Latest revision as of 07:57, 14 September 2022

UODO - DKN. 5131.27.2022
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 33(1) GDPR
Article 34(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 06.07.2022
Published:
Fine: 60,000 PLN
Parties: Chief National Surveyor (Główny Geodeta Kraju)
National Case Number/Name: DKN. 5131.27.2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: n/a

The Polish DPA held that the Polish Chief National Surveyor violated Articles 33(1) and 34(1) GDPR by not notifying the DPA and the data subjects after it had accidentally disclosed land and mortgage register numbers on its website.

English Summary

Facts

The Chief National Surveyor (the controller) accidentally disclosed land and mortgage register numbers on its website. The numbers were publicly available for about 48 hours. The controller did not notify the DPA and the affected data subjects of this event.

In the investigation that followed, the controller claimed, first, that the data disclosed were not personal data. Second, it argued that their publication was lawful and therefore did not constitute a data breach. Lastly, the controller submitted that, in any case, the disclosure did not entail any risk to the rights and freedoms of natural persons, given its short duration and the availability of the same numbers from other sources. For these reasons, the controller concluded that there was no need to notify the DPA or the affected data subjects under Articles 33(1) and 34(1) GDPR.

Holding

The Polish DPA held, first, that land and mortgage register numbers constitute personal data. The land and mortgage register of a natural person contains, among other things, first names, surnames, parents' names, PESEL numbers (an eleven-digit national identification number that uniquely identifies a natural person and encodes the date of birth, a serial number, the person's sex and a check digit) and real estate addresses. Anyone who knows a land and mortgage register number can therefore look up the register and identify the persons whose data it contains. A land and mortgage register number is thus information allowing a natural person to be indirectly identified, i.e. personal data.
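To make concrete why the DPA treats a PESEL exposed next to a name as an identity-theft risk, the following is an added example (it is not part of the GDPRhub page or of the UODO decision). The PESEL layout it relies on is the publicly documented scheme: digits 1-6 are the birth date as YYMMDD with the month shifted by 20 per century (00-12 for 1900-1999, 21-32 for 2000-2099, 41-52 for 2100-2199, 61-72 for 2200-2299, 81-92 for 1800-1899), digits 7-9 are a serial, digit 10 encodes sex (odd = male, even = female), and digit 11 is a check digit computed with the weights 1, 3, 7, 9, 1, 3, 7, 9, 1, 3. The code decodes a PESEL and scans a block of text for genuine PESELs, so that an incident responder triaging an exposed export can separate real identifiers from arbitrary eleven-digit numbers. The sample register extract, names and numbers are constructed for the example.

```python
"""Decode PESEL numbers and scan text for valid ones.

Added example, not taken from the GDPRhub page or the UODO decision.
The PESEL structure (date encoding, sex digit, checksum weights) is the
public scheme; the sample text and all numbers below are constructed.
"""
import re
from datetime import date

CHECK_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
# The month field is offset by 20 per century; the offset selects the century.
CENTURY_BY_OFFSET = {0: 1900, 20: 2000, 40: 2100, 60: 2200, 80: 1800}
ELEVEN_DIGITS = re.compile(r"(?<!\d)\d{11}(?!\d)")


def pesel_check_digit(first_ten: str) -> int:
    """Check digit = (10 - weighted sum mod 10) mod 10 over the first ten digits."""
    total = sum(int(d) * w for d, w in zip(first_ten, CHECK_WEIGHTS))
    return (10 - total % 10) % 10


def decode_pesel(pesel: str):
    """Return (birth date as ISO string, 'M' or 'F'), or None if the value is
    not a structurally valid PESEL (wrong length, bad checksum, impossible date)."""
    if not re.fullmatch(r"\d{11}", pesel):
        return None
    if pesel_check_digit(pesel[:10]) != int(pesel[10]):
        return None
    yy, mm, dd = int(pesel[0:2]), int(pesel[2:4]), int(pesel[4:6])
    offset = (mm // 20) * 20          # 0, 20, 40, 60 or 80
    century = CENTURY_BY_OFFSET.get(offset)
    if century is None:
        return None
    try:
        born = date(century + yy, mm - offset, dd)
    except ValueError:                # month 0/13+, day 31 in a 30-day month, etc.
        return None
    sex = "M" if int(pesel[9]) % 2 else "F"
    return born.isoformat(), sex


def find_pesels(text: str):
    """Return [(pesel, birth_date, sex), ...] for every checksum- and
    date-valid PESEL in the text; other eleven-digit runs are ignored."""
    found = []
    for match in ELEVEN_DIGITS.finditer(text):
        decoded = decode_pesel(match.group(0))
        if decoded is not None:
            found.append((match.group(0), decoded[0], decoded[1]))
    return found


# Constructed sample: the kind of extract a register lookup would yield.
# The two PESELs were generated for this example; "12345678901" has a
# wrong check digit and must be skipped by the scanner.
SAMPLE_EXTRACT = (
    "KW WA1M/00012345/6 owner: Jan Kowalski PESEL 85031412354; "
    "co-owner Anna Nowak PESEL 03310704226; phone 123456789; ref 12345678901"
)

if __name__ == "__main__":
    for pesel, born, sex in find_pesels(SAMPLE_EXTRACT):
        print(f"{pesel}: born {born}, sex {sex}")
```

Run as a script, the block lists the two genuine PESELs with the birth date and sex they reveal and silently drops the nine-digit phone number and the eleven-digit reference whose check digit does not match. The same `find_pesels` call over a dump of a suspected exposure gives a quick count of how many real national identifiers were present, which is exactly the input a controller needs for the risk assessment Articles 33 and 34 require.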

Second, the Polish DPA held that the publication of the land and mortgage register numbers was not lawful. Whilst the Land and Mortgage Register Act makes the land and mortgage registers public via a dedicated ICT system, it says nothing about disclosing such information on publicly available websites. Similarly, the Geodetic and Cartographic Act provides that the relevant data may only be shared by the district governor upon request. Lastly, the Regulation of the Minister of Development, Labour and Technology, an executive act that the controller also relied on in its submissions, cannot take precedence over the Geodetic and Cartographic Act and hence cannot provide for universal access to the data concerned. Consequently, the Polish DPA held that the accidental disclosure of land and mortgage register numbers on the controller's website constituted a personal data breach within the meaning of Article 4(12) GDPR.

Third, in considering the failure to notify the DPA of the data breach, the DPA found that the controller did not assess the risk to the rights and freedoms of natural persons based on objective criteria. The controller merely asserted that the land and mortgage register was public and the numbers were also available in other sources. The DPA noted that risk assessments should be made from the point of view of the data subject’s interest and not that of the controller. In addition, the DPA emphasized that the existence of private entities that run websites allowing access to the content of land and mortgage registers cannot serve as a justification for non-compliance with the law on the part of the controller. Considering the above and the fact that the controller did not demonstrate, in accordance with the accountability principle, that it was unlikely that this data breach could result in a risk to rights and freedoms of natural persons, the DPA held that the controller violated Article 33(1) GDPR by not notifying the DPA of the personal data breach.

Lastly, the DPA pointed out that the disclosure of a person’s PESEL number, together with their name and surname, could lead to identity theft. For this reason, there was a possibility of significant negative consequences for a large number of data subjects, and the likelihood of such a risk materializing was not low. There were also no factors reducing the probability of such negative consequences on the data subjects. Consequently, the DPA held that the personal data breach in question may have resulted in a high risk to the rights and freedoms of data subjects and the controller violated Article 34(1) GDPR by not notifying the affected data subjects of the breach, not even through a public announcement.

As a result, the DPA fined the controller PLN 60,000 (roughly € 12,773) and ordered the controller to communicate the personal data breach to the data subjects within 3 days from the date of notification of this decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT OF THE PERSONAL DATA PROTECTION OFFICE

Warsaw, July 6, 2022

DECISION

DKN.5131.27.2022

On the basis of Art. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended), Art. 7(1), Art. 60, Art. 102(1)(1) and (3) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), as well as Art. 57(1)(a) and (h), Art. 58(2)(e) and (i), Art. 83(1) and (2), Art. 83(4)(a) in connection with Art. 33(1) and Art. 34(1), (2) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, Official Journal of the EU L 127 of 23 May 2018, p. 2 and Official Journal of the EU L 74 of 4 March 2021, p. 35), hereinafter referred to as "Regulation 2016/679", after conducting administrative proceedings initiated ex officio regarding a breach of the provisions on the protection of personal data by the Chief National Surveyor with its seat in Warsaw (address: ul. Wspólna 2, 00-926 Warsaw), the President of the Personal Data Protection Office,

1) finding that the Chief National Surveyor with its seat in Warsaw at ul. Wspólna 2 infringed the provisions of:
a) Art. 33(1) of Regulation 2016/679, by not notifying the personal data breach to the President of the Personal Data Protection Office without undue delay, and no later than 72 hours after having become aware of it, and
b) Art. 34(1) of Regulation 2016/679, by not communicating the personal data breach to the data subjects without undue delay,
imposes on the Chief National Surveyor with its seat in Warsaw at ul. Wspólna 2 an administrative fine in the amount of PLN 60,000 (in words: sixty thousand zlotys),

2) orders the Chief National Surveyor with its seat in Warsaw at ul. Wspólna 2 to notify the data subjects, within 3 days from the date of service of this decision, of the breach of the protection of their personal data, so as to provide them with the information required under Art. 34(2) of Regulation 2016/679, i.e.:
a) description of the nature of the personal data breach;
(b) the name and contact details of the data protection officer or designation of another contact point from which more information can be obtained;
c) a description of the possible consequences of a breach of personal data protection;
d) a description of the measures taken or proposed by the administrator to remedy the breach, including measures to minimize its possible negative effects.

JUSTIFICATION

The President of the Personal Data Protection Office (hereinafter referred to as the "President of the Personal Data Protection Office") learned of a possible personal data breach consisting in the disclosure of land and mortgage register numbers on the website www.geoprtal.gov.pl, hereinafter referred to as the "Website", run by the Chief National Surveyor (address: Wspólna 2, 00-926 Warsaw), hereinafter referred to as the "Administrator". Information on the disclosure of land and mortgage register numbers on the Website was available, inter alia, on the websites Niebezpiecznik (https://niebezpiecznik.pl/post/numbers-ksiag-wieczyych-znow-byly-visible-w-geoportalu-ale-to-byl-blad/) and Geoforum (https://geoforum.pl/news/32207/whether-in-the-geoportal-again-new-land-registry-numbers-appeared).

In connection with the above, on [...] April 2022, the President of the Personal Data Protection Office informed the Administrator about the obligations arising from Art. 33 paragraph 1 and 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Official Journal of the European Union L 119 of 04/05/2016, p. 1, Official Journal of the European Union L 127 of 23/05/2018, p. 2 and the Official Journal of the European Union L 74 of 04/03/2021, p. 35), hereinafter referred to as "Regulation 2016/679", i.e. on the obligation to notify the breach of personal data protection to the President of the Personal Data Protection Office. At the same time, the President of the Personal Data Protection Office informed the Administrator about possible ways of reporting a breach of personal data protection to the supervisory authority.

In addition, the President of the Personal Data Protection Office (UODO) asked the Administrator, pursuant to Art. 58(1)(a) and (e) of Regulation 2016/679, to state whether, in connection with the above-mentioned possible personal data breach, an analysis of the incident had been carried out in terms of the risk to the rights or freedoms of natural persons, such an analysis being necessary to assess whether a data breach had occurred that required notification to the President of the Personal Data Protection Office and to the persons affected by the breach.

In response to the above-mentioned request, the Administrator provided explanations in a letter of [...] April 2022, in which it indicated that (quoted): "(...) are personal data within the meaning of art. 4 point 1 (...)" of Regulation 2016/679. The Administrator also indicated that this issue had been the subject of a decision by the President of the Personal Data Protection Office, that it was currently under consideration by the Supreme Administrative Court in proceedings following that decision, and that until the case is resolved the land and mortgage register numbers on the website www.geoportal.gov.pl are unavailable. The Administrator further indicated that (quoted): "on [...] April 2022 from [...] until [...] April 2022 by [...] there was an ICT incident related to a mistake [...]. As a result [...] the numbers of land and mortgage registers were visible for about 48 hours on the website www.geoportal.gov.pl".

The Chief National Surveyor also pointed out that (quoted): "(...) even if we assume that we are dealing here with personal data, in connection with the above-mentioned mistake no additional risk to the rights and freedoms appeared, due to the fact that land and mortgage register numbers are commonly available in other sources (...)".

In addition, the Chief National Surveyor noted that (quoted) "numbers of land and mortgage registers were indicated in Table 4 in Annex 8 to the Regulation of the Minister of Development, Labour and Technology of 27 July 2021 on land and building records (Journal of Laws of 2021, item 1390) as an obligatory element of sharing data from the land and building register by means of network services and internet portals (§ 39 of the Regulation)", and stated that, in its opinion, Art. 20(1)(1) of the Act of 17 May 1989, Geodetic and Cartographic Law (Journal of Laws of 2021, item 1990), read in connection with the above-mentioned provision of the Regulation, gives district governors (starosts) the possibility to publish, inter alia, land and mortgage register numbers in network services.

In connection with the findings made, on [...] April 2022 the President of the Personal Data Protection Office (UODO) initiated ex officio administrative proceedings regarding a breach of the provisions on the protection of personal data, in connection with the processing of personal data within the meaning of Regulation 2016/679 by the Chief National Surveyor, indicating as the subject of the proceedings the possible breach by the Chief National Surveyor of the obligations under Art. 33(1) and Art. 34(1) and (2) of Regulation 2016/679. At the same time, the President of the Personal Data Protection Office asked the Chief National Surveyor to send the results of the analysis of the risk to the rights or freedoms of natural persons carried out in connection with the disclosure of land and mortgage register numbers on the website www.geoprtal.gov.pl, together with the methodology adopted for assessing that risk. In addition, the President of the Personal Data Protection Office asked whether, and if so when and in what form, the data subjects had been notified of the breach of their personal data.

In response to the notification of the initiation of administrative proceedings, the Administrator, in a letter received by the Office on [...] April 2022, again indicated that, in its opinion, land and mortgage register numbers are not personal data within the meaning of Regulation 2016/679 and that, in connection with the above (quoted), "in this situation there can be no breach of the protection of personal data".

Referring to the requests of the President of the Personal Data Protection Office to present the results of the risk assessment of the personal data breach and to state whether the data subjects had been notified of the breach of their personal data, the Administrator indicated that (quoted): "the statement in the letter of [...] April 2022 was based on the indisputable facts that since the entire land and mortgage register (and thus its number) is public, and the numbers of land and mortgage registers are also commonly available in other sources, which is not questioned by Mr. President, this means, inter alia, that their publication does not pose any threat to the rights and freedoms of natural persons." In addition, the Administrator indicated that (quoted): "even if we assumed that the land and mortgage register numbers are allegedly 'personal data', GGK took immediate and effective actions to disable their visibility, which prevented unauthorized access to these data. Therefore, the actions taken effectively eliminated the probability of a possible risk to the rights or freedoms of persons, so that - even if the land and mortgage register numbers were recognized as personal data - it was not required to notify anyone (Article 33(1) and Article 34(3)(a) and (b))" of Regulation 2016/679.

In addition, the Administrator indicated that (quoted): "short-term visibility of land and mortgage register numbers does not in any way affect the level of risk to the rights and freedoms of data subjects due to the activities of websites such as: https://geoportal360.pl/; https://ekw.plus/; http://www.wieczyste.pl/; https://skaner.com; http://www.znajdzksiege.pl/; https://ksiegiwieczyste.pl; https://hipoteki.pl - which, when publishing the numbers of land and mortgage registers, operate in accordance with the law (Article 2 of the Act on land and mortgage registers and mortgage and Article 20(1)(1) and Article 24(2) of the Geodetic and Cartographic Law). Therefore, I do not see any grounds for concluding that the short-term appearance of land and mortgage register numbers at www.geoportal.gov.pl caused any risk to the rights and freedoms of data subjects".

After reviewing all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following:

Pursuant to Art. 33(1) of Regulation 2016/679, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art. 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Art. 34(1) of Regulation 2016/679 provides that when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. In accordance with Art. 34(2) of Regulation 2016/679, the communication referred to in paragraph 1 of that article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Art. 33(3)(b), (c) and (d).

The Chief National Surveyor is the controller of the data processed on the Website. In accordance with the "Regulations of the Website - www.geoportal.gov.pl", available at https://www.geoportal.gov.pl/regulamin, "the Website Administrator within the meaning of the Act of 18 July 2002 on the provision of services by electronic means (Journal of Laws of 2002, No. 144, item 1204, as amended) is the Chief National Surveyor". The Website regulations, in the chapter entitled "GDPR - Fulfilment of the information obligation", refer to an information clause. That clause, available at http://www.gugik.gov.pl/urzad/rodo-wypelnienie-czasiazku-informacyjny, states that "The administrator of your personal data is the Chief National Surveyor, ul. Wspólna 2, 00-926 Warsaw".

Referring to the position presented by the Administrator, according to which land and mortgage register numbers are not personal data, it is first necessary to recall the definition of personal data in Art. 4 point 1 of Regulation 2016/679. Pursuant to that provision, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. There is no doubt that natural persons are also among the entities holding the rights and obligations disclosed in land and mortgage registers. Pursuant to Art. 25(1) of the Act of 6 July 1982 on land and mortgage registers and mortgage (Journal of Laws of 2019, item 2204, as amended), hereinafter referred to as the "Land and Mortgage Act", a land and mortgage register consists of four sections, of which: 1) the first contains the designation of the real estate and entries of rights related to its ownership; 2) the second contains entries on ownership and perpetual usufruct; 3) the third is intended for entries on limited rights in rem, except for mortgages, for entries of restrictions on the disposal of the real estate or the perpetual usufruct, and for entries of other rights and claims, except for claims relating to mortgages; 4) the fourth is intended for mortgage entries. The scope of data disclosed in the land and mortgage register of a natural person includes, inter alia, first names, surnames, parents' names, PESEL number and the address of the real estate.
On this basis, it must be held that the publicly disclosed land and mortgage register numbers allow the identification of the persons whose data are contained in the land and mortgage register. Knowing the land and mortgage register number gives easy and simple access to the personal data of the persons disclosed in that register. Obtaining access to the personal data contained in the land and mortgage register does not require the person holding the number to have access to a dedicated IT system or to hold any special rights. The land and mortgage register number is therefore information that allows a natural person (i.e. the owner of a given property) to be indirectly identified. Consequently, the land and mortgage register number constitutes personal data within the meaning of Art. 4 point 1 of Regulation 2016/679.

The above position of the President of the Personal Data Protection Office is also well established in the case law of the administrative courts. As the Supreme Administrative Court indicated in the reasoning of its judgment of 26 September 2018, file ref. no. I OSK 11/17, "obtaining information on the designation of the land and mortgage register enables easy and simple access to the content of the entire land and mortgage register, i.e. all four sections, including the personal data contained therein. An application for data from the land and building register concerning the designation of the land and mortgage register is not aimed at obtaining 'a set of marked numbers and characters', but at obtaining personal data about the owner of the real estate, which can easily be obtained with that 'set of marked numbers and characters', that is, the designation of the land and mortgage register." This position of the Supreme Administrative Court was also shared by the Provincial Administrative Court in Warsaw in the reasoning of its judgment of 5 May 2021, file ref. no. II SA/Wa 2222/20.

Consequently, it should be considered that the disclosure of land and mortgage register numbers on the geoportal.gov.pl website violates the protection of the data of the persons concerned.

The President of UODO also does not share the position presented by the Administrator in the course of the proceedings, according to which the publication of land and mortgage register numbers in publicly available network services is carried out in accordance with the law pursuant to Art. 2 of the Land and Mortgage Register Act and Art. 20 paragraph 1 point 1 and Art. 24 sec. 2 of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276), hereinafter referred to as the "Geodetic and Cartographic Law". According to Art. 2 of the Act on land and mortgage registers and mortgage, the land and mortgage registers are public. However, it should be pointed out that the Act on land and mortgage registers and mortgage contains regulations that ensure the implementation of the principle of open land and mortgage registers. These are, in particular, the provisions of Art. 364 paragraphs 5 and 6 of this Act. As results from these regulations, the Central Information of the Land and Mortgage Registers enables viewing the land and mortgage registers via the ICT system, and anyone who knows the land and mortgage register number can view the land and mortgage register free of charge via the ICT system. Thus, the legislator indicated how the openness of land and mortgage registers is ensured and which entities are responsible for it. None of these provisions, nor other provisions of the Act on land and mortgage registers and mortgage, grant competences in this respect to entities running generally available internet portals. In addition, no provision of generally applicable law imposes a task on the Administrator or other entities running internet portals to ensure universal availability of land and mortgage registers and the information contained therein. At this point, it is necessary to recall the above-mentioned judgment of the Supreme Administrative Court of September 26, 2018, file ref. no. I OSK 11/17, in the justification of which the Supreme Administrative Court stated that "openness of the land and building register means that the information contained in the register is not classified information within the meaning of the law, but it does not mean universal access to it." The above statement obviously also applies to the land and mortgage register numbers, which constitute information covered by the land and building register.

The legal basis for making land and mortgage registers available in publicly available network services is not constituted by Art. 20 paragraph 1 point 1 and Art. 24 sec. 2 of the Geodetic and Cartographic Law. The provision of Art. 20 paragraph 1 point 1 of the Geodetic and Cartographic Law specifies that the land and building records include information on land: their location, boundaries, areas, types of land use and their valuation classes, designations of land and mortgage registers or collections of documents, if they were established for the real estate within which the land falls. In turn, Art. 24 sec. 2 of the Geodetic and Cartographic Law states that the information contained in the records is public. It should be emphasized, however, that the provisions of the above-mentioned Geodetic and Cartographic Law define the rules for sharing data from the land and building records, which the Administrator completely ignores in his explanations. Pursuant to Art. 24 sec. 5 of the Geodetic and Cartographic Law, the starost provides data from the land and building records containing the data of the entities referred to in Art. 20 paragraph 2 point 1, and issues extracts from the records containing such data, upon request. This means that, contrary to the Administrator's claims, the provisions of Art. 20 paragraph 1 point 1 and Art. 24 sec. 2 of the Geodetic and Cartographic Law do not constitute a legal basis for publishing land and mortgage register numbers via generally available network services. In the above-mentioned justification of the judgment of September 26, 2018, issued in the case file ref. no. I OSK 11/17, the Court of Cassation decided that "(...) the adoption of such an interpretation that the information contained in the land register on the designation of the land and mortgage register is only objective in nature and, consequently, may be made available to anyone, would mean that the rule adopted in Art. 24 sec. 5 P.g. and k. that disclosure of registration data containing the data of entities referred to in Art. 20 paragraph 2 point 1 may occur only at the request of the entities indicated in point 1 to point 3 would become redundant, because everyone would obtain data on the entities by obtaining a land and mortgage register designation. This means that such an interpretation is incorrect, as it leads to the result that the disposition of the norm, which specifies the prescribed behavior in points 1 to 3, would become redundant. (...) There is no doubt that the mere fact of having a land and mortgage register designation allows, in an easy and simple manner that does not require excessive costs, time or special activities, access to the personal data of persons disclosed in the land and mortgage register, and these data, in accordance with § 41 paragraph 1 point 4 in connection with paragraph 4 of the Regulation of the Minister of Justice of November 21, 2013 on the establishment and maintenance of land and mortgage registers, in the case of natural persons are the first name (names), surname, parents' names, as well as the PESEL number."

In the course of the proceedings, the Administrator also argued that the numbers of land and mortgage registers were indicated in Table 4 in Annex 8 to the Regulation of the Minister of Development, Labor and Technology of July 27, 2021 on land and building records (Journal of Laws 2021, item 1390) as an obligatory element of sharing data from the land and building register by means of network services and internet portals (§ 39 of the Regulation), pointing out at the same time that, in his opinion, the provision of Art. 20 paragraph 1 point 1 of the Geodetic and Cartographic Law in connection with the above-mentioned provision of the regulation gives starosts the opportunity to publish, inter alia, land and mortgage register numbers in network services. Referring to the above, it should be pointed out that the rules of access to personal data contained in the land and building records result directly from the applicable Geodetic and Cartographic Law, and therefore there is no basis for the concept, presented in the Administrator's letter, of deriving universal access to this data from the provisions of the Regulation of the Minister of Development, Labor and Technology on land and building records. It is obvious that the indicated § 39 of the above-mentioned regulation, which provides for the electronic exchange of data from the records, refers only to the technical method of data processing, including the provision of data from the records. This means that the rules for publishing data from the land and building records specified in the Geodetic and Cartographic Law (Article 24 (2) and Article 24 (5)) remain unchanged. The norms of the executive act may not create a separate mode of data processing, disregarding the rules of the Geodetic and Cartographic Law, which does not provide for universal access to personal data contained in the land and building register. It is unacceptable to replace the statutory provisions of law regulating the principles of access to various registers, including land and building records, with strictly IT solutions. In the light of the above, it is unreasonable to interpret the indicated provisions of the Geodetic and Cartographic Law in such a way that the executive regulation to the act would change or replace the rules of sharing data expressed in this act.

Bearing in mind the above, it is undisputed in this case that the land and mortgage register numbers made available on the Website as a result of a breach of personal data protection allow for indirect identification of natural persons, and thus constitute personal data within the meaning of art. 4 sec. 1 of Regulation 2016/679. It is also undisputed that publishing the land and mortgage register numbers on the Website has no legal basis in the applicable law.

Reporting breaches of personal data protection by administrators is an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, the administrators inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights or freedoms of data subjects, and, if such a risk occurred, whether they provided relevant information to natural persons affected by the breach. In justified cases, they may also provide information that, in their opinion, notification is not necessary due to the fulfillment of the conditions set out in Art. 34 sec. 3 lit. a) and b) of Regulation 2016/679. The President of the Personal Data Protection Office (UODO) verifies the assessment made by the controller and may, if the controller has not notified the data subjects, request such notification from him. Notifications of a personal data breach allow the supervisory authority to react appropriately, which may limit the effects of such breaches, because the controller is obliged to take effective measures to protect natural persons and their personal data, which, on the one hand, will allow for the control of the effectiveness of existing solutions, and on the other hand, for the assessment of modifications and improvements to prevent irregularities similar to those covered by the infringement. On the other hand, notifying natural persons about a breach enables them to be informed about the risk related to the breach and indicates actions that these persons can take to protect themselves against the potential consequences of the breach. The obligation to notify a natural person about a breach does not depend on the materialization of negative consequences for such a person, but on the very possibility of such a risk. Thus, this obligation enables a natural person to make an independent assessment of the infringement in the context of the possibility of materialization of negative consequences for that person and to decide whether or not to apply remedial measures. On the other hand, the very assessment of the infringement carried out by the controller in terms of the risk of violating the rights or freedoms of natural persons, necessary to assess whether there has been a breach of data protection resulting in the need to notify the President of the Personal Data Protection Office (Article 33 (1) and (3) of Regulation 2016/679) and the persons affected by the infringement (Article 34 (1) and (2) of Regulation 2016/679), should be made from the point of view of the interests of the person affected by the infringement.

In the facts of the case at hand, it was established that the disclosure of the land and mortgage register numbers on the Website took place from [...] April 2022, at [...], until [...] April 2022, at […]. The explanations presented in the course of the proceedings that the disclosure of the land and mortgage register numbers on the Website was related to the Administrator's mistake remain irrelevant for the resolution in this case. Pursuant to Art. 4 point 12) of Regulation 2016/679, "breach of personal data protection" means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed. The disclosure of land and mortgage register numbers on the Website as a result of a mistake of the Administrator's employee falls within the definition of a personal data breach specified in Regulation 2016/679.

Pursuant to recital 85 of Regulation 2016/679, (...) immediately after discovering a breach of personal data protection, the controller should notify it to the supervisory authority without undue delay, if feasible, no later than 72 hours after finding the breach, unless the controller is able to demonstrate, in accordance with the accountability principle, that the breach is unlikely to result in a risk of infringement of the rights or freedoms of natural persons (…).

One cannot agree with the position of the Administrator presented in the course of the proceedings, according to which the analysis of the incident did not reveal any risk of violating the rights or freedoms of natural persons. In a letter of [...] April 2022, being a reply to the letter informing about the initiation of administrative proceedings, in which the President of the Personal Data Protection Office (UODO) asked the Administrator, inter alia, to provide the results of the risk analysis along with the methodology adopted for the assessment, the Administrator also explained that the analysis carried out by him was based on the assessment that (quoted): "since the entire land and mortgage register (and thus its number) is public and the book numbers are also commonly available in other sources, (...), which means, inter alia, that their publication does not pose any threat to the rights and freedoms of natural persons". The Administrator did not present the adopted methodology of the risk assessment of violating the rights or freedoms of natural persons, basing his position on the above-mentioned circumstances.

Above, in the justification of this decision, it has already been indicated that the principle of open land and mortgage registers does not constitute a legal basis for the publication of land and mortgage register numbers through the Website operated by the Administrator. It should also be pointed out that the provision of land and mortgage register numbers on the Website by a public administration body, which is the Administrator, with data on the scale of the entire country for over 48 hours, could have given other entities providing land and mortgage register numbers via publicly available network services the possibility of, for example, updating the land and mortgage register databases for their further sharing. In the opinion of the President of the Personal Data Protection Office, the above circumstance should be taken into account when assessing the risk of violating the rights or freedoms of natural persons related to the disclosure of land and mortgage register numbers on the Website, as it definitely increases the level of this risk. It should also be emphasized that the Administrator cannot justify his unlawful actions with the existence of private entities that run websites allowing access to the content of land and mortgage registers.

It should be emphasized that the assessment of the risk of violating the rights or freedoms of a natural person should be made from the point of view of the interests of the affected person, and not the interests of the controller. Based on the breach notification, the individual can himself assess whether, in his opinion, the security incident may have negative consequences for him and take appropriate remedial action. Also, based on the information provided by the administrator regarding the description of the nature of the breach and the measures taken or proposed to remedy the breach, a natural person may assess whether, after the breach, the data controller still guarantees the proper processing of his personal data in a manner ensuring their security. Failure to notify a natural person about a breach in the event of a high risk of violation of their rights or freedoms deprives them not only of the possibility of an appropriate response to the violation, but also of the possibility of making an independent assessment of the violation, which, after all, concerns their personal data and may have significant consequences for them. On the other hand, failure to notify the supervisory authority of a breach of personal data protection deprives this authority of the possibility of an appropriate response to the breach, which is reflected not only in the assessment of the risk of breach for the rights or freedoms of a natural person, but also in particular in verifying whether the controller has applied appropriate measures to remedying the breach and minimize the negative consequences for the data subjects, as well as whether it has applied appropriate security measures to minimize the risk of a recurrence of the breach.

The provisions of Art. 33 paragraph 1 and art. 34 sec. 1 and 2 of Regulation 2016/679 impose an obligation on the Administrator to report the breach to the President of the Personal Data Protection Office and notify data subjects about the breach of their personal data.

The administrator may refrain from reporting a breach of personal data protection if it is unlikely that the breach would result in a risk of violating the rights or freedoms of natural persons. Pursuant to the above-mentioned recital 85 of Regulation 2016/679, the controller notifies the supervisory authority of the breach, unless it is able to demonstrate, in accordance with the accountability principle, that it is unlikely that the breach could result in a risk of violating the rights or freedoms of natural persons. As shown above, the Administrator based the risk assessment on incorrect assumptions made by him. Moreover, in the course of the proceedings, the Administrator referred to the fact of a dispute pending before the court in this respect. As indicated by the Article 29 Working Party in the Guidelines on reporting personal data breaches in accordance with Regulation 2016/679 (WP250rev.01), hereinafter referred to as the "WP250 Guidelines", "when assessing the risk that may arise as a result of a breach, the controller should collectively take into account the importance of the potential impact on the rights and freedoms of individuals and the likelihood of their occurrence. Of course, the risk increases when the consequences of a breach are more severe and also when the probability of their occurrence increases. In case of any doubts, the controller should report the breach, even if such caution could turn out to be excessive". For this reason, the fact of the pending court dispute, the subject of which is the decision of the President of the Personal Data Protection Office, ref. [...] stating a breach of the provisions of Regulation 2016/679 by providing on the Website, without a legal basis, personal data in the form of land and mortgage register numbers obtained from the land and building register (kept by starosts), may not constitute a premise in any way justifying the Administrator's failure to report a breach of personal data protection to the President of the Personal Data Protection Office, because the Administrator, having any doubts as to the legitimacy of the notification, was even more obliged to make it.

The obligation to report a breach of personal data protection set out in Art. 33 paragraph 1 of Regulation 2016/679 is also not dependent on whether the risk of violating the rights or freedoms of natural persons has materialized. As indicated by the Provincial Administrative Court in the justification of the judgment of September 22, 2021, file ref. no. II SA/Wa 791/21, "It should be emphasized that the possible consequences of the event that occurred do not have to materialize. The wording of Art. 33 paragraph 1 of Regulation 2016/679 indicates that the mere occurrence of a breach of personal data protection, which involves the risk of violating the rights or freedoms of natural persons, implies an obligation to notify the breach to the competent supervisory authority, unless it is unlikely that the breach would result in a risk of violating the rights or freedoms of natural persons". A similar opinion was expressed by the Provincial Administrative Court in Warsaw in the judgment of January 21, 2022, file ref. no. II SA/Wa 1353/21, stating that "(...) the possible consequences of the event of a personal data breach do not have to materialize, because Art. 33 paragraph 1 GDPR says that the mere occurrence of a breach of personal data protection, which involves the risk of violating the rights or freedoms of natural persons, implies an obligation to notify the breach to the competent supervisory authority. The circumstance raised by the Company that the breach did not result in the occurrence of physical or damage to natural persons is irrelevant for the determination of the Company's obligation to notify the President of the Personal Data Protection Office of the breach of personal data protection, in accordance with the above-mentioned provision".

In the facts of the case at hand, it should be stated that the Administrator did not assess the risk of violation of the rights or freedoms of natural persons based on objective criteria, did not demonstrate, in accordance with the accountability principle, that it is unlikely that this violation could result in a risk of violating the rights or freedoms of natural persons, and by not reporting a breach of personal data protection to the President of the Personal Data Protection Office, he violated Art. 33 paragraph 1 of Regulation 2016/679.

The breach of confidentiality of data that occurred in the case in question, in connection with the breach of personal data protection consisting in making the numbers of land and mortgage registers available in a way that allows every user of the Website to read them, thereby allowing, in an easy and simple manner not requiring excessive costs, time or special actions, access to the personal data of persons disclosed in land and mortgage registers, including PESEL numbers, poses, in the opinion of the President of the Personal Data Protection Office, a high risk of violating the rights or freedoms of natural persons. As indicated by the Article 29 Working Party in the WP250 Guidelines, "This risk exists when a breach may lead to physical or material or non-material damage to the data subjects whose data has been breached. Examples of such damage include discrimination, identity theft or fraud, financial loss and damage to reputation." There is no doubt that the examples of damages mentioned in the guidelines, due to the scope of data covered by this personal data breach, including the PESEL number together with the name and surname and information about real estate, may occur in the discussed case.

When assessing the risk of violation of the rights or freedoms of natural persons, on which the notification of a personal data breach and the notification of the data subjects about the breach depend, the probability factor and the importance of potential negative effects should be taken together. A high level of either of these factors has an impact on the overall assessment on which the fulfillment of the obligations set out in Art. 33 paragraph 1 and Art. 34 sec. 1 of Regulation 2016/679 depends. Bearing in mind that, due to the scope of the disclosed personal data, there was a possibility of significant negative consequences for data subjects materializing, the importance of the potential impact on the rights or freedoms of natural persons should be considered high. At the same time, the likelihood of high risk arising from the present infringement is not small and has not been eliminated. In addition, due to the large number of people affected by the infringement, the seriousness of the infringement increases by extending the possibility of negative effects, and in the event of the administrator's doubts as to the need to submit a notification, this circumstance should be taken into account.

Thus, it should be pointed out again that in connection with the breach in question there was a high risk of violation of the rights or freedoms of data subjects, which in turn determines the obligation to report the breach of personal data protection to the supervisory authority and notify these persons about the breach. Also in relation to the occurrence of a breach of personal data protection, there were no factors reducing the probability of negative consequences, such as limited possibility of identification, finding that personal data are publicly available, or recognizing the wrong recipient as a "trusted" person.

It should be emphasized that Art. 34 sec. 1 of Regulation 2016/679 requires the Administrator to notify data subjects about the breach of their personal data. Importantly, according to this provision, "if the breach of personal data protection may result in a high risk of violation of the rights or freedoms of natural persons, the controller shall inform the data subject about such a breach without undue delay". Therefore, it should be emphasized that the provision of Art. 34 sec. 1 of Regulation 2016/679 does not make the obligation to notify data subjects about the breach conditional on the controller unequivocally establishing that a given breach of personal data protection causes a high risk of violating the rights or freedoms of natural persons, because according to this provision the very possibility of such a risk obliges the administrator to notify these people.

The Article 29 Working Party in WP250 indicates that "controllers should remember that reporting a personal data breach to the supervisory authority is mandatory, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. Furthermore, when a breach of personal data protection is likely to result in a high risk of violating the rights and freedoms of natural persons, natural persons should also be informed of it".

Pursuant to recital 86 of Regulation 2016/679, "the controller should inform the data subject without undue delay of the breach of personal data protection if it may result in a high risk of violating the rights or freedoms of that person, so as to enable him to take the necessary preventive measures."

In the light of the above, it is indisputable that the obligation to notify data subjects of the breach arises in a situation where there is a possibility of a high risk of violating the rights or freedoms of natural persons. Notifying individuals about a breach ensures that these individuals are informed about the risks associated with the breach and an indication of actions that they can take to protect themselves from the potential negative effects of the breach.

It should be emphasized again that the obligation to notify a natural person about a breach does not depend on the materialization of negative consequences for such a person, but on the very possibility of such a risk. The notification enables the natural person to independently assess the infringement in the context of the possibility of negative consequences for him and to decide whether or not to apply remedial measures. As indicated by the Article 29 Working Party in the WP250 Guidelines, "whether a breach should be notified to data subjects depends primarily on whether the breach may result in a high risk of violating the rights and freedoms of natural persons. This risk exists where the breach could lead to physical or material or non-material damage to the data subjects of the breach. Examples of such damage include discrimination, identity theft or fraud, financial loss and damage to reputation."

As already indicated above in the justification of this decision, the number of the land and mortgage register allows, in an easy and simple manner which does not require excessive costs, time or special activities, access to the personal data of persons disclosed in the land and mortgage register, which in the case of natural persons are: first name(s), surname, parents' names, PESEL number, real estate designation and possible information on established mortgages and enforcement proceedings.

The President of the Personal Data Protection Office has no doubts that the PESEL number, i.e. an eleven-digit numeric symbol uniquely identifying a natural person, containing the date of birth, serial number, gender and a control number, and therefore closely related to the private sphere of a natural person and also subject, as a national identification number, to exceptional protection under Art. 87 of Regulation 2016/679, is data of a special nature and requires such special protection, and its disclosure to unauthorized entities may result in a high risk of violating the rights or freedoms of natural persons. Special protection of personal data, including in particular the PESEL number, is also required from public trust institutions, which undoubtedly include the Administrator as a public administration body.

Similarly, the European Data Protection Board has no doubts that an individually assigned number that uniquely identifies a natural person should be subject to special protection, and its disclosure to unauthorized entities may involve a high risk of violating the rights or freedoms of natural persons. The European Data Protection Board, in Guidelines 01/2021 on examples regarding personal data breach notification adopted on 14 December 2021 (hereinafter "Guidelines 01/2021"), intended to complement the WP250 Guidelines, presented the common experiences of supervisory authorities of the European Economic Area since the entry into force of Regulation 2016/679. In the above-mentioned Guidelines 01/2021, an example is given (example No. 14) referring to the situation of "sending highly sensitive personal data by mistake". In the aforementioned case, the social security number was disclosed, which is the equivalent of the PESEL number used in Poland. In the example given, it was clearly indicated that "The number of victims is significant, and the involvement of their social security number, as well as other, more basic personal data, additionally increases the risk, which can be described as high."

The fact that data that unambiguously identifies a natural person may result in a high risk of violation of rights or freedoms is also indicated by the European Data Protection Board in other examples provided in Guidelines 01/2021. Points 55 and 56 of Guidelines 01/2021 indicate: "(...) The data breached allows the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by an attacker to guess customers' passwords or to run a phishing campaign targeting the bank's customers. For these reasons, it was considered that the breach of data protection may involve a high risk of violating the rights and freedoms of all data subjects. Therefore, the occurrence of material damage (e.g. financial loss) and non-pecuniary damage (e.g. identity theft or fraud) is a possible result". In turn, paragraph 96 states that "When assessing the risk, the controller should take into account the potential consequences and negative effects of the breach of confidentiality. As a result of the breach, data subjects may suffer identity fraud by relying on data available on the stolen product, and therefore the risk is considered to be high."

The Provincial Administrative Court in Warsaw likewise had no doubts that the disclosure of the PESEL number together with other personal data may result in a high risk of violation of the rights or freedoms of natural persons; in the judgment of September 22, 2021, file ref. no. II SA/Wa 791/21, it stated that "There is no doubt that the examples of damage cited in the guidelines may occur in the case of persons whose personal data - in some cases together with the PESEL identification number or the series and number of the identity card - have been recorded on shared recordings. Another important factor for such an assessment is the possibility, based on the disclosed data, of identifying persons whose data was affected by the breach." The Court further pointed out in the cited judgment: "The data has been made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases the PESEL identification number or the series and number of the identity card, determines that there was a high risk of violating the rights and freedoms of natural persons."

The PESEL number serves as data identifying each person and is commonly used in contacts with various institutions and in legal circulation. The PESEL number together with the name and surname clearly identify a natural person in a way that allows ascribing the negative effects of the violation (e.g. identity theft, extortion of a loan) to that specific person.

From the latest infoDOK report [1] (which is prepared as part of the social information campaign of the DOCUMENTS RESERVED system, organized by the Polish Bank Association and some banks, under the patronage of the Ministry of the Interior and in cooperation with, among others, the Police and the Federation of Consumers), it appears that in the first quarter of 2022 there were 1,915 attempts to extort loans and credits. This means an average of 21 extortion attempts a day. Every day, attempts were made to use someone else's identity to extort a total of about PLN 575,000. In the whole of 2020, 6,884 fraud attempts were recorded for the amount of PLN 253.8 million, while in the whole of 2021 there were 8,096 attempts to extort loans for a total amount of PLN 336.6 million. This means that the entire year of 2021, in terms of the number of fraud attempts and their amounts, was significantly more dangerous than the previous one: there was a 17% increase in the number of fraud attempts and a 32% increase in the total amount of these fraud attempts.

Moreover, according to the jurisprudence, judgments in cases of credit extortion are not uncommon and have been issued by Polish courts in similar cases for a long time - by way of example, one can refer to the judgment of the District Court in Łęczyca of July 27, 2016 (file reference number I C 566/15), in which the fraudsters who used someone else's data gave the PESEL number, a fake address and an incorrect (invalid) identity card number. In the justification of the above-mentioned judgment, the Court stated that: "In the present case, the plaintiff (...) with its seat in W. purchased the debt from (...) Spółka z ograniczoną odpowiedzialnością S.K.A. with its seat in W. The party to the loan agreement of May 5, 2014 was a person who used the data of J. R. in an unauthorized way (...) Spółka z ograniczoną odpowiedzialnością S.K.A. based in W. transferred the amount of PLN 500 to the indicated bank account."

In the case that is the subject of this decision, in the opinion of the President of the Personal Data Protection Office, it has been shown that providing the land and mortgage register numbers to every user of the Website, which allows easy and simple access (not requiring excessive costs, time or special activities) to the personal data of persons disclosed in the land and mortgage registers, including PESEL numbers, may result in a high risk of violating the rights or freedoms of natural persons.

If the breach of personal data protection may result in a high risk of violation of the rights or freedoms of natural persons, the controller shall notify the data subjects of such breach without undue delay. Art. 34 sec. 3 of Regulation 2016/679 indicates when, despite the possibility of a high risk of violating the rights or freedoms of natural persons, notification is not required. Pursuant to this provision, the notification is not required only in cases where: these personal data; (b) the controller has subsequently applied measures to eliminate the likelihood of a high risk of violation of the rights or freedoms of the data subject referred to in paragraph 1; (c) it would require a disproportionate effort. In such a case, a public notice is issued or a similar measure is applied whereby the data subjects are informed in an equally effective manner.

In the actual state of the case, the Administrator did not report a breach of personal data protection and did not notify the data subjects, stating that the land and mortgage register numbers do not constitute personal data, that they can be published via online services on the basis of applicable law, and that it has taken actions as a result of which the land and mortgage register numbers have been hidden, describing their availability on the Website as "short-term".

Above, in the justification of this decision, it has been clearly demonstrated that the Administrator's position that the land and mortgage register numbers are not personal data and that their publishing in publicly available network services complies with the applicable law has no basis.

Referring to the argument of "short-term" visibility of land and mortgage register numbers on the Website, raised by the Administrator, it should be clearly indicated that the Administrator lost control over the processed personal data by providing, by mistake, the land and mortgage register numbers on the Website. The Article 29 Working Party explained in its Opinion 03/2014 on breach notification that, according to the three commonly recognized security principles, breaches can be divided into the following categories: data confidentiality, data availability and data integrity breaches, where "breach concerning data confidentiality - means a breach which results in unauthorized or accidental disclosure or unauthorized access to personal data". Accordingly, unauthorized access to data constitutes a breach of the confidentiality of personal data. Both the Article 29 Working Party in the above-cited guidelines and the legislator in the definition of a personal data breach set out in Art. 4 point 12 of Regulation 2016/679, when indicating the cases in which there is a breach of data security, use the conjunction "or", which is an alternative, i.e. "unauthorized disclosure or unauthorized access to data". The above means that a breach of data security occurs not only when the incident leads to simultaneous unauthorized disclosure and unauthorized access to data, but also when it leads only to unauthorized disclosure or only to unauthorized access to data. Whereby, in accordance with the above-mentioned guidelines, unauthorized access to data constitutes a breach of the confidentiality of personal data.

In the actual state of the case, the land and mortgage register numbers were made available on the Website for over 48 hours. The Administrator allowed unauthorized access to the data to a wide range of users, because in order to gain access to this data it was enough to have a computer connected to the Internet. At the same time, the Administrator did not take the actions specified in art. 34 sec. 3 lit. a)-c) of Regulation 2016/679. In the light of the above, it should be assumed that there has been a breach of personal data protection which, taking into account the above-mentioned circumstances justifying the possibility of a high risk of violation of the rights or freedoms of natural persons, obliged the Administrator to notify data subjects in accordance with art. 34 sec. 1 of Regulation 2016/679.

At the end of the above considerations, reference should be made to the provision of Art. 34 sec. 3 lit. c) of Regulation 2016/679. This provision allows controllers to issue a public announcement or a similar measure whereby the data subjects will be informed of the breach, taking into account the information specified in Art. 34 sec. 2 of Regulation 2016/679, in the event that individual notification of data subjects would require a disproportionate effort. There is no doubt that the notification of data subjects in connection with the violation in question could take place in the manner specified in the above-mentioned provision of Regulation 2016/679.

By notifying the data subject without undue delay, the controller enables the person to take the necessary preventive measures to protect their rights or freedoms against the negative effects of the breach. Art. 34 sec. 1 and 2 of Regulation 2016/679 is intended not only to ensure the most effective protection of the fundamental rights or freedoms of data subjects, but also to implement the principle of transparency, which results from Art. 5 sec. 1 lit. a) of Regulation 2016/679 (cf. Chomiczewski Witold [in:] GDPR. General Data Protection Regulation. Commentary, ed. E. Bielak-Jomaa, D. Lubasz, Warsaw 2018). Proper compliance with the obligation specified in art. 34 of Regulation 2016/679 is to provide data subjects with quick and transparent information about a breach of the protection of their personal data, together with a description of the possible consequences of the breach of personal data protection and the measures that they can take to minimize its possible negative effects. Acting in accordance with the law and showing concern for the interests of data subjects, the controller should, without undue delay, provide data subjects with the best possible protection of personal data. To achieve this goal, it is necessary to indicate at least the information listed in Art. 34 sec. 2 of Regulation 2016/679, which the Administrator did not fulfill. Therefore, when deciding not to notify the supervisory authority and the data subjects of the breach, the Administrator in practice deprived these persons of reliable information about the breach, provided without undue delay, and of the possibility of counteracting potential damage.

When applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of Recital 1). In case of any doubts, e.g. regarding the performance of obligations by controllers - not only in a situation where there has been a breach of personal data protection, but also when developing technical and organizational security measures to prevent them - these values should be taken into account in the first place.

The above reasoning is confirmed by the judgment of the Provincial Administrative Court in Warsaw of September 22, 2021 (file reference number II SA/Wa 791/21), in which the Court, when deciding on the imposition of an administrative fine in connection with the violation of the provisions on the protection of personal data, referred to the above-mentioned issue, indicating that "When assessing whether there are risks of violating human rights or freedoms, the administrator should take into account all possible damage and harm that may result from a given event for natural persons (similarly: S. Jandt [in:] DS-GVO..., ed. J. Kühling, B. Buchner, p. 617; Y. Reif [in:] DS-GVO..., ed. P. Gola, p. 496). They may in particular consist in losing control over one's own personal data, negative image consequences, the possibility of another person concluding contracts using the personal data of another natural person, financial losses or, finally, negative public perception, which may be a consequence of making some personal data public. For the risk to occur, it is not necessary for the final loss or harm resulting from a given breach of personal data protection to materialize (as above, p. 616)."

As a consequence, it should be stated that the Administrator did not notify the personal data breach to the supervisory authority in compliance with the obligation under Art. 33 paragraph 1 of Regulation 2016/679 and did not notify data subjects without undue delay of a breach of their data protection in accordance with art. 34 sec. 1 of Regulation 2016/679, which means that the Administrator violated these provisions.

Pursuant to Art. 34 sec. 4 of Regulation 2016/679, if the controller has not yet notified data subjects about the breach of personal data protection, the supervisory authority - taking into account the likelihood that this breach of personal data protection will result in a high risk - may request it to do so, or may state that one of the conditions referred to in sec. 3 is met. In turn, from the content of Art. 58 sec. 2 lit. e) of Regulation 2016/679 it follows that each supervisory authority has the power to order the controller to notify data subjects of a breach of data protection.

Based on Art. 58 sec. 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other remedial measures provided for in Art. 58 sec. 2 lit. a)-h) and lit. j) of that Regulation, an administrative fine under Article 83 of Regulation 2016/679, depending on the circumstances of the specific case. Bearing in mind the findings of fact, the President of the Office for Personal Data Protection, exercising his right specified in the above-mentioned provision of Regulation 2016/679, stated that in the case under consideration there were premises justifying the imposition of an administrative fine on the Chief Surveyor of the Country based in Warsaw.

When determining the amount of the fine, the President of the Personal Data Protection Office took into account the following circumstances of the case aggravating the amount of the imposed financial penalty:

a) The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing, the number of data subjects affected and the extent of the damage suffered by them (Article 83 (2) (a) of Regulation 2016/679);
In the opinion of the President of the Personal Data Protection Office, this violation is of great importance and of a serious nature. The Administrator is a public administration body which can be expected to be familiar with the provisions and to apply them properly, as well as to maintain higher standards in the services it provides. The Administrator had no legal grounds to process land and mortgage register numbers (allowing easy access to a wide range of personal data) in order to make them available through the Website to an unlimited number of people, i.e. anyone who had a computer with Internet access. The breach concerns a large number of people, i.e. all persons disclosed in the land and mortgage registers whose numbers have been made available on the Website. Due to the large number of people affected by the breach, the possibility of negative effects is significantly expanded. A large data collection may also have economic value and be the subject of unlawful trade and use for malicious purposes. This breach is therefore of great importance. The President of the Personal Data Protection Office recognizes the long duration of the infringement as an aggravating circumstance.
It is true that immediately after detecting the fact that the land and mortgage register numbers were made available on the Website, the Administrator took appropriate actions, as a result of which an error in the Website configuration was found and, as a consequence, the land and mortgage register numbers ceased to be made available there. However, from the moment the Administrator became aware of the breach of personal data protection until the issuing of this decision, many weeks have passed, during which the risk of violation of the rights or freedoms of persons affected by the violation could be realized, and which could not be prevented by these persons due to the Administrator's failure to comply with the obligation to report the violation of personal data protection to the President of the Personal Data Protection Office and the obligation to notify these people about the breach.

b) Intentional nature of the infringement (Article 83 (2) (b) of Regulation 2016/679);
By letter of [...] April 2022, the Administrator was informed about the obligations arising from Art. 33 paragraph 1 and 3 of Regulation 2016/679. In this letter, the President of the Personal Data Protection Office informed the Administrator that in the event of a breach of personal data protection, the data controller, without undue delay - if possible, no later than 72 hours after finding the breach - reports it to the competent supervisory authority in accordance with Art. 55 of Regulation 2016/679, unless the breach is unlikely to result in a risk of violating the rights or freedoms of natural persons. At the same time, the President of the Personal Data Protection Office instructed the Administrator about the methods of submitting this notification. Due to the court and administrative proceedings in connection with the complaint against the decision of the President of the Personal Data Protection Office, ref. [...], the Administrator knew the position of the President of the Personal Data Protection Office, as well as the rulings of administrative courts regarding the unlawfulness of publishing land and mortgage register numbers via publicly available network services. In the course of the proceedings, in a separate letter of [...] May 2022, the President of UODO again presented his position in the above-mentioned scope. Despite this, the Administrator did not report the breach of personal data protection to the President of the Personal Data Protection Office and did not notify the data subjects of the breach.

c) Relevant previous violations of the provisions of Regulation 2016/679 by the Administrator (Article 83 (2) (e) of Regulation 2016/679) - with regard to the publishing of land and mortgage register numbers on the Website by the Administrator, decision DKE.561.3.2020 was issued, in which it was found that the Administrator breached art. 5 sec. 1 lit. a) and art. 6 sec. 1 of Regulation 2016/679. In addition, decision DKN.5112.13.2020 was issued against the Administrator, in which a violation of Art. 31 and Art. 58 sec. 1 lit. e) and f) of Regulation 2016/679 was found. It should be noted that in both of the above-mentioned cases, administrative fines in the amount of PLN 100,000 were imposed on the Administrator, while the Provincial Administrative Court in Warsaw dismissed the Administrator's complaints against the above-mentioned decisions of the President of the Personal Data Protection Office.

d) The manner in which the supervisory authority learned about the breach (Article 83 (2) (h) of Regulation 2016/679) - the President of the Personal Data Protection Office learned about the infringements being the subject of this proceeding (Article 33 (1) and Article 34 (1) of Regulation 2016/679) as a result of actions initiated by him ex officio, prompted by press releases. Therefore, the President of the Personal Data Protection Office recognizes this circumstance as aggravating with regard to the infringement of Art. 34 sec. 1 of Regulation 2016/679. In his opinion, the correct course of action by the Administrator, which would have had a mitigating influence on the assessment of the breach, would have been to inform the President of the Personal Data Protection Office about the breach (i.e. about not providing information on the breach of personal data protection to the affected persons). Meanwhile, this circumstance was established by the President of the Personal Data Protection Office on his own. However, with regard to the violation of Art. 33 paragraph 1 of Regulation 2016/679, the manner in which the supervisory authority learned about the infringement did not have any impact on its assessment. Violation of this provision (failure to report the personal data breach to the President of the Personal Data Protection Office) is itself the subject of this proceeding and the reason for imposing a fine in it. In the opinion of the President of the Personal Data Protection Office (UODO), with regard to the breach of Art. 33 paragraph 1 of Regulation 2016/679 there is no need to treat this circumstance as additionally aggravating the penalty.

e) The categories of personal data concerned by the infringement (Article 83 (2) (g) of Regulation 2016/679) - in the case in question, the infringement related to land and mortgage register numbers which, as has been shown, allow easy and simple access to the data of persons disclosed in the land and mortgage registers, including the PESEL number. These data do not belong to the special categories of personal data referred to in art. 9 of Regulation 2016/679; however, their wide scope (name and surname, PESEL number, information on real estate, possible information on mortgages and enforcement proceedings) may result in a high risk of violating the rights or freedoms of natural persons.

The fact that the President of the Office applied a sanction in the form of an administrative fine, as well as its amount, was not affected by the other circumstances specified in Art. 83 sec. 2 of Regulation 2016/679, i.e.:

a) actions taken by the Administrator to minimize the damage suffered by data subjects (Article 83 (2) (c) of Regulation 2016/679) - the information held by the President of the Personal Data Protection Office does not indicate that such damage occurred, which does not mean that there was no risk of it arising;

b) the degree of responsibility of the controller, taking into account technical and organizational measures implemented by him pursuant to Art. 25 and 32 (Article 83 (2) (d) of Regulation 2016/679) - the subject of these proceedings did not cover issues related to the security of personal data in the context of technical and organizational measures implemented by the Administrator;

c) compliance with previously applied measures in the same case, referred to in Art. 58 sec. 2 of Regulation 2016/679 (Article 83 (2) (i) of Regulation 2016/679) - this circumstance is irrelevant in the context of the administrative fine imposed on the Controller due to the fact that no such measures were applied in the present case;

d) adherence to approved codes of conduct pursuant to Art. 40 of Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of Regulation 2016/679 (Article 83 (2) (j) of Regulation 2016/679) - it does not follow from the circumstances of the case that the Administrator has implemented such instruments and used them;

e) financial benefits obtained directly or indirectly in connection with the infringement or avoided losses (Article 83 (2) (k) of Regulation 2016/679) - the evidence collected in this case does not show that the Administrator has obtained financial benefits or avoided losses in connection with this infringement.

In the opinion of the President of the Personal Data Protection Office, the applied administrative fine performs the functions referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case. At this point, attention should also be paid to the content of Art. 102 of the Act on the Protection of Personal Data, which limits the amount of the fine that may be imposed on a public sector entity (to PLN 100,000).

It should be emphasized that the penalty will be effective if its imposition leads to the Administrator complying with the applicable provisions of law and permanently ceasing to violate the protection of personal data by not reporting violations of personal data protection to the President of the Personal Data Protection Office and not notifying the data subjects about the violations.

The President of the Personal Data Protection Office is of the opinion that the applied fine is proportional to the infringement found, in particular due to the seriousness of the infringement and the mass nature of the infringement.

The dissuasive nature of a financial penalty is related to preventing future violations and to paying greater attention to the performance of the Administrator's tasks. By imposing an administrative fine for violating the provisions on the protection of personal data, the President of the Personal Data Protection Office took into account both aspects: the breach of data protection law that was committed, and the need for the Administrator to exercise greater diligence in the implementation of its obligations under the general data protection regulation.

The purpose of the imposed penalty is to ensure that the Administrator performs the obligations provided for in art. 33 and 34 of Regulation 2016/679, and consequently to conduct data processing processes in accordance with applicable law.

In connection with the above, it should be noted that the fine in the amount of PLN 60,000 (in words: sixty thousand zlotys) meets the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679 due to the seriousness of the infringement found in the context of the basic objective of Regulation 2016/679 - protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. At the same time, the amount of the administrative fine imposed by this decision on the Administrator, which is a unit of the public finance sector (indicated in Art. 9 of the Act of 27 August 2009 on Public Finance), is within the limit of PLN 100,000 specified in Art. 102 paragraph 1 of the Act on the Protection of Personal Data.

In this factual and legal state, the President of the Personal Data Protection Office resolved as in the sentence.
[1] https://www.zbp.pl/getmedia/1dd981c1-9ebb-47ee-921e-52e472040a66/infodok-2022-01-03-wydanie-49-sklad-220505-gk09

2022-07-12