UODO (Poland) - DKE.561.3.2020
From GDPRhub
| UODO - DKE.561.3.2020 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 31 GDPR Article 58(1)(e) GDPR Article 58(1)(f) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 06.07.2020 |
| Published: | 17.07.2020 |
| Fine: | 25000 EUR |
| Parties: | Surveyor General of Poland |
| National Case Number/Name: | DKE.561.3.2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Polish |
| Original Source: | UODO (in PL) |
| Initial Contributor: | n/a |
The President of the Personal Data Protection (UODO) imposed a fine of 100 000 PLN (approx. 25 000 EUR) on the Surveyor General of Poland for the failure to provide the supervisory authority with access to premises, data processing equipment and means, access to personal data and information required to conduct the inspection by the UODO. The UODO stated a violation of Article 31 and Article 58(1)(e) and (f) GDPR.
English Summary
Facts
The UODO notified the Surveyor General of Poland about a planned audit in the Central Office for Geodesy and Cartography. The audit concerned the the making available by the Chief Surveyor of the State of personal data from the land and building register through the GEOPORTAL2 website. The audit was planned to clarify the following questions:
1. The legal basis for the processing, including making personal data available. 2. Sources of obtaining personal data. 3. The scope and type of personal data made available. 4. The manner and purpose of sharing the personal data. 5. Is the processing of personal data carried out on the basis of the authorisation given by the controller of personal data or the processor (Article 29 of Regulation 2016/679). 6. Has the Chief National Surveyor implemented appropriate technical and organisational measures to ensure an adequate level of security of data (Article 32, Article 24(1) and (2) of Regulation 2016/679). 7. Has the Chief National Surveyor appointed a Data Protection Officer (Article 37 of Regulation 2016/679).
The Chief National Surveyor declared that he will not sign the submitted authorisations and refused to give his consent to carry out inspection activities within the scope resulting from the submitted authorisations. According to his assessment, the inspection is to concern the land and mortgage register number, which is not a personal data within the meaning of the Act of 17 May 1989 on the Geodesic and cartographic law (Journal of Laws of 2020, item 276 as amended).
However, the Surveyor General of Poland consented to the performance of the inspection activities in the scope of determining whether appropriate technical and organisational measures have been implemented to ensure an adequate level of security of the data being subject to protection, and whether his Office has appointed a Data Protection Officer.
Dispute
The UODO provided that it was impossible to establish it has not been established whether the Surveyor General of Poland has implemented appropriate technical measures to ensure data security, due to impossibility to gain access for the UODO inspectors to the IT systems used by the Surveyor General of Poland and to conduct the necessary inspections of the IT system during the inspection.
In view of the above, in the course of the inspection it was only established what organisational measures the Surveyor General of Poland used for data security and whether a Data Protection Officer was appointed.
Holding
In view of the declined consent to carry out full inspection activities and the expressive lack of will to cooperate, the UODO inspectors could not determine the legal basis, the technical and organisational measures to ensure data security on the website GEOPORTAL2. The UODO deemed the inspection to be thwarted by the Surveyor General of Poland.
The UODO has therefore found a violation of Article 58(1) of the GDPR by the Surveyor General of Poland and imposed an administrative fine of approx. 25 000 EUR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Warsaw, 17 July 2020
DECISION
DKE.561.3.2020
Pursuant to Article 104 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7 section 1 and section 2, Article 60 and Article 102 section 1 point 1 and section 3 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 256). 1781) in connection with Article 31, Article 57 paragraph 1 point (a), Article 58 paragraph 1 points (e) and (f) and Article 58 paragraph 2 point (i) in connection with Article 83 paragraph 1 and 2, Article 83 paragraph 4 point (a) and Article 83 paragraph 5 point (e) of the Regulation of the European Parliament and of the Council of the EU 2016/679 of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting ex officio administrative proceedings to impose on the Chief Surveyor of the Country with its registered office in Warsaw at 2 Wspólna Street, represented by advocates P. T. and S. K. (Kancelaria [...]), an administrative fine, the President of the Office for the Protection of Personal Data, stating that the Head of the National Geodesist, with its registered office in Warsaw at ul. Wspólna 2, infringed the provisions of Article 31 and 58(1)(e) and (f) of Regulation 2016/679, consisting in the failure to provide the President of the Office for the Protection of Personal Data, in the course of controlling the observance of the provisions on the protection of personal data, ref. [...], access to premises, equipment and means for the processing of personal data and access to personal data and information necessary for the President of the Office for the Protection of Personal Data to carry out his tasks, as well as failure to cooperate with the President of the Office for the Protection of Personal Data during this inspection, imposes an administrative fine of PLN 100,000 (in words: one hundred thousand zlotys) on the Chief Surveyor of the Country with its registered office in Warsaw, Wspólna 2 Street.
EXPLANATORY MEMORANDUM
On [...] February 2020. The President of the Office for the Protection of Personal Data (hereinafter referred to as "the President of the Office for the Protection of Personal Data") carried out an inspection of personal data processing in the Poviat Starosty in J. (Ref. No. of the control act [...]). The inspection concerned making available by the Starost of J., through the GEOPORTAL2 website (www.geoportal.gov.pl), personal data from the land and building register kept by the Starosts. During the inspection it was established that Starost J. does not publish personal data from the land and building register on this portal, but - on the basis of a relevant agreement - transfers them (including land and mortgage register numbers) to the Chief Surveyor of the Country, who then makes the obtained data available on GEOPORTAL2. Due to the above, the President of UODO decided that it is necessary to carry out an inspection of personal data processing in the scope of making personal data from the land and building register available through GEOPORTAL2 to the Chief Surveyor of the Country. The Chief National Surveyor was informed about the inspection planned for [...] March 2020 (marked as [...]) by telephone and in a letter delivered on that day by e-mail.
On [...] March 2020 the inspectors (employees of the Office for the Protection of Personal Data authorised by the President of the Office for the Protection of Personal Data) went to the Head Office of Geodesy and Cartography to start the planned inspection. The inspectors presented their service cards to the Chief Surveyor of the Country and submitted their personal authorizations, which defined the detailed scope of the inspection in the following way: "The inspection will include making available by the Chief Surveyor of the State through the GEOPORTAL website2, personal data from the land and building register, by establishing:
1. The legal basis for the processing, including making personal data available.
2. Sources of obtaining personal data.
3. The scope and type of personal data made available.
4. The manner and purpose of providing personal data to the bottom.
5. Is the processing of personal data carried out on the basis of the authorization given by the controller of personal data or the processor (Article 29 of Regulation 2016/679).
6. Has the Chief National Surveyor implemented appropriate technical and organisational measures to ensure an adequate level of security of the protected data (Article 32, Article 24(1) and (2) of Regulation 2016/679).
7. Has the Chief National Councillor appointed a Data Protection Officer (Article 37 of Regulation 2016/679).
As it results from the inspection protocol, signed by the inspectors and by the Chief Geodesist of the Country, drawn up on [...] March 2020, after presenting the legitimacy and submitting the authorizations to carry out the inspection, the Chief Geodesist of the Country declared that he will not sign the submitted authorizations and refuses to give his consent to carry out inspection activities within the scope resulting from the submitted authorizations. Justifying his position in this case, he indicated that according to his assessment, within the scope indicated in the inspection authorizations, the inspection is to concern the land and mortgage register number, which is not a personal data within the meaning of the Act of 17 May 1989. Geodesic and cartographic law (Journal of Laws of 2020, item 276 as amended), hereinafter referred to as the "Geodesic and cartographic law". On the submitted authorizations, the Chief Surveyor of the Country has made a written note of the content: "I refuse to give my consent to carry out control activities within the scope of the submitted authorisation (points 1 to 5) due to the lack of objectivity of the control, which I justify in my letter [...] of [...].03.2020, in the shortest possible way, it results from the fact that the scope of control is to focus on the land and mortgage register number, which is not a personal data within the meaning of the Geodetic and Cartographic Law. I request that the scope of control be clarified in accordance with the basis for its initiation". The Chief Surveyor of the State then declared that he agreed to carry out inspection activities only to the extent that this results from points 6 and 7 of the inspection authorisations. Only then did he sign the inspectors' personal authorisations by placing the words 'Signed in accordance with the declaration below' next to his signature. In accordance with the above mentioned statement, the Chief Surveyor of the Country presented to the inspection file a letter with the signature [...], which indicated, among other things, the legal basis for classifying the land and mortgage register number as the subject matter, i.e. Article 20(1)(1) of the Surveying and Cartographic Law and § 73 of the Regulation of the Minister of Regional Development and Construction of 29 March 2001 on the land and building registration.
In view of the unequivocally expressed lack of consent of the Chief Surveyor of the Country to perform inspection activities within the scope specified in points 1-5 of the registered authorisations, the inspectors abandoned the activities in this scope, making arrangements only within the scope specified in points 6 and 7 of the authorisations. Within the scope of control, to which the Chief Surveyor of the Country, who controls, among others, the following, has given his consent:
1. they questioned as a witness Mr. W. I. - Chief National Surveyor,
2. they have obtained a copy of the sample agreement with the starost on cooperation in the establishment and maintenance of common elements of the technical infrastructure for the publication of PZGiK data,
3. obtained copies of documents certifying the general organisational measures implemented by the Chief Surveyor of the country (not specifically related to the GEOPRTAL portal2) to ensure the security of protected data,
4. they obtained copies of documents confirming the appointment of Mr [...] as Data Protection Inspector in the Main Office of Geodesy and Cartography by the Chief Surveyor of the Country,
5. they questioned Mr. [...] - the Chief Specialist in the Department [...] in the Main Office of Geodesy and Cartography as a witness,
6. have obtained a printout of the Regulations of www.geoportal.gov.pl,
7. obtained copies of the Register of processing activities including risk analysis and assessment of the effects on data protection and the Register of categories of processing activities with risk analysis.
In the course of the inspection, the inspectors - due to the lack of consent of the Chief National Surveyor - did not assess the technical measures implemented to ensure the security of the protected data (including the data processed through the GEOPORTAL portal2), in particular they did not inspect the places, objects, media devices and IT systems used for data processing. Moreover, due to, inter alia, the refusal of the Chief National Surveyor to sign the protocol of testimony submitted on [...] March 2020. - the inspectors did not obtain full and binding explanations, having legal effect, of the subject matter covered by the inspection.
Due to the lack of purpose of further inspection, caused by the lack of consent of the Chief Surveyor of the Country for inspection activities concerning the scope specified in points 1-5 of the registered inspection authorizations and lack of cooperation from his side in this scope, the inspectors decided to finish the inspection on March [...], 2020. On that day, the inspection report was drawn up by the inspectors, then signed by the Chief Surveyor of the Country (without any reservations).
In connection with the fact that it was impossible to control the processing of personal data from the land and building register on the GEOPORTAL2 portal by the Chief Inspectorate of the Country, the present proceedings were initiated ex officio in order to impose an administrative fine on the Chief Inspector of the Country for breach of Articles 31 and 58(1)(a) and (b) of the Act of Accession. e) and f) of Regulation 2016/679, consisting in the lack of cooperation with the President of PODO in the performance of his tasks, making it impossible to carry out inspections in the field of personal data processing, as well as not providing the President of PODO with access to premises, equipment and means for personal data processing and access to personal data and information necessary for the President of PODO to perform his tasks.
The Chief Surveyor of the Country was informed about the initiation of the proceedings and the collection of evidence in the case by letter of [...] March 2020, delivered to him electronically via the ePUAP platform.
By letter dated [...] April 2020. (delivered to the President of UODO [...] April 2020), the attorney of the Chief National Surveyor requested that the attorneys of the Chief National Surveyor be allowed to inspect the case file and make a photocopy of the files, or that a copy of the entire case file be made available electronically. In response to the request, copies of the entire case file were presented to the attorney of the Regional Surveyor by mail, by letter of [...] May 2020, delivered to the attorney [...] May 2020.
By letter dated [...] May 2020 (delivered to the President of UODO [...] May 2020), the attorney of the Chief Regional Surveyor presented the position of the Chief Regional Surveyor, indicating that 'the initiation and conduct of proceedings by the President of UODO in this case is pointless and should therefore be discontinued in full'. The attorney of the Chief Regional Surveyor argued in particular that:
1. "The scope of the inspection was pointless as it concerned the use of information which does not constitute personal data and in respect of which the Chief Inspectorate of the Country does not decide on the purposes and methods of processing (so he could not have the status of a data controller). The GKK did not thwart the inspection, but only questioned the scope of the inspection, which was to concern the processing of personal data in the form of a land and mortgage register number.
2. "The inspection [...] was carried out not at the Chief Surveyor of the Country, but at the Chief Office of Geodesy and Cartography, which is a separate controller of personal data from the point of view of the provisions of the GDR.
3. "The President of UODO unjustifiably considered that the Chief Surveyor of the Country - who took part in the inspection proceedings as a person representing the inspected person, i.e. the Chief Office of Geodesy and Cartography - did not cooperate with the President of UODO in the performance of his tasks'.
4. "The President of UODO unjustifiably stated that the Chief Surveyor of the Country prevented the inspection of personal data processing at the controlled entity, i.e. the Main Office of Geodesy and Cartography.
5. "The President of the UODO unjustifiably considered that the Chief Surveyor of the country did not provide the President of the UODO with access to the premises, equipment and means for processing personal data in connection with the control carried out in the Main Office of Geodesy and Cartography, and did not provide access to information necessary for the President of the UODO to perform his tasks".
6. "Consequently, the President of the UODO unduly found that GGK could have infringed Articles 31 and 58(1)(e) and (f) of the GDPR."
After considering all the evidence gathered in the case, the President of UODO weighed the following.
According to Article 57(1)(a) of Regulation 2016/679, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, the President of the PPA has the task of monitoring and enforcing the application of the Regulation on its territory. Within the framework of his competences, the President of the PPA has the task, inter alia, of conducting proceedings for the application of Regulation 2016/679 (Article 57(1)(f)). In order to be able to carry out these tasks, the President of the PPA has a number of powers, as set out in Article 58(1) of Regulation 2016/679, to conduct proceedings, including the power to order the controller and processor to provide all information necessary for the performance of its tasks (Article 58(1)(f) of Regulation 2016/679). (Article 58(1)(a), the power to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of their tasks (Article 58(1)(e)) and the power to obtain access to all premises of the controller and the processor, including the data processing equipment and means, in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f). Infringement of the provisions of Regulation 2016/679, as a result of the failure of the public authority, being the controller or processor, to ensure access to the data and information referred to above, resulting in a breach of the authority's powers specified in Article 58 (1)(f). The authority may - in accordance with Article 83(5)(e) in fine of Regulation 2016/679 in connection with Article 102(1) and (3) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "u.o.d.o.". - administrative fine of up to PLN 100,000.
It should also be noted that the administrator and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of Regulation 2016/679. Failure to comply with this obligation is also at risk - pursuant to Article 83(4)(a) of Regulation 2016/679 in conjunction with Article 102(1) and (3) of the Polish Commercial Companies Code. - an administrative fine of up to PLN 100,000.
The "procedure laid down in EU or Member State law" indicated in Article 58(1)(f) of Regulation 2016/679 for the exercise of the power of the supervisory authority to obtain access to the premises of the controller and the processor, including the equipment and means of data processing, is, under Polish law, described in Chapter 9 of the Polish Commercial Companies Code. (Articles 78 - 91), the procedure of "control of the observance of personal data protection regulations". In accordance with Article 78 of the Polish Data Protection Act. The President of UODO carries out a control of the observance of the provisions on personal data protection (paragraph 1), and this control may be carried out "in accordance with the control plan approved by the President of the Office or on the basis of information obtained by the President of the Office or as part of monitoring the observance of the application of Regulation 2016/679". (paragraph 2). Controllers (authorized employees of the Office for the Protection of Personal Data) are entitled - as provided for in Article 84(1) of the Polish Data Protection Act. - right: 1. enter the land and buildings, premises or other premises from 6.00 a.m. to 10.00 p.m., 2. inspect the documents and information directly related to the subject matter of the inspection, 3. carry out an inspection of places, objects, devices, carriers and IT or ICT systems used for data processing, 4. demand written or oral explanations and questioning as a person's witness to the extent necessary to establish the facts, 5. have expert opinions and opinions prepared. The inspector shall establish the facts on the basis of evidence gathered (using the powers indicated above) in the inspection proceedings, in particular documents, objects, inspections and oral or written explanations and statements (Article 87 of the Polish Commercial Companies Code).
Referring to the above mentioned provisions with regard to the facts of the present case, it should be stated that the President of UODO had the right to initiate and carry out with the Chief Surveyor of the Country an inspection of personal data processing; he also had a justification for making findings in this type of proceedings (inspection proceedings regulated in Chapter 9 of U.o.d.o.).
The control powers of the President of UODO were formulated - in the above mentioned provisions of Regulation 2016/679 and U.o.d.o. - broadly; their use is limited only to the purpose - checking whether the provisions on personal data protection are observed. It is worth noting that the condition for such a control is not even a justified suspicion of a violation. The legislator explicitly allows in Article 78(2) of the Polish Commercial Companies Code for the possibility to carry out the control 'in accordance with [...] the control plan', i.e. without prior information indicating the irregularities in the processing of personal data taking place in a particular entity, and even without information indicating whether the entity is processing personal data at all (the control of such an entity would have to establish such circumstance in the first place - before making further arrangements concerning e.g. legality and lawfulness of processing). General and broad definition of the task to be performed by the President of the PPA ("monitoring and enforcement of the application of the Regulation" referred to in Article 57(1)(a) of Regulation 2016/679, "control of compliance with the rules on personal data protection" referred to in Article 78(1) of the U.o.d.o.) leaves the President of the PPA to define both the circle of controlled entities and the scope of controls. This task should be understood broadly - not only as checking whether a specific entity in a particular case violates the provisions on personal data protection in a specific way, but also as a task undertaken in order to identify the types, areas of occurrence and scale of problems related to the application of the provisions on personal data protection (in particular Regulation 2016/679), eliminate them and prevent them in the future. In the context of the freedom left to the President of UODO to determine the entity subject to the inspection and the scope of the inspection, it should be stated that in the present case the President of UODO had a particularly justified basis for initiating and carrying out the inspection with the Chief Surveyor of the Country to the extent that he considered necessary for the performance of the task of monitoring the application of Regulation 2016/679. As a result of the inspection carried out on [...] February 2020 in the Poviat Starosty in J. (ref. act of control [...]) obtained information on transferring personal data from the land and building register (including land and mortgage register numbers) and further processing (making them available) through the GEOPORTAL portal2 to the Chief Surveyor of the Country by the Starost of J. The mere fact of having these data at the disposal of the Chief Geodesist of the Country constitutes a sufficient basis for carrying out an inspection at his premises for the purpose of - as stated in Article 87 of the Polish Commercial Companies Code. - only to gather evidence allowing to establish the factual state of the case (and not the legal assessment of this state, which - in the case of suspicion of an infringement - takes place in a separate administrative procedure). It follows from the essence of control understood in this way that the controlled entity cannot question - at the stage of initiation and conduct of control - its legitimacy and scope. As the Supreme Administrative Court rightly pointed out in the judgment of 3 March 2016 in the case ref. II OSK 1667/14 (concerning a fine imposed by the Chief Sanitary Inspector on the grounds of the Act of 25 August 2006 on food and nutrition safety (Journal of Laws of 2019, item 1252, as amended) in connection with preventing the official control of food): "The court of first instance and the authorities inspected in the administrative court proceedings are right that the plant inspected is not entitled to decide on the scope of inspection. This is the exclusive domain of the inspection bodies." (Lex No 2113109). This statement, in the opinion of the President of UODO, is of general significance and also applies to the control of compliance with the provisions on personal data protection. The place for questioning the legal assessment of the facts of the case (and this is what the Chief Surveyor of the Country in this case is actually about, in fact, questioning the scope of the inspection, related to the claim that the land and mortgage register number does not constitute a personal data) is a possible infringement procedure initiated on the basis of evidence gathered during the inspection procedure.
As shown above, the control powers of the President of UODO are limited by the purpose of the control, which is to check compliance with the provisions on personal data protection. The position of the Chief Surveyor of the Country expressed during the inspection, and developed in the letter of his proxy of [...] May 2020, that the data in the form of land and mortgage register numbers do not constitute personal data, is in fact a statement that the inspection (to the extent specified in points 1-5 of the registered inspection authorisations) did not fall within this objective. Such an assertion must definitely be regarded as incorrect. Without prejudging in this Decision the qualification of these data as personal data in the present case, it should be pointed out that, at the time the inspection was initiated, the President of the UODO had at least legitimate grounds for such qualification. This justification resulted from the consistently held position of the President of UODO and earlier the Inspector General for the Protection of Personal Data, as well as from the position of the doctrine and the jurisprudence of administrative courts (see the judgment of the Supreme Administrative Court of 18 February 2014 ref. I OSK 1839/12 - LEX no. 1449867, the judgment of the Supreme Administrative Court of 26 September 2018 ref. I OSK 276/17 - LEX no. 2737936, the judgment of the Supreme Administrative Court of 26 September 2018 ref. I OSK 11/17 - LEX no. 2573629). The actions of the Chief Surveyor of the State aimed at thwarting or hindering the inspection should therefore be considered inadmissible, in particular when these actions are based solely on the subjective legal assessment of the inspected person (even if they are supported by selected, unrepresentative voices of doctrine and court rulings). Such an action would lead to an unacceptable situation where, by making it impossible to establish the facts of the case, the inspected person deprives the independent reviewing authority of the possibility to make its own, reliable and comprehensive legal assessment of the situation, which could be subject to subsequent verification by the competent judicial and administrative authorities if necessary.
In line with the above argumentation of the Chief National Inspectorate, the position put forward by his representative in his letter of [...] May 2020 that 'the scope of the control carried out is devoid of purpose, since it concerns the use of information [...] in respect of which the Chief National Inspector does not decide on the purposes and means of processing (and could not therefore have the status of data controller)' should be assessed. The assessment of whether the Chief Surveyor is a controller (or perhaps a co-controller, or possibly a processor) in the processing of data on the GEOPRTAL portal2 is an element of the facts to be determined during the inspection. At the moment of initiating the inspection, the President of UODO had information that in the GEOPORTAL2 portal, whose administrator is the Chief Surveyor of the Country, information which constitutes (or may constitute) personal data is processed, in particular the land and mortgage register numbers assigned to the properties presented in the portal. The above has been confirmed by the results of an inspection carried out in the Poviat Starosty in J. (file reference [...]), from which it appeared that the Chief Land Surveyor obtained data (including land and building register numbers) from the land and building register kept by the Starost of J., in order to further process them through the GEOPORTAL portal2. Additionally, it is worth pointing out that in the Rules and Regulations of the www.geoportal.gov.pl website (located on the website www.geoportal.gov.pl.) there is information directly indicating that the administrator of personal data processed in the GEOPORTAL2 portal is the Chief Surveyor of the Country ("The administrator of your personal data is the Chief Surveyor of the Country with its registered office in Warsaw, Wspólna 2, 00-926 Warsaw"). Such information justified the need to carry out an inspection of compliance with the regulations on personal data protection, among others, in order to determine the role of the Chief Surveyor of the Country in this data processing process. The position of the Chief Surveyor of the Country, presented in the letter of his proxy of [...] May 2020, also assumes erroneously that the entity subject to the control of the President of UODO may only be the entity which decides about the purposes and methods of processing, i.e. the controller (which - in his own opinion - is not the controller in the case under consideration). The Chief Surveyor of the Country seems not to notice that the obligation to provide access to personal data and information necessary for the performance of the tasks of the President of PODO and access to premises, equipment and means of data processing, referred to in Article 58(1)(e) and (f), lies not only with the controller, but also with the co-administrator and the entity processing personal data. Denying his role of the controller, the Chief Surveyor of the Country seems not to exclude that he processes personal data from the land and building register as a processor - on behalf of the controllers (starosts), on the basis of agreements which could in fact be assessed as the agreements referred to in Article 28(3) of Regulation 2016/679). The above uncertainty as to the role played in the process of processing in GEOPORTAL2 the data obtained from the land and building register, which could be removed in the course of the inspection, proves the legitimacy of carrying out the inspection at the Chief Surveyor of the Country to the full extent - specified in the inspectors' personal authorisations. Similarly, as far as the obligation to cooperate with the supervisory authority, specified in Article 31 of Regulation 2016/679, is concerned, it is addressed not only to the administrator but also to the processor.
Referring to the last one, presented by the representative of the National Surveyor General in a letter dated [...] May 2020, the aspect justifying - in his opinion - the refusal to give consent for the inspection to be carried out by the President of UODO, i.e. to state that 'the inspection [...] was carried out not at the Head Surveyor's Office, but at the Head Office of Geodesy and Cartography, which from the point of view of the provisions of UODO is a separate controller of personal data', it should be noted that it is based only on the fact that in several places in the documents relating to the inspection (in the inspectors' personal authorisations, The President of UODO indicated the Main Office of Geodesy and Cartography as the place where the control activities were to be (were) carried out, due to the fact that it is in the Main Office of Geodesy and Cartography as an organizational unit with the help of which the Main Surveyor of the Country carries out his tasks, that personal data and sources of information, premises, equipment and means for the processing of personal data, access to which was necessary for the President of UODO to gather evidence in the case, are located. The analysis of the entire content of documents concerning the inspection (in particular those preparing the inspection - the inspection notice of [...] March 2020 and the personal inspection authorizations of [...] March 2020) shows unequivocally that the purpose of the inspection was related to the realization of the statutory task of the Chief Surveyor of the Country which is to create and maintain the GEOPORTAL portal2. This is evidenced by such statements as: "the scope of the inspection will include making available by the Chief National Surveyor...", "please prepare documentation concerning the processing of personal data by the Chief National Surveyor". (both from the notification of the inspection), "the inspection will include making available by the Chief National Surveyor...", "whether the Chief National Surveyor has implemented appropriate technical and organisational measures...", "whether the Chief National Surveyor has appointed a Data Protection Officer...". (the last three of the registered inspectors' authorisations). As indicated by the Chief National Surveyor's representative himself in his letter of [...] May 2020, the task of creating and maintaining the GEOPORTAL portal2 was formulated in the provisions of Article 5 of the Act of 17 May 1989. Geodetic and cartographic law (Journal of Laws of 2020, item 276 as amended) and Article 13.1 of the Act of 4 March 2010 on spatial information infrastructure (Journal of Laws of 2020, item 177 as amended). The latter provision stipulates that the Chief Geodesist of the Country creates and maintains a geoportal of spatial information infrastructure as a central point of access to services related to spatial data sets and services; however, it does not provide for any participation in this task for the Chief Geodesy and Cartography Office. The above provision defining competence and responsibility for the functioning of the GEOPORTAL2 portal, combined with the subject and scope of control indicated by the President of the UODO, should not leave (especially to the central authority competent in matters of geodesy and cartography) any doubt as to the definition of the entity subject to control. It should be additionally emphasized that the Chief Surveyor of the Country, both at the time of commencement and during the inspection, did not raise any reservations as to the identification of the entity to be inspected, although he had the opportunity to do so (by making a statement on the inspectors' personal authorizations about their lack of consent to carry out the inspection, by making such reservations to the minutes of the hearing as a witness or in the form of a reservation to the inspection report). In the opinion of the President of UODO, the reservation concerning the indication of the controlled entity was formulated by the Chief Surveyor of the country post factum - solely for the purpose of justifying the infringement of the provisions on personal data protection.
Summarizing the above considerations, it should be stated that the justification for the refusal to give consent to the inspection of personal data processing by the Chief Surveyor of the country during the inspection, developed by his representative in the position presented to the President of UODO in his letter of [...] May 2020, does not deserve to be accepted in any point. The President of UODO had the right and justification to carry out an inspection with the Chief Surveyor of the Country. The scope of this inspection was within the objectives set out in Article 57(1)(a) of Regulation 2016/679 ('monitoring and enforcement of the Regulation') and Article 78(1) of the Polish Civil Code. ('monitoring of compliance with data protection rules'). The action of the Chief Surveyor of the Country as the inspected, consisting in the refusal to give consent to carry out the inspection within the scope specified in points 1-5 of the personal authorisations of the inspected persons, made it impossible to carry out inspection activities in this area to the full extent (in particular the inspection of IT and ICT systems in which personal data are processed by the Chief Surveyor of the Country, receiving in this respect the explanations of the Chief Surveyor of the Country, receiving explanations and testimonies of the employees of the Chief Surveyor of the Country, obtaining an insight into the documents constituting the basis for obtaining personal data processed in the GEOPORTAL portal2 - e.g. "the inspection of the data protection of personal data". The General Surveyor of the Country and the heads of district authorities). The refusal of the Chief Surveyor of the Country to carry out the inspection within the scope specified in points 1-5 of the registered authorisations of the inspected persons, which means a declaration of lack of any cooperation with the inspectors in this respect, caused the inspectors to withdraw from activities in this respect. The Supreme Administrative Court in the aforementioned judgment of 3 March 2016 in the case ref. II OSK 1667/14 rightly indicated that: "one should agree with the position that in order for the inspection to achieve its objective it requires at least a minimum degree of cooperation from the inspected party. That cooperation must relate to the full extent of the authority's powers'. In the present case, there was no cooperation on the part of the Chief Surveyor of the State in the field of control, which he arbitrarily considered to be unfounded.
With reference to the above findings to the obligations imposed by the provisions of Regulation 2016/679 on the controller and processor, and concerning their relation to the supervisory body, it should be stated that the Chief National Inspectorate, in the course of the inspection proceedings under the heading [...], violated his action:
1. Article 58(1)(e) of Regulation 2016/679, which requires him to ensure that the President of the PPA has access to all personal data and all information necessary for the supervisory authority to carry out its tasks,
2. Article 58(1)(f) of Regulation 2016/679 requiring him to ensure that the President has access to all premises of the controller and the processor, including the equipment and means of processing, in accordance with the procedures laid down in Union or Member State law,
3. Article 31 of Regulation 2016/679 which requires him to cooperate with the President of UODO, at his request, in the performance of his tasks.
In connection with the above infringements of Regulation 2016/679, the President of the UODO concludes that in the present case there are grounds for imposing on the Chief National Surveyor, pursuant to Articles 83(4)(a) and 83(5)(a) and 83(5)(a) of Regulation 2016/679, the conditions for the imposition of the obligation under Article 83(4)(a) and 83(5)(b) of Regulation 2016/679 on the Chief National Surveyor are met. e) in fine of Regulation 2016/679 - an administrative fine for failure to ensure access by the Chief Surveyor of the State to premises, equipment and means for processing personal data and access to personal data and information necessary for the President of the PPA to perform his tasks, as well as for failure to cooperate with the President of the PPA during this inspection.
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, a number of circumstances listed in points a) through k) of the aforementioned provision are addressed. When deciding to impose an administrative penalty payment on the Chief National Surveyor in the present case and when setting the amount of the fine, the President of the UODO took into account, among other things, the following aggravating circumstances affecting the assessment of the infringement:
1. Nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).
An infringement that is subject to administrative pecuniary sanctions in this case undermines a system designed to protect one of the fundamental rights of the individual, which is the right to the protection of his or her personal data or, more broadly, to the protection of his or her privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of individuals' rights in this respect. In order to be able to carry out these tasks, supervisory authorities have been equipped with a number of inspection powers, administrative investigation powers and remedial powers. On the other hand, certain obligations are imposed on controllers and processors, correlated with the powers of the supervisory authorities, including the obligation to cooperate with the supervisory authorities and to provide those authorities with access to personal data and other information necessary for the performance of their tasks, as well as access to premises, equipment and means of processing personal data. The actions of the Chief Inspectorate of the Country in the course of the inspection under the heading [...], aimed at thwarting its performance within the scope indicated in points 1-5 and point 6 (as regards the technical measures implemented to ensure an appropriate level of security) of the registered inspection authorizations, and resulting in the lack of access to evidence indicating the legality and lawfulness of the processing by the Chief Inspector of the Country of personal data coming from the land and building register, should therefore be considered to be detrimental to the entire system of personal data protection, and therefore of great importance and reprehensible nature. The seriousness of the infringement is further increased by the fact that the infringement committed by the Chief National Inspectorate, albeit one-off (which took place on [...] March 2020), has had effects lasting until now. The lack of cooperation of the Chief Surveyor of the Country, expressed in the refusal to recognise the right of the President of UODO to control the compliance of his processing of personal data from the land and building register in the GEOPRTAL2 portal with the regulations, is current, which is confirmed by the position of the Chief Surveyor of the Country expressed in the letter of his proxy of [...] May 2020. Moreover, it should be pointed out as an aggravating circumstance that a violation of the rights of a public authority, i.e. the President of UODO, was committed by another public authority - the Chief Surveyor of the Country. In the opinion of the President of UODO, the public authority should be expected to have a special, greater understanding and respect for the actions taken by other authorities within the framework of their statutory tasks than in the case of private entities, and a greater degree of cooperation in the performance of these tasks.
2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).
In the opinion of the President of UODO, there is an intentional lack of willingness on the part of the Chief Surveyor of the Country to cooperate in providing the authority with all the information (evidence) necessary to determine whether the data processing processes being subject to control have a legal basis and are processed in accordance with the law. The lack of consent of the Chief Surveyor of the Country to carry out the inspection and his declaration of non-cooperation in this respect has been expressed unequivocally and firmly. The argumentation presented to justify this position of the Chief Surveyor is, as shown above, completely unfounded and - in the opinion of the President of UODO - was largely created post factum in order to justify the unwillingness to submit to a justified and lawful examination by an independent supervisory body. Given that the Chief Surveyor of the Country is a public entity (and additionally a central body within the structure of the surveying and cartographic services), an entity which processes personal data of citizens on a large scale within the scope of its competence, it should also be assumed that he was (and still is) aware that his conduct may constitute a breach of the provisions of Regulation 2016/679, and agrees with this state of affairs.
3. Lack of cooperation with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).
In the course of the present proceedings concerning the imposition of an administrative fine, the Chief Surveyor of the Country maintained his disagreement with the inspection in the disputed scope (based on the position denying the President of UODO the right to examine the processing of personal data from the land and building register in GEOPORTAL2). It also did not express any willingness to cooperate with the President of UODO in order to rectify the infringement, which could consist, in particular, in providing full and exhaustive explanations to the extent to which the inspection was thwarted.
The other conditions for imposing an administrative penalty payment set out in Article 83(1)(a) and (b) of the Treaty on the Functioning of the European Union The other prerequisites for imposing an administrative fine set out in Art. 83 par. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement by the President of UODO (including the following: any relevant previous breaches on the part of the controller or processor, the manner in which the supervisory authority learned about the breach, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (concerning the relationship of the controller or processor with the supervisory authority and not the relationship of the controller or processor with the data subject), could not be taken into account in this case (including: the number of persons harmed and the extent of the harm suffered by them, actions taken by the controller or processor to minimise the harm suffered by the data subjects, the degree of responsibility of the controller or processor taking into account the technical and organisational measures implemented by the controller or processor, the categories of personal data concerned by the breach).
According to the wording of Article 83 paragraph 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Chief National Surveyor in these proceedings meets these criteria. It will discipline the Chief Surveyor of the Country to properly cooperate with the President of UODO in future proceedings conducted by the President of UODO with his participation. The maximum penalty imposed by the present decision, as specified in Article 102(1) of Ustawa o.o.d.o., is, in the opinion of the President of UODO, justified and proportional to the seriousness of the infringement found. The penalty will also serve as a deterrent; it will send a clear signal both to the Chief National Surveyor and to other entities obliged under the provisions of Regulation 2016/679 to cooperate with the President of UODO that disregarding the obligations related to cooperation with him (in particular, hindering the control of compliance with the provisions on personal data protection) constitutes a serious infringement and as such will be subject to financial sanctions.
In this case, the provisions of Art. 102 section 1 and 3 of the Polish Commercial Companies Code apply, according to which the amount of the administrative fine imposed - on the basis and under the conditions specified in Art. 83 of the Regulation 2016/679 - on a public finance sector unit within the meaning of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869 as amended), is limited to PLN 100,000.
In view of the above, the President of the UODO ruled as in the operative part of this decision.
The decision is final. A party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of UODO (address: ul. Stawki 2, 00 - 193 Warsaw). A relative entry must be made against the complaint in accordance with art. 231 in connection with art. 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to an administrative court shall suspend the execution of a decision on an administrative fine.
Pursuant to Article 105 Section 1 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine should be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Voivodship Administrative Court, or from the date when the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland (NBP O/O Warszawa) no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. If the deadline for payment of the administrative fine is postponed or spread in instalments, the President of UODO charges interest on the unpaid amount on an annual basis, using the reduced rate of interest for late payment announced pursuant to Art. 56d of the Act of 29 August 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.
