WSA Warsaw - II SA/Wa 2378/20

From GDPRhub
WSA Warsaw - II SA/Wa 2378/20
Courts logo1.png
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 7(3) GDPR
Article 12(2) GDPR
Article 17(1)(b) GDPR
Article 24(1) GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
Article 83(3) GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Decided: 10.02.2021
Published:
Parties:
National Case Number/Name: II SA/Wa 2378/20
European Case Law Identifier:
Appeal from: UODO (Poland)
ZSPR.421.7.2019
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Provincial Administrative Court of Warsaw held that asking data subjects about their reasons for withdrawing consent has no legal basis, is a deliberate action aimed at obstructing or even preventing the exercise of data subjects' rights, and violates the principle of lawfulness, fairness, and transparency.

English Summary

Facts

The President of the Office for Personal Data Protection, after conducting administrative proceedings on the processing of personal data by ClickQuickNow, issued a decision finding that the entity had violated the principle of lawfulness, fairness and transparency of personal data processing. In addition, he found that the company violated Article 7 (3) GDPR, Article 12 (2) GDPR, Article 17 (1)(b)GDPR and Article 24 (1) GDPR, by failing to implement appropriate technical and organisational measures to enable the data subject to easily and effectively withdraw consent to the processing of his personal data and to exercise his right to request the immediate erasure of his personal data (right to be forgotten). In addition, the supervisory authority found that the company processed without legal basis the data of persons who are not its customers, from whom it received requests to cease processing personal data. A fine of €47,000 was imposed on the company.

The company appealed against this decision to the Provincial Administrative Court.

Holding

The court dismissed the complaint and held that the controller is obliged to provide the data subject with the possibility to withdraw consent as easily as to give consent. While the controller may provide for an easier way to withdraw consent than to give consent, it may not limit this right by adopting solutions that would make it more difficult to provide a statement of withdrawal of consent than to provide a statement of consent. Asking the data subject about the reasons for withdrawing consent has no legal basis and is a deliberate action aimed at obstructing or even preventing the exercise of data subjects' rights. Such action constitutes at the same time an infringement of the principle of lawfulness, transparency and fairness of data processing.

In the Court's view, the procedure applied by the company in the process of revoking consent to the processing of personal data previously obtained by the company does not meet the criteria of a simple and quick revocation of consent and constitutes a violation of the provisions of the GDPR. The court found that the company was not only failing to facilitate, but was actually making it more difficult for data subjects to exercise their right to erasure of personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Date of the judgment
2021-02-10
invalid judgment

Date of receipt

2020-12-03

Court

Provincial Administrative Court in Warsaw

Judges

Ewa Kwiecińska / chairman-rapporteur / Joanna KubeSławomir Antoniuk

Symbol with description

647 Matters related to the protection of personal data

The appealed authority

Inspector General for Personal Data Protection

Result content

The complaint was dismissed

Sentence

Provincial Administrative Court in Warsaw composed of the following composition: Chairman Judge of the Provincial Administrative Court Ewa Kwiecińska (spokesman), Judge of the Provincial Administrative Court Joanna Kube, Judge of the Provincial Administrative Court Sławomir Antoniuk, after hearing the case from a complaint filed by C. sp.z o.o. at a closed session on February 10, 2021 based in W. against the decision of the President of the Personal Data Protection Office of [...] October 2019 No. [...] regarding the processing of personal data, dismisses the complaint.

Substantiation

The President of the Personal Data Protection Office, acting pursuant to art. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended) and Art. 7 sec. 1 and sec. 2, art. 60, art. 101, art. 103 of the Personal Data Protection Act of May 10, 2018 (Journal of Laws of 2019, item 1781) in connection with Art. 5 sec. 1 lit. a, art. 5 sec. 2, art. 6 sec. 1, art. 7 sec. 3, art. 12 sec. 2, art. 17 sec. 1 lit. b, art. 24 sec. 1, art. 58 sec. 2 lit. d and lit. and, and in connection with Art. 83 sec. 3, art. 83 sec. 5 lit. a and lit. b of the Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation) ( Journal of Laws UE L 119 of 04/05/2016, page 1 and Journal of Laws UE L 127 of 23/05/2018, page 2), after administrative proceedings regarding the processing of personal data by C. Sp. z o.o. with its seat in W., by decision of [...] October 2019 no. [...] I. finding a breach by the Company of the provisions of: a) Art. 5 sec. 1 lit. and in connection with with art. 5 sec. 2 of Regulation 2016/679 of the European Parliament and of the Council of the EU and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (Journal EU L 119 of May 4, 2016 and EU Official Journal L 127 of May 23, 2018), hereinafter referred to as Regulation 2016/679, i.e. the principles of lawfulness, fairness and transparency of personal data processing and art. 7 sec. 3, art. 12 sec. 2 Art. 17 sec. 1 lit. b and art. 24 sec. 1 of Regulation 2016/679 by failure to implement appropriate technical and organizational measures that would enable the data subject to easily and effectively withdraw consent to the processing of his personal data and exercise the right to request the immediate deletion of his personal data (the right to be forgotten), b) art. . 5 sec. 1 lit. and in connection with with art. 5 sec. 2 of Regulation 2016/679, i.e. the principle of legal compliance, and art. 6 sec. 1 of Regulation 2016/679, by processing data of persons who are not customers of C. Sp. z o.o., and from which C. Sp. z o.o. received requests to stop processing personal data, ordered C. Sp. z oo, adjusting the processing of personal data to the provisions of Regulation 2016/679, within 14 days from the date of delivery of this decision, by: 1) modifying the process of handling requests to revoke consent to data processing, in such a way that data subjects can effectively exercise their right to withdraw consent and the right to be forgotten, 2) deletion of personal data of persons who are not customers of C. Sp. z o.o., and from which C. Sp. z o.o. received a request to stop processing personal data. II. for violation of the above-mentioned of provisions, the authority imposed a fine on the complainant in the amount of PLN 201,559.50, which is the equivalent of EUR 47,000, according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table for January 28, 2019 In the justification of the decision of [...] October 2019 The President of the Personal Data Protection Office mentioned that during the inspection oral explanations were received from the Company's employees and the IT system was inspected. The facts are described in detail in the control protocol signed by the President of the Management Board of the Company. According to the information contained in the National Court Register, the Company's business activities include data processing, website management (hosting) and similar activities, advertising agencies, activities call centers, other consultancy in the field of business and management as well as the operation of internet portals. The organization found that in the process of processing personal data, the Company, as an administrator, breached the provisions on the protection of personal data. These shortcomings include: 1. Failure to provide data subjects with easy exercise of their right to withdraw consent to the processing of their personal data (violation of Article 7 (3) and Article 12 (1) of Regulation 2016/679). Violation of the principles of transparency and fairness in the process of revoking consent, by sending contradictory messages to data subjects, which results in a person revoking consent being misled and may not withdraw consent (violation of Article 5 (1) (b) of the GDPR). a Regulation 2016/679). 3. Violation of the right to delete data (the right to be forgotten), through the use of the consent revocation process, which hinders the effective revocation of consent - violation of art. 17 sec. 1 lit. b of the Regulation 2016/679.4. Processing data of persons who are not the Company's clients without a legal basis (violation of Article 6 (1) of Regulation 2016/679 and violation of the principle of lawfulness of processing referred to in Article 5 (1) (a) of Regulation 2016/679) .5. Failure to apply appropriate technical and organizational measures that would enable the data subject to effectively exercise his rights (violation of Article 24 (1) of Regulation 2016/679). By letter mark: [...] the President of the Office for Personal Data Protection initiated ex officio proceedings administrative shortcomings in order to clarify the circumstances of the case. In a letter of July 15, 2019, the Company submitted explanations in which it indicated, inter alia, that: 1. The position of the President of the Personal Data Protection Office regarding the objections relating to the processing of personal data contained in the notice of initiation of the procedure deviates from the findings contained in the inspection protocol and therefore the proceedings should end with the statement that the Company did not breach the provisions of the law on the protection of personal data .2. The company does not agree with the allegation that in the process of revoking consent to the processing of personal data, it prevents or hinders data subjects from exercising the rights referred to in art. 17 sec. 1 lit. b of the Regulation 2016/679. 3. The company leaves the so-called "blank e-mails" (which do not contain any content, apart from the e-mail address of the sender, date and time of sending, and an indication of the addressee: [...]). Messages of this type are not considered as requests for revocation of consent, or as other correspondence in the case (e.g. incomplete requests for revocation of consent). The company does not agree with the position of the President of the Personal Data Protection Office that an "empty e-mail" sent to the following address: [...] is an incomplete application to revoke consent to the processing of personal data. In the opinion of the Company, such an e-mail may constitute, for example, an incomplete request for data rectification or an incomplete request for information on data processing. 5. The adoption of the concept of legal classification of empty e-mail messages as declarations of will to use a specific right of the sender of such a "letter", in the opinion of the Company, is not supported by the provisions of Regulation 2016/679 and the rules for interpreting declarations of will included in Regulation 2016/679 (prohibition of presumption of declarations of the data subject). Therefore, in the opinion of the Company, "empty e-mails" are not recognized by the Company as correspondence in the case. In the opinion of the Company, the notice of initiation of the procedure omitted a significant circumstance recorded in the inspection protocol, which shows that the "empty e-mails" in question come from two websites - interia.pl and onet.pl, which introduced automated mechanisms on their side calling e-mail messages directed to the address of the Company. 7. In the opinion of the Company, the large scale of this phenomenon makes it possible to conclude that "empty e-mails" indicate systemic or accidental operation of the portal users. The rules of life experience indicate that people who consciously use e-mail do not send correspondence without content to their addressees. 8. Taking into account the potential risks related to websites adopted by third parties providing e-mail services to Internet users and automation mechanisms not agreed with the Company, which result in the inflow of "empty correspondence" to the Company, the Company intervened with entities running these services in order to eliminate this phenomenon. As confirmation of correspondence in this matter, printouts of the e-mail correspondence were attached to the letter constituting a response to the notice of initiation of the procedure. 9. The company recognizes that since the alleged consent for data processing should not be collected, it should not delete data on the basis of an alleged request, nor demand that the request be specified. 10. In the opinion of the Company, the process in which clicking the link included in the content of the advertising message redirects the user to two websites - to the first, where the user is asked about the reason for revoking his consent, and to the second page, where he is informed about the method of its withdrawal - does not infringe the obligations regarding the easy revocation of consent, because: "quotation" on the second website (after answering the question about the reason for a potential resignation), the user displays a message on the method of revoking consent (requesting an e-mail address). On this basis, the Company considers that the method of withdrawing consent is not less complicated than the process during which the consent was obtained. 11. In the opinion of the Company, the allegation that the Company obtains additional information without a legal basis from persons submitting an application for revocation of consent in terms of the need to provide the reason for its revocation is also unfounded. The Company confirms that the inquiry about the reason for resignation from further data processing should be considered as the collection of additional data by the Company, which, if it were deemed that the revocation of consent would be effective, would be removed. However, in the event that the revocation of consent did not take place, the information obtained would be processed by the Company pursuant to Art. 6 sec. 1 lit. f of the Regulation 2016/679, i.e. based on the legitimate interest of the administrator. 12. Referring to the content of the message: "Your consent is revoked today, 13/02/2019! Thank you for your answer! In this case, I would like to inform you that you have the right to access, delete, limit processing, transfer, object, request rectification and withdraw consent in at any time at the address [...], including the right to file a complaint to the President of the Personal Data Protection Office. (...) ", which is displayed to the user only after answering the question about the reason for the resignation, it was indicated that after receiving of the notice of initiation of the procedure from the website, the message containing the text "Your consent is revoked today, 13/02/2019" has been removed. The information provided also indicates that the following message will be placed in place of this message: "Information on the method of revoking your consent". 13. The company, explaining why it does not use the model of revocation of consent only by clicking once on the link of the e-mail message (containing the link "revocation of consent"), indicates that the use of such a model could result in the request being made unconsciously (by mistake). by accidental clicking) and by an unauthorized person or by the so-called "bots" - automated Internet software which, without the knowledge of the owner of an e-mail account, can activate links contained in the content of e-mail correspondence. It was indicated that similar solutions are also used in the public administration sector, and as an example it was indicated that the website of the Ministry of Justice uses the so-called captcha, which is to prevent filling in forms and downloading data from the pages of this Ministry by the so-called bots. As evidence, a screenshot from the KRS search engine was attached to the response to the notification, which, in the opinion of the Company, confirms the fact of using solutions on the Internet that prevent the use of forms and e-mail addresses provided on the Internet by the so-called bots (robots) 14. The Company believes that the President of the Personal Data Protection Office incorrectly assumes that simply clicking on the "revocation of consent" link contained in a marketing message should be considered by the Company as submitting a declaration of will to revoke consent. This is not the case, because in the box where the above-mentioned is given, the link also contains other information on various rights related to the processing of personal data. 15. The company does not agree with the allegation that when fulfilling the information obligation, it always addresses the same issues differently and indicates different ways and possibilities for data subjects to submit declarations on the revocation of consent to the processing of personal data, which results in that these persons cannot effectively revoke their consent. 16. As regards information on how to withdraw consent to data processing, the Company invariably and consistently (on the basis of the current and previous legal status) informs that the data subject may submit a request by traditional mail to the address of the Company's registered office or by e-mail to the e-mail address. Companies. The fact that the Company, after the commencement of application of Regulation 2016/679 (i.e. on June 15, 2018), indicated an additional e-mail address for submitting requests should be assessed as an extension of the rights of data subjects. Therefore, the statement that the Company indicates various ways and possibilities of withdrawing consent to the processing of personal data is not consistent with the collected evidence - it is always both written correspondence addressed to the address of the Company's registered office and e-mail correspondence to the Company's e-mail address. 17. The company emphasizes that it does not comply with the collected evidence in the case of the allegation that the Company in a document called "Information for you on the processing of personal data by C. Sp. Z o.o." did not indicate the e-mail address to which the data subject could effectively submit a declaration of withdrawal of consent to the processing of personal data. In point 1 of the above-mentioned of the document, apart from indicating the address of the registered office of the Company, the e-mail address was indicated in the next paragraph, ie [...]. 18. Regarding the message: "Your consent is revoked today, February 13, 2019! Thank you for your answer!" and the following text: "I would like to inform you that you have the right to access data, delete them, limit processing, transfer, object, request rectification and withdrawal of consents at any time at [...] it was indicated that the information in this content is displayed as a result of clicking on the link contained in the marketing information. However, the message is not sent to the e-mail address from which the information about the withdrawal of consent was received.Moreover, the authority unjustifiably recognizes that clicking on the link means the user's statement about the withdrawal of consent to data processing The information accompanying this link does not indicate such a consequence of clicking, nor does any of the Company's information documents indicate such a consequence. The reasons for adopting a two-step process of obtaining information on how to withdraw consent result from the need to protect against Internet software executing without the knowledge and will of the owner box accidental clicks 19. In the Company's opinion, the notice of initiation of the procedure did not explain how the above-mentioned process of informing about the user's personal data rights allegedly constitutes failure to develop appropriate technical and organizational measures within the meaning of Art. 24 sec. 1 of Regulation 2016/679. The authority does not provide an interpretation of this legal provision and does not refer it to the facts and the collected evidence, which is required especially in a situation where the argumentation contained on p. 9 of the Notice refers to the requirement to provide an easy way of giving consent (Art. 3 of Regulation 2016/679), and not the obligation contained in art. 24 sec. 1 of Regulation 2016/679.20. The method of informing about the revocation of consent in each advertising mail, developed by the Company, containing a two-step access to the e-mail address to which the request can be sent, means that the Company applies above-standard technical and organizational measures within the meaning of Art. 24 sec. 1 of Regulation 2016/679.21. As regards the reservation regarding the processing of data by the Company without a legal basis, in the case of data received from persons who are not its clients, and whose data the Company obtains in correspondence received via the e-mail address: [...], it was indicated that the Company did not agrees with this allegation, because the Company (as well as other entities that publish their e-mail addresses on the Internet) has no influence on who and for what purpose provides it with their data to the e-mail address. The Company processes the data in question only for the purpose of handling correspondence, but the data is not processed for any other purposes (e.g. for marketing purposes). The letter constituting a reply to the notice of initiation of the administrative procedure was enclosed with the financial statements for the period from 1 January 2017 to December 31, 2017, which shows that the amount of net revenues from sales and equivalent revenues is: PLN 1,714,451.61 and the financial statements for the financial year from January 1, 2018 to December 31, 2018, which show that the amount of net revenues from sales and equivalent revenues is: PLN 1 051 903.43. In the justification of the decision of [...] October 2019, the President of the Office for Personal Data Protection stated that the evidence collected in the case shows that that: The company has had its own database since 2012, in which, as at January 31, 2019, it processed personal data of 2,190,689 people. In 98%, these data were obtained from participants in the competition called "The fastest - wins". All personal data for the Company's database were obtained electronically using registration forms. The same form was used for all competitions. When completing the registration form, the user expressed the following consents: 1) consent to the processing of personal data by C. Sp. z o.o. for third party marketing purposes also in the future; 2) consent to share data with contractors of C. Sp. z o.o. for marketing purposes; 3) consent to provide commercial information by electronic means by C. Sp. z o.o., including on behalf of third parties and by contractors of C. Sp. z o.o .; 4) consent to the transmission of marketing information by phone and e-mail by C. Sp. z o.o., including on behalf of third parties and by contractors of C. Sp. z o. o. According to PUODO, the Company currently uses the obtained personal data of competition participants in order to carry out marketing orders for other entities. The Company attaches a document called "Statement on the processing of personal data from May 25, 2018 to the contracts concluded for the conduct of a given marketing campaign. year". The content of this document shows, inter alia, that via a link in the e-mail or SMS messages sent, as well as in telephone conversations via the e-mail address indicated in the conversation, persons to whom the marketing campaign will be directed will be able to easily and simply withdraw the consent granted. Immediately after receiving this type of information, the company will block the possibility of further campaign implementation in relation to the user who has withdrawn his consent or has stated that he does not want the campaign to be addressed to him. The findings made during the PUODO inspection showed that the Company does not comply with the rules, which she developed herself. The use of the link (link) included in the content of commercial information, contrary to the assurances of the Company, does not result in a quick revocation of consent to the processing of personal data. Messages sent as a result of activating this link mislead the person requesting the revocation of consent, which results in the revocation of consent ineffective. During the inspection, it was found that a sample marketing offer sent by the Company at the request of another entity contains: .in. such information: C. Sp. z o.o. informs that after clicking on the message you will be redirected to the website of C. Sp. z o.o., where you will be able to answer your questions. Clicking on the link "revocation of consent" results in the following: 1) the user is redirected to the website where there is a question about the reason for opting out of receiving advertisements by e-mail (with two defined answers: "A: I receive advertisements that do not interest me "," B: I get ads too often "); 2) after answering the above-mentioned questions, the user is redirected to the next page on which the following message appears: "Your consent is revoked today, 13/02/2019!". Under this message, there is the following entry: "Thank you for your answer! In such a situation, I would like to inform you that you have the right to access your data, delete it, limit processing, transfer, object, request rectification and withdraw your consent at any time at [... ], including the right to lodge a complaint with the President of the Personal Data Protection Office. That's all for me. PM "Analyzing the consent revocation process, PUODO stated that the Company in the first place (without any legal basis) requires the person who submits the statement on the revocation of consent indicated the reason for its request. Importantly, failure to answer this question does not allow for the continuation of the consent revocation process, which results in the consent not being revoked. After providing the person with the following message: "Your consent is revoked today, 13/02/2019!", The Company informs the person about the method of revoking consent. In the Company's opinion, an effective declaration of will regarding the revocation of consent to data processing may take place only if the person, after reading with the content of the above-mentioned of the announcement, will send his request once again to the following address: [...] and specify exactly what he is demanding from the Company. The vast majority of people, after reading the wording of this announcement, state that the statement on the revocation of consent was accepted by the Company in the date indicated in the message and therefore it does not take any further steps in this regard. The application of such a mechanism by the Company results in the data subject not taking further actions after reading this message, which means that consent is not effectively withdrawn. Such actions of the Company result in the fact that persons who cannot effectively exercise their rights (i.e. revoke their consent) submit complaints to the Personal Data Protection Office in this respect. In the opinion of the President of the Personal Data Protection Office, the manner of proceeding used by the Company in the process of revoking consent does not meets the criteria for simple and quick consent withdrawal. Thus, the Company violates the provision of Art. 7 sec. 3 of Regulation 2016/679. The authority also indicated that in accordance with Art. 12 sec. 2 of Regulation 2016/679, the controller makes it easier for the data subject to exercise his rights under art. 15-22. In the cases referred to in Art. 11 sec. 2, the controller does not refuse to take action at the request of the data subject who wishes to exercise his / her rights under Art. 15-22, unless it proves that it is not able to identify the data subject. In the opinion of the President of the Personal Data Protection Office, the Company violates the principles of transparency and fairness referred to in Art. 5 sec. 1 lit. and Regulation 2016/679, because the Company sends contradictory messages to persons who revoke the consent, which results in the fact that the person revoking the consent, after receiving from the Company the message "Your consent is revoked today, 13/02/2019!" is convinced that it has successfully revoked its consent. However, the consent is not revoked, the Company, after sending the above-mentioned of the message, sends a message to the same person in which he informs about the method of effective withdrawal of consent. The company, as the controller, does not make it easier for the data subject to exercise the right to withdraw consent (the right to be forgotten). that the allegation of the President of the Personal Data Protection Office in terms of this violation is justified and therefore the Company removed the message from the website: "Your consent is revoked today, 13/02/2019". In addition, in the same letter it was declared that the quotation "introduces the subject and phrase to the above messages: Information on how to withdraw your consent" instead of "Your consent is revoked today, 13/02/2019". These explanations, however, have not been confirmed to the President of the Personal Data Protection Office with any additional evidence. In the opinion of the authority, the evidence collected in the case does not show that the Company ceases to obtain information on the reason for revoking consent, which undoubtedly results in the fact that the lack of such a reply still prevents the person from data subject to effective revocation of consent It was indicated that the information contained in the notice on the initiation of the procedure regarding the Company's failure to conduct correspondence regarding incorrectly submitted applications and failure to respond to the requests of data subjects is not consistent with the evidence collected. Referring to this objection, PUODO pointed out that the President of the Management Board of the Company during the inspection explained that the quotation "(...) feedback on the manner of considering a given application is not sent by the Company to its sender, because in the Company's opinion, effective removal of personal data is tantamount to the final consideration of a given application "and the quote" The Company does not conduct any form of correspondence regarding incorrectly submitted applications. "Findings made in the course of the inspection also showed that the Company for a long time, i.e. from the beginning of 2018, via e-mail, receives daily about 10,000 (ten thousand) so-called empty e-mail messages (not containing the request body). These messages are sent to the address [...] posted on the pages of two websites ([...]). During the inspection it was found that the Company leaves such messages without consideration. In response to the Notice of Initiation, it was clarified that the "blank e-mails" did not contain any requests and the Company itself could not presume what the e-mail was about. The company, explaining the above issue, indicated that it had taken steps to eliminate the above-mentioned phenomenon. To confirm the above explanations, as additional evidence in the case, along with the response to the notice of initiation of the procedure, printouts of the correspondence conducted in this case were sent to the Office for Personal Data Protection. The content of the correspondence shows that the Company informs the entities conducting the above-mentioned portals, the need to disable automatic sending mechanisms, the so-called "blank letters" to [...] The process of receiving "blank e-mails" by the Company has been going on since at least the beginning of 2018 and so far, nothing has changed in this regard. The company indicated that in the case of "empty e-mails", the Company cannot fulfill the requests of an unidentified person, and moreover, it is not known what the e-mail addressee is asking for. "blank e-mails" contain such information as: sender's e-mail address, date and time, and the addressee: [...]. In the opinion of the President of the Personal Data Protection Office, defining the addressee in such a way indicates the conscious actions of the sender of such an e-mail, i.e. that he revokes consent. The Company's doubts as to the request of the sender of such a message could be clarified, for example by means of a reply sent to the sender's e-mail address asking what the e-mail concerns. The evidence collected in the case clearly shows that the Company leaves "empty e-mails" sent to the address [...] without consideration, and does not give them any further course. The addressee of the e-mail does not receive any feedback from the Company. The authority stated that the Company violates Art. 7 sec. 3 of Regulation 2016/679, because the consent revocation process used makes it difficult or even impossible for the data subject to effectively use his right to revoke consent. for data processing prevents the data subject from effectively exercising his right referred to in Art. 17 sec. 1 lit. b of the Regulation 2016/679. As a result, the authority found that the Company also breached this provision of Regulation 2016/679. In the opinion of the President of the Personal Data Protection Office, the evidence collected in the case shows that the Company has not developed and implemented such technical and organizational measures that would the data subject receives information in an easily accessible, concise, transparent and comprehensible form on the possibility of effective electronic revocation of consent to the processing of personal data. The data subject may not effectively exercise his right to withdraw his consent at any time and the right to be forgotten. The Company, as the controller, should provide such technical and organizational solutions in the processing of personal data (also used by other entities participating in the this process), the use of which will ensure that the realization of the rights of persons is carried out effectively. The solutions taken over by the Company in the process of revoking the consent are ineffective, as evidenced by the fact that the breach consisting in the inflow of the so-called "empty e-mail" has not been removed. Organizational solutions used by the Company are also ineffective, because, as established, the Company does not conduct any correspondence regarding requests for revocation of consent. The administrator should ensure the possibility of submitting relevant requests also electronically, in particular when personal data are processed electronically. The administrator should be obliged to respond to the requests of data subjects without undue delay - no later than within one month, and if he does not intend to comply with such request - provide the reasons. On this basis, the authority concluded that they had not been implemented by the Company (administrator) appropriate technical and organizational measures in the process of revoking consent, which constitutes an infringement referred to in Art. 24 sec. 1 of Regulation 2016/679. The evidence collected in the case shows that from the beginning of 2018, from the websites of interia.pl and onet.pl, to the Company's e-mail address: [...] numerous applications are sent to stop sending advertisements . These requests also include requests from persons who request the cessation of the processing of their data by entities other than the Company. These persons have e-mail accounts on the indicated websites, but are not the Company's customers. During the inspection, screenshots of the search for personal data of an exemplary person in the Company's database were obtained, from whom the Company had received a revocation of its consent to the processing of personal data by another entity. This evidence confirms that in the so-called The data of the searched person are not processed on the "production base" of the Company. According to the findings of the control, the Company does not conduct any correspondence with these persons, in particular, the Company does not send any correspondence to such persons. Therefore, the statement of the Company that the data of these persons is processed by the Company in order to handle correspondence is not consistent with the facts. The President of the Office for Personal Data Protection decided that the Company - after determining that it did not have any information about a given person - should delete the obtained data due to on the lack of legal grounds for their further processing (storage). The President of the Office for Personal Data Protection decided that the Company violates Art. 6 sec. 1 of Regulation 2016/679, and thus violates the principle of legality, which under Regulation 2016/679 is called the principle of lawfulness of processing (Article 5 (1) (a) of Regulation 2016/679). out of his right specified in the aforementioned provision, stated that in the case in question there were premises justifying the imposition of an administrative fine on the Company. When deciding to impose a fine on the Company, the President of the Personal Data Protection Office - pursuant to Art. 83 sec. 2 lit. a-k of the Regulation 2016/679 - took into account the following circumstances of the case, read to the detriment of the Company and having an aggravating effect on the amount of the imposed financial penalty: 1. The consent revocation process applied by the Company results in a breach of Art. 7 sec. 3, art. 12 sec. 2 and art. 17 sec. 1 lit. b of the Regulation 2016/679, by not providing data subjects with easy exercise of their right to withdraw consent to the processing of their data and the right to delete data (the right to be forgotten). In the opinion of the President, this violation is an intentional violation. According to the position of the Working Group for Art. 29 Data Protection (contained in the guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679), adopted on October 3, 2017, in the part relating to the intentional or unintentional nature of the breach, "intention" includes both knowledge and deliberate action in connection with the characteristics of a prohibited act. The content of the document prepared by the Company called "Statement on the processing of personal data valid from May 25, 2018" indicates that the persons to whom the marketing campaign is addressed will have the possibility to simply and quickly withdraw their consents. This information also shows that the Company, immediately after receiving the declaration of revocation of consent, will block the possibility of further implementation of the marketing campaign towards a given person. On this basis, it should be considered that the Company knows that the consent revocation process should be easy, simple and effective. Unfortunately, the findings made during the inspection showed that the Company did not comply with the rules it had developed. Contrary to the Company's assurances, the use of a link included in the content of commercial information does not result in a quick withdrawal of consent. After activating the link in question, messages addressed to the person interested in revoking consent mislead him. The company, after sending the message "Your consent is revoked today, 13/02/2019!" confirms the person in the fact that the revocation of consent has been recognized by the Company, and then requires additional actions from the same person in order to effectively revoke the consent. The company definitely complicates, and even hinders, the revocation of consent. In the process of revoking consent, it is necessary to provide the reason for revoking the consent. Failure to indicate the reason interrupts the consent revocation process. Indication of the reason also does not result in the revocation of the consent, because the Company, after receiving the answer, continues the process of revoking the consent, providing the person concerned with contradictory messages, which ultimately means that revocation of consent does not take place. Such actions of the Company should, in the opinion of the authority, definitely be regarded as deliberate actions aimed at obstructing or even preventing the exercise of the rights of the data subjects. The intention of the Company to take action to remedy this state of affairs does not constitute grounds for believing that the violation has been removed. Meanwhile, the Company as an administrator is obliged to act in accordance with the law, it is obliged to facilitate the exercise of data subjects' rights (Article 12 (2) of Regulation 2016/679), to ensure that the consent withdrawal process used allows for effective withdrawal of consent (Article 7 (3) of Regulation 2016/679). By its actions in the processing of data, the company also violates the principle of lawfulness of data processing, the principle of transparency and the principle of fairness referred to in art. 5 sec. 1 lit. and Regulation 2016/679, and most importantly, it misleads people who want to effectively exercise their right. The consent revocation process applied by the Company poses a high risk of negative consequences for a very large number of people (personal data of 2,190,689 people were processed in the Company's database as at January 31, 2019). The company has been processing data in the database since 2012. Due to the fact that all personal data was obtained on the basis of consent, ie pursuant to Art. 6 sec. 1 lit. and Regulation 2016/679, each data subject has the right to withdraw (revoke) consent at any time. In the process of revoking the consent, the Company did not apply appropriate technical and organizational measures that would enable the data subject to effectively use from its rights (Article 24 (1) of Regulation 2016/679). According to the evidence collected in the case, the Company did not take into account the principle that the withdrawal of consent should be as easy as expressing consent in the process of revoking consent (Article 7 (3) of Regulation 2016/679). The authority indicated that the consent to data processing was always obtained from all persons whose personal data are processed in the Company's database (database of competition participants) in electronic form, by using the "checkbox" button included in the registration form. The consent revocation process should also be easy, uncomplicated, and most importantly, using the same communication channel, i.e. via the Internet (e.g. by placing a consent revocation form or a tab for revoking it on the website). The Company as the administrator is responsible for the fact that in the process of revoking the consent an ineffective tool is used, i.e. the button: "[...]" placed on the websites ([...]). The effect of the solutions applied by the Company is that that persons who use this button to revoke consent cannot effectively exercise their right. The scale of this phenomenon is very large (daily around 10,000 so-called "empty e-mails"). The company cannot be released from liability in this regard only because the button in question is available on the websites of other entities. It should be pointed out that it is the controller's obligations to ensure that the data processing process uses such technical and organizational solutions (also used by other entities participating in this process), the use of which will ensure the effective implementation of the rights of data subjects. the amount of the administrative fine, the President of the Personal Data Protection Office did not take into account any mitigating circumstances affecting the final penalty. In the letter constituting a response to the notice of initiation of the procedure, the Company explained that after receiving the notice of initiation of the procedure from the website, the announcement - "Your consent is revoked today, February 13, 2019" was removed, and the letter also indicated that the Company declared itself to change the announcement "Your consent is revoked today, 13/02/2019" to the message "Information on the method of revocation of your consent". Nevertheless, the submitted explanations have not been confirmed to the President of the Personal Data Protection Office with any additional evidence. On this basis, the President of the Personal Data Protection Office concluded that the mere intention of the Company to take action to remove the infringement does not constitute a mitigating circumstance affecting the final penalty. : a) The Company does not apply the approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of Regulation 2016/679; b) no evidence that the Company obtained financial benefits and avoided losses in connection with the violation; c) there was good cooperation on the part of the Company in the course of the audit; within this period, the Company sent to the Office for Personal Data Protection a response to the notice of initiation of the procedure; d) the collected evidence does not contain any evidence that the data subjects have suffered material damage; e) there is no evidence that financial benefits by the Company and the avoidance of losses in connection with the infringement; f) it has not been found that the Company previously violated the provisions of Regulation 2016/679, which would be significant for this proceeding. The President of the Office for Personal Data Protection took the position that imposing an administrative fine on the Company is necessary and justified by the gravity and nature of the infringements accused of the Company. Application to the Company of any other remedy provided for in Art. 58 sec. 2 of Regulation 2016/679, would not be proportional to the identified irregularities in the processing of personal data and would not guarantee that the Company will not engage in similar practices in the future that would violate the rights of data subjects. The Personal Data Protection Office found that in the established circumstances of this case, i.e. in the event of a breach by the Company of the right to delete data (the right to be forgotten), referred to in art. 17 sec. 1 lit. b of the Regulation 2016/679 and violation of the principle of lawfulness of data processing, the principle of transparency and the principle of fairness expressed in art. 5 sec. 1 lit. a of Regulation 2016/679 (and reflected in the form of obligations specified in Article 7 (3), Article 12 (2) and Article 24 (1) of Regulation 2016/679), as well as the processing of data of persons who do not are clients of the Company (i.e. violation of Article 6 (1) of Regulation 2016/679), through the use of complex organizational and technical solutions in the consent revocation process, Art. 83 sec. 5 lit. a and lit. b of the Regulation 2016/679. In accordance with these provisions, violations of the basic principles of processing, including consent conditions, the terms and conditions of which are referred to, inter alia, in art. 5, art. 6, art. 7 of this regulation and violation of the rights of data subjects are subject to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover from the previous financial year, with the higher amount being applicable. In the event that the Company finds a breach of several provisions of this Regulation as part of the same or related processing operations, pursuant to Art. 83 sec. 3 of Regulation 2016/679, the President of the Personal Data Protection Office determined the total amount of the administrative fine in an amount not exceeding the amount of the fine for the most serious violation. In the presented facts, the violation of the right to delete data by the Company (the right to be forgotten) should be considered the most serious violation by the Company (the right to be forgotten). referred to in Art. 17 sec. 1 lit. b of the Regulation 2016/679 and the violation of the principles of transparency and fairness referred to in article 1. 5 sec. 1 lit. a regulation 2016/679. This is evidenced by the serious nature of these violations and the group of people affected by them (personal data of 2,190,689 people were processed in the Company's database as at January 31, 2019). Due to the fact that all data of persons was obtained on the basis of consent (i.e. pursuant to Article 6 (1) (a) of Regulation 2016/679), each of these persons at any time has the right to withdraw (revoke) their consent Approval by the Company in the process of personal data processing inadequate technical and organizational measures referred to in art. 24 sec. 1 of Regulation 2016/679, led to the violation of the principle of lawfulness of data processing referred to in art. 5 sec. 1 lit. and Regulation 2016/679, because the Company came into possession of personal data for processing, which it is not entitled to, because it does not meet any of the conditions specified in art. 6 sec. 1 of the Regulation 2016/679 The authority took into account the fact that this violation applies only to persons who mistakenly sent to the Company statements on the withdrawal of consent to data processing (despite the fact that they are not the Company's clients), this violation to a small extent affects the decision to the imposition of the penalty and its amount. The authority stated that pursuant to Art. 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, as amended), the equivalent of the amounts expressed in EUR, referred to in Art. 83 of Regulation 2016/679, are calculated in PLN according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28 of each year, and if the National Bank of Poland does not announce the average EUR exchange rate on January 28 in a given year - according to the average the euro exchange rate announced in the next table of exchange rates of the National Bank of Poland after that date. The President of the Office for Personal Data Protection, pursuant to Art. 83 sec. 3 and art. 83 sec. 5 lit. a Regulation 2016/679, in connection with art. 103 of the Act on the Protection of Personal Data of 2018, for the violations described in the operative part of this decision, imposed on the Company - using the average EUR exchange rate of January 28, 2019 (EUR 1 = PLN 4.2885) - an administrative fine in the amount of 201,559 , PLN 50 (equivalent to EUR 47,000), according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table as of January 28, 2019 In the opinion of the President of the Personal Data Protection Office, the administrative fine, in the established circumstances of this case, performs the functions for which referred to in Art. 83 sec. 1 of Regulation 2016/679, i.e. it will be effective, proportionate and dissuasive in this individual case. The penalty imposed on the Company is intended to lead to a state in which the Company applies such technical and organizational, which will ensure the effective exercise of data subjects' rights. The applied fine is also proportional to the breaches found, in particular their severity, the number of individuals affected and the risks incurred by them in connection with such breaches. The amount of the fine has been set at such a level as to constitute an adequate response of the supervisory authority to the degree of breach of the administrator's obligations. In these specific circumstances, the imposed administrative fine will fulfill a repressive function, as it will be a response to the breach by the Company of the provisions of Regulation 2016/679, but also preventive. , as the Company itself and other administrators will be effectively discouraged from violating the provisions on the protection of personal data in the future. The applied fine meets the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679, due to the importance of the infringements found in the context of the basic requirements and principles of Regulation 2016/679 C. Sp. z o.o. in W. lodged a complaint with the Provincial Administrative Court in Warsaw against the decision of the President of the Personal Data Protection Office of [...] October 2019 No. [...] The applicant alleged that the decision was infringed: 1. art. 7 of the Code of Administrative Procedure, Art. 8 § 1 of the Code of Administrative Procedure, Art. 77 § 1 of the Code of Administrative Procedure, Art. 80 of the Code of Civil Procedure, Art. 107 § 3 of the Code of Civil Procedure - in connection with with art. 87 and art. 88 sec. 2 point 6 u.o.d.o. and in connection with with art. 5 sec. 1 lit. a and art. 5 sec. 2, art. 7 sec. 3, art. 12 sec. 2, art. 17 sec. 1 lit. b and art. 24 sec. 1 of the GDPR, by erroneous determination of the facts, resulting from: i) the omission in the decision of the factual findings contained in the data processing control report of [...] February 2019 and the evidence attached hereto, and; ii) contradiction of this state with the findings contained in the protocol and the accompanying evidence, without carrying out additional evidence justifying such a change of factual findings, - in particular the following circumstances, the assessment of which influenced the content of the decisions contained in the decision: - the decision omitted the findings of the protocol that the Company offers simple and effective ways of withdrawing consent to data processing, i.e. sending a request to the e-mail address or the address of the registered office of the Company, and in addition, the decision incorrectly qualified the mechanism assessed on p. 9 of the decision as the "consent withdrawal process" and it was wrongly stated that the Company did not uses no methods of withdrawing consent to the processing of data, apart from this "mechanism" - impact on points Ia, I.1 and II of the decision; - the decision omits the findings from the Protocol that the data subjects have been informed at least twice about the methods of revoking consent used by the Company - impact on points Ia, I.1 and II the decision; - the authority omitted the protocol to the extent that it contains evidence of the methods used by the Company for easy and effective revocation of consent to data processing, assuming selectively that the Company uses only one method of revoking consent, which the authority has incorrectly determined, especially on the basis of a fragment of the contract on the advertising campaign concluded between the Company and the advertiser (its contractor) - the impact on points Ia, I.1 and II of the decision; - the authority determined that the Company did not offer the possibility of withdrawing the consent via the Internet, while the Authority stated in the protocol that the Company the option offers and the evidence attached to the Protocol shows that users effectively use this option - the impact on points Ia, I.1 and II of the decision; - the authority found that the on pp. 8-9 of the decision, a single advertising e-mail sent by the Company initiates the "consent revocation process", while in the protocol the President of the Personal Data Protection Office established that the e-mail was for information purposes and did not say that it would close the way to revoke consent on the processing of personal data - the impact on points Ia, I.1 and II of the decision; - the authority determined that the Company is allegedly responsible for the fact that it receives "blank" e-mail messages from interia.pl and onet.pl postal services and in the Protocol stated on the contrary that: - the above-mentioned interia.pl and onet.pl websites are responsible for sending these messages, • "blank e-mails" from interia.pl and onet.pl websites are not ordered by the Company, • the Company intervened so that the above-mentioned websites would resign from practices harmful to the Company - impact on points I.b, I.2 and II of the decision; - the authority determined that the Company did not delete "empty" e-mails from onet.pl and interia.pl postal services , while such a circumstance not only does not appear from the evidence , but it is also contradictory, since the Protocol states that the Company does not have messages from these websites in its inbox that are older than those received on the day of the inspection - impact on points 1. b, I.2 and II of the decision; 2. art. 7 of the Code of Administrative Procedure, Art. 77 § 1 of the Code of Civil Procedure and art. 80 of the Code of Civil Procedure in connection with with art. 7 sec. 3 GDPR, by erroneous and arbitrary evaluation of the evidence material, including in isolation from the assessment presented in the protocol, consisting in the recognition that the information note contained in a sample advertising e-mail message (k. 156) is allegedly a stage of the Company's "appeal process consent "consisting in withdrawing consent by clicking on a link and that the use of this note and the related website allegedly prevents the withdrawal of consent to the processing of personal data; 3. art. 7 sec. 3, art. 12 sec. 1-2, art. 17 sec. 1 lit. b GDPR through an erroneous interpretation, consisting in the assumption that: a) the data controller offers two methods of revoking consent to data processing, i.e. sending a request to a dedicated e-mail address or sending a request to a correspondence address, the effectiveness of which was confirmed in the protocol, and also, informing at least twice about these methods of withdrawing consent, which was also confirmed in the protocol, does not prevent the authority from concluding that the complainant has failed to comply with the obligation for the controller to provide an easy and effective method of withdrawing consent to the processing of personal data; when the administrator has collected consent to the processing of data via the online form, the revocation of this consent by sending an e-mail to the administrator does not constitute an online means of revoking the consent; 4. art. 4 point 1 of the GDPR, by groundlessly assuming that the e-mail address of the sender of the "blank letter" sent to the complainant is "personal data", i.e. it concerns a "natural person identifiable by the complainant", where the Authority found that the complainant does not have any additional information about the person whose "letter" ends up in the complainant's inbox and the complainant does not take any steps to identify who the e-mail address relates to; 5. art. 58 sec. 2 lit. d GDPR, art. 104 § 2 of the Code of Civil Procedure and art. 107 § 1 point 5 of the Code of Civil Procedure in connection with with art. 7 sec. 3, art. 12 sec. 2, art. 17 sec. 1 lit. b and art. 24 sec. 1 of the GDPR by not resolving in the conclusion of the decision (in points la and I.1) which specific act of the Company allegedly violates the provisions of substantive law on the protection of personal data indicated in point Ia, including the formulation of this point of the decision in an ambiguous manner and not resulting from the justification of the Decision, i.e. through a vague act described as: "failure to implement appropriate technical and organizational measures that would allow the data subject to easily and effectively withdraw consent to the processing of his personal data and to exercise the right to request immediate deletion of his personal data (the right to be forgotten) "and not specifying the order related to such an act, i.e. the order:" to modify the process of handling requests for revocation of consent to data processing in such a way that data subjects can effectively exercise their right to withdraw consent and the right to be forgotten "; 6. art. 58 sec. 2 lit. d GDPR, art. 104 § 2 and art. 107 § 1 point 5 of the Code of Civil Procedure and art. 8 § 1 and art. 11 of the Code of Civil Procedure by formulating the conclusion of the decision in point 1b and I.2 with the use of common terms (referring to data of persons who are "not customers" of the Company), which does not allow to clearly determine the actions that should be taken by the Company on the basis of such an incorrectly formulated decision ; 7. art. 107 § 1 paragraph 6 and article. 107 § 3 of the CC. by including redundant findings and assessments in the justification of the decision regarding whether the "blank letter" sent to the address of the Company is a request to delete personal data, in a situation where the decision (point 1b and I.2 of the decision) regarding the said "blank letters" is related to assessment of a completely different legal issue, i.e. verification whether the e-mail address of the sender of such a letter is personal data and whether the Company processes the data in question; 8. art. 58 sec. 2 lit. d GDPR, art. 104 § 2 and art. 107 § 1 point 5 and 6 of the Code of Civil Procedure by ordering the applicant to modify the consent revocation process, to the one that the applicant is already implementing, which was confirmed in the protocol - i.e. by providing the possibility of revoking consent to data processing via the Internet (files 103-106, pp. 155); 9. art. 83 sec. 1, section 2, section 3 and 5 of the GDPR in connection with with art. 6 sec. 1 and 2 of the Convention for the Protection of Human Rights and Fundamental Freedoms concluded in Rome on November 4, 1950, hereinafter referred to as the "ECHR") and Art. 47 and 48 of the Charter of Fundamental Rights of the European Union (hereinafter "EU CPP") and in connection with with art. 101 u.o.d.o. and art. 7, art. 8 § 1 and art. 107 § 3 of the Code of Civil Procedure in connection with with art. 72 u.o.d.o. and in connection with with art. 5 sec. 1 lit. a) GDPR, art. 6 sec. 1 GDPR, Art. 7 sec. 3 GDPR, Art. 12 sec. 2 GDPR, Art. 17 sec. 1 lit. b) GDPR and art. 24 sec. 1 GDPR, by not specifying the amount of the fine imposed on the complainant in relation to individual alleged violations (acts) indicated in point a) and lb) of the Decision, which is tantamount to failure by the President of UODO to indicate the conditions for imposing this penalty and correctly assessing its amount, and which at the same time makes it impossible to determine the adequacy and proportionality of the imposed penalty to the alleged infringements (acts) of the complainant subject to penalty and thus proves the infringement standards of conduct in matters of imposing an administrative sanction on the entrepreneur, analogous to the standards applicable in a criminal case; 10. art. 83 sec. 1, sec. 2, sec. 3 and sec. 5 GDPR and Art. 6 of the ECHR and Art. 47 and 48 of the EU Charter in connection with with art. 101 u.o.d.o., as well as art. 7, art. 8 § 1, art. 77 § 1, art. 78, art. 80 and art. 107 § 3 of the Code of Civil Procedure in connection with with art. 72 u.o.d.o. and in connection with with art. 5 sec. 1 lit. a) GDPR, art. 6 sec. 1 GDPR, Art. 7 sec. 3 GDPR, Art. 12 sec. 2 GDPR, Art. 17 sec. 1 lit. b) GDPR and art. 24 sec. 1 of the GDPR, by: - imposing a fine on the applicant in the absence of establishing the circumstances proving the existence of the premises justifying its imposition; - incorrect determination of the amount of the fine imposed on the applicant due to defective consideration of the alleged circumstances aggravating the penalty imposed, while incorrectly disregarding a number of mitigating circumstances that should affect the penalty, as well as - failure to properly justify the decision to impose a fine and its amount, especially in connection with: a) imposing a fine for undefined (unspecified) violations (acts); b) failure to indicate and lack of substantive justification as to whether and why the President considered that the imposition of an administrative fine was in each individual case (in relation to each of the alleged violations alleged by the applicant - acts referred to in point I. a) and b) of the Decision ) "effective, proportionate and dissuasive" and why the circumstances of each of the alleged infringements made it necessary to impose such a penalty; c) failure to establish and consider the grounds for imposing a penalty (aggravating and mitigating circumstances) referred to in Art. 83 sec. 2 GDPR, separately for individual alleged (breaches) of the complainant indicated in point I. a) and b) of the Decision; d) by disregarding the decision to impose a fine and determining its amount: i) the duration of the alleged breaches (acts) of the applicant; ii) the categories of personal data concerned by the alleged breaches; iii) the nature of , the scope and purpose of the processing in question; (iv) the degree of the Complainant's responsibility as the controller, taking into account the implemented technical and organizational measures; e) unjustified omission of mitigating circumstances, showing both that there are no grounds to impose a fine on the Complainant in principle, and that the penalty imposed is excessive , that is, the circumstances that: i) there is no evidence that the applicant obtained any financial benefits and avoided losses due to the alleged violation or violations; ii) in the course of the inspection and in the course of further proceedings there was "good cooperation [with The President of the Personal Data Protection Office] on the part of the Company "; iii) there is no evidence that the data subjects experienced any damage to property in connection with the alleged breach or breaches; iv) it has not been found that the Complainant has previously committed any breach of the provisions of the GDPR; f) erroneously concluding that the alleged "intention" of the alleged breach, consisting in failure to provide data subjects easy to exercise their right to withdraw consent to the processing! data and the right to delete data is evidenced by the fact that "the Company has knowledge that the consent revocation process should be easy, simple and effective"; g) unjustified and in no way justified by the President of the Personal Data Protection Office that the group of people affected by the alleged the breach by the complainant of the right to erasure (the right to be forgotten) covers "personal data of 2,190,689 persons" (i.e. all persons in the complainant's database), while even assuming that such a hypothetical breach occurred (which the applicant contradicts), in the light of the findings of the Authority itself, it could at most concern persons to whom correspondence was addressed as part of the advertising letter subject to the Authority's assessment; h) unjustified arbitrary assumption that the alleged infringements (acts) occurred "as part of the same or related operations processing "within the meaning of Art. 83 sec. 3 GDPR, without indicating what processing operations the President of the Personal Data Protection Office means, and without specifying whether the Authority considers that they are "the same" or that they are "related" processing operations and for what reasons. 11. art. 83 sec. 1, sec. 2, sec. 3 and sec. 5 GDPR in connection with with art. 101 u.o.d.o. and art. 107 § 3 of the Code of Civil Procedure in connection with with art. 72 of the PDPA, by imposing an administrative fine in the amount grossly excessive, inadequate and disproportionate to the alleged violations found, i.e. a fine of nearly 20% of the Company's net revenues for the previous financial year for alleged breaches of additional circumstances, the importance and scale of which in the context of The complainant's activity is marginal, as well as by omitting any factual justification for imposing such a fine. The Complainant Company filed for annulment of the contested decision in its entirety and a ruling on the costs of court proceedings. In response to the complaint, the authority appealed for its dismissal. Warsaw weighed as follows: Pursuant to Art. 1 § 1 and § 2 of the Act of 25 July 2002 - Law on the System of Administrative Courts (i.e. Journal of Laws of 2021, item 137, hereinafter: "Pusa" and Art. 3 § 1 of the Act of 30 August 2002 - Law on proceedings before administrative courts (i.e. Journal of Laws of 2019, item 2325), hereinafter referred to as "Ppsa", administrative courts administer justice by controlling the activities of public administration. Pursuant to Art. 134 § 1 Ppsa, the court decides within the limits of a given case, without being bound by the charges and conclusions of the complaint and the legal basis provided, subject to Art.57a. § 2). The complaint assessed in the light of the above criteria cannot be considered. The subject of the control of the Court is the decision of the President of the Personal Data Protection Office of [...] October 2019 No. [...] stating the infringement by C. Sp. in W. indicated in the part of hist legal provisions of Regulation 2016/679 by failing to implement appropriate technical and organizational measures that would allow the data subject to easily and effectively withdraw consent to the processing of his personal data and exercise the right to request immediate deletion of his personal data, as well as processing data without a legal basis persons who are not the Company's clients and from whom the Company has received a request to stop processing personal data, and further ordering the Company to modify the application handling process, withdraw consent to data processing and delete personal data of persons who are not the Company's clients and from whom the Company has received a request cease processing personal data and imposing an administrative fine on the Company in the amount of PLN 201,559.50. The legal basis for the contested decision was in particular the provisions of the General Data Protection Regulation, including Art. 57 sec. 1, according to which, without prejudice to other tasks set out under this Regulation, each supervisory authority on its territory monitors and enforces the application of this Regulation (point a), conducts investigations on the application of this Regulation, including on the basis of information received from another authority supervisory or other public authority (letter h). An instrument for the performance of the tasks specified in art. 57 above the regulation includes, in particular, the remedial powers referred to in Art. 58 sec. 2, including an ordering the controller or processor to adapt the processing operations to the provisions of this Regulation and, where applicable, an indication of the manner and time limit (point (d) and the power to apply, in addition to or instead of the measures referred to in this paragraph, an administrative fine for pursuant to Art. 83, depending on the circumstances of a particular case (point i). The provision of Art. 5 of the General Data Protection Regulation sets out a catalog of basic rules for the processing of personal data. As emphasized in the literature, these principles are interpretative directives, according to which individual provisions should be interpreted. For this reason, they are assigned the power overriding other provisions on the protection of personal data. These rules set out obligations for data controllers. The obligations imposed on administrators, included in the principles of data processing, are determined by the sanctions imposed by the EU legislator for their violation, primarily in the form of administrative fines. The basic principle of personal data processing is the principle of accountability set out in Art. 5 sec. 2 of the regulation. This provision states that the data controller is responsible for compliance with all rules when processing personal data (listed in Article 5 (1)) and must be able to demonstrate compliance with them. The principle of accountability is therefore based on the legal responsibility of the controller for the proper fulfillment of obligations and imposes on him the obligation to prove, both to the supervisory authority and to the data subject, evidence that all data processing rules have been complied with. The principle of accountability is governed by the principle of fairness and legality and the principle of transparency expressed in art. 5 sec. 1 lit. a) of the Regulation. Pursuant to this provision, personal data must be processed lawfully, fairly and in a transparent manner for the data subject. The requirement to process data in accordance with the law means both the necessity to meet the conditions of lawfulness of data processing, as well as ensuring compliance with other provisions on the protection of personal data. The requirement of reliability refers to moral values and the criterion of social acceptance of data processing operations. Moving on to the subsequent provisions of the regulation indicated by the authority as the basis for the decision, it should be clarified that the provision of Art. 7 sec. 3 of the Regulation provides for the right to withdraw consent to data processing previously given. This right results from the essence and legal nature of consent, because the right to the protection of personal data is a right of a personal nature, closely related to the person to whom it is entitled. The inseparable relationship of this right with a specific person means that consent cannot take the form of a regulation that would result in the permanent transfer or expiry of this right (see P. Fajgielski, "Legal grounds for the admissibility of processing personal data" [in:] Studies in public law, vol. 1, Contemporary problems of public law, ed. S. Fundowicz, Lublin 1999, p. 116; more broadly also P. Fajgielski, "Consent to the processing of personal data" [in:] Personal data protection. Current problems and new challenges, ed. G. Sibiga, X. Konarski, Warsaw 2007, pp. 41-60). Withdrawal of consent does not have retroactive effect and - as stipulated in par. 7 sec. 3 sentence the second UODO does not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal. The declaration of revocation of consent has ex nunc effect, i.e. for the future, from the moment it is submitted to the controller. The new requirement regarding consent to the processing of personal data is introduced by the provisions of the Regulation, is the obligation to inform the data subject about the right to withdraw consent, before expressing it As commentators explain, such a requirement was introduced in order to increase the data subjects' awareness of their rights related to data protection. that they are entitled to this type of right.The new requirement means the extension of the information obligation and the need to provide, among other information, required under Art. 13 of the Regulation, also information on the possibility of withdrawing consent to data processing. (yes Paweł Fajgielski "Commentary to Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection, the Act on the Protection of Personal Data. Comment) "WKP 2018, legal status on July 1, 2018. LEX Omega as, commentary to art. 7 theses 9 and 10). Another consent requirement is the obligation on controllers to provide the data subject with the possibility to withdraw consent in a manner as easy as This means that if the declaration of consent was submitted using a paper form, the administrator should provide the possibility of withdrawing consent also using a paper form. The wording "equally easy" contained in the commented provision allows to assume that the administrator has the freedom to choose the method here. , in which it will provide the data subject with the possibility of withdrawing consent, may provide for an easier way of withdrawing consent than expressing consent, but it cannot limit this right by adopting solutions that would make it difficult to submit a declaration of consent withdrawal if submitting a declaration of consent withdrawal would be more difficult than submitting a declaration of consent. withdrawal of consent and the requirement that the withdrawal should be as easy as giving consent) must entail changes in the practice of data processing. Controllers that obtained consent prior to the application of the Regulation usually did not inform data subjects about the right to withdraw consent, nor did they make it possible to withdraw consent easily, as the legislation in force at the time did not provide for such requirements. This entails the necessity to inform data subjects about these new rights which have been granted to them under the provisions of the discussed regulation (see P. Fajgielski, op. Cit., Commentary to Art. 7, thesis 11). 12 sec. 2 of the regulation imposes an obligation on the data controller to facilitate the data subject's exercise of the rights specified in the provisions of art. 15-22, including the right to delete data (Article 17 of the Regulation). The legislator does not specify exactly what this facilitation would consist of, therefore it can be assumed that the manner of implementing this requirement has been left to the administrator, although some guidance in this regard is provided by the further content of this provision, as well as by subsequent provisions relating to the implementation of individual rights. Undoubtedly, this structure also indicates that the controller cannot hinder the exercise of rights by data subjects. (see P. Fajgielski, op.cit., Commentary on Article 12, thesis 7). Finally, it should be noted that recital 59 explains that "Procedures should be provided to facilitate the exercise of the data subject's rights under this Regulation, including request mechanisms - and, where applicable, obtaining free of charge - in particular, access to personal data and their rectification or deletion, and the possibility of exercising the right to object.The administrator should provide the possibility of submitting relevant requests also by electronic means, in particular when personal data are processed by The administrator should be obliged to answer the requests of data subjects without undue delay - no later than within one month, and if he does not intend to comply with such request - provide the reason. "It should also be emphasized that the premise indicated in Art. 17 sec. 1 lit. b of the regulation, which entitles the data subject to request the data controller to delete the data, is the withdrawal of consent to the processing of data where the controller has no other legal basis on which to base the data processing. If the data subject has consented to the processing of data, he has the right to withdraw his consent at any time, as provided for in Art. 7 sec. 3 of the regulation. Withdrawal of consent should result in the cessation of data processing to the extent that the processing is based on consent. If the administrator, despite the withdrawal of consent, has not stopped processing the data, the data subject may request the fulfillment of this obligation, and the administrator is obliged to immediately delete the data. reasonably found that the consent revocation process applied by the complaining Company resulted in a violation of Art. 7 sec. 3, art. 12 sec. 2 and art. 17 sec. 1 lit. b of the Regulation 2016/679. In the opinion of the Court, the manner of proceeding used by the complaining Company in the process of revoking consent to the processing of personal data previously obtained by the Company does not meet the criteria for a simple and quick revocation of consent and constitutes a breach of Art. 7 sec. 3, as well as art. 12 sec. 2 and art. 17 sec. 1 lit. b of Regulation 2016/679. The Company sends contradictory messages to persons who revoke their consent, as demonstrated by the administrative proceedings conducted in this case. The person revoking the consent, after receiving from the complainant Company the message "Your consent is revoked today, 13/02/2019!" has every reason to believe that she successfully revoked her consent. However, consent is not revoked. The company, after sending the above-mentioned message, sends a message to the same person in which he informs about the method of effective withdrawal of consent. Such action of the data controller has been aptly found by the authority as misleading and misleading persons intending to exercise the right to withdraw consent, and as a result violating the principles of transparency and fairness, referred to in Art. 5 sec. 1 lit. 2016/679. Moreover, as evidentiary proceedings have shown, the Company obtains information on the reasons for the revocation of consent in the process of revoking the consent. Failure to answer the question about the reasons for the revocation of consent prevents the data subject from effectively revoking the consent, as it interrupts the process of revoking the consent. Moreover, indicating the reason does not result in revoking the consent. After receiving the answer as to the reason for revoking the consent, the Company continues the process of revoking the consent, providing the person concerned with conflicting messages. The actions of the complaining Company in this respect are as follows: clicking on the link "revocation of consent" results in the fact that 1) the user is redirected to a website where he is asked about the reason for resignation from receiving advertisements by e-mail (with two defined answers : "A: I receive advertisements that do not interest me", "B: I receive advertisements too often"); 2) after answering the above-mentioned questions, the user is redirected to the next page, where the following message appears: "Your consent is revoked today, 13/02/2019!". Under this message, there is the following entry: "Thank you for your answer! In such a situation, I inform you that you have the right to access your data, delete it, limit processing, transfer, object, request rectification and withdraw your consent at any time at [... ]; Including the right to lodge a complaint with the President of the Personal Data Protection Office. That's all for me. PM "There is no doubt, in the opinion of the Court, that the question of the data subject about the reasons for withdrawing consent is devoid of any legal basis and is a deliberate action aimed at hindering or even preventing the exercise of the rights of data subjects. Such action is also a violation of the principles of lawfulness, transparency and fairness of data processing referred to in art. 5 sec. 1 lit. and Regulation 2016/679. The Complaining Company does not fulfill the obligation under Article 12 sec. 2 of Regulation 2016/679, because it not only does not facilitate, but even makes it difficult for data subjects to exercise the right to delete personal data regulated in art. 17 sec. 1 lit. b of the same regulation, which is confirmed by the above-described operation scheme. For this reason, the allegations of violation of Art. 5 sec. 1 lit. a, art. 5 sec. 2, art. 7 sec. 3, art. 12 sec. 2 and art. 17 sec. 1 lit. b of the Regulation 2016/679 cannot have the intended effect. The court did not share the complainant's view as to the incorrect interpretation of Art. 7 sec. 3, art. 12 sec. 1-2 and art. 17 sec. 1 lit. b of the Regulation 2016/679 contained in plea 3 of the complaint. In fact, this plea relates to a subsumption error and not to a misinterpretation of the law. Moreover, the applicant does not indicate, in making that objection, what, in its view, the correct interpretation of those provisions should be. Therefore, this objection does not deserve to be considered. The opinion of the authority should also be shared that the Company has not applied appropriate technical and organizational measures that would enable data subjects to effectively exercise their rights, as provided for in Art. 24 sec. 1 of Regulation 2016/679. In the process of revoking consent, the complainant did not take into account the principle that the withdrawal of consent should be as easy as expressing it, pursuant to Art. 7 sec. 3 of Regulation 2016/679. It should be emphasized once again that the process of revoking consent should be easy, uncomplicated and using the same information channel through which the consent was obtained (in this case via the Internet). It is the complainant as the data controller that is responsible for the fact that an ineffective tool is used in the process of withdrawing consent, ie the button: "[...]" posted on the websites. This ineffective tool leads to the phenomenon of about 10,000 per day, the so-called "blank e-mail", because people who use this button to revoke consent cannot effectively exercise the right to be forgotten. According to the Court, the authority also accurately assessed the Company's actions as to the requests of people who are not its clients, and regarding the cessation of processing their personal data by entities other than the Company. Since the Company does not conduct - as it was established in the course of proceedings with these persons - any correspondence, the claim of the complainant that the data of these persons is processed in order to handle correspondence cannot be regarded as consistent with the facts. Therefore, the Company - after determining that it has not had any information about a given person so far - should delete this data due to the lack of legal grounds for further processing. The decision contained in point I. 2) of the decision is therefore lawful. Pursuant to Art. Pursuant to Article 83 (1) of the Data Protection Regulation, each supervisory authority shall ensure that the administrative pecuniary sanctions referred to in paragraph 1 are applied under this Article for infringements of this Regulation. 4, 5 and 6 were effective, proportionate and dissuasive in each individual case. Pursuant to Art. 83 sec. 2 of the Regulation, administrative fines are imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 sec. 2 lit. a) -h) and lit. j). When deciding whether to impose an administrative fine and determining its amount, in each individual case, due attention should be paid to: the degree of responsibility of the administrator, taking into account technical and organizational measures implemented pursuant to Art. 25 and 32 (letter d); any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained directly or indirectly due to the infringement or avoided losses. The content of the contested decision shows that the President of the Personal Data Protection Office considered the premises set out in the above-mentioned provision and justified sufficient position adopted. The authority indicated the circumstances determining the imposition of an administrative fine and the conditions affecting its amount, namely elements related to activities constituting a breach of the General Data Protection Regulation, the complainant's conduct as a data controller before and after the assessed breach, the effects of the breach and its intentional character. Consequently, it determined the amount of the fine at such a level as to constitute an adequate reaction of the supervisory authority to the degree of infringement. In the Court's opinion, the authority properly balanced the imposition directives and the amount of the administrative fine in the analyzed case. Therefore, there are no grounds to conclude that the penalty is grossly excessive or inadequate to the degree of the offense. It should be noted that the President of the Personal Data Protection Office, when determining the amount of the fine, correctly accepted, in the opinion of the Court, that the violations of the law by the Company were intentional, and at the same time, there were no mitigating circumstances that could affect the final sentence. The declaration of the complainant about the change of the message "Your consent is revoked today, 13/02/2019" to the message "Information on the method of revocation of your consent" has not been confirmed by any additional evidence. The mere intention of the applicant to take additional steps to remedy the infringement of the law does not constitute, as the authority rightly held, an attenuating circumstance. In view of the foregoing, the allegation that the complaint has infringed Art. 83 sec. 1 clause 2 and paragraph 5 of Regulation 2016/679 and art. 6 of the ECHR by imposing a pecuniary penalty in the absence of establishing the circumstances proving the existence of the premises justifying its imposition, incorrect determination of the amount of the fine due to defective determination of aggravating circumstances and omitting of mitigating circumstances, failure to properly justify the decision on imposing the fine and its amount, as well as on imposing an administrative fine in the amount grossly excessive and disproportionate to the irregularities found. The defaults committed by the Company are not minor and relate to the Company's operations consisting in the implementation of orders for marketing and advertising campaigns for other entities. The applicant company concludes commission contracts with third parties to conduct marketing campaigns and uses, in the implementation of such a contract, personal data that it has previously obtained from participants in competitions organized by it, mainly called "The fastest - wins", and is obliged to take such activities the above-mentioned provisions of Regulation 2016/679 Failure to comply with the basic principles contained in Regulation 2016/679, including the right to delete data referred to in Art. 17 sec. 1 lit. b of the Regulation and the principles of transparency and fairness regulated in Art. 5 sec. 1 lit. a of the Regulation, as well as the group of persons affected by the infringement (over 2 million people) support the assessment of the seriousness of the infringement, and thus the recognition that the administrative fine fulfills the functions referred to in Art. 83 sec. 1 of the Regulation. It should also be added that the Court did not find such violations of the procedural provisions that could have a significant impact on the result of the case. Therefore, the Court did not accept the allegations of violation of Art. 7, art. 8 § 1, art. 80, art. 107 § 3, art. 104 § 2, art. 107 § 1 point 5, art. 104 § 2, art. 11, art. 107 § 1 point 6 and article. 78 of the Code of Administrative Procedure In the opinion of the Court, the administrative proceedings were conducted fairly and the party had the opportunity to submit extensive explanations. The justification of the decision, in turn, contains all the legally required elements, and in particular, the legal basis for the decision has been explained in detail, the key provisions of the case have been cited, the facts of the case have been presented and the facts have been subsumed under certain legal standards. Also, the decision contained in the contested decision is understandable, clear and meets the requirements of the law, contrary to the allegations of the complaint. Given the above, the Provincial Administrative Court in Warsaw, pursuant to Art. 151 of the Act - Law on Proceedings Before Administrative Courts, ruled as in the sentence.