WSA Warsaw (Poland) - II SA/Wa 310/20

From GDPRhub
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 28(1) GDPR
Article 28(3) GDPR
Article 28(10) GDPR
Article 29 GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(3) GDPR
Article 83(5) GDPR
Article 101 UODO (Personal Data Protection Act)
Decided: 27.10.2020
Published:
Parties:
National Case Number/Name: II SA/Wa 310/20
European Case Law Identifier:
Appeal from: PUODO
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Provincial Administrative Court in Warsaw upheld the PUODO's decision to impose a fine of PLN 8,000 on a company that administers the common part of a property. The fine was imposed for infringing personal data protection provisions by processing data from the property's video monitoring without an agreement on entrusting data processing, and for failing to implement organisational and technical measures, in connection with the use of that video monitoring, ensuring control over personal data from the monitoring of the Residential Community. The Court held that the fined Company should be treated as a data controller in this case according to Article 28(10) GDPR.

English Summary

Facts

The President of the Office for Personal Data Protection (PUODO) found that L. Sp. z o.o. ("the Company") infringed the provisions of Article 5(1)(a) GDPR, Article 5(1)(f) GDPR in connection with Article 5(2) GDPR, i.e. the principles of lawfulness, data integrity and confidentiality and accountability in connection with Article 28(1) GDPR, Article 28(3) GDPR, Article 28(10) GDPR and Article 29 GDPR, with regard to the processing of data from video surveillance systems used in the Residential Community without legal basis in the form of an agreement on entrustment of processing.

The DPA stated that in the course of the proceedings the indicated shortcomings in the process of personal data processing were eliminated, but nevertheless imposed on the Company an administrative fine in the amount of PLN 8000.00 due to the duration of the violations.

The DPA emphasised that the data processing entrustment agreement of May 2018 concluded by the Housing Community did not entrust the Company with the processing of data, including the determination of the purposes and means of processing, derived from the video surveillance system used at the property, although the Company actually had access to this data within the framework of the proper performance of the contract for the administration of the common part. Pursuant to Article 28(10) GDPR, the Company was therefore deemed to be the controller with regard to this process in the period from May 2018 to September 2019, i.e. until the date of conclusion of Annex No. 1 to the aforementioned contract.

The Company appealed against the decision to the Provincial Administrative Court.

Dispute

Was it legitimate to consider that the Company was the controller of personal data in relation to the processing of video surveillance data?

Holding

The Provincial Administrative Court in Warsaw dismissed the appeal and held that, on the basis of the factual findings, the PUODO had correctly stated that the Company infringed the provisions on the protection of personal data in the processing of data from video monitoring applied at the real estate.

Comment

The Court emphasised that it follows from the established facts that the Company had access to the personal data processed by the video surveillance in connection with the day-to-day administration of the property, and that it decided on the purposes and means of data processing. However, this did not arise from the contract for administration of the common part concluded with the Housing Association, from the contract for entrustment of personal data processing of May 2018, or from the internal procedures concerning the management of the monitoring system.

The Court pointed out that where a processor of personal data breaches the General Data Protection Regulation in determining the purposes and means of processing, it is deemed to be the controller in respect of that processing (Article 28(10) GDPR). Deciding on the purposes and means of processing falls within the sphere of competence of the controller. If a processor unlawfully intervenes in this sphere by encroaching on the controller's reserved scope, Article 28(10) GDPR requires the processor to be considered the controller in respect of this processing. This means that the processor is liable for the breach of the Regulation in this respect in the same way as the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

SENTENCE
The Provincial Administrative Court in Warsaw, in the following composition: Presiding Judge WSA Andrzej Góraj, Judge WSA Danuta Kania (rapporteur), Judge WSA Iwona Maciejuk, having examined at a closed session on 27 October 2020 a case on a complaint by L. Sp. z o.o. with its registered office in [...] against the decision of the President of the Office for Personal Data Protection of [...] November 2018 No. [...] on the processing of personal data, dismisses the complaint.

GROUNDS
The President of the Office for Personal Data Protection (hereinafter: 'the President of the Office for Personal Data Protection', 'the Authority'), by decision of [...] November 2019 No. [...], issued pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2018, item 2096 as amended), hereinafter: 'k.p.a.', Article 7(1), Article 60, Article 101 of the Act of 10 May 2018 on personal data protection (Journal of Laws of 2019, item 1781), hereinafter: 'u.o.d.o.', and Articles 57(1)(a), 58(2)(i) in conjunction with Articles 5(1)(a), 5(1)(f), 5(2), 28(1), (3), (10), Article 29 and Article 83(1)-(3) and (5) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the EU L 119 of 4 May 2016, p. 1 and Official Journal of the EU L 127 of 23 May 2018, p. 2), hereinafter: the "General Data Protection Regulation", found that L. Sp. z o.o. with its registered office in [...] (hereinafter: "L. Sp. z o.o.", "the Company", "the applicant") infringed the provisions of Article 5(1)(a), Article 5(1)(f) in conjunction with Article 5(2) of the General Data Protection Regulation, i.e. the principles of lawfulness, data integrity and confidentiality and accountability, in conjunction with Article 28(1), (3), (10) and Article 29 of the General Data Protection Regulation, with regard to the processing of data from video monitoring used in the Housing Community "[...]" without the legal basis in the form of an agreement on entrustment of processing in the period from [...] May 2018 to [...] September 2019, and imposed on L. Sp. z o.o. with its registered office in [...] an administrative fine in the amount of PLN 8000.00.

In the justification of the aforementioned decision, the President of the Office for Personal Data Protection presented the course of the proceedings so far, indicating as follows:

On [...]-[...] June 2019, the inspectors authorised by the President of the Office for Personal Data Protection, acting pursuant to Article 78(1), Article 79(1) and Article 84(1)(1)-(4) of the APSI in conjunction with Article 57(1)(a) and (h), Article 58(1)(b), (e) and (f) of the General Data Protection Regulation, carried out control activities at L. Spółka z o.o. with its registered office in [...] with regard to the compliance of personal data processing with the provisions of the Act on personal data protection and the General Regulation on data protection.

The scope of the inspection covered processing of personal data in the framework of video monitoring of the real estate located at [...] in [...].

In the course of the inspection, oral testimony as a witness was taken from D. O. - Vice-President of the Management Board of L. Sp. z o.o. and from A. K. - authorised by the Vice-President of the Management Board to provide detailed explanations - Director and administrator of the real estate located at [...]. The video surveillance system located in the building of the Housing Community of [...] was also inspected.

The facts were described in detail in the inspection protocol signed by the Vice-President of the Management Board of L. Sp. z o.o. The inspection file includes evidence from the inspection [...] conducted in the Housing Community [...], which is the administrator of data from video monitoring used in the above-mentioned Community, including the protocol of questioning the witness E. G. - member of the Management Board of the Community.

On the basis of the evidence gathered, the President of the Office for Personal Data Protection found that in the process of data processing within the framework of video monitoring applied in property [...] in [...], L. Sp. z o.o. breached the provisions on personal data protection. These infringements consisted in:

1) the processing of data from video surveillance at the property located at [...] in [...] by L. Sp. z o.o. without a data processing entrustment agreement, in breach of Article 5(1)(a) of the General Data Protection Regulation;

2) failure to implement by L. Sp. z o.o. organisational and technical measures in connection with the use of video monitoring in the real estate located at [...] in [...], ensuring control over personal data provided from the monitoring of the Housing Community of [...], which constitutes an infringement of Article 5(1)(f) of the General Data Protection Regulation.

In view of the above, on [...] September 2019 the President of the Office for Personal Data Protection initiated ex officio administrative proceedings to clarify the circumstances of the present case.

In response to the notice of initiation of administrative proceedings, L. Sp. z o.o., by letter dated [...] September 2019, sent explanations with regard to the deficiencies found and evidence of their elimination, which show that:

1) on [...] September 2019 the Housing Community [...] in [...] signed with L. Sp. z o.o. Annex No. 1 to the agreement on entrustment of personal data processing of [...] May 2018, whereby it follows from § 1(1)(e) of the Annex that the Community entrusted L. Sp. z o.o. with the processing of personal data from video surveillance with regard to image and vehicle registration number,

2) By Annex No. 1, the Community entrusted L. Sp. z o.o. with the control of the compliance of the processing of the data coming from the video monitoring by companies providing security services (§ 1 point 2 letter g) of the Annex) and with the performance of activities related to the processing of the data from the monitoring, as well as with the provision of access to the data in accordance with the principles specified in the Regulations on the Provision of Personal Data and Regulations on Video Monitoring (§ 1 point 2 letter h) of the Annex),

3) by means of Annex No. 1, the Community entrusted L. Sp. z o.o. with the performance of activities at the request of the controller, specified in the Regulations on Personal Data Sharing, with the exception of consent to the disclosure of personal data (§ 1 point 3 subpoint 1 of the Annex), and authorized the performance of activities specified in the Regulations on Video Monitoring, with the exception of activities for which access levels are specified in § 5 paragraph 3 of the said Regulations (§ 1 point 3 subpoint 2 of the Annex)

4) by declaration dated [...] September 2019 the Housing Community [...] in [...] confirmed the activities performed by the property manager on behalf of L. Sp. z o.o. with regard to access to video surveillance in the period from [...] June 2019 to [...] July 2019 as performed at the direction of the data controller, concerning, inter alia, processing access logs to the video surveillance system, entering access codes to the recorders and transferring the codes to the company with which the Community signed a contract on [...] July 2019 to operate the video surveillance system.

By request dated [...] September 2019, L. Sp. z o.o. requested the President of the Office for Personal Data Protection to include in the file of the present proceedings the minutes of testimonies of security personnel from the file of proceedings to which Group C. Sp. z o.o. (mark: [...]) as evidence in the case.

The President of the Office for Personal Data Protection refused to accept the abovementioned request for evidence, indicating that pursuant to Article 78 § 1 of the Code of Administrative Procedure, the administrative body is not obliged to take evidence presented by a party if, in its opinion, the request for evidence concerns circumstances which have been sufficiently clarified in a given proceeding.

To substantiate its decision, the body referred to Article 57(1)(a) and (h), Article 58(2)(d) and (i) as well as Article 28 and Article 29 of the General Data Protection Regulation, pointing out that the Regulation binds the processing of data to compliance with the principles set out in Article 5 of this legal act. The main principle is the principle of accountability (Article 5(2) of the Regulation), which imposes on the controller the burden of proof consisting in the necessity to prove, both to the controller and to the data subject, compliance with all the principles of data processing, i.e. the principles of lawfulness, fairness, transparency, integrity and confidentiality of data (Article 5(1) of the Regulation).

The President of the Office for Personal Data Protection found that in the course of the proceedings the indicated shortcomings in the processing of personal data, being the subject of the proceedings, were remedied, namely:

1) it was ensured that L. Sp. z o.o. processes data originating from video surveillance in accordance with Article 28(3) and (9) of the General Data Protection Regulation by concluding with the Housing Community [...] Annex No. 1 to the agreement on entrustment of personal data processing of [...] May 2018, in which the Community entrusted the Company with the processing of personal data in the scope of images and vehicle registration numbers originating from video surveillance.

2) by Annex No. 1 to the data processing entrustment agreement of [...] May 2018, the access of L. Sp. z o.o. to the data coming from the video surveillance was regulated by authorising the Company to process the data on the basis of technical and organisational measures implemented by the Housing Community, i.e. Regulations on the Provision of Personal Data and Regulations on Video Surveillance.

The Body further indicated that, despite the Company's remedying of the indicated failures, the prerequisites justifying the imposition of a fine for non-compliance of data processing with the provisions of the Regulation on the protection of personal data, i.e. with the principle of lawfulness (Article 5(1)(a)), the principle of data integrity and confidentiality (Article 5(1)(f)), and, consequently, the principle of accountability (Article 5(2) of the General Regulation on data protection) and related to the duration of the indicated infringements occurred.

At the same time, the Authority stressed that, in the absence - in the data processing entrustment agreement of [...] May 2018 concluded by the Community - of entrusting L. Sp. z o.o. with the processing of data, including the determination of the purposes and means of processing of the data from the video surveillance system used at property [...] in [...], to which it actually had access in the framework of the proper performance of the contract for the administration of the common part, pursuant to Article 28(10) of the General Data Protection Regulation, L. Sp. z o.o. was deemed to be the controller in relation to this process for the period from [...] May 2018 to [...] September 2019, i.e. until the date of conclusion of Annex No. 1 to the aforementioned agreement.

It follows from the contract for administration of the common part that the Company is responsible for keeping a register of correspondence concerning the Housing Community, and requests for access to monitoring data were received by the Community at the address for service, i.e. the address of the property manager. In the case of the need to provide access to data from the monitoring system, there was only the customary procedure of operation, in which the role of L. Sp. z o.o. consisted in passing information on the need to provide access to the recording to the coordinator appointed by the entity providing security services. The adopted method of operation did not result from the provisions of contracts or internal procedures adopted by the Housing Association [...]. Moreover, the lack of records of applications for access to recordings from the monitoring of property located in [...] at [...] makes it impossible to settle L. Sp. z o.o. on the handling of such requests in the scope of to whom the request was submitted, who accepted it and how the request was handled.

In the course of the inspection it was also established that in connection with the occurrence of the incident, L. Sp. z o.o. commissioned an external entity to carry out an audit of the monitoring system, including changing passwords to the monitoring system, as a result of which it came into possession of new passwords in order to transfer them to the company dealing with real estate security. These activities were carried out as part of the day-to-day administration of the real estate, however, they did not result from the agreement on the administration of the common part concluded with the Housing Community [...], from the agreement on entrustment of personal data processing of [...] May 2018 or from the internal procedures on the management of the monitoring system.

The Body pointed out that the Company, as the data controller in relation to the processing of the data originating from the video surveillance system, was subject to all obligations concerning the controller under the General Data Protection Regulation referred to in Article 24(1) and (2). On the other hand, the evidence gathered in the case at hand does not show that the applicant, with regard to this process, took measures to comply with all the obligations of the controller imposed by the provisions of the Regulation.

Referring to the objections raised by the Company to the inspection protocol contained in the letter of [...] July 2019, the authority indicated that in the light of Article 88(4) of the u.o.d.o. in connection with the signing of the inspection protocol by the Company, the authority took into account the raised objections as additional explanations in the post-inspection proceedings. It also indicated that the allegation concerning the failure to present the inspection files and appendices to the inspection protocol to the Company along with the inspection protocol is unfounded because the documents collected in the inspection files constitute materials provided to the inspectors in the course of the inspection, while the Company made photocopies of the minutes of hearing witnesses - which are the basis for drawing up the inspection protocol - which was confirmed and recorded in these minutes. In addition, as is evident from the records of the proceedings, the applicant, on [...] and [...] September 2019, exercised its right to examine the material collected.

The President of the Office for Personal Data Protection further indicated that in the situation where the infringement has already been remedied and, consequently, issuing a warrant would be pointless, the supervisory authority, instead of applying remedial measures, may impose an administrative fine, depending on the circumstances of the particular case. In doing so, the authority referred to Article 58(2)(i) and Article 83(2) of the General Data Protection Regulation.

When determining the amount of the administrative fine in the present case, the authority took into account as circumstances against L. Sp. z o.o. and having an aggravating effect on the amount of the imposed penalty:

1) infringement of the principles of personal data processing in connection with the processing of data originating from video monitoring applied in the Housing Community [...] in [...], i.e. the principle of lawfulness, the principle of data integrity and confidentiality and the principle of data accountability;

2) the duration of the breaches found during the inspection related to the processing of data by means of video monitoring;

3) the failure to implement organisational and technical measures to ensure control over personal data provided from the monitoring of the Housing Community [...] in [...].

The authority also took into account the mitigating factors of the penalty, namely:

1) the unintentional nature of the breach of Article 28(3) and (9) of the General Data Protection Regulation by failing to indicate in the data processing entrustment agreement of [...] May 2018 the data from video surveillance,

2) the fact that the corrective measures referred to in Article 58(2) of the aforementioned Regulation were not ordered against the Company,

3) the actions taken by the Company during the proceedings before the supervisory authority to remedy the violations.

Both the fact of imposing and the amount of the administrative fine itself were not influenced by the circumstances that:

1) the Company does not apply approved codes of conduct under Article 40 of the General Data Protection Regulation or approved certification mechanisms under Article 42 of the said Regulation,

2) there is no evidence of any financial benefit or avoided loss to the Company as a result of the breaches identified,

3) no evidence that the data subjects have suffered damage.

When deciding on imposing the administrative fine and determining the amount of the fine, the President of the Office for Personal Data Protection considered as the most important the serious nature of the breach resulting from the infringement of the principle of compliance with the law in connection with the lack of an agreement on entrusting the processing of the data originating from the video monitoring, and thus acting without a legal basis for the data processing. He also took into account the content of Article 83 paragraph 3 and paragraph 5 letter a) of the General Data Protection Regulation in conjunction with Article 103 of the u.o.d.o.

It concluded that the applied administrative fine of PLN 8,000 fulfils, in the established circumstances of the case, the functions referred to in Article 83(1) of the Regulation and is effective, proportionate and dissuasive in this individual case. He acknowledged that the penalty will be effective if its imposition results in the Company fulfilling the obligations of a processor with regard to the scope, purpose and manner of processing indicated in the entrustment agreement. It also indicated that the monetary penalty applied is proportionate to the infringement found, in particular due to the failure of L. Sp. z o.o. to comply with its obligations as a controller in the period from [...] May 2018 to [...] September 2019 under the General Data Protection Regulation. The deterrent nature of the fine is related to the prevention of future violations and to placing greater importance on the implementation of both the tasks of the controller and the tasks of the processor. The penalty has a repressive character (the Company has breached the provisions of the aforementioned Regulation) and a preventive character (both the Company and other entities involved in the processing of personal data will carry out their obligations under the General Data Protection Regulation with more attention and due diligence). The purpose of the penalty imposed is to oblige L. Sp. z o.o. to carry out data processing in accordance with the applicable legal provisions.

By letter dated 2 January 2020, L. Sp. z o.o. in [...], represented by a professional attorney, filed a complaint with the Voivodship Administrative Court in Warsaw against the above decision of the President of the Office for Personal Data Protection of [...] November 2019, alleging:

1) violation of Article 7 of the Code of Administrative Procedure in conjunction with Article 77 of the Code of Administrative Procedure, Article 8 of the Code of Administrative Procedure and Article 84 of the Code of Administrative Procedure by disregarding the applicant's requests for evidence, relevant to the case, contained in the letters of [...] September 2019 and [...] September 2019, including the failure to include in the files of the present case the files from the proceedings to which Grupa C. Sp. z o.o. (mark: [...]), in order to take evidence of the documents in the file of that case for the purposes of:

a) knowledge of the security personnel of Grupa C. Sp. z o.o. of the scope and purpose of the processing of personal data by the controller of such data, including in particular the direct commissioning by the controller of security staff to carry out tasks related to the processing of monitoring data,

b) not ordering by the claimant's representatives to the security staff any operations on personal data from the monitoring processed by the controller,

c) the sole responsibility of the controller to provide organisational and technical measures to ensure the control of personal data provided from video surveillance,

d) the exclusion of the commissioning of operations on personal data from video surveillance by the controller to security staff,

e) the non-access by the applicant's representatives to the tools enabling them to view and perform any operations on the personal data derived from the video surveillance,

2) breach of Article 5(1)(a), Article 5(1)(f), Article 5(2), Article 28(1), (3) and (10), Article 29, Article 83(1), (2), (3) and (5) in conjunction with Article 57(1)(a) and Article 58(2)(i) of the General Data Protection Regulation by reason of the unlawful assumption that the applicant is the controller of the personal data in connection with the processing of video surveillance data, which is subject to the obligation laid down by the abovementioned regulation, in the situation where the controller of the data in question was the Housing Community '[...]' of the property in [...] in [...], which - as the controller - was obliged to implement organisational and technical measures to ensure the adequate processing of the data, including their security, while the entity which actually processed the personal data in connection with the processing of data from video monitoring was Grupa C. Sp. z o.o., who committed the violations in relation to the data processing,

3) infringement of Article 58(2)(i) of the General Data Protection Regulation by reason of the imposition on the applicant in the contested decision of an exorbitant amount of an administrative fine which is out of proportion to the degree of the offence and disproportionate to the penalty imposed by the authority on the Residential Community '[...]' of the property at [...] in [...].

In connection with the above, the applicant requested that:

1) request the President of the Office for Personal Data Protection to attach to the files of the present case the files of the case conducted against Grupa C. Sp. z o.o. (mark: [...]) and with the participation of the Housing Community "[...]" of the property in [...] in [...] in order to take evidence of the following circumstances:

a) knowledge of the security staff of Grupa C. Sp. z o.o. of the scope and purpose of the processing of personal data by the controller of these data, including in particular direct commissioning by the controller of security staff to perform tasks related to the processing of monitoring data,

b) not ordering by the claimant's representatives to the security staff any operations on personal data from the monitoring processed by the controller,

c) the sole responsibility of the controller to provide organisational and technical measures to ensure the control of personal data provided from video surveillance,

d) the exclusion of the commissioning of operations on personal data from video surveillance by the controller to security staff,

e) the unavailability to the applicant's representatives of the tools enabling them to gain access to and carry out any operations on the personal data from the video surveillance system,

f) the imposition in the contested decision of an exorbitant amount of an administrative fine disproportionate to the gravity of the offence and disproportionate to the penalty imposed by the authority on the Residential Community '[...]' of the property at [...] in [...],

2) amend the contested decision by annulling it in its entirety or, in the alternative, reduce the amount of the administrative fine imposed on the applicant,

3) order reimbursement of the costs of the proceedings, including the costs of legal representation,

4) a hearing of the case.

In the grounds for the complaint, the above allegations were developed by quoting extensive excerpts from administrative court decisions concerning the application of the general principles of the Code of Administrative Procedure and the rules for evidence proceedings.

It is submitted, in particular, that in the course of the proceedings which ended with the adoption of the contested decision, it was not established that the applicant carried out any operations in connection with the processing of video surveillance data as a result of coming into possession of new passwords for the video surveillance system. The authority's finding that the applicant is the controller of the video surveillance data and that it carried out the processing thereof is therefore unlawful. In the commissioning of the monitoring audit, the applicant played only a technical and service role, acting as an intermediary between the commissioning party (the Housing Community of the property at [...]) and the contractor in terms of establishing cooperation.

It was also argued that the Company did not meet the requirement of being a controller within the meaning of Article 4(7) of the General Data Protection Regulation. It is not the Company, but the Housing Community of the property at [...], as the controller, that determines the purpose and manner of processing of the data from video monitoring. Moreover, it is the aforementioned Housing Community that processes the data of the owners of premises and contractors of the Community, which is confirmed in Article 6 and Article 18(1) of the Act of 24 June 1994 on the ownership of premises (Journal of Laws of 2019, item 737, as amended).

It was further indicated that the evidence collected by the President of the Office for Harmonization in the Internal Market (OCCP), without being supplemented by the material requested by the Company, did not provide grounds for issuing the appealed decision. The case was not exhaustively and comprehensively explained. The inclusion in the case file of the evidence collected in proceedings ref: [...] and familiarisation with the content of the testimony of the employees of the entity providing monitoring services on the premises of the property at [...] in [...], is of significant importance from the point of view of the formulation of further requests for evidence and assessment of the possible liability of the Company for the incident related to the occurrence of which the proceedings in the present case were initiated.

Irrespective of the above, the complainant pointed out that the President of the UODO imposed a fine in the contested administrative decision in a grossly excessive amount, which is not adequate to the degree of the offence and disproportionate to the penalty imposed by the authority on the aforementioned Housing Association.

In his reply to the complaint, the President of the UODO requested that the complaint be dismissed, maintaining his position as in the contested decision.

By order of the President of the Division dated 15 October 2020, the case under case file No. II SA/Wa 310/20 was removed from the agenda of the public hearing scheduled for 27 October 2020 and referred to a closed hearing on the same date.

The Provincial Administrative Court in Warsaw ruled as follows:

Pursuant to Article 1 § 1 and § 2 of the Act of 25 July 2002 - Law on the system of administrative courts (Journal of Laws of 2019, item 2167), hereinafter: "p.u.s.a.", and Article 3 § 1 of the Act of 30 August 2002 - Law on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325), hereinafter: "p.p.s.a.", administrative courts exercise the administration of justice by controlling the activity of public administration.

Pursuant to Article 134 § 1 of p.p.s.a., the court decides within the limits of a given case without being bound by the charges and motions of the complaint and the legal basis invoked, subject to Article 57a. The court may not rule to the detriment of the appellant, unless it finds a violation of law resulting in the annulment of the appealed act or action (§ 2).

The complaint assessed in the light of the above criteria does not merit consideration.

The object of the Court's review is the decision of the President of the UODO of [...] November 2019 No. [...] finding an infringement by L. Sp. z o.o. with its registered office in [...] of the provisions of Article 5(1)(a) and Article 5(1)(f) in conjunction with Article 5(2) of the General Data Protection Regulation, in conjunction with Article 28(1), (3) and (10) and Article 29 of that regulation, in relation to the processing of data from video surveillance systems used in the Residential Community of [...] without a legal basis in the form of a data entrustment agreement for the period from [...] May 2018 to [...] September 2019, and imposing on L. Sp. z o.o. with its registered seat in Warsaw an administrative fine in the amount of PLN 8000.00.

The legal basis for the contested decision was in particular the provisions of the General Data Protection Regulation, including Article 57(1), according to which, without prejudice to its other tasks under this Regulation, each supervisory authority within its territory shall monitor and enforce the application of this Regulation (point a), conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or another public authority (point h).

The instruments for performing the tasks set out in Article 57 of the aforementioned Regulation are in particular the remedial powers referred to in Article 58(2), including ordering the controller or processor to bring the processing operations in line with this Regulation and, where appropriate, the modalities and timing (point d) and the power to impose, in addition to or in place of the measures referred to in this paragraph, an administrative pecuniary sanction under Article 83, depending on the circumstances of the particular case (point i).

Pursuant to Article 28(1) of the General Data Protection Regulation, where processing is to be carried out on behalf of a controller, the controller shall use only such processors who offer sufficient guarantees to implement appropriate technical and organisational measures that the processing will meet the requirements of this Regulation and protect the rights of data subjects. The processing by a processor shall be based on a contract or other legal instrument which is subject to Union or Member State law and which binds the processor and the controller, specifies the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller (Article 28(3)). However, pursuant to Article 28(9) of the aforementioned Regulation, the agreement referred to in paragraph 3 shall be in writing, including in electronic form.

According to Article 28(10) of the General Data Protection Regulation, without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation in determining the purposes and means of the processing, the processor shall be considered to be a controller in respect of that processing. The processor and any person acting under the authority of the controller or of the processor and having access to the personal data shall only process them on instructions from the controller, unless required by Union or Member State law (Article 29 of the Regulation).

The provision of Article 5 of the General Data Protection Regulation establishes a catalogue of basic principles relating to the processing of personal data. As it is stressed in the literature, these principles have the nature of interpretative directives, according to which particular provisions should be interpreted. That is why they are given precedence over other provisions on personal data protection. These principles determine the obligations directed to the controllers. The obligations imposed on controllers, included in the principles of data processing, are accompanied by sanctions determined by the EU legislator for their infringement, mainly in the form of administrative fines.

The basic principle of the processing of personal data is the principle of accountability defined in Article 5(2) of the Regulation. This provision states that the controller is responsible for compliance with all the rules for the processing of personal data (listed in Article 5(1)) and must be able to demonstrate compliance with them. The principle of accountability is thus based on the controller's legal responsibility for the proper fulfilment of its obligations, and imposes on the controller the obligation to demonstrate, both to the supervisory authority and to the data subject, compliance with all the rules for data processing.

The accountability principle is implemented by the principles of fairness and lawfulness and transparency as expressed in Article 5(1)(a) of the Regulation. According to this provision, personal data must be processed lawfully, fairly and in a transparent manner for the data subject. The requirement of lawfulness of data processing implies both the necessity to meet the prerequisites of lawfulness of data processing and to ensure the compliance with other provisions on personal data protection. The requirement of fairness, on the other hand, refers to moral values and the criterion of social acceptance of the data processing operation.

Ensuring accountability of the data requires compliance with the data security principle, i.e. the principle of data integrity and confidentiality set out in Article 5(1)(f) of the Regulation. This provision stipulates that data shall be processed in a way ensuring appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures. Data integrity means thus the property ensuring that personal data have not been altered or destroyed in an unauthorised way, while data confidentiality means that data are not disclosed to unauthorised entities (cf. General Data Protection Regulation. Commentary edited by E. Bielak-Jomaa, D. Lubosz, Wolters Kluwer, Warsaw 2018).

It should also be noted that in accordance with Article 184b of the Act of 21 August 1997 on real estate management (Journal of Laws of 2018, item 2204, as amended), real estate management consists in making decisions and performing actions aimed at ensuring rational management of the real estate, in particular: 1) proper economic and financial management of the real estate; 2) safety of use and proper operation of the real estate; 3) proper energy management within the meaning of the Energy Law; 4) day-to-day administration of the real estate; 5) maintenance of the real estate in a non-deteriorated condition in accordance with its purpose; 6) reasonable investment in the real estate.

The scope of management of the real property shall be specified by an agreement for the management of the real property concluded with its owner, a residential community or another person or organisational unit to which the right to the real property applies, with legal effect directly for that person or organisational unit. The agreement shall be in writing or in the electronic form, otherwise being null and void (Article 185(2) of the aforementioned Act).

Transposing the above into the facts of the present case, it should be stated that the President of the UODO, on the basis of the factual findings, correctly stated that L. Sp. z o.o. infringed the provisions on personal data protection in the process of processing data from video monitoring applied at real estate [...] in [...], by:

1) processing data from video surveillance at the above property without a data processing entrustment agreement (Article 5(1)(a) of the General Data Protection Regulation);

2) failure to implement organisational and technical measures in connection with the use of video monitoring at the abovementioned real estate ensuring control over personal data provided from the monitoring of the Housing Community (Article 5(1)(f) of the Regulation).

Indeed, the evidence gathered in the case (Inspection Protocol of [...] June 2019 and annexes) shows that L. Sp. z o.o. and the Housing Community [...] concluded the Agreement on the Administration of the Common Part of the Property on [...] July 2012, and the Agreement on entrustment of personal data processing on [...] May 2018 (k. 37 et seq. and k. 45 et seq. of the admin. file). The provisions of the above-mentioned agreements did not indicate how and to what extent the Property Manager participates in the process of servicing the monitoring of the property located at [...] in [...] and to what extent the Property Manager should carry out control and supervisory activities so that the processing of data in connection with the monitoring is carried out in compliance with the provisions of the law.

The agreement on entrusting data processing did not indicate that the Housing Community entrusted L. Sp. z o.o. with the processing of data from video monitoring carried out on the premises of the real estate located at [...], nor did it indicate the purpose of processing of the monitoring data, to which L. Sp. z o.o. actually had access within the framework of proper performance of the agreement on administration of the common part. The agreement also did not indicate who decided on behalf of the Housing Association to provide access to the data in connection with the received requests for access to the monitoring data.

The administration agreement, however, indicated that L. Sp. z o.o. was responsible for keeping a register of correspondence concerning the Housing Association [...], and that requests for access to monitoring data were received by the Housing Association at its address for service, i.e. the address of the property manager.

Where it was necessary to provide access to the monitoring data, there was only a customary procedure of operation, in which the role of L. Sp. z o.o. consisted in passing information on the necessity to provide access to the recording to the coordinator appointed by the entity providing security services. The adopted method of operation did not result from the provisions of contracts or internal procedures adopted by the Housing Community. Importantly, the lack of records of applications for access to recordings from the monitoring of real estate at [...] prevented L. Sp. z o.o. from verifying the handling of the applications in terms of to whom the application was forwarded, who accepted it and how the application was processed.

In connection with the occurrence of the incident (leakage of the monitoring recording to the press), L. Sp. z o.o. commissioned an external entity to carry out an audit of the monitoring system, including changing the passwords to the monitoring system, and consequently came into possession of new passwords in order to transfer them to the real estate security company. These activities did not result from the administration contract, the data processing entrustment contract or the internal procedures concerning the management of the monitoring system (witness interview protocols: k. 59 et seq. and k. 132 et seq. of the administrative file).

It should be noted that the abovementioned findings of the body are reflected in the collected, complete evidence obtained in the course of the inspection and administrative proceedings. This evidence was examined by the body in a comprehensive manner. The assessment of the evidence was reflected in the justification of the appealed decision. For this reason the allegations of the complaint related to the violation by the body of Article 7, Article 8, Article 77 paragraph 1 and Article 84 of the Code of Administrative Procedure are unfounded.

It is also necessary to agree with the position of the authority that there were no grounds to grant the applicant's request for evidence by including in the files of the administrative proceedings minutes of testimonies of security officers from the files of the proceedings concerning Grupa C. Sp. z o.o. (mark: [...]). Indeed, the circumstances alleged by the applicant concerning the processing of data have already been established by other evidence, i.e. the above-mentioned minutes of the hearing of witnesses and the Agreement on entrustment of personal data processing of [...] May 2018. Therefore, the prerequisite referred to in Article 78(2) of the Code of Civil Procedure occurred.

Considering the above, the Court found no grounds to grant the applicant's request to apply to the President of the UODO and to attach to the files of the present case the files of the case conducted against Grupa C. Sp. z o.o. (mark: [...]) in order to provide evidence for the circumstances indicated in the complaint. Pursuant to Article 106 § 3 of the Code of Civil Procedure, the court may, ex officio or at the request of the parties, conduct supplementary evidence from documents if this is necessary to clarify material doubts and does not unduly prolong the proceedings in the case. In the opinion of the Court, none of the prerequisites listed in the abovementioned provision occurred in the present case.

 (i) of the General Data Protection Regulation by reason of the unlawful assumption that the applicant is the controller of the personal data (in connection with the processing of video surveillance data) which is subject to the obligation laid down in that regulation.

As indicated above, the applicant - within the framework of the proper performance of the contract for the administration of the common area - had actual access to the personal data processed by means of video surveillance. This circumstance is confirmed by the testimony of the witness: "in the monitoring room (...) there is also, in the case of the performance of tasks, the property manager and the managing director, who supervises the work of the company providing the security service" (k. 60 of the administrative file), as well as the obligations of the real estate manager resulting from § 4 clause 1 item 24 of the Agreement on the Administration of the Common Part of the Real Estate dated [...] July 2012 (k. 37 of the administrative file). At the same time, the Applicant itself, in point 3 of a letter dated [...] July 2019, "Objections and remarks to the inspection protocol No. [...]", confirmed the fact of access and processing of the monitoring data in the course of performing the service of administering the Common Property, explaining as follows: "with regard to the statement (...) that the Director (...) and the property manager have access to the monitoring (...), it should be clarified that this statement should be understood in the sense that these persons, during their stay on the property in the security room, can observe the current view from the cameras, and can also order the ripping of archival recordings from the monitoring".

It should be stressed that according to the definition provided in Article 4(2) of the General Data Protection Regulation, processing of data shall mean an operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Furthermore, as already indicated above, in connection with the incident, the applicant, after the external entity had performed an audit of the monitoring system and changed the passwords to the system, came into possession of new passwords to the system as part of the ongoing administration of the property in order to pass them on to the property security entity.

It therefore follows from the above that the applicant had access to the personal data processed in the video surveillance in connection with the day-to-day administration of the property, and decided on the purposes and means of the processing. However, this was not apparent from the contract for the administration of the common part concluded with the Housing Association [...], from the contract for entrustment of the processing of personal data dated [...] May 2018, or from the internal procedures for the management of the video surveillance system.

As already indicated above, where a processor of personal data breaches the General Data Protection Regulation in determining the purposes and means of processing, it shall be deemed to be the controller in respect of that processing (Article 28(10)). Deciding on the purposes and means of processing falls within the sphere of competence of the controller. If a processor unlawfully intervenes in this sphere by encroaching on the controller's reserved scope, Article 28(10) of the aforementioned Regulation requires the processor to be considered the controller in respect of this processing. This means that the processing entity shall be liable in this respect for breach of the Regulation in the same way as the controller (Fajgielski P., General Data Protection Regulation. Personal Data Protection Act. Commentary, WKP 2018, Article 28).

In the Court's opinion, the complaint's allegation of a breach of Article 58(2)(i) of the General Data Protection Regulation consisting in the imposition by the administrative authority of a fine that is grossly excessive and inadequate to the degree of misconduct is unfounded.

In accordance with Article 83(1) of the General Data Protection Regulation, each supervisory authority shall ensure that the administrative pecuniary sanctions provided for in paragraphs 4, 5 and 6 applied under this Article for infringements of this Regulation are effective, proportionate and dissuasive in every individual case. Pursuant to Article 83(2) of the Regulation, administrative pecuniary sanctions shall be imposed in addition to or in place of the measures referred to in points (a) to (h) and (j) of Article 58(2), depending on the circumstances of each individual case. In deciding whether to impose an administrative pecuniary penalty and in fixing the amount of that penalty, due account shall be taken, in each individual case, of the degree of responsibility of the controller, taking into account the technical and organisational measures implemented under Articles 25 and 32 (point (d)); any other aggravating or mitigating factors applicable to the circumstances of the case, such as the financial benefit derived directly or indirectly from the breach or the loss avoided.

It is apparent from the wording of the contested decision that the authority considered the conditions laid down in the abovementioned provision and substantiated its position. The authority indicated the circumstances determining the imposition of the administrative fine and the factors having impact on its amount: the elements related to the incident constituting the infringement of the General Data Protection Regulation, the applicant's conduct as data controller before and after the infringement under assessment, the effects of the infringement. It set out the mitigating factors for the amount of the penalty (inter alia, the actions taken to remedy the infringements: the signing on [...] September 2019 of Annex No. 1 to the personal data processing entrustment agreement of [...] May 2018 and the issuance by the Housing Community of [...] of a statement of [...] September 2019) and aggravating factors (including the fact of violation of the principles of data processing - i.e. the principles of legality, integrity, confidentiality and accountability, as well as the duration of these violations). Consequently, it determined the amount of the fine at such a level as to, on the one hand, constitute an adequate response of the supervisory authority to the degree of the infringement, and, on the other hand, not to cause a situation in which the necessity to pay the financial fine would result in negative effects in the form of a significant reduction in employment or a significant decrease in the applicant's turnover.

In the Court's opinion, the authority exhaustively weighed the justification for imposing and the amount of the administrative fine in the case at hand. Thus there are no grounds for holding that the penalty is grossly excessive and inadequate to the degree of misconduct. As regards the allegation that the fine is disproportionate to the fine imposed on the Housing Association [...], it should be stated that this criterion exceeds the circumstances relevant to the individual administrative case considered in these proceedings and could not have affected the decision.

In conclusion, it should be stated that the appealed decision does not violate the law, while the arguments and conclusions of the complaint do not merit consideration.

In this state of affairs, the Voivodship Administrative Court in Warsaw, pursuant to Article 151 p.p.s.a. and Article 15zzs4 section 3 of the Act of 2 March 2020 on special solutions for preventing, counteracting and combating COVID-19, other infectious diseases and crisis situations caused by them (Journal of Laws No. 347, as amended), ruled as in the conclusion of the judgment.