report[4] (which is prepared as part of the social Information Campaign of the RESTRICTED DOCUMENTS System, organized by the Polish Bank Association and some banks, under the patronage of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation) , it shows that in the second quarter of 2023, 2,116 attempts at credit and loan fraud were recorded, amounting to PLN 50.3 million. Over the last twelve months, the total amount of thwarted loan fraud attempts is PLN 191.6 million. Moreover, it should be noted that in the second quarter of 2022, 1,806 attempts at credit and loan fraud were recorded, amounting to PLN 54.4 million[5]. This means a significant increase in credit and loan fraud attempts in the presented period.
Moreover, as evidenced by case law, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time - as an example, the judgment of the District Court in Łęczyca of July 27, 2016 (reference number I C) 566/15), in which fraudsters taking out a loan using someone else's data used a PESEL number, a fictitious address and an incorrect ID number (invalid). In the course of the court proceedings, the defendant demonstrated that it had not incurred the above-mentioned obligations, even though someone used her PESEL number. However, this required evidentiary proceedings. However, there are many more such situations and they require injured persons (de facto victims of crime) to take action (in court or amicably) to prove that they were not the ones who performed specific actions resulting in, for example, incurring an obligation or theft of other people's funds (in the case of crimes related to e.g. internet fraud).
To sum up, the personal data protection breach in question creates a high risk of violating the rights and freedoms of natural persons not only because it involves the PESEL numbers of the above-mentioned persons. people, but also their special categories of data - information about the plaintiff's health condition and information contained in the psychological opinions of two children. This information is related to, among others: names and surnames and the context of the divorce case may result in loss of control over the data and not only the risks associated with providing the PESEL number, but also may cause discrimination among these people, or even infringement of their personal rights.
The Administrator did not take all these circumstances into account when analyzing the event, even one forced by a request from the President of the Personal Data Protection Office.
It should also be borne in mind that the Administrator's performance of his obligation under Art. 33 section 1 and 34 section 1 of Regulation 2016/679 may not be made dependent on the materialization of the risk resulting from the violation of the rights and freedoms of natural persons whose data is affected by a personal data breach. As stated by the Provincial Administrative Court in Warsaw in the judgment of September 22, 2021 issued in case no. no. II SA/Wa 791/21: "[it] should be emphasized that the possible consequences of the event do not have to materialize. In the content of art. 33 section 1 of Regulation 2016/679 indicates that the very occurrence of a breach of personal data protection, which involves a risk of violating the rights and freedoms of natural persons, implies the obligation to report the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons. natural persons” (this Court ruled similarly in the previously cited judgment of July 1, 2022, issued in the case with reference number II SA/Wa 4143/21 and in the judgments of August 31, 2022, reference number II SA/Wa 2993/21, of November 15, 2022, ref. no. II SA/Wa 546/22 and of April 26, 2023, ref. no. II SA/Wa 1272/22).
When analyzing the above, you should also not forget about the basic principles. When applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators - including in situations where there has been a breach of personal data protection - these values should be taken into account first.
It is worth emphasizing in particular that when assessing the risk of violating the rights and freedoms of natural persons, which determines the notification of a personal data protection breach and the notification of the breach to the data subject, the probability factor and the importance of potential negative effects should be taken into account jointly. A high level of any of these factors affects the overall rating, which determines the fulfillment of the obligations specified in Art. 33 section 1 and art. 34 section 1 of Regulation 2016/679. Bearing in mind that due to the scope of personal data disclosed in the analyzed case, there was a possibility of significant negative consequences for data subjects (as shown above), the importance of the potential impact on the rights and freedoms of a natural person should be considered high. At the same time, the probability of a high risk occurring as a result of the breach in question is not small and has not been eliminated. Therefore, it should be stated that in connection with the breach in question, there was a high risk of violating the rights and freedoms of data subjects, which consequently determines the obligation to report the personal data protection breach to the supervisory authority and to notify the persons affected by the personal data protection breach.
In Guidelines 9/2022, the EDPB, indicating the factors to be taken into account when assessing the risk, refers to recitals 75 and 76 of Regulation 2016/679, which suggest that the administrator should take into account both the probability of occurrence and the seriousness of the threat to the rights or freedoms of the person whose data applies. In the event of a personal data protection breach, the controller should focus on the risk of the breach resulting from the breach on a natural person. Therefore, when assessing the risk to an individual arising from a personal data breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. Therefore, when assessing the risk, the EDPB recommends taking into account criteria such as the type of breach, the nature, sensitivity and amount of personal data, as well as ease of identification, as they may affect the level of risk for natural persons. The risk of violating the rights or freedoms of a natural person in accordance with Guidelines 9/2022 will be greater when the consequences of the violation are more serious, as well as when the likelihood of their occurrence increases. The guidelines advise that in case of any doubts, the administrator should report a violation, even if such caution might prove excessive.
To sum up the above, it should be stated that in the case in question there is a high risk of violating the rights and freedoms of persons affected by the personal data protection breach, which in turn results in the Court's obligation to report the personal data protection breach to the supervisory authority, in accordance with Art. 33 section 1 of Regulation 2016/679, which must include the information specified in Art. 33 section 3 of Regulation 2016/679 and notification of data subjects about the breach, in accordance with Art. 34 section 1 of Regulation 2016/679, which must include the information specified in Art. 34 section 2 of Regulation 2016/679.
Referring to the Administrator's obligation specified in Art. 34 section 2 of Regulation 2016/679, the President of the Personal Data Protection Office stated that the Administrator (taking into account the nature of the breach and the categories of data that have been breached) should indicate to the data subject the most likely negative consequences of the breach of his or her personal data. Certainly, in the event of a breach of data such as name, surname and PESEL registration number, it is necessary to point out, first of all, possible identity theft or falsification by third parties obtaining, to the detriment of the person whose data was breached, loans from non-bank institutions or insurance fraud or insurance funds, which may result in negative consequences related to an attempt to attribute responsibility to the data subject for committing such fraud. The description of possible consequences should reflect the risk of violating the rights and freedoms of that person, so as to enable him to take the necessary preventive actions. However, in the case of other data subject to a breach of personal data protection and resulting in a high risk of violating the rights and freedoms of natural persons (special categories of data within the meaning of Article 9 of Regulation 2016/679), the Administrator should indicate discrimination, violation of personal rights, slander or other form persecution of these people due to the disclosed health data.
In a situation where, as a result of a breach of personal data protection, there is a high risk of violating the rights and freedoms of natural persons, the administrator is obliged to implement all appropriate technical and organizational measures to immediately determine the breach of personal data protection and quickly inform the supervisory authority, as well as the persons whose data applies. The administrator should fulfill this obligation as quickly as possible.
Recital 85 of the preamble to Regulation 2016/679 explains: "[w]ithout an appropriate and rapid response, a breach of personal data protection may result in physical harm, material or non-material damage to natural persons, such as loss of control over their own personal data or limitation of rights, discrimination, identity theft or falsification, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage. Therefore, immediately upon becoming aware of a personal data breach, the controller should notify it to the supervisory authority without undue delay, where practicable and no later than 72 hours after becoming aware of it, unless the controller can demonstrate, in accordance with the principle of accountability, that it is unlikely that that the violation may result in a risk of violating the rights and freedoms of natural persons. If a report cannot be made within 72 hours, the report should be accompanied by an explanation of the reasons for the delay and the information may be provided gradually, without further undue delay.”
In turn, recital 86 of the preamble to Regulation 2016/679 states: "The controller should, without undue delay, inform the data subject about a breach of personal data protection if it may result in a high risk to the rights and freedoms of that person, so as to enable that person to take necessary preventive actions. Such information should include a description of the nature of the personal data breach and recommendations for the individual concerned to minimize potential adverse effects. Information should be provided to data subjects as soon as reasonably possible, in close cooperation with the supervisory authority, respecting instructions provided by that authority or other relevant authorities, such as law enforcement authorities. For example, the need to minimize an immediate risk of harm will require immediate information to data subjects, while the implementation of appropriate measures against the same or similar data protection breaches may justify subsequent information.
By notifying the data subject without undue delay, the controller enables the person to take the necessary preventive measures to protect the rights and freedoms against the negative effects of the breach. Article 34 section 1 and 2 of Regulation 2016/679 is intended not only to ensure the most effective possible protection of the fundamental rights and freedoms of data subjects, but also to implement the principle of transparency, which results from Art. 5(1) 1 letter a) Regulation 2016/679 (see W. Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary. ed. E. Bielak - Jomaa, D. Lubasz, Warsaw 2018). Proper fulfillment of the obligation specified in Art. 34 of Regulation 2016/679 is to provide data subjects with quick and transparent information about a breach of the protection of their personal data, along with a description of the possible consequences of the personal data protection breach and the measures they can take to minimize its possible negative effects. Acting in accordance with the law and demonstrating concern for the interests of data subjects, the controller should have provided data subjects with the best possible protection of personal data without undue delay. To achieve this goal, it is necessary to provide at least the information listed in Art. 34 section 2 of Regulation 2016/679, which the administrator failed to fulfill. Therefore, by deciding not to notify the supervisory authority and the data subjects about the breach, the controller in practice deprived them of reliable information about the personal data protection breach and the opportunity to counteract potential damage, provided without undue delay.
It should also be noted here that the Court's Data Protection Inspector incorrectly assessed the level of risk of violating the rights and freedoms of natural persons in connection with the personal data protection breach in question. He pointed out that due to the fact that the documents were prepared in Polish and sent to Great Britain, this did not result in a high risk in this respect. In the opinion of the President of the Personal Data Protection Office, the fact that documents containing personal data were prepared in Polish and sent to a country where English is the primary language does not reduce the level of this risk. In the era of instruments enabling quick translation of entire documents, as well as due to the fact that in Great Britain a large part of the population speaks Polish, it cannot be assumed that this circumstance reduces the level of risk.
The President of the Personal Data Protection Office obviously recognizes the fact that for providing the above-mentioned documentation was the responsibility of the postal operator, however, damage to it or loss of some of the documents by the postal operator gives rise to certain obligations on the part of the administrator (the Court) (resulting from the provisions of Regulation 2016/679), the failure of which results in his liability. The court, as the sender of this correspondence, has knowledge of its content, including whether the documents contained in the shipment contain personal data and to what extent. As indicated by the Provincial Administrative Court in Warsaw in its judgment of July 1, 2022, ref. no. II SA/Wa 4143/21, "[i]n case of irregularities in the delivery of the shipment, the obligation to protect the interests of the data subject from the point of view of the risk of violating the rights and freedoms of the data subject rests with the sender of the shipment, who, knowing the content of the lost correspondence, is able to assess the risks posed to the data subject. However, the postal operator and courier company may perform the administrator's duties, within the meaning of the provisions of the GDPR, but only in relation to the personal data of the senders and addressees of the parcels. Consequently, the Provincial Administrative Court in Warsaw emphasized that "It is the Bank [here: the District Court in Krakow as the sender of the shipment] that can assess the risk to the rights and freedoms of a natural person resulting from the loss of the shipment and therefore has the opportunity to fulfill the obligation to report a violation personal data protection to the supervisory authority and notification of a breach to the data subject. The courier company does not have such knowledge.
Consequently, it should be stated that the Administrator did not report a personal data protection breach to the supervisory authority in fulfillment of the obligation under Art. 33 section 1 of Regulation 2016/679 and failed to notify data subjects without undue delay of a breach of data protection, in accordance with Art. 34 section 1 of Regulation 2016/679, which means a violation of these provisions by the Administrator.
Therefore, the President of the Personal Data Protection Office found it justified to send a decision to the data controller, using his corrective powers, ordering the notification of data subjects about a breach of the protection of their personal data, in order to provide them with the information specified in Art. 34 section 2 of Regulation 2016/679.
Pursuant to Art. 34 section 4 of Regulation 2016/679, if the controller has not yet notified the data subject about the personal data protection breach, the supervisory authority - taking into account the likelihood that the personal data breach will result in a high risk - may require him to do so or may determine that that one of the conditions referred to in section 3. In turn, according to the content of Art. 58 section 2 lit. e) of Regulation 2016/679 states that each supervisory authority has the corrective power to order the controller to notify the data subject about a data protection breach.
Pursuant to art. 58 section 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other corrective measures provided for in Art. 58 section 2 of Regulation 2016/679, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Administrator based on Art. 83 section 4 lit. a) of Regulation 2016/679, which states, among others, that violation of the administrator's obligations referred to in Art. 33 and 34 of Regulation 2016/679, is subject to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher. However, from Art. 102 section 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) states that the President of the Personal Data Protection Office may impose, by way of a decision, administrative fines of up to PLN 100,000 on: public finance sector units referred to in Art. 9 points 1-12 and 14 of the Act of 27 August 2009 on public finances, a research institute or the National Bank of Poland. From paragraph 3 of this article also states that the administrative fines referred to, among others, in section 1, the President of the Office shall impose on the basis and under the conditions specified in Art. 83 of Regulation 2016/679.
Pursuant to the content of Art. 83 section 2 of Regulation 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 section 2 lit. a) - h) and letters j) Regulation 2016/679. When deciding to impose an administrative fine on the Court, the President of the Personal Data Protection Office - pursuant to Art. 83 section 2 lit. a) - k) of Regulation 2016/679 - took into account the following circumstances of the case, constituting the need to apply this type of sanctions in the present case and having an aggravating effect on the amount of the administrative fine imposed:
1) The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them [Art. 83 section 2 lit. a of Regulation 2016/679]. The violation found in this case is of significant importance and serious nature, because reporting personal data protection breaches by data controllers is an effective tool contributing to a real improvement in the security of personal data processing. First of all, based on the information provided by controllers in reports of personal data protection breaches, the supervisory authority may assess whether the controller has correctly analyzed the impact of the breach on the rights and freedoms of the data subjects covered by the breach and, consequently, whether there is a high risk of breach. rights or freedoms of natural persons and it is necessary to notify these persons about a breach of their data. Correctly fulfilled by administrators the obligations specified in Art. 33 section 1 and 34 section 1 of Regulation 2016/679 also allow for limiting the negative effects of personal data protection breaches and eliminating or at least limiting the risk of such breaches in the future, as controllers are obliged to take actions that will ensure proper protection of personal data by applying appropriate security measures and monitoring their effectiveness. . Moreover, reporting a violation to the supervisory authority gives the authority the opportunity to respond appropriately, which would limit the effects of the violation. Failure to notify data subjects about a breach of the protection of their personal data may lead to material or non-material damage, and the probability of its occurrence is high. The President of the Personal Data Protection Office considers the long duration of the infringement to be an aggravating factor. (...) has passed since the Administrator received information about a personal data protection breach ((...) August 2022 - i.e. the date of delivery of the letter from the Consulate General of the Republic of Poland in October, July 2022) to the date of issuance of this decision ( ...) months during which the risk of violating the rights or freedoms (...) of persons for whom such a high level of risk occurred could have materialized, and which these persons could not have counteracted due to the Administrator's failure to comply the obligation to notify them of the violation. It is also important that the personal data protection breach in question was related to the delivery of court correspondence to a party to divorce proceedings and in total concerned (...) persons (in the case of (...) persons there was a high risk of violating their rights or freedoms, which determines the obligation to notify them about a personal data protection breach). Therefore, the nature of the information contained in the above-mentioned correspondence indicates the family situation of the persons affected by the breach, and therefore the personal nature of this information. And this, in turn, affects the level of risk of violating the rights or freedoms of persons affected by the violation.
2) Intentional nature of the infringement [Art. 83 section 2 lit. b) of Regulation 2016/679]. According to the Guidelines of the Article 29 Working Party on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 WP253 (adopted on 3 October 2017, willfulness "covers both knowledge and "deliberate action, in connection with the characteristics of the prohibited act." The Administrator has made a conscious decision not to notify the President of the Personal Data Protection Office or the data subjects about a personal data breach. Special protection of personal data, including in particular the PESEL number and information about health condition is required from public trust institutions, which undoubtedly include the Administrator. Being aware of this, the Administrator decided to resign from reporting the violation to the President of the Personal Data Protection Office and notifying the data subjects, despite the fact that the President of the Personal Data Protection Office first informed Administrator about the administrator's obligations in connection with a data protection breach. Finally, the very initiation of these proceedings by the President of the Personal Data Protection Office regarding the obligation to report a personal data protection breach to the supervisory authority and to notify data subjects about the breach should at least raise doubts for the Administrator as to the validity of the position he has adopted.
3) Categories of personal data affected by the breach [Art. 83 section 2 lit. g) of Regulation 2016/679]. The personal data protection breach in question covered the personal data of (...) persons (violation of Article 33(1) of Regulation 2016/679), of which in the case of (...) there was a high risk violation of their rights or freedoms (violation of Article 34(1) of Regulation 2016/679). This violation covered the following data: 1) the plaintiff: her name and surname, PESEL number, residential address, date of birth, data contained in the medical documentation, bank account number, 2) the defendant: his name and surname, PESEL number, residential address , date of birth, image contained in the photograph, 3) personal data of two children: their names and surnames, PESEL numbers, address of residence, dates of birth, data contained in the psychological opinion. Moreover, the Court stated that the court proceedings concerned the dissolution of a marriage. This scope proves that there is a high level of risk of violating the rights and freedoms of these persons, in particular due to the PESEL number and health information, which is data subject to special protection under Art. 9 of Regulation 2016/679.
When determining the amount of the administrative fine, the President of the Personal Data Protection Office found no grounds to take into account mitigating circumstances that affect the final penalty. All the conditions listed in Art. 83 section 2 lit. a)-j) of Regulation 2016/679, in the opinion of the supervisory authority, constitute either aggravating or only neutral conditions. Also applying the premise specified in Art. 83 section 2 lit. k) of Regulation 2016/679 (ordering to take into account any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found, only neutral ones (as noted below in point 9).
Other circumstances indicated below, referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the Personal Data Protection Office to be neutral in his opinion, i.e. having neither an aggravating nor mitigating effect on the amount of the administrative fine imposed.
1. Actions taken by the controller to minimize the damage suffered by data subjects [Art. 83 section 2 lit. c) of Regulation 2016/679]. Based on the evidence collected in the case, no such actions were found to have been taken by the Administrator.
2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 [art. 83 section 2 lit. d) of Regulation 2016/679]. The violation assessed in these proceedings (failure to report a personal data protection breach to the President of the Personal Data Protection Office and failure to notify about a personal data breach of data subjects) is not related to the technical and organizational measures used by the controller.
3. Relevant previous infringements of the provisions of Regulation 2016/679 on the part of the controller [Art. 83 section 2 lit. e) of Regulation 2016/679]. The President of the Personal Data Protection Office did not find any previous violations of the provisions on the protection of personal data committed by the Administrator, therefore there are no grounds to treat this circumstance as an aggravating one. And since such a state (compliance with the provisions on the protection of personal data) is a natural state resulting from the legal obligations incumbent on the Administrator, it cannot have a mitigating effect on the assessment of the violation made by the President of the Personal Data Protection Office.
4. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects [Art. 83 section 2 lit. f) of Regulation 2016/679]. In the course of the explanatory proceedings and in the course of initiated administrative proceedings, the Administrator provided answers to requests from the supervisory authority aimed at explaining all circumstances related to the breach of personal data protection.
5. How the supervisory authority learned about the infringement [Art. 83 section 2 lit. h) Regulation 2016/679]. The President of the Personal Data Protection Office was informed by the Minister, not by the Administrator, about the occurrence of a personal data protection breach, i.e. about the postal operator delivering a damaged and incomplete parcel to the addressee. However, the failure to notify the supervisory authority of a breach of personal data protection and to notify data subjects about the breach of personal data protection (and therefore a violation of the provisions of Article 33(1) and Article 34(1) of Regulation 2016/679) is, however, the sole subject of these proceedings and in the circumstances of the considered facts, the supervisory authority assumed that it would not treat this condition as an aggravating circumstance.
6. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 [Art. 83 section 2 lit. and Regulation 2016/679]. Before issuing this decision, the President of the Personal Data Protection Office did not apply any measures listed in Art. 58 section 2 of Regulation 2016/679, therefore the Administrator was not obliged to take any actions related to their application, and these actions, assessed by the President of the Personal Data Protection Office, could have an aggravating or mitigating effect on the assessment of the identified violation.
7. Application of approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 [Art. 83(2)(a) j) of Regulation 2016/679]. The administrator does not use the instruments referred to in Art. 40 and art. 42 of Regulation 2016/679. However, their adoption, implementation and application are not - as provided for in the provisions of Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. However, the adoption and use of this type of instruments as measures guaranteeing a higher than standard level of protection of processed personal data could be taken into account to the Administrator's advantage.
8. Financial benefits or avoided losses obtained directly or indirectly in connection with the infringement [Art. 83 section 2 lit. k) of Regulation 2016/679]. The President of the Personal Data Protection Office did not find that the Administrator obtained any financial benefits or avoided such losses in connection with the violation. Therefore, there are no grounds to treat this circumstance as aggravating the Administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state, independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. The same wording of the provision of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - obtained on the part of the entity committing the infringement.
9. Other aggravating or mitigating factors applicable to the circumstances of the case [Art. 83 section 2 lit. k) of Regulation 2016/679]. The President of the Personal Data Protection Office, comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the imposed administrative fine.
In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed, in the established circumstances of this case, meets the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.
It should be emphasized that the penalty will be effective if its imposition leads to the Administrator fulfilling its obligations in the field of personal data protection in the future, in particular in the scope of reporting a personal data protection breach to the President of the Personal Data Protection Office and notifying persons of a personal data protection breach. affected by the infringement.
In the opinion of the President of the Office for Personal Data Protection, the administrative fine will fulfill a repressive function as it will be a response to the Administrator's violation of the provisions of Regulation 2016/679. It will also have a preventive function; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the Administrator and other data controllers the reprehensibility of disregarding the obligations of controllers related to the occurrence of a personal data protection breach, which are intended to prevent its negative and often painful effects for the persons affected by the breach, as well as removing these effects or at least limiting them.
In connection with the above, it should be noted that an administrative fine in the amount of PLN 10,000 (in words: ten thousand zlotys) meets, in the established circumstances of this case, the conditions referred to in Art. 83 section 1 of Regulation 2016/679, due to the seriousness of the identified violation in the context of the basic objective of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. At the same time, the amount of the administrative fine imposed by this decision on the administrator being a unit of the public finance sector (public authorities, including government administration bodies, state control and law enforcement bodies, as well as courts and tribunals - indicated in Article 9, point 1 of the Act of August 27, 2009 on public finances), falls within the scope specified in Art. 102 section 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), with a limit of PLN 100,000.
Pursuant to Art. 33 section 5 of Regulation 2016/679, the controller documents all personal data protection breaches, including the circumstances of the personal data protection breach, its effects and the remedial actions taken. This documentation must enable the supervisory authority to verify compliance with this Article.
Due to the fact that the Administrator submitted a document marked as: "Report (...)" in the course of the proceedings, it should be considered that the Administrator keeps documentation related to personal data protection breaches, including documentation regarding the personal data protection breach in question. It is true that the assessment of the event contained therein, in the opinion of the President of the Personal Data Protection Office, is incorrect (as already demonstrated above), but this cannot constitute an allegation of violation of the above-mentioned. provision of Regulation 2016/679. The above means that the proceedings in this respect are groundless and subject to discontinuation.
Due to the above, pursuant to the provisions of Art. 105 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775), hereinafter referred to as the Code of Administrative Procedure, when the proceedings have become groundless for any reason, the administrative authority issues a decision to discontinue the proceedings. The subject of the proceedings is related to the application of the provisions of substantive administrative law by a public authority. The doctrine indicates that: "the groundlessness of administrative proceedings, as stipulated in Art. 105 § 1 of the Code of Administrative Procedure means that one of the elements of a substantive legal relationship is missing, and therefore a decision cannot be issued to settle the matter by resolving it on its merits. The premise for discontinuing the proceedings may exist even before the initiation of the proceedings, which will be revealed only in the ongoing proceedings, and it may also arise during the proceedings, i.e. in a case already pending before the administrative body" (B. Adamiak, J. Borkowski, Code of Procedure administrative. Comment, C.H. Beck, Warszawa 2006, p. 489).
Determination by a public authority of the existence of the condition referred to in Art. 105 § 1 of the Code of Administrative Procedure, obliges him, as emphasized in the doctrine and case law, to discontinue the proceedings, because if this condition exists, there are no grounds to resolve the case on the merits, and continuing the proceedings in such a case would constitute its defectiveness, which would have a significant impact on influence on the outcome of the case.
In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.
[1] Act on the Organization of Common Courts - Act of 27 July 2001, Law on the Organization of Common Courts (Journal of Laws of 2020, item 2072, as amended).
[2] Act of 1997 - Act of August 29, 1997 on the protection of personal data (Journal of Laws of 2016, item 922, as amended).
[3] EDPB Guidelines 9/2022 on reporting personal data protection breaches in accordance with the GDPR;
[4] https://www.zbp.pl/getmedia/45bb9af8-95a4-4cc2-9767-05c73e5b1eb3/Raport-InfoDOK-II-kwartal-2023;
[5] https://www.zbp.pl/getmedia/b5257020-2baa-4507-828c-a1b78c769c6d/infodok-2022-04-06-wydanie-50-sklad-220725-gk05;
