| UODO - DKE.561.3.2020 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 31 GDPR Article 58(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.07.2020 |
| Published: | 02.07.2020 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | DKE.561.3.2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Polish |
| Original Source: | Urzędu Ochrony Danych Osobowych - UODO (in PL) |
| Initial Contributor: | n/a |
The Surveyor General of Poland violated the provisions of the GDPR by failing to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks.
English Summary
Facts
beginning of March 2020, the President of the Personal Data Protection Office decided on the necessity to perform an inspection of the processing by the Surveyor General of Poland on the portal GEOPORTAL2 of personal data from the poviat land and property registers, about which it informed GGK in the letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted personal authorisations containing information on the scope of the inspection to GGK. The Surveyor General of Poland did not allow for performing full inspection activities resulting from the submitted authorisations.
Dispute
GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.
Holding
THe UODO imposed an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK), because due to the categorical lack of consent of GGK to carry out full inspection activities and the unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground the GEOPORTAL2 online portal (geoportal.gov.pl) enables access to personal data contained in land and property registers and whether GGK has implemented appropriate technical measures to ensure data security.
Comment
This summary is based on the English summary of the Polish Data Protection Authority, which can be found here: https://uodo.gov.pl/en/553/1146
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Warsaw, 02 July 2020
DECISION
DKE.561.3.2020
Based on Article. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Art. 7 section 1 and section 2, art. 60 and art. 102 paragraph. 1 point 1 and sec. 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) in connection with Art. 31, art. 57 sec. 1 lit. a), art. 58 section 1 lit. e) and f) and art. 58 sec. 2 lit. i) in connection with Art. 83 sec. 1 and 2, art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting the administrative procedure initiated ex officio regarding the imposition of the Chief Surveyor of the Country in Warsaw at ul. Wspólna 2, represented by attorneys PT and SK (Kancelaria [...]), an administrative fine, the President of the Office for Personal Data Protection, declaring an infringement by the Chief National Surveyor based in Warsaw at ul. Wspólna 2, the provisions of Art. 31 and 58 sec. 1 lit. e) and f) of Regulation 2016/679, consisting in failure to provide the President of the Office for Personal Data Protection, during the control of compliance with the provisions on the protection of personal data, ref. [...], access to premises, equipment and means for the processing of personal data and access to personal data and information necessary for the President of the Personal Data Protection Office to perform its tasks,
imposes on the Chief National Surveyor based in Warsaw at ul. Wspólna 2, an administrative fine in the amount of PLN 100,000 (in words: one hundred thousand zlotys).
SUBSTANTIATION
On [...] February 2020, the President of the Personal Data Protection Office (hereinafter referred to as the "President of the Personal Data Protection Office") inspected the processing of personal data in the Poviat Starosty in J. (reference number [...]). The inspection concerned the provision by Starost J., via the GEOPORTAL2 internet portal (www.geoportal.gov.pl), of personal data from the land and building register kept by starosts. In the course of the inspection, it was found that Starosta J. does not publish personal data from the land and building register on this portal, but - on the basis of an appropriate agreement - transfers them (including land and mortgage register numbers) to the Chief Surveyor of the Country, who then makes the obtained data available on the GEOPORTAL portal2 . Due to the above, the President of the Personal Data Protection Office (UODO) decided to carry out a personal data processing control in the scope of sharing personal data from the land and building register via the GEOPORTAL2 portal with the Chief National Surveyor. About the inspection planned for [...] March 2020 (marked with file reference [...]), the Chief National Surveyor was informed on [...] March 2020 by phone and in a letter delivered on that day by e-mail (e-mail).
On [...] March 2020, the inspectors (employees of the Office for Personal Data Protection authorized by the President of the Personal Data Protection Office) went to the Main Office of Geodesy and Cartography to start the planned inspection. The inspectors presented the Chief National Surveyor with official ID cards and submitted personal authorizations, in which the detailed scope of the inspection was specified as follows: "The inspection will cover the provision by the Chief Surveyor of the Country via the GEOPORTAL2 website, personal data from the land and building records, by establishing:
The legal basis for processing, including sharing personal data.
Sources of obtaining personal data.
The scope and type of personal data provided.
The manner and purpose of sharing the bottom passenger.
Is the processing of personal data carried out on the basis of an authorization granted by the personal data administrator or the processor (Article 29 of Regulation 2016/679).
Has the Chief Surveyor of the Country implemented appropriate technical and organizational measures to ensure an adequate level of security of the data protected (Article 32, Article 24 (1) and (2) of Regulation 2016/679).
Has the Chief Surveyor of the country appointed a data protection officer (Article 37 of Regulation 2016/679). "
According to the inspection report drawn up on [...] March 2020 and signed by the inspectors and the Chief National Surveyor, after presenting the identity card and submitting authorizations to conduct the inspection, the Chief National Surveyor stated that he would not sign the submitted authorizations and refused to consent to the inspection. control activities in the scope resulting from the submitted authorizations. Justifying his position in this case, he pointed out that, according to his assessment, from the scope indicated in the controlling authorizations, it follows that the control is to concern the land and mortgage register number, which is not a personal data within the meaning of the provisions of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended), hereinafter referred to as the "Geodetic and cartographic law". On the submitted authorizations, the Chief Surveyor of the country included a written annotation: "I refuse to consent to the inspection activities in the scope of the presented authorization (items 1 to 5) due to the irrelevance of the inspection, which I justify in the letter [...] of [...]. 03.2020 the shortest time is due to the fact that the scope of the inspection is to focus on the number of the land and mortgage register, which is not a personal data within the meaning of the Geodetic and Cartographic Law. I am asking for clarification of the scope of the control in accordance with the basis for its initiation. " The Chief Surveyor of the country then stated that he agreed to carry out control activities only to the extent specified in points 6 and 7 of personal authorizations. Only then did he sign the personal authorizations of the inspectors, placing the annotation "Signed in accordance with the declaration below" next to the signature. In accordance with the above-mentioned statement, the Chief Surveyor of the Country submitted a letter with the reference number [...] to the inspection files, in which it was indicated, inter alia, legal grounds for qualifying the number of the land and mortgage register as a given subject, that is art. 20 paragraph 1 point 1 of the Geodetic and Cartographic Law and § 73 of the Regulation of the Minister of Regional Development and Construction of March 29, 2001 on land and building records.
Due to the unequivocally expressed lack of consent of the Chief Surveyor of the Country to carry out control activities in the scope specified in items 1-5 of personal authorizations, the inspectors withdrew from activities in this respect, making arrangements only in the scope referred to in items 6 and 7 of the authorization. Within the scope of control, for which the Chief National Surveyor has consented, controlling, among others:
heard as a witness Mr. W. I. - Chief Country Surveyor,
obtained a copy of an exemplary agreement with the staroste on cooperation in the creation and maintenance of common elements of technical infrastructure regarding the publication of PZGiK data,
obtained copies of documents confirming the general organizational measures implemented by the Chief Surveyor of the Country (not particularly related to the GEOPRTAL2 portal) to ensure the security of the protected data,
obtained copies of documents confirming the appointment by the Chief Land Surveyor of Mr. [...] as the Data Protection Inspector at the Central Office of Geodesy and Cartography,
heard as a witness Mr. [...] - Chief Specialist in the Department [...] at the Head Office of Geodesy and Cartography,
obtained a printout of the Regulations of the website www.geoportal.gov.pl,
obtained copies of the Register of processing activities containing the risk analysis and impact assessment for data protection and the Register of processing activities categories with risk analysis.
During the inspection, the inspectors - due to the lack of consent of the Chief National Surveyor - did not assess the implemented technical measures to ensure the security of the protected data (including data processed via the GEOPORTAL2 portal), in particular, they did not inspect the places, objects, devices of carriers and IT systems for data processing. Moreover - due to, inter alia, against the refusal of the Chief Country Surveyor to sign the protocol of testimony made on [...] March 2020 - the inspectors did not obtain full and binding, legally effective explanations of the inspected party in the subject covered by the inspection.
Due to the ineffectiveness of further inspection, due to the lack of consent of the Chief Surveyor of the Country for inspection activities regarding the scope specified in points 1-5 of personal inspection authorizations, and the lack of cooperation on his part in this regard, the inspectors decided to terminate on [...] March 2020 control. On that day, an inspection protocol was drawn up by the inspectors, and then signed by the Chief National Surveyor (without any reservations).
Due to the fact that it was impossible to control the processing by the Chief Surveyor of the Country of personal data from the land and building register on the GEOPORTAL2 portal, this procedure was initiated ex officio to impose an administrative fine on the Chief Surveyor of the Country for violation of Art. 31 and art. 58 sec. 1 lit. e) and f) of Regulation 2016/679, consisting in the lack of cooperation with the President of the Personal Data Protection Office in the performance of his tasks, preventing the inspection of personal data processing, as well as failure to provide the President of the Personal Data Protection Office with access to premises, equipment and means used to process personal data , and access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks.
The Chief National Surveyor was informed about the initiation of the procedure and the collection of evidence in the case by a letter of [...] March 2020, delivered to him electronically via the ePUAP platform.
By letter of [...] April 2020 (delivered to the President of the Personal Data Protection Office on [...] April 2020), the representative of the Chief Surveyor of the Country requested that the representatives of the Chief Surveyor of the Country be able to inspect the case files and prepare their photocopies, or to provide copies of the entire case files by electronic means . In response to the request, copies of the entire case files were submitted to the representative of the Chief Surveyor of the Country by post, by letter of [...] May 2020, delivered to the representative on [...] May 2020.
In a letter of [...] May 2020 (delivered to the President of UODO on [...] May 2020), the representative of the Chief Surveyor of the Country presented the position of the Chief Surveyor of the Country, indicating that "the initiation and conduct of proceedings by the President of UODO in this case is pointless and for this reason should be written off in full ”. The Plenipotentiary of the Chief Surveyor of the Country submitted in particular that
"The scope of the inspection was pointless, as it concerned the use of information that does not constitute personal data, and for which the Chief Surveyor of the Country does not decide on the purposes and methods of processing (thus, it could not have the status of a data controller). GKK did not prevent the inspection, but only questioned the scope of the inspection, which was to concern the processing of personal data in the form of a land and mortgage register number. "
"The inspection [...] was carried out not at the Head of the National Surveyor, but at the Head Office of Geodesy and Cartography, which, from the point of view of the provisions of the GDPR, is a separate administrator of personal data."
"The President of the Personal Data Protection Office groundlessly found that the Chief National Surveyor - who participated in the inspection proceedings as a representative of the inspected entity, ie the Central Office of Geodesy and Cartography - did not cooperate with the President of the Personal Inspectorate as part of his tasks".
"The President of the Personal Data Protection Office (UODO) groundlessly found that the Chief National Surveyor made it impossible to carry out an inspection in the field of personal data processing at the controlled entity, i.e. at the Central Office of Geodesy and Cartography."
"The President of the Personal Data Protection Office unjustifiably considered that the Chief National Surveyor did not provide the President of the Personal Data Protection Office with access to premises, equipment and means for processing personal data in connection with the control carried out at the Central Office of Geodesy and Cartography, and did not provide access to information necessary for the President of the Personal Data Protection Office. his tasks. "
“As a result of the above, the President of the Personal Data Protection Office unjustified that GGK could infringe Art. 31 and art. 58 sec. 1 lit. e) and f) GDPR. "
After considering all the evidence collected in the case, the President of UODO considered the following.
Pursuant to Art. 57 sec. 1 lit. a) Regulation 2016/679, the President of the Personal Data Protection Office - as a supervisory authority within the meaning of art. 51 of the Regulation 2016/679 - its task is to monitor and enforce the application of this regulation on its territory. As part of his competences, the President of the Personal Data Protection Office is responsible, inter alia, conduct proceedings on the application of Regulation 2016/679 (Article 57 (1) (f)). In order to enable the performance of such defined tasks, the President of the Personal Data Protection Office has a number of provisions specified in art. 58 sec. 1 of Regulation 2016/679, the rights in the scope of conducted proceedings, including the right to order the administrator and the processor to provide all information needed to perform its tasks (Article 58 (1) (a), the right to obtain from the controller and the processor access to any personal data and any information necessary for the performance of its tasks (Article 58 (1) (e) and the right to access all premises of the controller and processor, including equipment and measures for data processing, in accordance with the procedures laid down in EU law or in the law of a Member State (Article 58 (1) (f)). Violation of the provisions of Regulation 2016/679, consisting in failure to provide access to the data and information referred to above by the public authority being the controller or processor, resulting in the violation of the authority's powers specified in art. 58 sec. 1 of Regulation 2016/679 (including the right to obtain personal data and information necessary to perform its tasks and to gain access to premises, equipment and means for data processing), and may be subject - in accordance with art. 83 sec. 5 letter e) in fine of the Regulation 2016/679 in connection with art. 102 paragraph. 1 and 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as "PDA" - an administrative fine of up to PLN 100,000.
It should also be pointed out that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Art. 31 of Regulation 2016/679. Failure to comply with this obligation is also threatened - in accordance with Art. 83 sec. 4 lit. a) Regulation 2016/679 in connection with art. 102 paragraph. 1 and 3 of the Personal Data Protection Act - an administrative fine of up to PLN 100,000.
Indicated in art. 58 sec. 1 lit. f) of Regulation 2016/679 "the procedure laid down in EU law or in the law of a Member State" for the exercise of the supervisory authority's right to gain access to the premises of the controller and the processor, including equipment and means for data processing, is based on Polish law, described in Chapter 9 of the Act on Personal Data Protection (Articles 78 - 91), the procedure of "monitoring compliance with the provisions on the protection of personal data". Pursuant to Art. 78 uodo, the President of the Personal Data Protection Office (UODO) controls compliance with the provisions on the protection of personal data (paragraph 1), and this control may be carried out "in accordance with the control plan approved by the President of the Office or on the basis of information obtained by the President of the Office or as part of monitoring compliance with the application of Regulation 2016 / 679 ”(section 2). Controlling persons (authorized employees of the Office for Personal Data Protection) are entitled to - as provided for in Art. 84 sec. 1 of the Personal Data Protection Act - the right to: 1. enter the land and buildings, premises or other premises between 6.00 a.m. and 10.00 p.m., 2. access documents and information directly related to the scope of the inspection, 3. carry out inspections of places, objects, devices, data carriers and IT or teleinformation systems used for data processing, 4. demand to submit written or oral explanations and to interview a person as a witness to the extent necessary to establish the facts, 5. commission the preparation of expert opinions and opinions. The inspector determines the facts on the basis of evidence collected (with the use of the above-mentioned powers) in the control procedure, in particular documents,
Referring the above-mentioned provisions to the facts of the present case, it should be stated that the President of the Personal Data Protection Office had the right to initiate and conduct an inspection of the processing of personal data at the Chief National Surveyor; it also had a justification for making findings in this type of procedure (control procedure regulated in chapter 9 of the PDPA).
The control powers of the President of the Personal Data Protection Office (UODO) have been formulated - in the above-mentioned provisions of the Regulation 2016/679 and the Personal Data Protection Act - broadly; their use is limited only to the purpose - checking whether the provisions on the protection of personal data are complied with. It is worth noting that the condition for carrying out such an inspection is not even a justified suspicion that a violation has been found. The legislator expressly allows in Art. 78 sec. 2 uodo, the possibility of carrying out inspections "in accordance with [...] the inspection plan", i.e. without prior information indicating irregularities in the processing of personal data taking place in a specific entity, and even without information indicating whether a given entity processes personal data at all (control of such an entity would, however, first have to establish such a circumstance - before making further determinations regarding, for example, the legality and lawfulness of processing). General and broad definition of the task to be performed by the President of the Personal Data Protection Office ("monitoring and enforcement of the application of the regulation" referred to in Article 57 (1) (a) of Regulation 2016/679, "control of compliance with the provisions on the protection of personal data" referred to in Art. 78 sec. 1 UODO) leaves the President of UODO the freedom to define both the group of controlled entities and the scope of the inspections carried out. This task should be understood broadly - not only as checking whether a specific entity in a specific case violates the provisions on the protection of personal data in a specific way, but also as a task undertaken to identify the types, areas and scale of problems related to the application of the provisions on the protection of personal data. (in particular, Regulation 2016/679), their elimination and prevention in the future. In the context of the freedom left to the President of the Personal Data Protection Office in determining the entity subject to control and the scope of this control, it should be stated that in this case the President of the Personal Data Protection Office had a particularly justified basis to initiate and conduct an inspection at the Chief Surveyor of the country in the scope that he considered necessary for the implementation of the task of monitoring the application of the Regulation. 2016/679. As a result of the inspection carried out on [...] February 2020 in the Poviat Starosty in J. (reference number [...]), he obtained information about the provision of personal data to the Chief Surveyor of the Country by Starost J. land and mortgage registers) and their further processing (sharing) via the GEOPORTAL2 portal. The mere fact of having these data by the Chief Surveyor of the Country is a sufficient basis for conducting an inspection aimed at - as stated in Art. 87 of the PPA - only collecting evidence allowing to establish the facts of the case (and not the legal assessment of this status, which - in the case of suspected violations - takes place in a separate administrative procedure). From the essence of control understood in this way, it follows that that the inspected entity cannot question - at the stage of initiating and conducting the inspection - its legitimacy and its scope. As rightly pointed out by the Supreme Administrative Court in the judgment of March 3, 2016 in the case file no. II OSK 1667/14 (regarding the imposition by the Chief Sanitary Inspector, on the basis of the Act of August 25, 2006 on Food and Nutrition Safety (Journal of Laws of 2019, item 1252, as amended), a fine in connection with preventing official food control): "The court of first instance and the authorities inspected in administrative court proceedings are right that the plant under examination is not entitled to decide on the scope of the control. It is the exclusive domain of the controlling units. " (Lex No. 2113109). This statement - in the opinion of the President of the Personal Data Protection Office - has a general meaning and also applies to the control of compliance with the provisions on the protection of personal data. The place for questioning the legal assessment of the facts of the case (and in this case it is essentially the questioning by the Chief National Surveyor of the scope of the inspection, related to the statement that the land and mortgage register number does not constitute a personal o evidence collected during the control procedure.
As shown above, the inspection powers of the President of the Personal Data Protection Office are limited to the purpose of the inspection, which is to verify compliance with the provisions on the protection of personal data. The position of the Chief National Surveyor expressed during the inspection, and developed in his representative's letter of [...] May 2020, that the data in the form of land and mortgage register numbers do not constitute personal data, is in fact a statement that the inspection (to the extent specified in items 1 -5 personal controlling authorizations) did not fit this purpose. Such a claim should definitely be considered incorrect. Without prejudging the qualification of such data as personal data in the case at hand, it should be pointed out that at the time of initiating the inspection, the President of the Personal Data Protection Office had at least reasonable grounds to accept such a classification. This justification resulted from the consistent position of the President of the Personal Data Protection Office, and previously the Inspector General for Personal Data Protection, as well as the position of the doctrine and jurisprudence of administrative courts (see the judgment of the Supreme Administrative Court of 18 February 2014, ref. I OSK 1839/12 - LEX No. 1449867, judgment of the Supreme Administrative Court of 26 September 2018, reference number I OSK 276/17 - LEX no. 2737936, judgment of the Supreme Administrative Court of 26 September 2018, reference number I OSK 11/17 - LEX no. 2573629). In view of the above, the actions of the Chief National Surveyor aimed at thwarting or hindering the inspection should be considered unacceptable, in particular when these actions are based solely on the subjective legal assessment of the controlled entity (even if they are supported by selected, unrepresentative voices of the doctrine and court decisions). Doing so would lead to an unacceptable situation where
Similar to the above argumentation of the Chief Surveyor of the Country, the position presented by his attorney in the letter of [...] May 2020 should be assessed that "the scope of the inspection is pointless because it concerned the use of information [...] for which the Chief Surveyor of the Country does not decide on the goals and methods of processing (therefore, he could not have the status of a data controller) ”. The assessment of whether the Chief National Surveyor performs the role of the administrator in the data processing on the GEOPRTAL2 portal (or maybe a co-administrator, or a processor) is an element of the facts that was to be determined in the course of the inspection. At the time of the inspection, the President of the Personal Data Protection Office had information that on the GEOPORTAL2 portal, whose administrator is the Chief Country Surveyor, the information that constitutes (or may constitute) personal data is processed, in particular the land and mortgage register numbers assigned to the real estate presented on the portal. The above was confirmed by the results of the inspection carried out in the Poviat Starosty in J. (reference number [...]), which showed that the Chief Surveyor of the Country obtained data (including the numbers of land and mortgage registers from the land and building records kept by Starost J. ) for further processing via the GEOPORTAL2 portal. Additionally, it is worth mentioning that in the Regulations of the website which showed that the Chief Surveyor of the Country obtained from the land and building records kept by Starost J., data (including land and mortgage register numbers) for further processing via the GEOPORTAL2 portal. In addition, it is worth mentioning that in the Regulations of the website which showed that the Chief Surveyor of the Country obtained from the land and building records kept by Starost J., data (including land and mortgage register numbers) for further processing via the GEOPORTAL2 portal. In addition, it is worth mentioning that in the Regulations of the websitewww.geoportal.gov.pl (posted on the website www.geoportal.gov.pl.) there is information directly indicating that the administrator of personal data processed on the GEOPORTAL2 portal is the Chief National Surveyor ("The administrator of your personal data is the Chief National Surveyor with its seat in Warsaw, ul. Wspólna 2, 00-926 Warsaw"). Such information justifies the need to carry out an audit of compliance with the provisions on the protection of personal data in order to determine the role of the Chief National Surveyor in this data processing process. The position of the Chief National Surveyor, presented in the letter of his representative of [...] May 2020, also erroneously assumes that the entity subject to the control of the President of the Personal Data Protection Office may only be the entity deciding on the purposes and methods of processing, i.e. the controller (which he - in his own opinion - in the case under consideration is not). The Chief Surveyor of the Country does not seem to notice that the obligation to provide access to personal data and information necessary to perform the tasks of the President of the Personal Data Protection Office and access to premises, equipment and means for data processing, referred to in Art. 58 section 1 lit. e) and f), rests not only on the controller, but also on the co-controller and the entity processing personal data. By denying his role as administrator, the Chief National Surveyor seems not to exclude that he processes personal data from the land and building register as a processor - on behalf of administrators (starosts), on the basis of contracts that could in fact be assessed as in art. 28 sec. 3 of the Regulation 2016/679). The above uncertainty as to the role played in the processing of data obtained from the land and building register in the GEOPORTAL2 portal, which could be removed in the course of the inspection, proves the legitimacy of carrying out the inspection at the Chief National Surveyor in the full scope - specified in the personal authorizations for inspecting - to the extent. Similarly, with regard to the provisions of Art. 31 of Regulation 2016/679, the obligation to cooperate with the supervisory authority, it is addressed not only to the controller, but also to the processor.
that it is in the Head Office of Geodesy and Cartography as an organizational unit with which the Chief Surveyor of the country carries out his tasks, personal data and sources of information, premises, equipment and means for the processing of personal data, access to which was necessary for the President of the Personal Data Protection Office in order to collect evidence regarding. The analysis of the entire content of the documents relating to the inspection (in particular those preparing the inspection - the inspection notice of [...] March 2020 and the personal authorizations of the inspectors of [...] March 2020) shows unequivocally that the purpose of the inspection was related to the implementation of the statutory main task Country Surveyors, which is the creation and maintenance of the GEOPORTAL2 portal. This is evidenced by such phrases as: "the scope of the inspection will cover disclosure by the Chief Surveyor of the Country ...", "I am asking for the preparation of documentation regarding the processing of personal data by the Chief National Surveyor." (both from the notification of inspection), "the inspection will cover the disclosure by the Chief Surveyor of the Country ...", "whether the Chief Surveyor of the Country has implemented appropriate technical and organizational measures ...", "whether the Chief Surveyor of the Country has appointed a data protection officer ..." (the last three of the personal authorizations controlling). As the representative of the Chief National Surveyor himself pointed out in a letter of [...] May 2020, the task of creating and maintaining the GEOPORTAL2 portal was formulated in the provisions of Art. 5 of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended) and Art. 13 sec. 1 of the Act of March 4, 2010 on spatial information infrastructure (Journal of Laws of 2020, item 177, as amended). The latter provision states that the Chief National Surveyor creates and maintains a geo-portal of the spatial information infrastructure as a central access point to spatial data sets and services; however, it does not provide for any participation in this task for the Head Office of Geodesy and Cartography. The above provision specifying the competences and responsibilities in the field of the GEOPORTAL2 portal operation, in conjunction with the subject and scope of control indicated by the President of the Personal Data Protection Office, should not leave (especially to the central authority competent in matters of geodesy and cartography) any doubts as to the determination of the entity subject to control. It should also be emphasized that the Chief National Surveyor, both at the start of the inspection and during the inspection, did not raise any objections as to the indication of the inspected entity, although he had such a possibility (by submitting a declaration of disagreement to the inspection on personal authorizations of the inspectors, submitting such objections to the report of the hearing as a witness or in the form of an objection to the inspection report). In the opinion of the President of the Personal Data Protection Office, the objection to the indication of the controlled entity was formulated by the Chief Surveyor of the Country post factum - solely for the purpose of justifying his infringement of the provisions on the protection of personal data.
Summarizing the above considerations, it should be stated that presented by the Chief Surveyor of the Country during the inspection, and developed by his attorney in the position presented to the President of the Personal Data Protection Office in a letter of [...] May 2020, the justification for refusing to consent to the inspection of personal data processing by him, it does not deserve approval at any point. The President of the Personal Data Protection Office had the right and justification to carry out an inspection at the Chief National Surveyor. The scope of this control fell within the objectives set out in Art. 57 sec. 1 lit. a) Regulation 2016/679 ("monitoring and enforcement of the application of the regulation") and in art. 78 sec. 1 uodo ("control of compliance with the provisions on the protection of personal data"). The operation of the Chief Surveyor of the country as the inspected person, consisting in refusing to consent to the inspection in the scope specified in points 1-5 of personal authorizations of the inspected persons, made it impossible to fully perform inspection activities in this area (in particular, inspection of IT and teleinformation systems in which the Chief Surveyor The country has personal data, collecting the explanations of the Chief National Surveyor in this regard, receiving explanations and testimonies from employees of the Chief Surveyor of the Country, obtaining access to documents constituting the basis for obtaining personal data processed on the GEOPORTAL2 portal - e.g. contracts linking the Chief Surveyor of the Country with the starosts). Refusal of the Chief National Surveyor to carry out an inspection in the scope specified in points 1-5 of personal authorizations for the inspected, denoting a declaration of the lack of any cooperation with the inspectors in this scope, caused the inspectors to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. caused the controllers to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. caused the controllers to withdraw from activities in this regard. The Supreme Administrative Court in the above-mentioned judgment of March 3, 2016 in case no. II OSK 1667/14 rightly pointed out that: “one should agree with the position that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief Surveyor of the Country in the field of control, which he himself arbitrarily considered groundless. that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief National Surveyor in the field of control, which he himself arbitrarily considered to be groundless. that in order for the control to achieve its goal, it requires at least a minimum degree of cooperation on the part of the controlled entity. At the same time, the cooperation should concern the full scope of powers vested in the authorities. " In the present case, there was no cooperation whatsoever on the part of the Chief National Surveyor in the field of control, which he himself arbitrarily considered to be groundless.
Referring the above findings to the obligations imposed by the provisions of Regulation 2016/679 on the administrator and processor, and regarding their relationship to the supervisory body, it should be stated that the Chief National Surveyor, during the control procedure with reference number [...], by his actions he violated:
art. 58 sec. 1 lit. e) Regulation 2016/679, imposing an obligation on him to provide the President of the Personal Data Protection Office with access to all personal data and all information necessary for the supervisory body to perform its tasks,
art. 58 sec. 1 lit. f) Regulation 2016/679, imposing an obligation on him to provide the President with access to all premises of the controller and the processor, including equipment and means for data processing, in accordance with the procedures set out in EU law or in the law of a Member State,
art. 31 of Regulation 2016/679, imposing on him the obligation to cooperate with the President of the Personal Data Protection Office, at his request, as part of his tasks.
In connection with the above violations of the provisions of Regulation 2016/679, the President of the Personal Data Protection Office states that in the present case there are grounds justifying the imposition of the Chief Surveyor of the Country - pursuant to Art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. e) in fine of Regulation 2016/679 - an administrative fine in connection with the failure by the Chief Surveyor of the Country to provide access to premises, equipment and means for the processing of personal data as well as access to personal data and information necessary for the President of the Personal Data Protection Office to perform his tasks, as well as lack of cooperation with the President of the Personal Data Protection Office during this inspection.
Pursuant to art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case, it refers to a number of circumstances listed in points a) to k) of the above-mentioned provision. When deciding to impose an administrative fine on the Chief Surveyor of the country and determining its amount, the President of the Personal Data Protection Office (UODO) took into account the following circumstances aggravating the assessment of the infringement:
Nature, gravity and duration of the infringement (Article 83 (2) (a) of Regulation 2016/679).
The breach subject to administrative pecuniary penalty in the present case undermines the system aimed at protecting one of the fundamental rights of a natural person, which is the right to the protection of his personal data, or more broadly, to the protection of his privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are supervisory authorities with tasks related to the protection and enforcement of the rights of natural persons in this respect. In order to enable the performance of these tasks, supervisory authorities have been equipped with a number of control powers, powers to conduct administrative proceedings and remedial powers. On the other hand, controllers and processors have been imposed specific obligations, correlated with the powers of supervisory authorities, including the obligation to cooperate with supervisory authorities and the obligation to provide these authorities with access to personal data and other information necessary for the performance of their tasks, as well as access to premises, equipment and means used to process personal data. Activities of the Chief National Surveyor during the control with reference number [...], in order to prevent its implementation in the scope indicated in points 1-5 and in point 6 (with regard to technical measures implemented to ensure an adequate level of security) personal authorizations to inspect, and resulting in the lack of access to evidence indicating the legality and the lawfulness of the processing by the Chief Surveyor of the Country of personal data from the land and building register, therefore should be considered as harmful to the entire personal data protection system and therefore of great importance and reprehensible character. The gravity of the violation is additionally increased by the fact that the violation by the Chief National Surveyor, although a one-off (it took place on [...] March 2020), caused effects that have lasted until now. The lack of cooperation of the Chief Surveyor of the Country, expressed in the refusal to recognize the right of the President of the Personal Data Protection Office to control compliance with the provisions of the processing of personal data from the land and building records on the GEOPRTAL2 portal, is up-to-date, which is confirmed by the position of the Chief Surveyor of the Country expressed in the letter of his representative with on [...] May 2020. As aggravating, it should also be pointed out that the violation of the rights of the public authority, which is the President of the Personal Data Protection Office, was committed by another public authority - the Chief Surveyor of the Country. From a public authority,
Intentional nature of the breach (Article 83 (2) (b) of Regulation 2016/679).
In the opinion of the President of the Personal Data Protection Office, the Chief National Surveyor has an intentional lack of will to cooperate in providing the authority with all information (evidence) necessary to determine whether the data processing processes subject to control have a legal basis and are processed in accordance with the law. Lack of consent of the Chief Surveyor of the country to carry out the inspection and his declaration of non-cooperation in this regard were expressed in an unambiguous and firm manner. The argumentation presented to justify this position of the Chief National Surveyor is, as it was shown above, completely unfounded and - in the opinion of the President of the Personal Data Protection Office - to a large extent was created post factum in order to justify the unwillingness to submit to a justified and lawful examination by an independent control body. . Considering
Lack of cooperation with the supervisory authority to remove the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).
In the course of this proceeding concerning the imposition of an administrative fine, the Chief Surveyor of the Country maintained his refusal to carry out the inspection in the questioned scope (based on the position that the President of the Personal Data Protection Office refused the right to examine the processing of personal data from the land and building register on the GEOPORTAL portal2). He also did not express any willingness to cooperate with the President of the Personal Data Protection Office in order to remove the infringement, which could include, in particular, providing full and exhaustive explanations to the extent to which the inspection was frustrated.
The remaining conditions for the assessment of an administrative fine specified in Art. 83 sec. 2 of Regulation 2016/679 did not affect (aggravating or mitigating) the assessment of the infringement made by the President of the Personal Data Protection Office (including: any relevant prior infringements by the controller or processor, the manner in which the supervisory authority learned about the infringement, compliance with the previously applied the measures itself, the use of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (relating to the controller's or processor's relationship with the supervisory authority, and not the controller's or processor's relationship with the data subject), they could not be taken into account in the present case (including:
Pursuant to the wording of Art. 83 sec. 1 of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Chief National Surveyor in this proceeding meets these criteria. It will discipline the Chief National Surveyor to properly cooperate with the President of the Personal Data Protection Office in proceedings conducted in the future by the President of the Personal Data Protection Office with his participation. The penalty imposed by this decision, up to the maximum specified in Art. 102 paragraph. 1 UODO, the amount is - in the opinion of the President of the Personal Data Protection Office - justified and proportional to the seriousness of the infringement found. This penalty will also have a deterrent function;
In this case, the provisions of Art. 102 paragraph. 1 and 3 of the PDPA, according to which the amount of the administrative fine imposed - on the basis and under the conditions specified in art. 83 of Regulation 2016/679 - per unit of the public finance sector within the meaning of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869, as amended), is limited to the amount of PLN 100,000.
Considering the above, the President of UODO ruled as in the conclusion of this decision.
The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw). A proportionate fee should be filed against the complaint, pursuant to Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Art. 74 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.
Pursuant to Art. 105 paragraph. 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from the date the ruling of the administrative court becomes legally binding, to the bank account of the Personal Data Protection Office at NBP O / O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 paragraph. 2 of the above-mentioned Act, the President of the Personal Data Protection Office may, at a justified request of the punished entity, postpone the payment of the administrative fine or divide it into installments. In the event of postponing the payment of the administrative fine or dividing it into installments, the President of UODO shall charge interest on the unpaid amount annually, using a reduced rate of interest for late payment, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submitting the application.
