UODO (Poland) - DKN.5112.7.2020

From GDPRhub
Revision as of 10:36, 24 August 2020 by ML (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKN...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
UODO - DKN.5112.7.2020
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.06.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: DKN.5112.7.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: Urzędu Ochrony Danych Osobowych - UODO (in PL)
Initial Contributor: n/a

The President of the Personal Data Protection Office (UODO) imposed a penalty of a reprimand for the processing of students’ personal data without legal basis in connection with survey carried out by a school in the school year 2019/2020.

English Summary

Facts

The survey entitled “Diagnosis of student’s home and school situation” examined personal situation of students.

In connection with the survey, the school processed personal data of students, including minors, in particular names and surnames, attended class, indication of legal guardians (parents), family status (single parent, full family), information about death of a legal guardian (parent), separation of legal guardians (parents), their education and professional situation, the number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and information on social benefits.

The processing of students’ personal data included collection, storage and destruction of those data.

the survey was conducted to identify students who require psychological support from the school they attend. The survey was carried out by class teachers in classes 7-8 of elementary school and in high school classes as in blanco paper forms on direct instruction from school principal.

Dispute

It was disputed that the legal acts regulating the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way it was done in the penalised entity, in connection with the conducted survey.

Holding

By conducting a survey among students, the school has violated the principle of lawfulness of data processing, according to which personal data must be processed lawfully, fairly and in a transparent manner for the data subject.

Comment

This summary is based on the English summary of the Polish Data Protection Authority

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

 Warsaw, 30 June 2020.
DECISION
SEE 5112.7.2020

Warsaw, 30 June 2020.

 

Pursuant to Article 104 § l of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256) in connection with Article 7 and Article 60 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and pursuant to Article 58(2)(b) in connection with Article 5(1)(a) and Article 6(1)(c) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulations) (OJ EU L 119, 04.05.2016, p. 1, as amended), after the administrative proceedings on the processing of personal data have been carried out by the General School Complex in D., President of the Office for Personal Data Protection,

 

gives a warning for the violation by the General School Complex in D. of the provisions of Article 5(1)(a) and Article 6(1)(c) of Regulation 2016/679 of the European Parliament and of the Council of the EU 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 2016/679, p. 1). EU L 119 of 04.05.2016, p. 1 as amended), hereinafter referred to as "Regulation 2016/679", consisting of processing without a legal basis of personal data of students in connection with conducting surveys (interviews) on their personal situation among them in the school year 2019/2020, using a survey called "Diagnosing the home and school situation of a student. Student Survey".

 

Justification .

 

Pursuant to Article 78 paragraph 1, Article 79 paragraph 1 point 1 and Article 84 paragraph 1 point 1-4 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as the "Act", in connection with Article 57 paragraph 1 point a and point h, Article 58 paragraph 1 point b and point e of the Regulation 2016/679, in order to control the compliance of data processing with the provisions on the protection of personal data, control activities were carried out in the Complex of General Education Schools in D. (file reference DKN.5112.7.2020).

The scope of control included processing by the General Education School Complex in D. (hereinafter also referred to as "ZSO") of personal data of students in connection with conducting among them in the school year 2019/2020 surveys (interviews) concerning their personal situation, using a questionnaire called "Diagnosing the home and school situation of a student. Student Survey".

During the audit oral explanations were received from the CSO employees. The facts were described in detail in the inspection protocol, which was signed by the CSO Director.

On the basis of the collected evidence it was established that in the process of personal data processing, the CSO, as the administrator, violated the regulations on personal data protection by processing without legal basis the personal data of students in connection with conducting among them in the school year 2019/2020 surveys (interviews) concerning their personal situation, using a questionnaire called "Diagnosing the home and school situation of a student. Student Survey".

In connection with the above, the President of the Office of Personal Data Protection initiated administrative proceedings in the scope of the identified violations, in order to clarify the circumstances of the case (letter from [...] May 2020, mark: [...]).

In response to the notice of initiation of administrative proceedings the CSO Director in a letter of [...] June 2020. (mark: [...]) submitted explanations, in which he indicated, among others, that the circumstance that should be taken into account by the supervisory authority in connection with the control is the fact that as of July [...], 2019 personal changes took place on the position of the CSO Director. Moreover, the CSO Director raised that due to lack of continuity in the management of documentation and procedures in the CSO, including those related to personal data protection, the CSO's internal documents related to personal data protection in this institution were not provided to him and he was not informed about the person performing the duties of data protection inspector and his contact details.

The CSO Director also pointed out that he was "forced" to create rules concerning proper data protection in the CSO from the beginning, without proper support from the CSO's director, who did not contact the CSO management until the incident covered by this control, and thus the CSO Director took actions based on the knowledge and experience of his staff. Moreover, after the school pedagogue passed the questionnaire to the CSO Manager for review, the CSO Manager was to indicate in the interview with the above mentioned pedagogue that the questionnaires must be voluntary and should be anonymous, i.e. the student may or may not fill in the questionnaires, as well as fill in only the part where he considers it appropriate. The headmaster of the CSO admitted in a letter that the school pedagogue at that time did not consult the content of the questionnaire with the CSO's data protection officer, because he performed his duties improperly, i.e. he did not contact the CSO's management during his duties. Moreover, the CSO director indicated that in each class where the questionnaires were distributed to students, recommendations were to be made that the questionnaires were voluntary and may be anonymous. According to the Director of the CSO, despite the instructions given by the majority of tutors, some of the students indicated their names or personal data of their parents or legal representatives in the survey.

To the above mentioned letter addressed to the Office of Personal Data Protection, the Director of the CSO attached the following attachments:

1) Information Security Policy in the CSO of 2019,

2) Order No. [...] of the Director of the Comprehensive School Complex in D. of [...] October 2019,

3) the protocol of destruction of questionnaires of [...] October 2019,

4) register of information security incidents in the CSO,

5) the analysis of the event in terms of the risk of violation of rights and freedoms of individuals (risk analysis) performed by the Data Protection Officer [...] October 2019,

6) e-mail correspondence between the CSO Director and the data protection officer of [...] October 2019,

7) post-control report of the Board of Education in L. of [...] October 2019,

8) information of the Disciplinary Ombudsman for Teachers at the Governor's Office [...] to the Director of the CSO with a request to send documents in connection with the initiation of an investigation,

9) the handover protocol for the Complex of General Education Schools in D. of July [...], 2019,

10) the list of attendance of persons trained in the field of personal data protection by the CSO data protection inspector of [...] October 2019.

After reviewing all the evidence gathered in the case, the President of the Office for the Protection of Personal Data (hereinafter the "President of the Office for the Protection of Personal Data") weighed the following:

Article 5 of the Regulation 2016/679, formulates the rules concerning the processing of personal data, which must be respected by all controllers, i.e. entities which determine the purposes and means of processing personal data on their own or together with others. According to Article 5(1)(a) of Regulation 2016/679, personal data must be processed lawfully, fairly and transparently for the data subject ("lawfulness, fairness and transparency"). Furthermore, pursuant to Article 6(1)(c) of Regulation 2016/679, processing is lawful only if and in so far as the condition that the processing is necessary for compliance with a legal obligation on the controller is met.

In the course of the inspection it was established (the protocol of acceptance of oral explanations is attached as Appendix 1 to the inspection protocol) that in the CSO a survey was conducted among its students using a questionnaire form called "Diagnosing the home and school situation of a student. Student survey". (hereinafter "the survey"). As part of the survey, personal data of CSO students, including data of minors, were processed, especially in the following scope: name and surname, class designation, identification of legal guardians (parents), information about the condition of the family (full, incomplete), as well as information about the death of the legal guardian (parent), separation of legal guardians (parents), their education and professional situation, number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and the fact of receiving or not receiving financial assistance. Students' data were processed in terms of collection, storage and deletion.

It was also established in the course of the inspection (minutes of acceptance of oral explanations are attachments No. 1 and No. 23 to the inspection protocol) that a survey was conducted in order to identify students who require psychological support from the school they attend. It was also established that the survey was conducted solely using blank paper forms, which were distributed to classroom educators: 7 - 8 and high school classes at the request of the Principal of the CSO. It follows from the above that personal data of ZSO's students were processed only with the use of paper questionnaire forms, on which the data were obtained (collected) and then stored and finally destroyed (minutes of oral explanation are attachments no. 1 and no. 23 to the control protocol). All copies of the questionnaire returned to the Director of the CSO were destroyed by the commission [...] October 2019. As it results from the findings of the inspection, personal data included in the questionnaires were not introduced into electronic telecommunication systems, nor were they recorded on electronic data carriers or other information carriers, including in paper form. After collecting the questionnaires, the educators did not make any scans or paper copies of them, nor did they make any other additional documents containing personal data concerning the questionnaires. As of the date of starting the audit the personal data of students obtained in connection with the surveys were no longer processed by the CSO.

As it results from the evidence obtained as a result of the control activities (protocols of acceptance of oral explanations are appendices no. 20, no. 22, no. 23 to the control protocol), the questionnaires were carried out in a way that excludes the possibility of getting acquainted with the data contained therein by unauthorized persons. According to the statements made by the tutors who conducted or were supposed to conduct the questionnaires, they did not get acquainted with the content of the filled in questionnaires, and thus with the personal data included in them (protocols of acceptance of oral explanations are appendices no. 20, no. 22, no. 23 to the control protocol). Some tutors, after receiving the printed questionnaire forms, did not even carry out the survey at all (the protocol of acceptance of oral explanations is an appendix no. 24 to the control protocol), i.e. they did not distribute the above mentioned forms to the students to be filled in. Moreover, as it was explained, the way of storing the questionnaire forms took into account the necessity of securing them against unauthorized access, i.e. after the completed questionnaires were collected by the tutors, they were stored in lockable lockers, to which only the above-mentioned tutors had access.

In connection with the above findings, it should be concluded that the CSO, by conducting a survey among students, violated the principle of processing data in accordance with the law, expressed in Article 5(1)(a) of Regulation 2016/679, according to which personal data must be processed in accordance with the law, fairly and transparent to the data subject. This principle is developed in Article 6(1)(c) of Regulation 2016/679, according to which the processing is lawful only if and to the extent that it is necessary for the controller to fulfil a legal obligation.

Referring to the above mentioned principles, it should be stated that the evidence gathered in the course of the inspection allows to conclude that the processing of personal data of CSO students took place without a legal basis resulting from the provisions of applicable normative acts.

In particular, it should be pointed out that in accordance with § 9 of the CSO Statute and § 1 clause 11 of the Primary School Statute in D. in connection with Article 9 point 3 of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869 as amended), the CSO is a budgetary unit, and thus also a unit of the financial sector identical to a public entity within the meaning of Regulation 2016/679. Therefore, the ATS as a public entity may process personal data within the scope of its tasks imposed by the Acts, only in accordance with Article 5(1)(a) and Article 6(1)(c) of Regulation 2016/679. In turn, in accordance with Article 30a of the Act of 14 December 2016. Educational Law (Journal of Laws of 2019, item 1148 as amended), schools shall process personal data to the extent necessary to carry out the tasks and obligations arising from these provisions.

It should be noted that in the provisions of the Act of 14 December 2016. Educational Law (Journal of Laws of 2019, item 1148, as amended) and other legal acts governing the functioning of educational institutions, do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way that was done in the CSO in connection with the survey. Conducting the survey, which entailed the processing of students' data by the CSO, did not constitute the fulfillment of the obligation or task imposed on this educational institution by the Act, and therefore it should be considered that there was also a violation of Article 6(1)(c) of Regulation 2016/679.

The President of UODO, analyzing all the evidence gathered in the course of the audit, decided that the statements of the Director of the CSO included in the letter of [...] June 2020. (mark: [...]), concerning the key issues in this decision, do not confirm the findings made in this case or are not essential for it and therefore do not bring new circumstances to it. First of all it should be pointed out that the fact of personal changes in the ATS directorate, referred to by the ATS Director, has no meaning for the responsibility of the ATS as a personal data controller in the light of Regulation 2016/679. The data controller, which is the ATS represented by the Director, is obliged to ensure continuity of performance of duties resulting from the provisions of Regulation 2016/79, regardless of personal changes in the above position. Explanations of the Director of the CSO in this respect, including referring, inter alia, to the circumstances of failure to provide him/her with the documentation, may be relevant at most in the sphere of his/her responsibility resulting from the employment relationship between him/her and the local government body being the organizer of the CSO, and not in the sphere of responsibility resulting from the regulations on personal data protection.

Moreover, the Director of CSO's explanation that from the beginning of the implementation of the survey and giving copies of it to CSO teachers, they were instructed about the necessity of conducting the survey anonymously, should be considered questionable. First of all it should be pointed out that the questionnaire form, due to the fact that it included in its content a place to indicate the student's name, suggested filling in the questionnaire by name, which was a violation of the regulation 679/2016. Moreover, the statement of ZSO Director about the obligation of teachers to instruct the students about the anonymity of the questionnaire is in contradiction with his earlier explanations, as well as the explanations of ZSO teachers. As the Principal of ZSO explained during the inspection (the protocol of acceptance of oral explanations is attached as Appendix no. 1 to the main inspection protocol), he noticed during the conversation with the school pedagogue about the questionnaire that by assumption it is not anonymous and ordered the school pedagogue to inform the tutors that completing the questionnaire is optional. He also instructed the tutors to inform the students about the voluntary nature of the questionnaire directly at the time of handing out the survey forms.

It follows from the above that the recommendations regarding the anonymity of the survey were not made to the tutors at the very beginning of the survey, since the voluntary nature of the survey does not in any way imply anonymity, especially because of its content. This state of affairs is confirmed by the explanations of Mrs. M. K., ZSO teacher, classroom teacher [...] (the protocol of acceptance of oral explanations is attached as Appendix No. 20 to the protocol of the main audit), according to which the school teacher did not inform her about any recommendations concerning the method or date of the survey. According to Ms. K.'s explanations, the questionnaires were filled in by name, i.e., the students gave their names and surnames, and she did not inform the students about her voluntariness and anonymity before they filled in the questionnaire. Mrs. M. K. also mentioned that after the students had completed the questionnaires, a pedagogical council took place, during which her teacher friends posed questions to the ZSO Director, Mrs. J. P., regarding the anonymity and voluntariness of completing the questionnaire, as well as the purposefulness of its content. According to Mrs. M. K., the Principal of ZSO informed during the above mentioned council that the questionnaire can be filled in voluntarily and anonymously by students. However, from the response of the Principal of the CSO Mrs. M. K. concluded that there is no general recommendation from the Principal that the survey must be anonymous.

The fact that the classroom tutors were not informed about the need to conduct the questionnaire anonymously is also due to the explanations of Mrs. I. J., ZSO teacher, class tutor of [...] High School (the protocol of acceptance of oral explanations is attached as Appendix No. 21 to the main control protocol). Mrs. I. J. stated that she learned about the questionnaire from her school teacher, Mrs. D. K., who personally brought her printed and unfilled questionnaire forms in September 2019 while Mrs. I. was conducting it. J. of the classroom's teaching hours [...] of the High School. Mrs. D. K. asked Mrs. I. J. to conduct a survey among the students of the [...] class, and informed her that completing the survey was voluntary (optional). Ms. D. K. did not inform Ms. J. about any other recommendations concerning the method or date of the survey.

She also provided explanations of similar content: Mrs. W. M., teacher of the Comprehensive School Complex in D., class teacher of [...] High School (the protocol of accepting oral explanations is enclosed in the protocol of the main control), Mrs. M. D., teacher of the Comprehensive School Complex in D.., the tutor of the class [...] of the High School (the protocol of the oral hearing is attached as appendix no. 23 to the protocol of the main audit) and Mrs. M. C., teacher of the High School Complex in D., tutor of the class [...] of the High School (the protocol of the oral hearing is attached as appendix no. 24 to the protocol of the main audit). In view of the above, the statement of the Headmaster of the CSO that despite the instructions of the majority of tutors, some of the students indicated their names or personal data of their parents or statutory representatives on the survey, as no one directed such instructions to the students for the most part, should be considered unconvincing.

In connection with the above, acting pursuant to Article 58(2)(b) of Regulation 2016/679, pursuant to which each supervisory authority is entitled to issue a warning to the controller or processor in the event of a breach of the provisions of this Regulation by the processing operations, the President of UODO considers it justified to issue a warning to the CSO in the event of a breach of the provisions of Article 6(1)(c) in connection with Article 5(1)(a) of Regulation 2016/679.

Recital 148 of Regulation 2016/679 provides that in order to make enforcement more effective, sanctions, including administrative fines, should be imposed for a breach of the Regulation, in addition to or instead of the appropriate measures imposed by the supervisory authority under this Regulation. If the infringement is minor, the financial penalty may be replaced by a warning. However, due consideration should be given to the nature, gravity and duration of the breach, to whether the breach was not intentional, to actions taken to minimise damage, to the degree of liability or any relevant previous breaches, to the manner in which the supervisory authority learned of the breach, to compliance with measures imposed on the controller or processor, to the application of codes of conduct and any other aggravating or mitigating factors.

Determining the nature of the breach consists in determining which provision of Regulation 2016/679 has been breached and classifying the breach in the appropriate category of breaches, i.e. those indicated in Article 83(4) or 83(5) and (6) of Regulation 2016/679. The assessment of the severity of the breach (e.g. low, medium or significant) is indicated by the nature of the breach, as well as the scope, purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them. The purpose of the processing of personal data involves determining the extent to which the processing meets the two key elements of the 'limited purpose' principle, i.e. the determination of the purpose and its consistent application by the controller or processor. In choosing the corrective measure, the supervisory authority takes into account whether the damage has been or may be suffered due to a breach of Regulation 2016/679, although the supervisory authority itself is not competent to grant specific compensation for the damage suffered. By specifying the duration of the breach, it may be concluded that the breach has been rectified immediately and for how long it lasted, which consequently makes it possible to assess, for example, the appropriateness or effectiveness of the actions of the controller or processor. The Article 29 Working Party, in its guidelines on the application and determination of administrative fines for the purposes of Regulation 2016/679 adopted on October 3, 2017, referring to the intentional or unintentional nature of the infringement, indicated that, in principle, "intentionality" includes both knowledge and intentional action, in relation to the characteristics of the prohibited act, while "unintentionality" means the lack of intent to cause the infringement, despite the failure of the controller or the processor to comply with the duty of care required by law. Intentional infringements are more serious than unintentional ones and, consequently, more often involve the imposition of an administrative fine.

The President of UODO decided that in the established circumstances of this case a warning to the CSO is sufficient. The President of UODO considered that the above mentioned infringement was of unintentional nature as an attenuating circumstance, which supports it. ZSO immediately took a number of corrective actions, such as: destruction of survey forms or failure to conduct it by some teachers, organization of training for ZSO employees in order to raise their awareness of the issue of personal data protection, as well as analysis of the event, which was conducting a survey among students, due to the risk of violation of rights and freedoms of individuals. Moreover, based on the circumstances of the case in question, there are no grounds to consider that the data subjects suffered damage as a result of the event.

The President of UODO also did not receive any other signals that similar behaviors resulting in violation from the CSO took place. Therefore, the event refers to a one-time incident, not a systematic action or omission that would pose a serious threat to the rights of persons whose personal data are processed by the CSO. The above circumstances justify the granting of a reminder to the CSO for the found violation, taking into account the possibility of avoiding similar events in the future.

It should be noted that in case of occurrence of a similar event in the future, each reminder issued by the President of UODO to the CAC will be taken into account when assessing the prerequisites for a possible administrative penalty, in accordance with the principles set out in Article 83 paragraph 2 of Regulation 2016/679.

In this factual and legal situation the President of UODO decided, as in the operative part.

 

The decision is final. A party has the right to lodge a complaint against the decision with the Voivodeship Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for Personal Data Protection (address: 2 Stawki Street, 00 - 193 Warsaw). A fixed entry in the amount of 200 PLN should be made from the complaint, according to art. 231 in connection with art. 233 of the Act of August 30, 2002. Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended). A party (natural person, legal person, other organizational unit without legal personality) has the right to apply for the right of assistance, which includes exemption from court costs and establishment of an advocate, legal adviser, tax advisor or patent attorney. The right of assistance may be granted at the request of a party submitted before or during the proceedings. The application is free of court fees.

 

 

 

 

 

 

 

 

 

They receive:

 

    General School Complex in D.

 

    A/a