UODO (Poland) - DKN.5112.13.2020

From GDPRhub
(Redirected from UODO - DKN.5112.13.2020)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
UODO - DKN.5112.13.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 57(1)(h) GDPR
Article 57(1)(a) GDPR
Article 58(1)(b) GDPR
Article 58(1)(e) GDPR
Article 58(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.08.2020
Published: 31.08.2020
Fine: 100000 PLN
Parties: Głównemu Geodecie Kraju
National Case Number/Name: DKN.5112.13.2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
English
Original Source: PREZES URZĘDU OCHRONY DANYCH OSOBOWYCH (in PL)
PREZES URZĘDU OCHRONY DANYCH OSOBOWYCH (in EN)
Initial Contributor: n/a

The President of the Polish DPA (UODO) fined the Surveyor General of Poland (GGK) with PLN 100000 for making land register numbers intentionally available on the GEOPORTAL2 without a legal basis.

English Summary

Facts

The GGK published personal data in the form of information obtained from land and property registers (including land register numbers) from 90 poviat starosties only on the basis of agreements concluded with them.

Dispute

Was the publishing of the land register numbers by the GGK on the GEOPORTAL2 (geoportal.gov.pl) lawful, in accordance with Articles 5(1)(a) and 6(1) GDPR?

Holding

The DPA held that the agreements between the GGK and the poviat starosties concerned the creation and maintenance of common elements of the technical infrastructure intended to store and make available certain data filing systems, but did not constitute a legal basis for making available the data, including the land register numbers. Such a basis would need to result from commonly binding legal provisions.

Since the GGK could not provide a valid legal basis for its processing of personal data, the UODO held that the publishing on the GEOPORTAL2 was not in line with the principle of lawfulness in Article 5(1)(a) GDPR, as none of the conditions of Article 6 GDPR were satisfied. The data disclosed in the land register of natural persons includes, among others, names, surnames, parents’ names, PESEL number (personal identification number), and property address. The DPA therefore held that a large number of data subjects may be exposed to identity theft in such a situation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT
OF THE PERSONAL
DATA PROTECTION OFFICE
Warsaw, August 24, 2020
DECISION
DKN.5112.13.2020
                                                                                                                                                                                     August 24, 2020

 

DKN.5112.13.2020

DECISION

Based on Article. 104 § 1 and art. 105 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended), art. 7 sec. 1, art. 60, art. 102 paragraph. 1 point 1 and sec. 3 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) and art. 57 sec. 1 lit. a, art. 58 sec. 2 lit. d and lit. and in connection with with art. 5 sec. 1 lit. a, art. 6 sec. 1, as well as art. 83 sec. 1 - 3 and art. 83 sec. 5 lit. a Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation ) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended),

I. Noting a breach by the Chief Surveyor of the Country, the provisions of: 5 sec. 1 lit. a Regulation of the European Parliament and the EU Council 2016/679 and the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general data protection regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended), hereinafter referred to as "Regulation 2016/679", ie the principles of lawfulness of personal data processing and art. 6 sec. 1 of Regulation 2016/679, by making available on the portal called "GEOPORTAL2" ("geoportal.gov.pl") without legal basis, personal data in the field of land and mortgage register numbersobtained from the land and building register (kept by starosts),

orders the Chief National Surveyor to adjust the processing of personal data to the provisions of Regulation 2016/679 , within 14 days from the date of delivery of this decision, by: ceasing to provide personal data on the portal called "GEOPORTAL2" ("geoportal.gov.pl") in the scope land and mortgage register numbers obtained from the land and building register (kept by starosts).

II. A violation of the provisions of Art. 5  sec. 1 lit. a and art. 6 sec. 1 Regulation 2016 / 679 imposes on the Surveyor General Land administrative penalty in the amount of PLN 100 000 (one hundred thousand).

III. In the remaining scope, the proceedings are discontinued.

 

SUBSTANTIATION

 

On [...] March 2020, pursuant to Art. 78 sec. 1, art. 79 sec. 1 point 1 and art. 84 sec. 1 points 1-4 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the "Act", in connection with with art. 57 sec. 1 lit. a and lit. h, art. 58 sec. 1 lit. b, lit. e and lit. f of the Regulation 2016/679, in order to control the compliance of the processing of personal data with the provisions on the protection of personal data, control activities were carried out at the Chief Surveyor of the Country (place of control - the Head Office of Geodesy and Cartography with its seat in Warsaw at ul. Wspólna 2).

According to the scope indicated in the personal authorizations, the planned inspection was aimed at examining the process of making available by the Chief Surveyor of the Country via the GEOPORTAL2 internet portal (geoportal.gov.pl), personal data from the land and building records. The Chief Surveyor of the Country, however, frustrated the control activities in the planned scope .He refused to submit any statements regarding the legality of publishing information on the land and mortgage register numbers on GEOPORTAL2 (geoportal.gov.pl), and did not allow the inspectors to examine the IT systems used in the process of publishing data on GEOPORTAL2. Due to the circumstances, the President of the Personal Data Protection Office, in a decision of [...] July 2020 (reference number [...]), imposed an administrative fine on the Chief Surveyor of the country in connection with the violation of Art. 31 and art. 58 sec. 1 lit. e and lit. f of the Regulation 2016/679.

Ultimately, in the course of the inspection, only documentation was obtained specifying the organizational measures used by the Chief Surveyor of the country to ensure data security and evidence confirming the appointment of a data protection officer.

The facts established during the inspection (carried out to a limited extent) were described in the inspection report, which was signed [...] in March 2020 by the Chief Surveyor of the country without any reservations.

In this case, it is important that the President of the Personal Data Protection Office on [...] February 2020 carried out control activities (reference number [...]) in the Poviat Starosty in J. The scope of the control covered the issue of making available by the Starost J. through the website called "GEOPORTAL2" (geoportal.gov.pl) personal data from the land and building register. In the course of the above-mentioned inspection, it was found that Starosta J. does not publish on the above-mentioned portal of personal data from the land and building records, but the data from the records (including land and mortgage register numbers) on the basis of the concluded agreement is provided to the Chief Surveyor of the Country, who makes the information obtained in this way available on the GEOPORTAL2 portal. Because of the above,

During the inspection, the Chief Surveyor of the Country testified that " in the case of 90 poviat starosties, which do not yet have their own technical infrastructure, the Chief Surveyor of the Country on the basis of concluded agreements (concluded pursuant to Article 5 of the Geodetic and Cartographic Law), after receiving relevant geodetic data from of these starosties publishes the data on the GEOPORTAL2 website ”- the witness interview protocol is attached as Appendix 1 to the inspection protocol with reference number DKN.5112.13.2020.

In connection with the above, it should be stated that the Chief National Surveyor publishes on GEOPORTAL2 (geoportal.gov.pl) information obtained from the land and building register (including land and mortgage register numbers) kept by Starost J. and other poviat starosts who do not have the technical infrastructure to publish this information on GEOPORTAL2.

On the basis of the evidence collected in the case, it was found that in the processing of personal data, the Chief Surveyor of the Country violated the provisions on the protection of personal data. These violations consisted of:

1) making available on the GEOPORTAL2 website (geoportal.gov.pl) without legal basis data obtained from the land and building register (kept by starosts) regarding land and mortgage register numbers (violation of Article 5 paragraph 1 letter a and Article 6 paragraph 1 of Regulation 2016/679);

2) failure to indicate in the register of data processing activities, for activities with the names: "Registration of Geoportal website forum users", "Registration of project repository users", "Registration of Geoportal training participants" related to the Geoportal, information on the planned dates of data deletion (violation Article 30 (1) (f) of Regulation 2016/679);

3) failure to indicate in the register of personal data processing activities for activities with the names: "Registration of users of the Geoportal system and GUGiK domain systems", "Registration of Geoportal website forum users", "Registration of project repository users" and "Registration of Geoportal training participants" of the required security measures for a given processing activity (violation of Article 30 (1) (g) of Regulation 2016/679).

In connection with the above, by a letter of [...] March 2020 (ref .: DKN.5112.13.2020), the President of the Office for Personal Data Protection initiated ex officio administrative proceedings regarding the identified deficiencies in order to clarify the circumstances of the case.

In addition, by the decision of [...] April 2020 (ref .: DKN.5112.13.2020) the President of the Office for Personal Data Protection obliged the Chief Surveyor of the Country to limit the processing of personal data in the field of land and mortgage register numbers, ordering to cease publishing them on the website GEOPORTAL2 (geoportal.gov.pl) until an administrative decision concluding the proceedings in this case is issued. On [...] April 2020, the Office for Personal Data Protection received a letter (ref .: [...]), in which the Chief Surveyor of the Country demanded, inter alia, suspending the execution of the decision with an indication that the issued decision poses a threat to the stability of the state's spatial information systems, but did not justify this request in any way, focusing only on the lack of justification for issuing the decision.

On [...] April 2020, the Office for Personal Data Protection received a complaint from the Chief National Surveyor, represented by the attorney SK and attorney PT (power of attorney in the case files), addressed to the Provincial Administrative Court in Warsaw, against the decision of the President of the Office for Personal Data Protection from on [...] April 2020 (ref. no .: DKN.5112.13.2020).

          In response to the notification of the initiation of administrative proceedings, the Representative of the Chief Surveyor of the Country, in a letter of [...] May 2020, submitted explanations in which he indicated, inter alia, that the initiation and conduct of the proceedings by the President of the Office for Personal Data Protection in this case is pointless and therefore these proceedings should be discontinued in full. Justifying his position on the case, the Representative of the Chief Surveyor of the Country indicated that:

1. No obligatory prior control procedure has been carried out against the Chief Surveyor, which constitutes a gross violation of Art. 90 of the Act on the Protection of Personal Data, because the control of the President of the Office for Personal Data Protection was carried out at the Head Office of Geodesy and Cartography, and not at the Chief National Surveyor, which, from the point of view of the provisions of Regulation 2016/679, is a separate data administrator.

2. The President of the Personal Data Protection Office groundlessly decided that the data from the land and building register, including in particular the land and mortgage register numbers processed on the website www.geoportal.gov.pl, constitute personal data, and thus that the President of the Personal Data Protection Office is authorized to undertake activities regarding their processing.

3. The President of the Personal Data Protection Office groundlessly considered that the administrator of the data from the land and building register published on the website www.geoportal.gov.pl is the Chief National Surveyor.

4. The inspection preceding the initiation of the procedure concerned the disclosure of data from the land and building register, including, in particular, land and mortgage register numbers. However, the allegation of violation of Art. 30 sec. 1 lit. f and lit. g of Regulation 2016/679 applies to processing activities in which these data are not used at all. Therefore, the President of the Personal Data Protection Office could not carry out any checks on these processes. Therefore, the initiation of proceedings in this respect is groundless, as it was not preceded by a mandatory inspection.

5. The President of the Office for Personal Data Protection has groundlessly considered that in the register of personal data processing activities kept by the Chief Surveyor of the Country pursuant to Art. 30 of Regulation 2016/679, the planned dates for the removal of data from the land and building records published on the website www.geoportal.gov.pl should be specified and a general description of technical and organizational security measures for the processing of this data should be provided. Regardless of that, in the opinion of the GGK Representative, a violation of Art. 30 sec. 1 lit. f and lit. g of Regulation 2016/679 to the extent indicated by the President of the Personal Data Protection Office, it did not take place because the register in question was kept in accordance with the legal requirements.

6. The Chief Surveyor of the Country considers that he is not the addressee of the obligations under Art. 5 sec. 1 lit. a, art. 6 sec. 1 and art. 30 sec. 1 lit. f and lit. g of the Regulation 2016/679, in relation to data from the land and building records (in particular, land and mortgage register numbers) published on the website www.geoportal.gov.pl and therefore cannot infringe the above-mentioned regulations.

7. Pursuant to Art. 15zzs paragraph. 9 of the Act of March 2, 2020 on special solutions related to the prevention, counteracting and combating COVID-19, other infectious diseases and emergencies caused by them, the authority, during an epidemic threat or state of an epidemic announced due to COVID, may issue a decision entirely taking into account page request. Therefore, despite the suspension of procedural time limits in administrative proceedings pursuant to Art. 15zzs paragraph. 1 point 6 above of the Act, the Plenipotentiary of the Chief Surveyor of the Country applied for the entire procedure to be discontinued by the President of the Personal Data Protection Office without the need to continue the administrative procedure.

To the above The following documents were attached in the reply to the notice of initiation of the procedure: an extract from the inspection documentation, a copy of the Agreement No. [...] of [...] February 2018 with Annex No. [...] of [...] May 2019 and an annex No. [...] of [...] March 2020

In addition, it should be noted that in point 5 of the letter of [...] May 2020, the Plenipotentiary of the Chief Surveyor of the Country explained that " on the day of the inspection, it was not possible to specify the planned dates of data deletion, because an analysis was ongoing in this regard (after the completion of analysis process, which took place after receiving the  inspection report, the dates were indicated in the register). Due to the fact that the submitted explanations did not constitute grounds for concluding that the Chief National Surveyor did not violate Art. 30 sec. 1 lit. f of the regulation, in a letter of [...] June 2020, the President of the Office for Personal Data Protection requested the Chief Plenipotentiary of the National Surveyor to send evidence confirming the inclusion of information on the planned dates of data deletion in the register of data processing activities.

In a letter of [...] July 2020, the Representative of the Chief Surveyor of the Country provided explanations in which he indicated that:

- in the register of personal data processing activities for activities with the names: "Registration of project repository users", "Registration of Geoportal training participants", which are related to the Geoportal, currently there is information about the planned dates of deletion of data referred to in art. 30 sec. 1 lit. f of the Regulation 2016/679,

- in the register of personal data processing activities for activities named: "Registration of users of the Geoportal system and GUGiK domain systems", "Registration of users of the project repository" and "Registration of Geoportal training participants" there is already a description of the technical and organizational security measures referred to in art. 32 sec. 1 of Regulation 2016/679,

- Currently, the Chief Surveyor of the Country does not perform the activities called "Registration of users of the Geoportal website forum" and therefore does not process personal data as part of this activity. The above activity was deleted from the register of data processing activities.

In addition, to the letter of [...] July 2020, the Plenipotentiary of the Chief Surveyor of the Country attached a printout of the register of processing activities along with an electronic medium containing an electronic record of this register.

After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection considered the following:

The President of the Office for Personal Data Protection is the authority competent for the protection of personal data (Article 34 of the Act) and the supervisory authority within the meaning of Regulation 2016/679 (Article 34 (2) of the Act).

I. Referring to the position of the Chief National Surveyor in response to the initiation of the procedure, which shows that the President of the Office for Personal Data Protection violated Art. 90 of the Act, because the control was carried out at the Head Office of Geodesy and Cartography, and not at the Chief Surveyor of the country, which is a separate administrator of personal data, it should be indicated that in accordance with art. 81 sec. 2 point 5 of the Act, the personal authorization to carry out the inspection contains the designation of the inspected entity. Moreover, it should be noted that according to Art. 90 of the Act, if, on the basis of information collected in the control proceedings, the President of the Personal Data Protection Office deems that there may have been a breach of the provisions on the protection of personal data, he is obliged to immediately initiate proceedings.

It is undisputed that in the content of personal authorizations to carry out the inspection, as well as in the inspection report, the Chief National Surveyor was indicated as the controlled entity. First of all, when assessing the personal authorizations to carry out the inspection, it should be noted that the part defining the scope of the inspection clearly shows that the inspection concerned the provision of personal data from the land and building register by the Chief Surveyor of the country via the GEOPORTAL2 internet portal. It should be mentioned here that the provisions of the Act on the Protection of Personal Data do not specify or contain a delegation for the minister competent for internal affairs (or any other) to determine the template of a personal authorization to carry out an inspection, in which the place for marking the controlled entity would be precisely indicated. As a result, the indication of the controlled entity in the personal authorization is in the most appropriate place for this purpose, in the opinion of the President of the Personal Data Protection Office. With regard to the personal authorizations issued in connection with the inspection planned at the Chief National Surveyor, it took place in part of the authorization, where the detailed scope of the inspection was indicated along with the indication of the inspected entity, ie the Chief National Surveyor.

In addition, referring to the information contained in the authorizations to carry out the inspection of information about the name and address of the Central Office of Geodesy and Cartography, it should be noted that this information relates only to the indication of the organizational unit with which the Chief National Surveyor performs his tasks, including activities covered by the audit. With art. 6 of the Act of May 17, 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276), it follows that the central government administration body competent in matters of geodesy and cartography is the Chief Surveyor of the Country, who performs his tasks with the help of the Chief Office of Geodesy and Cartography. Therefore, the indication of the Central Office of Geodesy and Cartography was only intended to indicate by the President of the Office for Personal Data Protection the actual place of the inspection.

Moreover, the scope of control included in the personal authorizations relates only to the activities of the Chief National Surveyor, and not to the activities of the General Office of Geodesy and Cartography. Therefore, it is undisputed that the subject under control was the Chief National Surveyor.

It should also be noted that the Chief National Surveyor during the inspection questioned the scope of the inspection, but he had no doubts that he was an inspected entity as a body of geodetic and cartographic services. This is confirmed both by the declarations made by the Chief Surveyor of the Country regarding the refusal to carry out an inspection in the planned scope, as well as by his testimony given in the course of the inspection.

It is also impossible to agree with the position of the GGK's Representative, who believes that it is unacceptable to initiate administrative proceedings by the President of the Personal Data Protection Office in a situation where no inspection has been carried out. Recognition of such a position would, in practice, mean that it would not be possible to initiate proceedings in each case when the controlled entity would frustrate the inspection. This is the actual state of affairs in the present case, as the Chief National Surveyor prevented the full planned scope of the inspection. There is no doubt that the consequence of the deliberate violation of the law by the Chief National Surveyor cannot be an omission on the part of the President of the Personal Data Protection Office.

Regardless of the above, it is also necessary to question the incorrect interpretation of Art. 90 of the Act made by the GGK Representative. It should be pointed out that the mentioned provision does not define the list of entities against which the President of the Office for Personal Data Protection may initiate administrative proceedings, and in particular, it does not restrict this catalog only to controlled entities. This means that the supervisory authority may initiate administrative proceedings against any entity, as long as the information collected during the inspection procedure indicates that there has been a breach of the provisions on the protection of personal data.

In the case at hand, the Chief National Surveyor prevented the possibility of the personal data protection authority from examining such an important matter as the legality of publishing information on land and mortgage register numbers on GEOPORTAL2 (geoportal.gov.pl).

During the inspection, it only provided documentation specifying organizational measures applied to ensure data security and evidence confirming the appointment of a data protection officer. Nevertheless, on the occasion of the refusal to carry out the inspection, the Chief Surveyor of the Country gave testimony that " in the case of 90 poviat starosties, which do not yet have their own technical infrastructure, the Chief Surveyor of the Country, on the basis of concluded agreements (concluded pursuant to Article 5 of the Surveying Law and cartographic), after receiving relevant geodetic data from these starosties, publishes these data on the GEOPORTAL2 website". Therefore, in the case in question, despite the fact that the Chief Surveyor of the Country prevented the full scope of the inspection, the President of the Personal Data Protection Office (UODO), on the basis of the evidence collected in this case, undoubtedly found irregularities in the processing of personal data by the Chief National Surveyor in connection with the disclosure of data by him without legal basis. personal details (in terms of land and mortgage register numbers) on the Geoportal2 portal (geoportal.gov.pl). The Chief Surveyor of the Country in the entire procedure did not indicate any legal provision that would constitute the legal basis for his activities in the scope referred to above. Consequently, it should be considered that pursuant to Art.

            It is also impossible to agree with the position of the GGK Representative contained in the response to the initiation of the proceedings, which shows that the President of the Office for Personal Data Protection unjustified that the data from the land and building records, including in particular land and mortgage register numbers processed on the website. geoportal.gov.pl constitute personal data and therefore the President of the Personal Data Protection Office is not authorized to take action with regard to their processing.

It should be pointed out that pursuant to Art. 4 point 1 of Regulation 2016/679, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific physical, physiological, genetic, mental factors, the economic, cultural or social identity of a natural person .

It is indisputable in the present case that the entities affected by the various rights and obligations disclosed in the land and mortgage registers are also natural persons. The scope of data disclosed in the land and mortgage register of natural persons includes, inter alia, names, surnames, parents' names, PESEL number, real estate address. On this basis, it should be stated that the numbers of the land and mortgage registers made public (on the GEOPORTAL2 portal) allow for the identification of persons whose data is included in the land and mortgage register. Due to the above, there is no doubt that having information about the number of the land and mortgage register allows easy and simple access to the personal data of persons disclosed in the land and mortgage register. Obtaining access to personal data contained in the content of the land and mortgage register does not require that persons who have this number have access to a dedicated IT system or have special rights. All you need is a computer connected to the Internet. Moreover, the Chief National Surveyor allowed the users of the website to have direct access to the content of land and mortgage registers, as the numbers of land and mortgage registers placed on Geoportal2 (geoportal.gov.pl) are also links redirecting the user to the website of the Ministry of Justice to electronic land and mortgage registers. This functionality of Geoportal2 (geoportal.gov.pl) meant that the user of this portal did not even have to enter the land and mortgage register number to obtain access to the information contained therein, including personal data of the owner of a given property. Consequently, it should be pointed out that the number of the land and mortgage register is information that allows you to indirectly identify a natural person (ie the owner of a given property). Therefore, it should be considered that the land and mortgage register number constitutes personal data within the meaning of Art. 4 sec. 1 of Regulation 2016/679.

The position of the General Representative of the National Surveyor, who in response to the initiation of the procedure, indicated that the President of the Office for Personal Data Protection groundlessly found that the administrator of data from the land and building records published on the website www.geoportal.gov.pl is the Chief National Surveyor.

It should be pointed out that pursuant to Art. 4 point 7 of Regulation 2016/679  "controller" means a natural or legal person, public authority, unit or other entity that alone or jointly with others determines the purposes and means of processing personal data; if the purposes and means of such processing are specified in Union law or the law of a Member State, the controller may also be designated under Union law or the law of a Member State or specific criteria for his appointment may be defined ". It is indisputable in this case that it is the Chief National Surveyor who publishes on Geoportal2 (www.geoportal.gov.pl) the numbers of land and mortgage registers obtained from the land and building records kept by starosts. At this point, it should be noted that the planned inspection was primarily aimed at determining the role of the Chief Surveyor of the Country in the process of publishing the land and mortgage register numbers on Geoportal2. Unfortunately, also in this respect, the Chief National Surveyor prevented the President of the Personal Data Protection Office from finding this issue. Nevertheless, it should be noted that in the  Regulations of the SERVICE www.geopo r tal.gov.pl (available on the website www.geopor t al.gov.pl. )there is information which shows that "The administrator of your personal data is the Chief Surveyor of the Country with its registered office in Warsaw, ul. Wspólna 2, 00-926 Warsaw " .

Referring to the position of the Plenipotentiary of GGK, contained in the response to the initiation of the procedure, from which it follows, inter alia, that the Chief Surveyor of the Country in connection with publishing the numbers of land and mortgage registers on the website www.geoportal.gov.pl does not violate the provisions of Art. 5 sec. 1 lit. a and art. 6 sec. 1 of Regulation 2016/679, as it is not the addressee of these provisions, the following should be indicated:

According to Art. 5 sec. 1 lit. and Regulation 2016/679, personal data must be processed in accordance with the law, fairly and in a transparent manner for the data subject.

According to Art. 6 sec. 1 of Regulation 2016/679, processing is lawful only in cases where - and to the extent that - at least one of the following conditions is met: a) the data subject has consented to the processing of his personal data in one or more more specific goals; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary to fulfill the legal obligation incumbent on the controller; d) processing is necessary to protect the vital interests of the data subject or another natural person;

During the inspection, the Chief Surveyor of the Country testified that " in the case of 90 poviat starosties that do not yet have their own technical infrastructure, the Chief Surveyor of the Country, on the basis of concluded agreements (concluded pursuant to Article 5 of the Geodetic and Cartographic Law), after receiving relevant geodetic data from these starosts publish the data on the GEOPORTAL2 website ”.

In connection with the above, it should be stated that the Chief National Surveyor publishes on GEOPORTAL2 information obtained from the land and building records (including land and mortgage register numbers) kept by poviat starosts who do not have the technical infrastructure enabling the publication of this information on GEOPORTAL2.

It is indisputable in the present case that the functionality of GEOPORTAL2 allows, on the basis of the number of the land and mortgage register provided by the Chief Surveyor of the Country, to see the scope of information contained in a given land and mortgage register by the National Surveyor. According to Art. 36 4 sec. 6 of the Act of 6 July 1982 on land and mortgage registers and mortgage (Journal of Laws 2019, item 2204), anyone who knows the land and mortgage register number can view the land and mortgage register free of charge via the ICT system. Therefore, due to the inclusion of the land and mortgage register number in GEOPORTAL2, anyone can see its contents, even if they did not have the number before.

It should be pointed out that pursuant to Art. 25 sec. 1 of the Act on land and mortgage registers and mortgage, the land and mortgage register contains four sections, of which: 1) the first includes the designation of real estate and entries of rights related to its ownership; 2) the second includes entries on ownership and perpetual usufruct; 3) the third one is intended for entries on limited property rights, except for mortgages, for entries of restrictions on the disposal of real estate or perpetual usufruct, and for entries of other rights and claims, except for claims relating to mortgages; 4) the fourth is intended for mortgage entries.

Therefore, it should be emphasized once again that the entities to whom particular rights and obligations are disclosed in the land and mortgage register are, among others, physical people. The scope of data disclosed in the land and mortgage register of these persons includes, inter alia, names, surnames, parents' names, PESEL number, real estate address. On this basis, it should be stated (as has already been demonstrated in the earlier part of this decision) that the numbers of land and mortgage registers made available to the public (on GEOPORTAL2) allow for indirect identification of natural persons, and thus constitute personal data within the meaning of Art. 4 sec. 1 of Regulation 2016/679. As indicated by the Supreme Administrative Court in the justification of the judgment of September 26, 2018, file ref. act I OSK 11/17,“Receiving information on the marking of the land and mortgage register enables easy and simple access to the content of the entire land and mortgage register, ie all IV sections, including the personal data contained therein. Applying for obtaining data from the land and building register regarding the designation of the land and mortgage register is not intended to obtain "a set of marked numbers and signs", but is aimed at obtaining subjective data about the owner of the property, which can be easily obtained with "a set of marked numbers and characters ", that is, the marking of the land register." Consequently, it should be considered that the disclosure of the land and mortgage register numbers on GEOPORTAL2 (geoportal.gov.pl) violates the protection of the data of the persons concerned.

It should be noted here that pursuant to Art. 36 4 sec. 16 of the act on land and mortgage registers and mortgage, Central Information allows authorities managing real estate cadastre, for real estate from a specific town, commune or poviat, in order to verify the compliance of the data of land and building records with the data contained in the land and mortgage registers, free of charge obtaining, via the ICT system, data contained in the first and second sections of the land and mortgage register, without the right to disclose to third parties.

It should be noted that the GEOPORTAL2 project was developed as part of the establishment of an infrastructure for spatial information in the European Community (INSPIRE). The project of developing such infrastructure is regulated by the provisions of Directive 2007/2 / EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE). The scope of data included in spatial data sets is specified in the annexes to Directive 2007/2 / EC. The indicated scope does not include data on the ownership or legal status of real estate, which are included in the collection.

Pursuant to recital 24 of Directive 2007/2 / EC, the provision of network services (such as data sharing within Geoportal2) should comply with the principles of personal data processing. Additionally, Art. 13 sec. 1 lit. f of the Directive stipulates that Member States may restrict public access to spatial data sets and services if their disclosure would adversely affect the confidentiality of personal data, if the data subject has not consented to the public disclosure of this information, and if data confidentiality is provided for in national or EU regulations.

It is also necessary to refer to Art. 5a sec. 4 of the Geodetic and Cartographic Law, which imposes on the Chief National Surveyor an obligation to apply security measures to prevent abuse or unlawful access or transfer of personal data processed, inter alia, in connection with the management of the state geodetic and cartographic resource as well as the creation and maintenance of an integrated real estate information system.

It should be noted that the content of the agreement No. [...] of [...] November 2018 (concluded by the Chief Surveyor of the country with Starost J.) that the agreement was concluded pursuant to Art. 5 of the Act of 17 May 1989 Geodetic and Cartographic Law in connection with Art. 7 and art. 9 paragraph 1 of the Act of March 4, 2010 on spatial information infrastructure (Journal of Laws of 2018, item 1472). The content of this agreement defines the purpose of the cooperation, ie supplementing and improving the functioning of the elements of the national information system on the area, which is a component of the spatial information infrastructure. The scope of information provided by Starost J. (and then published by the Chief Surveyor of the Country on GEOPORTAL2), in accordance with the above-mentioned agreement, includes, inter alia,

It should be pointed out that pursuant to Art. 11 of the Act on spatial information infrastructure, access to spatial data sets and services is subject to restrictions on the basis of, inter alia, provisions on the protection of personal data.

The protection of personal data is currently regulated in the provisions of Regulation 2016/679. These provisions established the basic principles for the processing of personal data, including the principle of lawfulness as set out in Art. 5 sec. 1 lit. a regulation 2016/679. Principle of compliance with the law,“Also known as the lawfulness of data processing, it means the requirement to comply with the norms established by law. The principle of lawfulness of data processing has a wide substantive scope, it is not only about the provisions of the discussed regulation, but also about the provisions contained in other normative acts. (...) Among the provisions on data processing, a special role is played by the requirements relating to the lawfulness of processing (also referred to as the so-called grounds for admissibility of data processing or grounds for the lawfulness of data processing), specified in the provisions of Art. 6, 9 and 10 of the discussed regulation. These provisions indicate cases where data processing is legally permissible (to put it simply: when personal data can be processed in accordance with the law) "(Fajgielski Paweł, Commentary to Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation), [in:] General Regulation on data protection. Act on the protection of personal data. Comment). Therefore, the Chief Surveyor of the Country, as a public administration body, should have a premise that allows him not only to collect land and mortgage register numbers, but also to make them publicly available under the spatial information infrastructure (GEOPORTAL2). Meanwhile, in the present case, the Chief National Surveyor may not rely on any of the premises listed in Art. 6 sec. 1 of Regulation 2016/679, and in particular to the one referred to in art. 6 sec. 1 lit. c,

As it has been shown above, none of the provisions regulating the issues related to the activities of the Chief National Surveyor allows him to share this type of data under GEOPORTAL2 (geoporatl.gov.pl), and even with Art. 36 4 sec. 16 of the Land and Mortgage Register Act and Art. 5a sec. 4 of the Geodetic and Cartographic Law Act, it is forbidden to make them available to third parties. On this basis, it should also be stated that the condition referred to in Art. 6 sec. 1 lit. e of Regulation 2016/679 cannot be applied. Other conditions for the admissibility of personal data processing listed in art. 6 sec. 1 of Regulation 2016/679, due to their nature, cannot constitute the basis for the processing of personal data in this case.

At the same time, it should be noted that the Chief National Surveyor was aware of the lack of legal provisions that would constitute the legal basis for publishing the land and mortgage register number on Geoportal2 (geoportal.gov.pl). This is clearly evidenced by the fact of concluding agreements with poviat starosts in this regard. These agreements, pursuant to Art. 5 sec. 2 of the Geodetic and Cartographic Law, however, they are to apply to the creation and maintenance of common elements of technical infrastructure intended for the storage and sharing of specific data sets, and not to constitute the legal basis for sharing (publishing) data, including land and mortgage register numbers. Such a basis, as already shown above, must result from generally applicable provisions of law.

Moreover, it should be pointed out that the Chief National Surveyor as a public administration body cannot hide behind the fact that he does not decide what information is disclosed in the land and mortgage register.

It should be noted that the Chief National Surveyor, by placing the land and mortgage register number on Geoportal2 (geoportal.gov.pl) with a link to the website of the Ministry of Justice with the Electronic Land Registry system, was intended to enable geoportal.gov.pl users to quickly and easily gain access to the content of the land and mortgage register, the number of which has been disclosed, including the personal data of the property owner.

Consequently, it should be considered that the provision of land and mortgage register numbers on GEOPORTAL2 (geoportal.gov.pl) without a legal basis results in a breach by the Chief National Surveyor of Art. 5 sec. 1 lit. a and art. 6 sec. 1 of Regulation 2016/679. It should also be pointed out that the legal doctrine represents the position that disclosing personal data from public filing systems, in the absence of an explicit legal basis relating to the sharing operation, is illegal. In order for the processing (including making public) of personal data to be lawful, it is necessary to indicate the legal basis for processing. It is indisputable in the present case that no legal provision authorizes the Chief Surveyor of the Country to publish on GEOPORTAL2 (geoportal.gov.pl) information about land and mortgage register numbers,

            It should also be noted that the Act on land and mortgage registers and mortgage contains regulations that ensure the implementation of the principle of open land and mortgage registers. These are in particular the provisions of Art. 36 4paragraph 5 and 6 of this Act. As it results from these regulations, the Central Information of the Land and Mortgage Registers enables viewing the land and mortgage registers via the teleinformation system, and anyone who knows the land and mortgage register number can view the land and mortgage register free of charge via the ICT system. Thus, the legislator indicated how the openness of land registers is ensured and which entities are responsible for it. None of these provisions, as well as other provisions of the Act on land and mortgage registers and mortgage, do not confer competence in this respect on the Chief Surveyor of the country. Moreover, no provision of generally applicable law implies the task of the Chief National Surveyor to ensure universal availability of land and mortgage registers and the information contained therein. Assigning this task to himself by the Chief Surveyor of the Country is not only a violation of Art. 7, but also art. 47 and 51 sec. 2 of the Polish Constitution, since it leads to a breach of the protection of personal data disclosed in the land and mortgage register. At this point, it is necessary to recall the above-mentioned judgment of the Supreme Administrative Court of September 26, 2018, file ref. act I OSK 11/17, in which the Supreme Administrative Court stated that"Openness of land and building records means that the information contained in the records is not classified information within the meaning of the law, but it does not mean universal access to it." The above statement obviously also applies to the land and mortgage register numbers.

II. Based on Article. 58 sec. 2 lit. and Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other remedial measures provided for in Art. 58 sec. 2 lit. a - h and lit. j of this Regulation, an administrative fine under Art. 83 of the Regulation 2016/679, depending on the circumstances of the specific case. Taking into account the findings of the facts, the President of the Office for Personal Data Protection, using his right specified in the above-mentioned provision of Regulation 2016/679, stated that in the case under consideration there were premises justifying the imposition of an administrative fine on the Chief Surveyor of the Country.

When determining the amount of the fine, the President of the Personal Data Protection Office took into account the following circumstances of the case that had an aggravating effect on the amount of the imposed financial penalty:

1. Gravity and nature of the infringement- The Chief Surveyor of the Country, by his actions in the process of providing access to the GEOPORTAL2 website (geoportal.gov.pl) without a legal basis, of data obtained from the land and building register (kept by starosts) regarding land and mortgage register numbers violates the principle of compliance with the law of data processing referred to art. 5 sec. 1 lit. a regulation 2016/679. The findings made by the President of the Personal Data Protection Office allow for the conclusion that the violation in question concerns a very large number of people. The massive scale of the occurrence of such a phenomenon was confirmed by the Chief National Surveyor himself, who in the justification of the refusal to carry out the inspection indicated that such a situation applies to at least 90 poviat starosties. Undoubtedly, publishing the numbers of land and mortgage registers with a link on the GEOPORTAL2 website (geoportal.gov.pl),

2. Duration of infringements - the findings of the President of the Personal Data Protection Office indicate that the publication of the land and mortgage register numbers on the portal in question is carried out by the Chief National Surveyor at least from 2019.

3. Willfulness of the Infringement- The Chief National Surveyor as a public administration entity should act only on the basis of legal provisions. In the opinion of the President of the Personal Data Protection Office, due to the lack of legal grounds that would authorize the Chief Surveyor of the Country to obtain information from land and building records (including land and mortgage register numbers) kept by starosts for publication on GEOPORTAL2 (geoportal.gov.pl) The Chief Surveyor of the Country decided to conclude agreements with the starosts. Unfortunately, the concluded agreements, in the opinion of the President of the Office for Personal Data Protection, do not constitute a legal basis for such activities carried out by the Chief Surveyor of the Country. It should be emphasized that when deciding to publish on GEOPORTAL2 (geoportal.gov.pl) information about the land and mortgage register numbers, he realized that that, in the opinion of the supervisory authority, the number of the land register is subject to the provisions on the protection of personal data and therefore their processing should be in accordance with these provisions. It is undeniable from the circumstances of the present case that the Chief Surveyor of the Country, despite the fact that he knew about the position of the supervisory body in this case, decided against that position to publish the land and mortgage register numbers on GEOPORTAL2. On this basis, it should be stated that the breach by the Chief Surveyor of the Country of data protection provisions in the above scope is intentional. that he knew about the position of the supervisory body in this case, he decided against this position to publish the land and mortgage register numbers on GEOPORTAL2. On this basis, it should be stated that the breach by the Chief Surveyor of the Country of data protection provisions in the above scope is intentional. that he knew about the position of the supervisory authority in this case, he decided against this position to publish the land and mortgage register numbers on GEOPORTAL2. On this basis, it should be stated that the breach by the Chief Surveyor of the Country of data protection provisions in the above scope is intentional.

4. The high degree of responsibility of the Chief Surveyor of the Country as an entity of public administration, which should undoubtedly uphold the rule of law, and whose activity (in the field of publishing land and mortgage register numbers on GEOPORTAL2) violates applicable law, which results in unauthorized access to personal data of an unlimited number of people, because from access to this source of information about land and mortgage register numbers can be used by any interested Internet user.

In addition, it should be noted that:

1. Undoubtedly, publishing the numbers of land and mortgage registers on GEOPORTAL2 (geoportal.gov.pl) exposes a very large number of people to theft of their identity. The actions of the Chief National Surveyor to prevent the full scope of the inspection did not allow obtaining evidence that would directly prove that the consequence of the breach was damage to data subjects. Nevertheless, there is no doubt that the further publication of information about the number of land and mortgage registers on GEOPORTAL2 poses the risk of exposing a significant number of natural persons to interference in the sphere of their privacy ( measures taken to minimize the damage ).

2. It has not been found that the Chief Surveyor of the Country previously violated the provisions of Regulation 2016/679, which would be significant for the present proceedings.

3. The President of the Office for Personal Data Protection obtained information about making available on the portal called "GEOPORTAL2" ("geoportal.gov.pl") without a legal basis, personal data in the field of land and mortgage register numbers in the course of another inspection, which was carried out at Starost J. ( how the supervisory authority became aware of the breach ).

4. In the same case, the President of the Personal Data Protection Office, pursuant to Art. 70 paragraph. 1 and 2 of the Act on the Protection of Personal Data, issued [...] April 2020, a decision (ref .: DKN.5112.13.2020), which obliged the Chief Surveyor of the country to limit the processing of personal data in terms of land and mortgage register numbers, ordering to cease publishing them on the GEOPORTAL2 internet portal until an administrative decision concluding the proceedings in this case is issued.

When determining the amount of the administrative fine, the President of the Personal Data Protection Office found no grounds to recognize that there were any mitigating circumstances affecting the final penalty.

In the case at hand, the authority did not consider the circumstances referred to in Art. 83 sec. 2 lit. j of the General Data Protection Regulation, due to the fact that the administrator does not apply codes of conduct and approved certification mechanisms.

When deciding whether to impose an administrative fine, as well as determining its amount, the President of the Personal Data Protection Office recognized the serious nature of the breach resulting from the disclosure of personal data without a legal basis to persons other than the data subjects.

Moreover, the President of the Personal Data Protection Office took into account that the assessed body is a public sector entity.

At this point, the content of Art. 102 of the Personal Data Protection Act, which limits the amount (up to PLN 100,000) of the fine that may be imposed on a public sector entity.

The President of the Personal Data Protection Office took into account the seriousness of the infringement when imposing the maximum fine. In the opinion of the President of the Personal Data Protection Office, the administrative fine of PLN 100,000 applied under the established circumstances of this case performs the functions referred to in Art. 83 sec. 1 of the General Data Protection Regulation, i.e. it is effective, proportionate and dissuasive in this individual case.

It should be considered that the penalty will be effective if its imposition leads to the fact that the Chief Surveyor of the Country complies with applicable law and ceases permanently further violations of personal data protection by disclosing land and mortgage register numbers on GEOPORTAL2 (geoportal.gov.pl).

In the opinion of the President of the Personal Data Protection Office, the applied fine is proportional to the infringement found, in particular due to the seriousness of the infringement, the mass nature of the infringement and the duration of the infringement.

The dissuasive nature of a financial penalty is related to preventing future violations and paying more attention to the performance of the administrator's tasks. The penalty is intended to deter both the administrator from repeated violations and other entities. By imposing an administrative fine for violating the provisions on the protection of personal data by this decision, the President of the Personal Data Protection Office took into account both aspects: first - repressive nature, the Chief Surveyor of the Country violated the provisions of the General Data Protection Regulation, The country and other administrators will be effectively discouraged from violating the personal data protection law in the future,

                The purpose of the penalty is to ensure that the Chief Surveyor of the country properly performs the obligations provided for in Art. 5 sec. 1 lit. a and art. 6 sec. 1 of the General Data Protection Regulation, and consequently to conduct data processing processes in accordance with applicable law.

III. At the same time, on the basis of the explanations submitted by the National Surveyor's Chief Plenipotentiary in letters of [...] May 2020 and of [...] July 2020 and the attached other evidence, it should be stated that the remaining shortcomings being the subject of these proceedings were by the Chief Surveyor of the Country deleted.

Currently, the register of personal data processing activities for activities with the names: "Registration of project repository users", "Registration of Geoportal training participants", which are related to the Geoportal, contains information on the planned dates of data deletion referred to in Art. 30 sec. 1 lit. f of the Regulation 2016/679.

In addition, in the register of personal data processing activities for activities named: "Registration of users of the Geoportal system and GUGiK domain systems", "Registration of users of the project repository" and "Registration of Geoportal training participants", a description of the technical and organizational security measures referred to in in art. 32 sec. 1 of Regulation 2016/679.

The explanations of the Chief National Surveyor of the Country included in the letter of [...] July 2020 also show that currently the Chief Surveyor of the Country does not perform activities called "Registration of users of the Geoportal website forum" and therefore does not process personal data
as part of this activity. The above activity was deleted from the register of data processing activities.

Bearing in mind the above, the President of the Office for Personal Data Protection resolved as in the operative part of this decision. 

 

The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw). A proportionate fee should be filed against the complaint, pursuant to Art. 231 in connection with Art. 233 of the Act of August 30, 2002, Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). The party (natural person, legal person, other organizational unit without legal personality) has the right to apply for the right to assistance, which includes exemption from court costs and the appointment of an attorney, legal advisor, tax advisor or patent attorney. The right to assistance may be granted at the request of a party submitted before the initiation of the proceedings or in the course of the proceedings. The application is free of court fees.

According to Art. 105 paragraph. 1 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days from the date of expiry of the deadline for lodging a complaint to the Provincial Administrative Court, or from on the day the ruling of the administrative court becomes legally binding, to the bank account of the Office for Personal Data Protection at NBP O / O Warsaw No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Art. 105 paragraph. 2 above of the Act, the President of the Personal Data Protection Office may, at the justified request of the punished entity, postpone the payment of the administrative fine or divide it into installments. In the event of postponing the payment of the administrative fine or dividing it into installments, the President of the Personal Data Protection Office shall charge interest on the unpaid amount annually, using a reduced rate of interest for late payment, announced pursuant to Art. 56d of the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submitting the application.

According to Art. 74 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the submission of a complaint by a party to the administrative court suspends the execution of the decision on the administrative fine.