WSA Warsaw - II SA/Wa 734/21

From GDPRhub
Revision as of 11:01, 15 November 2021 by Gr (talk | contribs)
WSA Warsaw - II SA/Wa 734/21
Courts logo1.png
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 6(1) GDPR
Article 6(1)(f) GDPR
Decided: 29.09.2021
Published:
Parties:
National Case Number/Name: II SA/Wa 734/21
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Court found that the processing of personal data available in the public registers or in the non-confidential declaration of assets, in order to justify the termination of the employment contract, is supported by Article 6(1)(f) GDPR.

English Summary

Facts

Applicant is the President of the Polish DPA (UODO) and defendant is a school (hereafter: controller). This appeal resulted from a decision by the DPA, in which it ordered the controller to remove certain processed' personal data of the complainant.

The complainant is a teacher whose contract got terminated by the controller (her employer). She had received a notice of termination of her employment together with a statement of reasons, the content of which contained processed' personal data concerning her and her husband. She considered that she had never provided this personal data to the employer, and that this was not in line with the GDPR. Hence, she filed a complaint with the Polish DPA (UODO).

In the justification for the termination of employment, the controller presented personal data obtained from public registers concerning the assets and income from complainant's business activity and agricultural activity, as one of the reasons for the termination. Furthermore, it stated that the processing of the this data resulted from the obligation to comply with all the orders imposed by law in terms of justifying the termination of the employment relationship for reasons beyond the employer's control (collective redundancies).

In its decision, the DPA referred to the position of the Supreme Court in their judgement of 19 April 2019 (I PK 20/18), in which it held that the criteria for assessing the reasonableness of termination, such as family, personal or financial situation, do not fall within the concept of the reason for termination. They only constitute criteria for assessing the decision's legitimacy. In the light of the above, the DPA stated that the controller had no legal basis to process complainant's personal data obtained from publicly available public registers in the text of the termination notice, and thus violated Article 6 GDPR. Hence, the DPA ordered the controller to delete complainant's personal data concerning her assets and income from her business and agricultural activities.

The controller appealed to this decision and brought the complaint to the administrative court.

Holding

The Court held that the DPA did not fulfil its obligation to correctly assess the processing criterion indicated by the school, because in order to make such an assessment it is not sufficient to cite the Supreme Court's decision concerning the reasons for termination of the employment contract. According to the Court, this assessment must find support in the case under consideration, which was lacking in the justification of the decision.

Regarding the Supreme Court judgment cited by the DPA, the Court indicated that there are also judgments interpreting the issues related to the selection of the criterion for termination in a different manner, as there is a divergence in the case law in this respect. The first position, which the court in the present case found to be correct, indicates that when terminating an employment contract by notice, the employer must indicate the criteria it used to terminate an employee's contract.

The Court pointed out that, in this case, the controller included these criteria in the termination notice, apart from the main reason for termination (redundancy). Among these criteria, was the criterion of financial situation, which was supported by the personal data from public records and an open declaration of assets. The Court held that the controller had a legitimate interest in processing this data, and therefore could rely on the legal basis in Article 6(1)(f) GDPR. Hence, the Court found that the DPA's decision violated the law and annulled the DPA's decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

 The President of the Personal Data Protection Office (the President of the Personal Data Protection Office, the authority), by decision of [...] January 2021 No. [...], acting pursuant to Art. 104 § 1, art. 105 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended; hereinafter the Code of Administrative Procedure), art. 6 sec. 1 and art. 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (Journal of Laws of the EU, L 119 of May 4, 2016, page 1, as amended; hereinafter referred to as the GDPR Regulation), after conducting administrative proceedings regarding the complaint of MB and KBN regarding irregularities in the processing of their personal data by the Primary School [...] with its seat in [...] ...] (School), ordered the School to remove MB's personal data concerning the state of property and income from business and agricultural activities, discontinued the proceedings regarding the processing of personal data by the School by the School. By. The above decision was issued in the following state of the case. The Personal Data Protection Office received a complaint from MB and KB, residing in in [...], irregularities in the processing of their personal data by the School consisting in the acquisition and processing of data on the state of property, income from economic and agricultural activities by the director of the School without a legal basis. M.B. explained that on June 11, 2019, she received a registered letter terminating the employment relationship with a justification, which contained processed data about her and her husband, not in the possession of the employer. She added that she never transferred her and her husband's data to her employer for processing and sharing. It decided that their data had been processed in breach of the applicable provisions of the GDPR. In a letter of [...] November 2019, the authority informed MB that it initiated an explanatory procedure in connection with the complaint and asked the School to provide explanations on the matter. results from the arrangements made, MB was employed as a teacher at the Primary School M. K. in M. [...] June 2019, received a notice of termination of the employment contract concluded with the [...] School in July 1999 for an indefinite period. In the justification, the School presented the data obtained from public registers regarding the state of property and income from economic and agricultural activities as one of the reasons for termination of the employment relationship. The school indicated that obtaining MB data from public registers, i.e. the Central Register of Information on Economic Activity ( CEIDG), the National Court Register (KRS) and the property declaration of the councilor of the Chodzież poviat, took place only for the purposes of the procedure of termination of the employment contract with her. This data has not been made available to third parties, it was used for the purposes of the procedure of termination of the employment contract with the above-mentioned and are included in the employee's personal files (evidence: explanations from the School on December 5, 2019 with attachments). legal provisions regarding the justification of termination of employment (proof: explanations of the School of March 9, 2020). In the justification of the decision indicated at the beginning, the President of the Personal Data Protection Office explained that the GDPR Regulation defines the obligations of the controller, which include the processing of personal data in compliance with the conditions specified in the GDPR . Art. 6 sec. 1 GDPR, according to which data processing (including sharing) is allowed only if one of the conditions indicated in this provision is met. The catalog of the premises listed in Art. 6 sec. 1 GDPR is closed. Each of the premises legalizing the processing of personal data is autonomous and independent. This means that these conditions are, in principle, equal, and therefore the fulfillment of at least one of them determines the lawful processing of personal data. As a consequence, the consent of the data subject is not the only basis for the processing of personal data, as the data processing process will be compatible with the GDPR also when the controller demonstrates that another of the above-mentioned conditions is met. Regardless of the consent of the data subject (Article 6 (1) (a) of the GDPR), the processing of personal data is permissible when it is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject, to whom the data relate, before concluding the contract (Article 6 (1) (b) of the GDPR), when it is necessary to fulfill the legal obligation incumbent on the controller (Article 6 (1) (c) of the GDPR), when the processing is necessary to protect vital interests of the data subject or another natural person (Article 6 (1) (d) of the GDPR), when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority entrusted to the controller (Article 6 (1) (d) of the GDPR) 1 letter e of the GDPR), when processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where these interests are overridden they have the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Art. 6 sec. 1 lit. f of the GDPR), the authority cited the content of Art. 5 sec. 1 of the GDPR Regulation and art. 221 of the Act - Labor Code. As he stated, in the present case, the School pointed out that the acquisition of data from CEIDG, KRS and the poviat councilor's property declaration resulted from the obligation to compensate all orders imposed by law in the scope of justifying the termination of employment with MB, while the processing of publicly available data of the complainant - as a person running a business whether performing specific functions in entities subject to entry in the National Court Register, is supported by Art. 6 sec. 1 lit. f GDPR. According to the authority, the concept of a legitimate legal interest should be understood not as an interest resulting from legal provisions, but as a lawful interest. This lawfulness limits the notion of the controller's interest as a potential basis for the processing of personal data. The interpretation of the concept of legitimate interest should therefore be broad and cover economic, factual or legal interests. The authority shared the position of the Supreme Court contained in the judgment of April 16, 2019 (I PK 20/18), in which it was indicated that "the criteria for assessing the validity of the termination, such as the current employment relationship, length of service, professional qualifications, do not fit into the concept of They are only criteria for assessing the justification of this reason, and even more so, circumstances such as family, personal or property situation do not fall within this concept, because in accordance with the established position of the Supreme Court, they are considered in the context of the principles of social coexistence, and their violation is not signifies the groundlessness of the notice, but its contradiction to the principles of coexistence. " In connection with the above, the President of the Personal Data Protection Office stated that the actions taken by the administrator, consisting in including the complainant's personal data obtained from publicly available registers in the content of the termination notice, are not justified in the provisions of the GDPR and constitute a violation of Art. 6 sec. 1 GDPR. As for the complaint filed by KB, the authority stated that the investigation did not provide evidence that the personal data had been processed, as indicated by the authority, in the submitted explanations, the School stated that it had used data from public registers to conduct procedures for terminating the employment contract relating only to MB in connection with organizational changes carried out at the School. In turn, the personal data of K. B. were not processed, and also in no way made available by the School to unauthorized persons. Therefore, it cannot be concluded that the School is processing the personal data of K. B., who is the applicant's husband and co-owner of the farm indicated in the complaint. The task of the President of the Personal Data Protection Office in administrative proceedings conducted as a result of the lodging of an individual complaint against the processing of personal data is to evaluate the existing data processing process, while the supervisory authority does not take action in relation to a potential violation that has not occurred. As a consequence, the proceedings in the above-mentioned scope were found by the authority to be redundant as such, and the school brought a complaint to the Voivodship Administrative Court in Warsaw against the decision of the President of the Personal Data Protection Office (UODO) indicated at the beginning, in part including the order to remove MB's personal data concerning the state of property and income from business and activity. The contested decision alleged infringement of Art. 6 sec. 1 of the GDPR Regulation, due to its incorrect interpretation and application consisting in the incorrect assumption that "actions taken by the administrator consisting in including in the content of the termination notice, personal data obtained from publicly available registers, are not grounded in the provisions of the GDPR and constitute a violation of art. RODO ". In connection with the above, pursuant to art. 145 § 1 point 1 lit. a) p.p.s.a. requested to accept the complaint and to revoke the decision of the President of the Personal Data Protection Office of [...] January 2021 in the part concerning point 1, and awarding the complainant School the costs of proceedings in accordance with the prescribed standards. In the complainant's opinion, the authority did not take into account that the data was obtained from publicly available registers only for the purposes of the procedure of terminating the employment contract with a teacher and its detailed justification. When deciding to reduce employment for reasons not related to employees, certain rules (criteria) for selecting employees to be dismissed apply. The selection criteria for dismissal - as a rule - must be presented to the dismissed employee in a letter terminating the employment contract (Article 30 § 4 of the Labor Code). One of the criteria indicated both in the jurisprudence and the literature that should be used is the financial situation of teachers, having other sources of income, etc. According to the judgment of the Supreme Court of September 18, 2003 (I PK 286/02), the financial situation of the dismissed teacher is one of the basic criteria to be taken into account by the employer when selecting an employee to be dismissed. The teacher's fulfillment of the conditions entitling to a retirement pension or a compensation benefit may be a criterion for selection to be dismissed. The selection of the dismissed teacher may also be influenced by the fact that the teacher has other sources of income, e.g. employment of his spouse, running a business, shares in a company. e.g. ZFŚS) as well as based on publicly available information contained in public registers: a) Central Register and Information on Economic Activity (https://prod.ceidg.gov.pl/ceidg/ceidg.public.ui/ search.aspx) - the fact of running a business; b) the National Court Register (https://ekrs.ms.gov.pl/) - the fact of holding shares in commercial companies; c) property declaration of the poviat councilor [...] term [. ..] (http://bip.wokiss.pl/chodziezp/) - the fact of having a farm. In the complainant's opinion, the processing of the questioned data is based on the provisions of law, because both the CEIDG, the National Court Register and the councilor's property declarations are public. Consequently, it should be assumed that the processing by the School of publicly available data of a person running a business or performing specific functions in entities subject to entry in the National Court Register is based on Art. 6 sec. 1 lit. f GDPR, according to which the processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. As stated by the complainant, the processed data are publicly available data collected in official, public registers. The scope of these data is relatively narrow, and the risk to the rights and freedoms of the data subject related to their processing - low. The scope of personal data obtained by the School from publicly available KRS and CEIDG registers and property declarations and subject to further processing is consistent with the legitimate interest of the administrator (Article 6 (1) (f) of the GDPR). In the opinion of the complainant School, these data are limited to information directly related to the financial situation of the dismissed teacher, which should be assessed in the context of selecting the employee to be dismissed. In response to the complaint, the President of the Office of Personal Data Protection appealed for its dismissal, sustaining the arguments contained in the justification of the contested decision. in Warsaw weighed the following: Pursuant to Art. 1 § 1 and 2 of the Act of 25 July 2002 - Law on the System of Administrative Courts (consolidated text, Journal of Laws of 2021, item 137), administrative courts administer justice by controlling the activities of public administration, where this is performed in terms of compliance with the law, unless the acts provide otherwise. public regarding the rights or obligations arising from the provisions of law, from the point of view of their compliance with substantive law and the provisions of administrative proceedings, according to the factual and legal status in force on the date of issuing this act or taking the action in dispute. Therefore, it is about the control of acts or activities in the field of public administration performed solely in terms of their compliance with substantive law and procedural regulations, and not according to the criteria of equity or compliance with the principles of social coexistence. , however, not being bound by the allegations and conclusions of the complaint and the legal basis established (see: Art. 134 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts - consolidated text, Journal of Laws of 2019, item 2325 with amendments - hereinafter also: "ppsa"). In the opinion of the Provincial Administrative Court in Warsaw, the complaint of the Primary School [...] analyzed in this respect [...] deserves to be considered, because the contested decision of the President of the Data Protection Office Personal data of [...] January 2021, violates applicable law. The court decided that the President of the Personal Data Protection Office, by issuing the disputed administrative decision of [...] January 2021, will allow There is a breach of both the provisions of European law binding on Poland and the domestic law to a degree that significantly influenced the final result of the case ended with the issue of the above-mentioned decision in the scope of its first point. It should be noted that in the light of Art. 4 point 2 of the GDPR, "processing" shall mean an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using , disclosure by sending, distributing or otherwise sharing, matching or combining, limiting, deleting or destroying. In this case, the subject of the proceedings was the unauthorized processing of MB and KB personal data by the Primary School [...] in [...]. (the complaint concerns only point 1 of the decision, i.e. the processing of MB's personal data). In this situation, taking into account the above definition of processing, the President of the Office for Personal Data Protection, as the supervisory body, was obliged to analyze the data filed on [...] February 2021 a complaint, conduct appropriate explanatory proceedings and, on the basis of all the collected evidence, determine whether the violations of the rights arising from the GDPR referred to by the complainant have been proven, due to the fact that both the GDPR and the Act on the Protection of Personal Data do not regulate the issue of taking evidence and the duties of the supervisory authority related to making findings of fact, the rules and principles set out in the Code of Administrative Procedure apply. fulfilled all obligations which include the processing of personal data in accordance with the conditions set out in the GDPR It is worth noting here that the EU legislator, requiring in art. 5 sec. 1 lit. a GDPR, in order for the data to be processed in accordance with the law, fairly and transparently for the data subject, included in this provision two principles, i.e. the principle of fairness and legality and the principle of transparency, which have an established place in the personal data protection system from the beginning of its shaping. The principle of fairness and legality (lawfulness) requires that data be processed fairly, i.e. fairly and in accordance with the law. The requirement to ensure the lawfulness of data processing operations means not only the need to meet the conditions of lawfulness of data processing, as set out in Art. 6 and art. 9 GDPR, but also the need to ensure compliance with other provisions on the protection of personal data. This requirement also means the necessity to ensure compliance with the entirety of the provisions regulating the activities of entities processing personal data (cf., inter alia, P. Drobek / in: / GDPR. General Data Protection Regulation. Comment, edited by E. Bielak-Jomaa and D Lubasza, WKP 2018, thesis 6 of the commentary to Article 5 of the GDPR). The school being the MB Data Administrator indicated Art. 6 sec. 1 lit. f GDPR and the fact that the School has obtained personal data from publicly available CEIDG and KRS registers and the councilor's property declaration, which is public. 6 sec. 1 lit. f GDPR, processing is lawful when processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject concern, requiring the protection of personal data, in particular when the data subject is a child. The above provision is addressed to data controllers and third parties. First of all, it is necessary to assess whether there is a legitimate interest on the part of the administrator or a third party. It may be a factual, economic or legal interest, but one that is lawful. To achieve the purpose resulting from the administrator's interest understood in this way, processing must be necessary. This implies a reasonable need to achieve this goal. In the next step, it is necessary to assess whether the planned implementation of the goal resulting from the legitimate interest of the administrator or a third party may violate the interests, fundamental rights or freedoms of the data subject which require the protection of personal data. 6 sec. 1 lit. f GDPR, the authority limited itself in the contested decision to stating that "the concept of a legitimate legal interest (although the provision refers to a legitimate interest) should be understood not as an interest resulting from legal provisions, but as a legitimate interest. This lawfulness limits the notion of the controller's interest as a potential basis for data processing. The interpretation of the concept of a legitimate interest should therefore be broad and cover economic, factual, economic or legal interests. Then the authority referred to the judgment of the Supreme Court I PK 20/18, in which it was stated that "the criteria for assessing the validity of the termination, such as the previous employment relationship, length of service, professional qualifications, do not fall within the concept of the reason for the termination. Even more so, this concept does not include circumstances such as family, personal or property circumstances, as in accordance with the established position of the Supreme Court, they are considered in terms of the principles of social coexistence, and their violation does not mean that the termination notice is unjustified, but its contradiction to the principles of coexistence. ". Considering the above, the Authority maintained its position expressed in the contested decision that the actions taken by the administrator, who, within the meaning of Art. 4 point 7 of the GDPR is the School, consisting in the inclusion of the complainant's personal data obtained from publicly available registers in the content of the notice of employment, do not find grounds in the provisions of the GDPR and constitute a violation of art. 6 sec. 1 GDPR. "To sum up, the authority did not fulfill the obligation to correctly assess the processing criterion indicated by the school, in accordance with the above-mentioned scheme, because it is not sufficient to cite the judgment of the Supreme Court to make this assessment, as this assessment must be based on the case under consideration, which in the justification The decision was missing and it resulted in the violation of Art. 107 § 3 of the Code of Administrative Procedure. To sum up, the authority's statements are insufficient, in the opinion of the Court, to recognize the lack of a legitimate interest in the processing of MB's data by the School as the Administrator. Also, judgments interpreting the issues related to the selection of the criterion for termination in a different way, as there is a discrepancy in the jurisprudence in this regard. he guided selecting a given employee for dismissal. In the judgment of September 30, 2014, file ref. I PK 33/14, the Supreme Court indicated that the employer is obliged to define in the notice the criteria for selecting employees to be dismissed. - also the criteria which she followed when selecting employees to be dismissed, including the criterion of financial situation, which was supported by data from public non-confidential registers and an open asset declaration, which, in the opinion of the Court, gives rise to the assumption that processing by the School to justify the termination , available in open sources of the complainant's personal data - is supported by the already mentioned art. 6 sec. 1 lit. f GDPR. In addition to the case, the Court indicates that the Act of August 20, 1997 on the National Court Register (Journal of Laws of 2018, item 986, as amended), introduces in art. 8 the principle of formal openness of the National Court Register, hereinafter referred to as the Register. The aforementioned provision expressly states that the Register is public (section 1), that everyone has the right to access the data contained in the Register via the Central Information (section 2) and that everyone has the right to receive, also by electronic means, certified copies, excerpts , certificates and information from the Register (section 3). However, according to Art. 13 sec. 1, entries in the register are subject to the obligation to be published in the Court and Economic Monitor (hereinafter referred to as the Monitor), unless the law provides otherwise. proxies and partners are entered into the indicated Register on the basis of art. 36 points 2 and 5-7, art. 38 points 4 and 8 and article. 39 points 1 and 3 in connection with joke. 35 point 1 of the Act on the National Court Register and constitute public information and available to everyone pursuant to Art. 8 of the discussed legal act.Thus, it should be assumed that the processing by the School, in order to justify the termination, of the complainant's available personal data - as a person holding shares in entities subject to entry in the Register - is based on the already mentioned Art. 6 sec. 1 lit. f GDPR; however, pursuant to Art. 45 of the Act of March 6, 2018 on the Central Register of Business Activity and the Information Point for Entrepreneurs (Journal of Laws 2020.2296, i.e.), data and information provided by CEIDG are public. Everyone has the right to access this data and information, therefore it should be assumed that the processing by the School, in order to justify the termination, of the complainant's available personal data obtained from CEIDG, is based on the already mentioned Art. 6 sec. 1 lit. f GDPR. It also results from the provisions of the acts on the commune self-government, the poviat self-government and the voivodeship self-government that the information contained in the property declaration is public, with the exception of the information about the place of residence of the person submitting the declaration and the location of the real estate. in order to justify the termination, the available personal data of the complainant obtained from the declaration of financial interests is based on the already mentioned art. 6 sec. 1 lit. f GDPR. At the stage of responding to the complaint, the authority referred to the content of Art. 22¹ of the Labor Code, indicating that the employer may only process the employee's personal data listed therein. The court does not share this view and emphasizes that pursuant to Art. 6 sec. 1 GDPR, data processing is permissible when at least the condition indicated in this provision is met, which was met in the present case. Taking the above into account, acting pursuant to art. 145 § 1 point 1 lit. a) and c) of the AA 200 of the BRL. When re-examining the case, the authority should take into account the above-mentioned comments.