UODO (Poland) - DS.523.1470.2020: Difference between revisions

From GDPRhub
No edit summary
Line 19: Line 19:
|Type:||n/a
|Type:||n/a
|-
|-
|Outcome:||Discontinuance of proceedings  
|Outcome:||Discontinuance of proceedings
|-
|-
|Decided:||6.4.2020
|Decided:||6.4.2020
Line 66: Line 66:
==Further Resources==
==Further Resources==


UODO's press release [https://uodo.gov.pl/en/553/1119 here] (in EN).  
Full decision in Polish is available [https://uodo.gov.pl/pl/file/2833 here].
 
''Share blogs or news articles here!''


==English Translation of the Decision==
==English Translation of the Decision==
Line 75: Line 73:


<pre>
<pre>
DECISION
The obligation for judges and prosecutors to submit declarations of membership in the association, including in the association, and to publish them in the Public Information Bulletin is unequivocally stipulated by law. Therefore, processing of personal data of the above mentioned persons does not violate the regulations on personal data protection.
CP.421.19.2019
 
Pursuant to Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018. (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(e) and (f) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended), following an ex officio procedure initiated in the case of Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, 29 lok. 9, the President of the Office for Personal Data Protection, stating that Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, infringed the provisions of Article 31 and Article 58(1)(e) and (f) of the General Data Protection Regulation by not providing access to personal data and other information and premises, resulting in preventing the President of the Office for Personal Data Protection from carrying out control activities necessary for the performance of his tasks,
 
imposes on Vis Consulting Sp. z o.o. in liquidation, seated in Katowice at 29 Zygmunta Krasińskiego Street 9, a fine of PLN 20,000 (say: twenty thousand zlotys), which is equivalent to EUR 4,673,56, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as at 28 January 2020.
Justification
 
Based on Article 58(1)(b), (e) and (f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2011, p. 1). 2016, p. 1 and EU Official Journal L 127 of 23.05.2018, p. 2), hereinafter referred to as the Regulation 2016/679, the President of the Office of Personal Data Protection has planned to carry out in Vis Consulting Sp. z o.o. with its registered office in Katowice at Zygmunta Krasińskiego 29 lok. 9 (hereinafter also referred to as the "Company") an inspection of compliance of data processing with the regulations on personal data protection. The audit was to be conducted from 29 July 2019 to 2 August 2019.
 
By letter of [...] July 2019. (mark: [...]) Urząd Ochrony Danych Osobowych via Poczta Polska notified the Company of the date and scope of the planned inspection. The letter was delivered on [...] July 2019 to the registered office of Vis Consulting Sp. z o.o. (Katowice, ul. Zygmunta Krasińskiego 29, 9), indicated in the National Court Register. 
 
On [...] July 2019, in order to carry out control activities (ZSPR.421.19.2019), the controlling persons went to the place indicated in the National Court Register as the address of the Company, but the persons representing the Company were not there. It turned out that this address is the Office of [...] (hereinafter referred to as the "Office") run by [...]. As agreed, the Company sub-leases the commercial premises located in Katowice at 29 Zygmunta Krasińskiego Street, 9, for the so-called 'virtual office'. Only an employee of the Office was found in the premises in question. After presenting this person with the purpose of the arrival of the controlling persons, an employee of the Office, after checking the content of the electronic mail, in order to determine whether any message was received from the Company in this respect, informed that a letter dated [...] July 2019 was received from the Company signed by Mr. Paweł Kępka - President of the Board. From the content of the letter, it resulted that the Company terminates the lease agreement for premises no. 9 located in Katowice at 29 Zygmunta Krasińskiego Street and that as of [...] July 2019, this entity will not operate at the above mentioned address. A copy of the aforementioned letter was forwarded to the inspectors.
 
Moreover, an employee of the Office informed the inspectors that after receiving the letter of [...] July 2019 from the Office of Personal Data Protection, regarding the notification of the planned control in the Company, the content of the letter in question in the form of a scan was transferred to the Company. In order to document the above mentioned findings, on [...] July 2019, the inspectors made an official note.
 
In connection with the situation, the inspectors asked the employee of the Office to contact the Company in order to determine whether the inspection activities could be carried out. However, it was not possible to establish contact with the Company. Therefore, the inspector asked for a telephone number to the Company. An employee of the Office stated that it is only upon written request of the President of the Office for Personal Data Protection that he can provide information on this entity (including the telephone number). The Controllers left the telephone number to contact. On the same day, at approximately 2:00 p.m., a man who introduced himself as an "attorney [...]" called the Controller and said he was contacting on behalf of the Company, but did not know if the control could be carried out. In the course of the conversation, the above mentioned person has agreed that he will try to determine whether the inspection can take place by [...] July 2019.
 
At the same time, on July [...], 2019, the President of the Office for Personal Data Protection sent a request to the e-mail address of the Office to provide a copy of the lease agreement for the premises in question and to provide contact information to the Company.
 
On [...] July 2019 the Controllers went again to the Company's address, but also on that day the persons representing the Company were not present. Therefore, no control activities took place. An employee of the Office provided the inspectors with a copy of the sublease agreement for the premises in question. At 11.00 a.m., a person representing himself as "advocate [...]" called the inspectors and informed them that the inspection would not take place.
 
In this connection, by letter dated [...] August 2019, the mark: [...] The President of the Office for the Protection of Personal Data initiated ex officio administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's compliance with the provisions on personal data protection. The above mentioned correspondence was returned with the note "out of date address".
 
Based on the financial statements for the period from 1 January 2018 to 31 December 2018. (available on the website of the Ministry of Justice with the address: ekrs.ms.gov.pl), it was established that in the aforementioned period, the Company's net revenue from sales and equalised with them amounted to PLN 426 261.14.
 
After reviewing all the evidence gathered in the case the President of the Office for Personal Data Protection weighed the following:
 
According to the information contained in the National Court Register, on July 30, 2019, a resolution was passed to dissolve the Company and put it into liquidation. On 23 August 2019, the District Court in Katowice - Wschód, 8th Commercial Division made an entry in the National Court Register on placing the Company in liquidation. Since then, the Company has been operating under the name of Vis Consulting Sp. z o.o. in liquidation.
 
Pursuant to Article 57(1)(a) of Regulation 2016/679, each supervisory authority on its territory shall monitor and enforce the application of Regulation 2016/679. In addition, pursuant to Article 58(1)(e) and (f) of Regulation 2016/679, the supervisory authority shall be entitled to access all the premises of the controller and the processor, including the equipment and means of data processing, in accordance with the procedures laid down in EU or Member State law. It should be noted that in accordance with Article 58(6) of Regulation 2016/679, each Member State may provide in its legislation that its supervisory authority has, in addition to the powers laid down in Union or Member State law, the following powers
in paragraphs 1, 2 and 3, also other powers. As provided for in Article 31 of Regulation 2016/679, the controller and processor and, where applicable, their representatives, shall cooperate with the supervisory authority upon request in the performance of its tasks.
 
Pursuant to Article 78 paragraph 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "the Act", the President of the Office for the Protection of Personal Data shall carry out the control of compliance with the provisions on personal data protection. Pursuant to Art. 79 sec. 1 point 1 of the Act, the control is carried out by an employee of the Office authorised by the President of the Office.
 
As stipulated in Art. 84 sec. 1 of the Act, the inspector has the right to: a) enter the land and buildings, premises or other premises between 600 and 2200 hours; b) inspect documents and information directly related to the subject matter of the inspection; c) inspect places, objects, devices, carriers and IT or ICT systems used for data processing; d) demand written or oral explanations and question a person as a witness to the extent necessary to establish the facts; e) have expert opinions and opinions drawn up.
 
The fact that the President of the Office for Personal Data Protection has planned to carry out an inspection in the Company in connection with the findings made during the inspection carried out in V is of significant importance in this case. Sp. z o.o. sp. k. with its registered office in [...]. In the course of the audit conducted in the above mentioned entity, it was established that it conducts telemarketing activities. In connection with this activity it processes personal data (landline and mobile phone numbers) by means of an ICT system provided by the Company. The system in question is used on the basis of a cooperation agreement on the outsourcing of telemarketing services. The agreement was concluded with the Company [...] February 2017. An important issue is that V. Sp. z o.o. sp. k. does not have its own database, and all telephone connections are generated only by the IT system made available by the Company.
 
The content of the aforementioned agreement shows, among other things, that the Company has a technical solution - an ICT system in the form of a computer program, the use of which allows for making telephone calls to fixed and mobile phone numbers according to the location criterion. Moreover, in this agreement it is also indicated that the functionality of the system in question prevents V. Sp. z o.o. sp. k. from accessing any information, including the dialed telephone number. Moreover, in this agreement, the Company declares that in case of using any personal data for the purpose of performing the above-mentioned agreement, it will administer "the above-mentioned data in accordance with the applicable provisions of Polish law". In § 3 point 2 of the aforementioned agreement there is a provision with the following content: "VIS declares that in case of any claims by third parties against V. [...] related to the functionality of the SYSTEM [...], releases V. from this liability to the extent permitted by the applicable law and undertakes to cover all costs related to the protection of V. against such claims".
 
Due to the fact that V. Sp. z o.o. sp. k. does not have access to personal data processed in this system (i.e. to information about telephone numbers dialled), the President of the Office for Personal Data Protection considered it necessary to carry out control activities also in the Company (i.e. in the entity which, on the basis of the established agreement, is considered to be the data controller). The aim of the inspection was to examine the legality of personal data processing using the system in question.
 
The fact that it was impossible to carry out the inspection in the Company made it significantly more difficult for the President of the Office for Personal Data Protection to examine the process of personal data processing by V. Sp. z o.o. sp. k.
 
The evidence gathered in the case indicates that the actions taken by the persons representing the Company definitely prove the lack of cooperation with the President of the Office for Personal Data Protection.
 
To confirm the above position, the following circumstances should be recalled:
 
1) after receiving information about the planned control of the President of the Office for Personal Data Protection (letter of [...] July 2019), on [...] July 2019. (two days before the commencement of the planned control), the Company sent a motion to the lessor to terminate the lease agreement for the premises located in Katowice at 29 Zygmunta Krasińskiego Street (address of the Company indicated in the National Court Register);
 
2) both [...] July 2019 and [...] July 2019. The Company has thwarted the control activities as no person authorised to represent the Company in the course of the control has been found at the Company's address;
 
3) On 30 July 2019, a resolution was adopted on dissolution of the Company and commencement of liquidation proceedings (this information is contained in the National Court Register).
 
To sum up, it should be stated that the Company's activities referred to above undoubtedly prove that it does not fulfil its obligations related to the processing of personal data or at least intentionally avoids submitting to the control of the supervisory authority which is the President of the Office for Personal Data Protection. Thus, it should be considered that by preventing the President of the Office for the Protection of Personal Data from carrying out the inspection, the Company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679. It should be pointed out that in accordance with Article 31 of Regulation 2016/679, the controller and the processor and, where applicable, their representatives shall cooperate with the supervisory authority upon request in the performance of its tasks. The obligation to cooperate includes ensuring that the supervisory authority is able to obtain from the controller (and the processor) access to all personal data and all information necessary for the performance of its tasks (Article 58(1)(e) of Regulation 2016/679), to obtain access to any premises of the controller and the processor, including the processing equipment and means in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f) of Regulation 2016/679). This obligation for the controller to cooperate is in fact correlated with the tasks of the supervisory authority as formulated in Article 57 of Regulation 2016/679 and the powers stemming from Article 58 of Regulation 2016/679.
 
The President of the Office for the Protection of Personal Data, acting on the basis of Article 108 par. 1 of the Act on the Protection of Personal Data, notified the District Prosecutor's Office in [...] of a suspicion of committing an offence consisting in thwarting control activities by the Company. On [...] January 2020, the Office for Personal Data Protection received a notification (file ref. [...]) from the District Prosecutor's Office [...] [...] of sending a bill of indictment against [...] [...] [...], accused of committing an offence under Article 108 of the Act on Personal Data Protection.
 
Moreover, in view of the above findings, the President of the Office for the Protection of Personal Data, exercising his powers under Article 83 of the Regulation 2016/679, states that in the case under consideration, there are prerequisites for imposing an administrative fine on the Company.
 
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case.
 
In accordance with Article 83 of Regulation 2016/679 - laying down general conditions for the imposition of administrative fines - each supervisory authority shall ensure that the administrative fines referred to in paragraphs 4, 5 and 6 of this Article are effective, proportionate and dissuasive in each individual case (paragraph 1). In accordance with Article 83(2)(b) of Regulation 2016/679, the authority shall pay due attention to the intentional or unintentional nature of the breach in each individual case when deciding whether to impose an administrative pecuniary sanction and when setting the amount of the administrative sanction.
 
Pursuant to Article 83(2)(k) of Regulation 2016/679, the authority shall, in determining whether to impose an administrative penalty payment and in fixing the amount of the administrative penalty payment, pay due attention in each individual case to any other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided, whether directly or indirectly related to the infringement.
 
The President of the Office for the Protection of Personal Data has taken into account the following aggravating circumstances when deciding on the administrative fine to be imposed on the Company and when determining its amount, in accordance with 83(2)(a-k) of Regulation 2016/679:
 
(1) The infringement found in this case is of considerable gravity and seriousness, as the Company's lack of cooperation with the President of the Office for the Protection of Personal Data has made it impossible for that body to carry out checks on the Company's compliance with the provisions on personal data protection. The Company's action is reprehensible. By its failure to do so, the Company prevented the President of the Office for the Protection of Personal Data from making very important findings (concerning the legality of personal data processing), the results of which would undoubtedly have a significant impact on the assessment of the evidence collected in the course of another inspection, which was carried out by the President of the Office for the Protection of Personal Data in V. Sp. z o.o. sp. k. (nature, seriousness and time of the infringement).
 
The Company deliberately thwarted the inspection, and thus prevented the President of the Office for Personal Data Protection from performing the statutory tasks under Article 58(1)(e) and (f) of Regulation 2016/679. This situation gives rise to a suspicion that the Company's thwarting of the inspection was aimed at preventing the President of the Office for Personal Data Protection from collecting evidence that the processing of personal data by the Company is unlawful (intentional or unintentional nature of the infringement).
 
The other prerequisites for the administrative fine indicated in Art. 83 par. 2 letter c - k, due to the subject matter of the proceedings shall not apply in these proceedings. Consequently, they did not affect the assessment of the infringement and the level of the administrative penalty imposed.
 
In determining the amount of the administrative penalty payment, the President of the Office for the Protection of Personal Data did not see any mitigating circumstance affecting the final penalty.
 
The fixing of the amount of the financial penalty imposed also required the definition of the objectives which that penalty would achieve. It should be pointed out that the financial penalty imposed on the Company in connection with the lack of cooperation with the President of the Office for the Protection of Personal Data is of repressive nature (it is to cause the Company to incur a financial penalty for the avoidance of control) and preventive (it is to prevent future violations of law by the Company, but also by other entities). In addition, the financial penalty imposed on the Company is also of a deterrent nature and is related to the prevention of violations. The penalty is designed to deter both the Company and others from recidivism.
 
In addition, the President of the Office for the Protection of Personal Data can undoubtedly not accept situations in which entities by thwarting control activities prevent the implementation of his statutory tasks.
 
Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date.
 
In the opinion of the President of the Office for the Protection of Personal Data, the penalty payment applied meets, in the established circumstances of this case, the conditions referred to in Article 83(1) of Regulation 2016/679, due to the seriousness of the established breach resulting from Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679, which is undoubtedly a lack of cooperation with the supervisory authority in the exercise of its statutory powers, including the prevention of control activities.
 
Under those provisions, an infringement of the obligation of the controller referred to in Article 31 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10 000 000 and, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable.


An infringement of the obligations of the controller referred to in points (e) and (f) of Article 58(1) of Regulation 2016/679 shall be punishable by an administrative fine of up to EUR 20 000 000 and, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, the higher amount being that which the President of the Office for the Protection of Personal Data pursuant to Article 83(3) of Regulation 2016/679 considers to be the most serious infringement and the amount of the fine imposed by this Decision shall not exceed that amount.
The President of the Office for the Protection of Personal Data has discontinued the proceedings concerning data processing in connection with the requirement for judges and prosecutors to submit declarations on membership in the association, including in the association. This proceeding was initiated ex officio after the Ombudsman applied for it in a letter to the President of the Office for the Protection of Personal Data of 9 March 2020. The ROP indicated, that such a requirement and the publication of these statements in the Public Information Bulletin limit the privacy of judges and prosecutors.


In view of the above, the President of the Office for Personal Data Protection has decided as set out in the operative part of this Decision.  
The proceedings showed, that the obligation to submit statements by judges and prosecutors results from the amendment of the Acts - the Law on the Common Court System, the Act on the Supreme Court and certain other acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) of the GCU, according to which the processing of personal data is allowed if it is necessary to fulfil a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the PPA did not have any grounds to declare a breach of the provisions on personal data protection.


The Decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for the Protection of Personal Data (address: ul. Stawki 2, 00 - 193 Warsaw). A relative entry must be made against the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.
When examining the case of processing the data of judges and prosecutors submitting declarations of membership in the Association, including the Association, the President of PDPO also took into account the current jurisprudence of the WSA, according to which if the processing of personal data is based on the national law, it is thus in compliance with the provisions on personal data protection and there are no grounds for the President of PDPO to exercise the corrective powers provided for in Art. 58 par. 2 of the GDC.


Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the case of postponement of the date of payment of the administrative fine or its distribution in instalments, the President of the Office for the Protection of Personal Data shall calculate interest on the unpaid amount on an annual basis, using the reduced rate of interest for delay, announced on the basis of art. 56d of the Act of August 29th, 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.
In the context of the above, there were also no grounds to issue a security decision pursuant to Article 70, paragraph 1 of the Act on the protection of personal data, as - as it has been pointed out - the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Public Information Bulletin clearly results from the provisions of law. Thus, it is difficult to say, that further processing of such data may cause serious and difficult to remove effects, if it is carried out in compliance with generally applicable provisions of law.


Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to the administrative court shall suspend the execution of the decision on the administrative fine.
The President of UODO, in his justification of the decision, also referred to the accusation of unconstitutionality of the ROP, which he challenged, obliging judges and prosecutors to make statements. The President of UODO is not competent to resolve this issue. The Constitutional Tribunal is competent to assess the constitutionality of the provisions, to which the RPO has the right to refer the matter. The RPO has the right to submit motions to the Constitutional Tribunal on the compliance of acts with the Constitution. It should be stressed that contrary to the ROP, the President of UODO does not have the competence to submit the above mentioned motions to the Constitutional Tribunal.
</pre>
</pre>

Revision as of 16:26, 28 April 2020

UODO - DS.523.1470.2020
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 6(1)(c)

GDPR

Type: n/a
Outcome: Discontinuance of proceedings
Decided: 6.4.2020
Published: 15.4.2020
Fine: n/a
Parties: Ombudsman
National Case Number: DS.523.1470.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Polish
Original Source: UODO (PL)

The President of the Personal Data Protection Office in Poland (UODO) decided to discontinue the proceedings concerning the processing of data in connection with the requirement for Polish judges and prosecutors to submit declarations about their membership in associations. He clarified that the obligation to submit the above mentioned statements clearly results from the provisions of the national law and thus falls under one of the legal grounds in Article 6(1)(c) GDPR. The President of the UODO stated that he cannot make a decision regarding the constitutionality of such an obligation providing that this is a competence of the Constitutional Tribunal. The Ombudsman has the right to submit motions on the compliance of acts with the Polish Constitution to the Constitutional Tribunal.

English Summary

Facts

The UODO clarified that the obligation for judges and prosecutors to submit declarations about their membership in associations, and to publish them in the Bulletin of Public Information is unequivocally stipulated by law. Therefore, the processing of personal data of the above mentioned persons does not violate the law on personal data protection.

The proceedings were initiated ex officio after the Ombudsman submitted a letter to the President of the UODO on 9 March 2020. The Ombudsman indicated, that a requirement to publish such statements in the Bulletin of Public Information impose a limitation on the privacy of judges and prosecutors.

Dispute

When examining the case of processing of data that judges and prosecutors submit concerning their membership in associations, the President of UODO took into account the current jurisprudence of the Voivodeship Administrative Court, according to which if the processing of personal data is based on the national law, it is in compliance with the provisions on personal data protection and there are no grounds for the President of UODO to exercise the corrective powers provided for in Article 58(2) GDPR.

The proceedings revealed that the obligation to submit statements by judges and prosecutors results from the amendment of the Law on the Common Court System, the Act on the Supreme Court and certain other legal acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) GDPR, according to which the processing of personal data is allowed if it is necessary to fulfill a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the UODO did not find any grounds to declare a breach of the provisions on personal data protection.

Holding

In the context of the above, the President of the UODO did not identify any grounds to order the restriction of processing pursuant to Article 70(1) of the Polish Act on the Protection of Personal Data. As it has been pointed out, the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Bulletin of Public Information clearly results from the provisions of national law. Thus, it is difficult to state that further processing of such data may cause serious effects if it is carried out in compliance with generally applicable law.

The President of UODO, in his justification of the decision, also referred to the Ombudsman's argument that challenged the unconstitutionality of the provision which obliges judges and prosecutors to disclose information which may reveal their world views, religious beliefs, or sexuality. The President of UODO has proclaimed himself to be incompetent to resolve this issue. He pointed out that the Constitutional Tribunal is competent to assess the constitutionality of the provisions, to which the Ombudsman has the right to refer a matter. The Ombudsman has the right to submit motions on the compliance of acts with the Constitution to the Constitutional Tribunal. It should be stressed that unlike the Ombudsman, the President of UODO does not have the competence to submit the above mentioned motions to the Constitutional Tribunal.

Comment

Share your comments here!

Further Resources

Full decision in Polish is available here.

English Translation of the Decision

Below you can find the English translation of the decision (see PDF for Original)

The obligation for judges and prosecutors to submit declarations of membership in the association, including in the association, and to publish them in the Public Information Bulletin is unequivocally stipulated by law. Therefore, processing of personal data of the above mentioned persons does not violate the regulations on personal data protection.

The President of the Office for the Protection of Personal Data has discontinued the proceedings concerning data processing in connection with the requirement for judges and prosecutors to submit declarations on membership in the association, including in the association. This proceeding was initiated ex officio after the Ombudsman applied for it in a letter to the President of the Office for the Protection of Personal Data of 9 March 2020. The ROP indicated, that such a requirement and the publication of these statements in the Public Information Bulletin limit the privacy of judges and prosecutors.

The proceedings showed, that the obligation to submit statements by judges and prosecutors results from the amendment of the Acts - the Law on the Common Court System, the Act on the Supreme Court and certain other acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) of the GCU, according to which the processing of personal data is allowed if it is necessary to fulfil a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the PPA did not have any grounds to declare a breach of the provisions on personal data protection.

When examining the case of processing the data of judges and prosecutors submitting declarations of membership in the Association, including the Association, the President of PDPO also took into account the current jurisprudence of the WSA, according to which if the processing of personal data is based on the national law, it is thus in compliance with the provisions on personal data protection and there are no grounds for the President of PDPO to exercise the corrective powers provided for in Art. 58 par. 2 of the GDC.

In the context of the above, there were also no grounds to issue a security decision pursuant to Article 70, paragraph 1 of the Act on the protection of personal data, as - as it has been pointed out - the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Public Information Bulletin clearly results from the provisions of law. Thus, it is difficult to say, that further processing of such data may cause serious and difficult to remove effects, if it is carried out in compliance with generally applicable provisions of law.

The President of UODO, in his justification of the decision, also referred to the accusation of unconstitutionality of the ROP, which he challenged, obliging judges and prosecutors to make statements. The President of UODO is not competent to resolve this issue. The Constitutional Tribunal is competent to assess the constitutionality of the provisions, to which the RPO has the right to refer the matter. The RPO has the right to submit motions to the Constitutional Tribunal on the compliance of acts with the Constitution. It should be stressed that contrary to the ROP, the President of UODO does not have the competence to submit the above mentioned motions to the Constitutional Tribunal.