WSA Warszawa - II SA/Wa 607/20

From GDPRhub
WSA Warsaw - II SA/Wa 607/20
Courts logo1.png
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 6(1) GDPR
Article 21(3) GDPR
Article 58(2)(b) GDPR
Article 58(2)(c) GDPR
Decided: 13.01.2021
Published:
Parties:
National Case Number/Name: II SA/Wa 607/20
European Case Law Identifier:
Appeal from: UODO (Poland)
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Provincial Administrative Court of Warsaw held that it is unacceptable to process personal data with the assumption that they may be possibly useful in the future, if the data subjects do not make specific claims against the controller.

English Summary

Facts

Individuals have complained to the Polish supervisory authority about the processing of their personal data by their bank without a legal basis and for marketing purposes. The applicants were customers of the bank and held personal and savings accounts with it. After some time, the customers requested the bank in writing to stop sending advertising material and bank statements to their address and withdrew their consent to the processing of their personal data by the bank, which withdrawal of consent included the quote: "the use, processing and archiving of all our personal data by the Bank".

The bank informed the applicants that it would not comply with the request due to the impossibility of confirming the identity of the applicants, and also indicated the possibility of submitting the request in person at any bank office or by sending a request to that effect via the bank's helpline or Internet channel. The applicants have refused to use the communication channels indicated to them by the bank and have renewed their statement withdrawing their consent to the processing of their personal data by the bank. The bank eventually closed the customers' bank accounts and at the end sent them a monthly bank statement and later a combined bank statement, which contained information about the bank's subscription to a new structured deposit.

By letter from November 2018 the bank stated that it currently processes the applicants' data in terms of first names, surnames, type of identity document, identity document number, expiry date of identity document, country of issue of identity document, PESEL identification number, date of birth, place of birth, country of birth, residence status, nationality, parents' first names, marital status, mother's maiden name, gender, residential address, correspondence address, mobile phone number, home phone number, form of employment and preferred language of contact, data on the bank's products held, CIF number (identification number assigned to the bank's customers), on the basis of Article 6(1)(f) GDPR, i.e. in the legitimate interest pursued by the bank, for the purpose of establishing, investigating or defending against possible claims by applicants.

The DPA pointed out that, as of the date of closure of the clients' bank accounts, the bank should cease processing their personal data in connection with the contracts between it and the applicants, i.e. on the basis of Article 6(1)(b) GDPR. However, pursuant to Article 17(3)(e) GDPR, the right to request from the controller the immediate erasure of personal data concerning the data subject, pursuant to which the controller is obliged to erase personal data without undue delay, does not apply to the extent that the processing is necessary for the establishment, assertion or defence of claims.

In the opinion of the DPA, the evidence gathered in the present proceedings has not demonstrated that the applicants have made any claim against the bank that would justify the bank's right to retain and process their personal data for evidential purposes in connection with the applicants' pursuit of this claim.

The DPA issued a decision ordering the bank to delete the applicants' personal data and issued a warning to the bank for violating Articles 6(1), 12(2) and (3), and 21(3) GDPR.

Holding

The administrative court dismissed the bank's appeal against the supervisory authority's decision. It indicated that it did not appear from the evidence gathered in the course of the proceedings that the applicants had made any claim against the bank which would entitle the bank to retain and process their personal data for evidential purposes in connection with their pursuit of that claim. The court emphasised that the premise of Article 6(1)(f) GDPR relates to an already existing situation where the purpose deriving from the legitimate interests pursued by the controller is the need to prove, or the need to assert or defend against, an existing claim, not to a situation where the data are processed in order to safeguard against a possible claim. Therefore, it is not permissible to process personal data as if "in advance" with the assumption that they may possibly be useful in the future and with reference to the provisions concerning the limitation of civil law claims.

Comment

Quite similar to this case, where the controller also attempted to rely on Article 6(1)(f) as a lawful basis for processing data related to future claims.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

 The subject of the examination in this case was the complaint of the Bank [...] Spółka Akcyjna with its seat in W. against the decision of the President of the Personal Data Protection Office, mark [...] of [...] January 2020, regarding the processing of personal data. The complaint was submitted in the following facts of the case: On [...] July 2018 (date of receipt by the authority) HK and TK (hereinafter referred to as: applicants), filed to the President of the Personal Data Protection Office (hereinafter referred to as: PUODO, the authority ), a complaint about irregularities in the processing of their personal data by the Bank [...] Spółka Akcyjna with its registered office in W. (hereinafter: the bank, the complainant), consisting in the processing of applicants' personal data without a legal basis and for marketing purposes. complaints, the applicants petitioned to prohibit the bank from using, processing and archiving any personal data concerning them. By decision mark [...] of [...] January 2020, the authority, acting pursuant to Art. 104 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended, hereinafter: the Code of Administrative Procedure), Art. 6 sec. 1, art. 21 sec. 3, and art. 58 sec. 2 lit. b and lit. c of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (Journal of Laws of the EU (OJ L 119 of 04.05.2016, p. 1, as amended, hereinafter: Regulation 2016/679), ruled: in point 1 - on an order for the bank to delete personal data of applicants, in terms of their names, surnames, type of identity documents , identity document numbers, validity dates of identity documents, country of issuance of identity documents, PESEL identification numbers, dates of birth, places of birth, country of birth, residence status, citizenship, parents' names, marital status, mother's maiden names, gender, address of residence, correspondence address , mobile number, home telephone number, form of employment and preferred language of contact, data on the bank's products, CIF numbers (identification number bank customers); in point 2 - on issuing a reminder to the bank for violation of Art. 6 sec. 1, art. 12 sec. 2 and sec. 3, and art. 21 sec. 3 of Regulation 2016/679 consisting in: a) failure to take into account the opposition of the applicants, expressed in the letter of 23 May 2018, in breach of the provision according to which the administrator facilitates the data subject to exercise his rights under Art. . 15-22, b) processing the applicants' personal data for marketing purposes without a legal basis, despite the objection raised. In the justification of its decision, the authority indicated the following facts of the case: In connection with the conclusion of the Personal Account agreement and the Savings Account agreement, the bank obtained personal data applicants in terms of: first names, surnames, type of identity document, identity document number, validity date of the identity document, country of issuance of the identity document, PESEL identification number, date of birth, place of birth, country of birth, statute, residence, citizenship, parents' names, marital status, mother's maiden name, gender, home address, correspondence address, mobile phone number, home telephone number, form of employment and preferred language of contact, in order to prepare and conclude the above-mentioned agreements, as well as their implementation.On [...] April 2017, applicants submitted to the bank an instruction to change the type of a checking and savings account from [...] Account to [...] Account. On May [...] 2018, the bank sent the applicants "information on the processing of personal data at Bank [...] SA", which includes the purposes and deadlines for data processing at the bank. By letter of May [...] 2018 r., signed by hand by the applicants and containing their names and addresses, the applicants asked the bank to stop sending advertising materials and bank statements to their address and withdrew their consent to the processing of their personal data by the bank, which withdrawal of consent included quotation : "the use, processing and archiving of all our personal data by the Bank [...] SA". On [...] June 2018, the bank informed the applicants about the failure to comply with the request expressed in the letter of [...] May 2018, due to the inability to confirm the applicants' identity, moreover, about the possibility of submitting a request in person at any bank branch or by sending an application with this content via the hotline or channel The bank also explained that the correspondence received by the applicants were bank statements in connection with the Account [...] and the Account [...] kept for the benefit of the applicants. In a letter of [...] June 2018, the applicants refused to use the communication channels indicated to them by the bank in the letter of [...] June 2018 and reiterated their statement on the withdrawal of consent to the processing of their personal data by the bank , calling on the complainant to comply with their request expressed in the letter of [...] May 2018 quoting: "containing an express prohibition on the use, processing and archiving of my spouse's personal data". On [... ] July 2018, the bank, through its AD employee, in response to letters submitted to the bank by applicants, contacted the abovementioned via the mobile phone number provided by the applicants in order to clarify the situation and confirm the identity of the applicants. The applicants refused to interview. On [...] July 2018, following the content of the correspondence with the applicants, the bank closed the [...] and the [...] Accounts of the applicants and from that date does not process their personal data for marketing purposes. on [...] August 2018, the bank sent the applicants a monthly bank statement, and on [...] August 2018, a combined bank statement containing information about the bank's subscription to a new structured deposit. of [...] November 2018, the bank stated that it is currently processing data of applicants in terms of first names, surnames, type of identity document, identity document number, validity date of the identity document, country of issuance of the identity document, PESEL identification number, date of birth, place of birth, country of birth, statute of residence, citizenship, parents' names, marital status, mother's maiden name, gender, address, correspondence address, mobile phone number it, home telephone number, form of employment and preferred language of contact, data on the bank's products, CIF number (identification number assigned to the bank's customers), pursuant to art. 6 sec. 1 lit. f of the Regulation 2016/679 of 27 April 2016, i.e. in the legitimate interest pursued by the bank, in order to establish, investigate or defend against possible claims of applicants. actual existing at the time of this decision. He indicated that Regulation 2016/679 defines the lawfulness of the processing of personal data. Each of the conditions of Art. 6 sec. 1 of Regulation 2016/679 is autonomous and independent, which means that the fulfillment of one of them determines the lawfulness of the processing of personal data in a given case. He also emphasized that the consent of the data subject is not the only basis authorizing the processing of his personal data (letter a). The data processing process will be compliant with the provisions of the Act also if the data controller demonstrates that at least one condition of Art. 6 sec. 1 of Regulation 2016/679, including when processing is necessary for the purposes of legitimate interests pursued by the administrator or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject concern, requiring the protection of personal data, in particular when the data subject is a child (point f). In addition, it emphasized that it is not the authority competent to resolve issues related to the correct (or not) submission of a declaration of termination by applicants and that it could not assess its effectiveness. Such cases are civil cases and should be considered in proceedings conducted by common courts, and the President of the Personal Data Protection Office is not a controlling authority or supervising the correct application of substantive and procedural law in cases falling within the competence of other authorities, services or courts, whose judgments are subject to review in the course of the instance. or otherwise specified by relevant procedures. Referring to the findings of the facts of the case, he indicated that the bank is currently processing the personal data of applicants pursuant to Art. 6 sec. 1 lit. f of the Regulation 2016/679. The purpose indicated by the bank is to establish, investigate or defend against possible claims of applicants. The temporal scope of data processing for the above purpose is specified in Art. 118 of the Act of 23 April 1964 Civil Code (Journal of Laws of 2019, item 1145, as amended, hereinafter referred to as: the Civil Code), according to which, unless a special provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to running a business - three years. However, the limitation period ends on the last day of the calendar year, unless the limitation period is less than two years. With regard to applicants' request to order the bank to stop processing their personal data, the authority indicated that by letter of [...] May 2018, the applicant applied to the bank with a request to delete their personal data. On [...] July 2018, the Bank closed the Account [...] and the Account [...] of the applicants, therefore, from that date, it should stop processing their personal data in connection with the agreements between it and the applicants, i.e. . based on Article. 6 sec. 1 lit. b of the Regulation 2016/679. However, according to Art. 17 sec. 3 lit. e of Regulation 2016/679, the right to request the administrator to immediately delete personal data relating to the data subject, according to which the administrator is obliged to delete personal data without undue delay, does not apply to the extent that the processing is necessary to establish, investigate In the opinion of the authority, the evidence collected in these proceedings has not shown that the applicants have made any claim against the bank that would justify the bank's right to retain and process their personal data for evidence purposes in connection with the pursuit of this claim by the applicants. Therefore, there is no fulfillment of the condition of necessity indicated by the bank for the purposes of the legitimate interests pursued by the administrator with regard to the processing of personal data of applicants. The premise of art. 6 section 1 lit. f of Regulation 2016/679 applies to an already existing situation, in which the purpose resulting from the legitimate interests pursued by the administrator is the need to prove, the need to investigate or defend against an existing claim, and not a situation when data is processed in order to protect against a possible claim. Due to the fact that the administrative proceedings carried out by the President of the Personal Data Protection Office did not show that the applicants had brought any claims against the bank, he stated that the complainant was processing the applicants' personal data in the above-mentioned only "in advance", to protect against possible future and uncertain claims of applicants. According to the authority, adopting a different interpretation of the above-mentioned the provisions would result in depriving applicants of protection under Regulation 2016/679 and the Act on the Protection of Personal Data. There is also no justification for assuming that the time limits for the limitation of claims arising from the obligation relationship also define the time frame in which personal data may be processed by the bank. The statute of limitations for a claim does not have any effects on the protection of personal data, as it does not affect the existence of the claim, but only changes the sphere of procedural charges in the form of the possibility of raising the circumstances of the statute of limitations in a court dispute. the claim and the intention to pursue it, however, is not a change in the procedural powers of the defendant, who stated that since the bank did not indicate the claim which it is demanding from the applicants, and there is no pending dispute between the applicants and the complainant regarding the obligation relationship, in its assessment there is no purpose justifying the processing of the above-mentioned personal data of applicants, within the meaning of art. 6 sec. 1 lit. f of the Regulation 2016/679. In view of the above, the continuation of the processing of applicants' personal data for the purpose of establishing, investigating or defending against possible, future and uncertain claims is unnecessary and inconsistent with the applicable provisions on the protection of personal data. Therefore, the President of the Personal Data Protection Office ordered the bank to delete the applicants 'personal data. Referring to the applicants' allegation that despite being summoned by a letter of [...] May 2018, the bank did not stop sending advertising materials and bank statements to their address, thus processing their personal data for marketing purposes, the authority indicated that in accordance with art. 21 sec. 2 and sec. 3 of Regulation 2016/679, if personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his personal data for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing. If the data subject objects to processing for the purposes of direct marketing, the personal data may no longer be processed for such purposes. by the provision of the applicant, in a letter of [...] May 2018 - signed by hand and containing their names and surname and address - raised an objection to the bank against the processing of their personal data for marketing purposes. In response to the above, the complainant informed the applicants that he could not fulfill the above-mentioned requests due to the impossibility of their unambiguous identification and proposed another form of submitting the request, from which the above-mentioned did not benefit. Pursuant to Art. 12 sec. 6 of Regulation 2016/679, if the controller has reasonable doubts as to the identity of the natural person submitting the request referred to in art. 15-21, may request additional information necessary to confirm the identity of the data subject. However, in the letter of [...] June 2018, the bank did not ask for such additional information, and in particular did not explain or justify the reasons for the doubts as to the identity of the applicants in relation to the letter of [.. .] May 2018 Also in the letters sent by the bank to the authority with explanations regarding these proceedings, the complainant did not show such reasons. He pointed out that despite the bank's recognition that the letter of [...] May 2018 and other letters the applicants sent to the bank did not allow their identity to be identified, and despite the applicants' failure to use the method of submitting the request, the complainant, guided by the content of correspondence with them, on [...] July 2018, closed the Account [.. .] and the [...] accounts of applicants and from that date was not to process the applicants' personal data for marketing purposes. Therefore, the authority concluded that failure to comply with the deadline specified in Art. 12 sec. 3 of Regulation 2016/679, the opposition of the applicants, expressed in the letter of [...] May 2018, occurred in breach of the provision of Art. 12 sec. 2 of Regulation 2016/679, according to which the controller makes it easier for the data subject to exercise his rights under Art. Moreover, contrary to the bank's assertion that on [...] July 2018, it ceased processing the applicants' personal data for marketing purposes, the above-mentioned on [...] and [...] August 2018, they received correspondence from the complainant related to the closure of the account, which contained information about the bank's commencement of subscription for a new structured deposit, with reference to further information on this matter on the indicated page website. According to the authority of the above-mentioned the information sent to the applicants by the bank is marketing (advertising) information. The essence of advertising is the dissemination of information about goods and services, as well as the interest of the potential buyer and encouraging him to buy the goods and services offered. The aim of the above-mentioned The message was to present the applicants with a specific product of the bank and persuade the client to act, consisting in taking advantage of the offer. The bank sent this message to the applicants and, as a consequence, processed their personal data for marketing purposes, despite their effective objection in this regard. Pursuant to Art. 21 sec. 3 of Regulation 2016/679, if the data subject objects to the processing for the purposes of direct marketing, personal data may no longer be processed for such purposes. Therefore, by not taking into account the right to object to the processing of applicants' personal data for direct marketing purposes, the bank violated the above-mentioned Therefore, when exercising the right provided for in Art. 58 sec. lit. b of Regulation 2016/679, the President of the Personal Data Protection Office (UODO) admonished the bank for the violation of the above-mentioned provisions of Regulation 2016/679. the decision in the part relating to point 1 (i.e. an order to delete the applicants' personal data by the bank to the extent indicated in this point of the decision). It sought annulment of point 1 of the contested decision on the ground that its implementation by the applicant would have resulted in a criminal offense, possibly for the contested decision to be annulled in part including point 1 and for the costs of the proceedings to be reimbursed. In that decision, the applicant alleged a violation of: provisions of substantive law that had an impact on the outcome of the case, i.e .: 1. art. 6 sec. 1 lit. f of the Regulation 2016/679 in connection with Art. 117 § 2 and § 21, art. 118 and art. 119 of the Civil Code consisting in the recognition that the storage of data for the period of limitation of claims, also in the event that neither the administrator nor the data subject has filed a claim, constitutes a legitimate interest of the bank within the meaning of Art. 6 sec. 1 lit. f of the Regulation 2016/679; 2. art. 6 sec. 1 lit. c of the Regulation 2016/679 in connection with art. 33, art. 34 and art. 49 sec. 1 of the Act of March 1, 2018 on counteracting money laundering and terrorist financing (Journal of Laws of 2019, item 1115, hereinafter: upppft), consisting in its improper application and the assumption that the bank does not have the condition for processing data resulting from art. 6 sec. 1 lit. c of the Regulation 2016/679 in connection with art. 33, art. 34 and art. 49 sec. 1 u.p.p.f.t., while these provisions impose an obligation on the bank to process personal data for 5 years from the first day of the year following the year in which the business relationship with the client was terminated for anti-money laundering purposes; 3. art. 6 sec. 1 lit. c of the Regulation 2016/679 in connection with art. 71 and art. 74 sec. 2 points 1, 4 and 8 of the Accounting Act of September 29, 1994 (Journal of Laws of 2019, item 351, hereinafter: ur) in connection with § 49 of the Regulation of the Minister of Finance of October 1, 2010. on specific rules of bank accounting (Journal of Laws No. of 2019, item 957, hereinafter referred to as: the Regulation of the Minister of Finance) consisting in its improper application and the assumption that the bank does not have the condition for data processing resulting from art. 6 sec. 1 lit. c of the Regulation 2016/679 in connection with art. 74 sec. 2 points 1, 4 and 8 of the Act, while these provisions impose an obligation on the bank to process personal data for 5 years for accounting purposes; II. breach of procedural regulations that had a significant impact on the outcome of the case, i.e .: 1. art. 7 in connection with Art. 77 and art. 80 of the Code of Civil Procedure, consisting in non-exhaustive collection and examination of all evidence and failure to take all steps necessary to thoroughly clarify the facts and settle the case, which resulted in the complainant being ordered to delete the applicants' personal data to the extent indicated in point 1 of the contested decision; 2. art. 8 § 2 of the Code of Administrative Procedure, consisting in the withdrawal from the established practice of resolving cases in the same factual and legal status. In the response to the complaint, the authority applied for dismissal of the complaint, raising the arguments identical to the one presented in the contested decision. In the letters submitted to the Court in the course of the court proceedings, the complainant also asked for additional documentary evidence to be taken, i.e .: 1) the decision of the General General Personal Data Protection Inspector (predecessor of the President of the Personal Data Protection Office) of [...] May 2014, ref. No. [...] that there is an established practice, different from the position adopted in the contested decision, despite the fact that the facts and law are the same; 2) the decision of the President of the Personal Data Protection Office of [...] March 2019, file ref. [...] that there is an established practice, different from the position adopted in the contested decision, despite the fact that the facts and law are the same; 3) decision of the President of the Personal Data Protection Office of September 2020, file ref. [...] (not published, obtained through access to public information, the date of publication was removed by the authority). The Provincial Administrative Court in Warsaw considered the following: Pursuant to Art. 3 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended, hereinafter referred to as: ppsa), administrative courts control the activities of public administration and apply measures specified in the Act. This means that the court, when examining the complaint, assesses whether the appealed decision does not infringe the provisions of substantive law or the provisions of administrative proceedings. Pursuant to Art. 134 p.p.s.a. The court decides within the boundaries of a given case, but is not bound by the allegations and conclusions of the complaint and the legal basis referred to therein. The complaint is admitted if the Court finds that the provisions of the law referred to in Art. 145 § 1 point 1 of the GDPR. First of all, it should be pointed out that the procedure for infringement of data protection provisions is one of the administrative proceedings before the President of the Personal Data Protection Office. Its nature is resolved by Art. 7 sec. 1 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781, hereinafter referred to as: the Personal Data Protection Act), according to which in matters not regulated in the Act for administrative proceedings before the President of the Office for Personal Data Protection, referred to in chapters 4-7 and 11 (and thus also in chapter 7 on the procedure for violating the provisions on the protection of personal data), the provisions of the Code of Administrative Procedure (hereinafter referred to as the Code of Administrative Procedure). In accordance with the rules set out in the Code of Administrative Procedure, evidence proceedings and explanatory proceedings are also carried out - allowing to establish the exact facts of a given case. As a result of the investigation, the public administration body is to reach the point referred to in Art. 7 of the Code of Civil Procedure According to the administrative files of the case, in order to establish the facts of the case, in connection with the complaint submitted by the applicants, the authority asked the complainant to submit written explanations and supporting evidence. The explanations provided by the bank showed that the complainant had obtained the applicants' personal data directly from them, in connection with the opening of an [...] account (Account [...]), and then an Account [...]. As a result of the applicants' instructions from [...] April 2017, the Account [...] was changed to the Account [...]. By a letter dated [...] of May 2018, signed by hand, containing their names and addresses, the applicants asked the bank to stop sending advertising materials and bank statements to their address and withdraw their consent to the processing of their personal data by the bank, which withdrawal of consent included "the use, processing and archiving of all our personal data by the Bank [...] SA" The complainant did not accept the above request, referring to the inability to confirm the addressees' identity. Nevertheless, on [...] July 2018, the bank closed the [...] and the [...] Accounts of the applicants and, as stated in the letter of [...] November 2018, addressed to the authority from that date, it does not process their personal data for marketing purposes. However, on [...] and [...] August 2018, the bank sent applicants a monthly bank statement and a combined bank statement, which contained information about the bank's subscription to a new structured deposit. In addition, in a letter of [...] November 2018 (in response to the request of the President of the Personal Data Protection Office to submit explanations and documents), the bank stated that it is currently processing data of applicants (in terms of names, surnames, type of identity document, number of the identity document, expiry date of the identity document, country of issuance of the identity document, PESEL identification number, date of birth, place of birth, country of birth, statute of residence, citizenship, parents' names, status civil number, mother's maiden name, gender, home address, correspondence address, mobile phone number, home telephone number, form of employment and preferred language of contact, data on the Bank's products, CIF number), pursuant to Art. 6 sec. 1 lit. f) Regulation 2016/679 - in the legitimate interest pursued by the bank, in order to establish, investigate or defend against possible claims of the applicants. From the findings of the Court presented above, it is unquestionable that in the course of the proceedings conducted by the authority, the complainant did not indicate that he would process personal data applicants on a different than specified in Art. 6 sec. 1 lit. f) of Regulation 2016/679 on the basis, i.e. in order to secure their interests in the event of possible claims of applicants. The actual state of this case was correctly determined by the President of the Personal Data Protection Office. In the course of the conducted administrative proceedings, there was no violation of Art. 7, art. 77 and art. 80 of the Code of Civil Procedure The authority conducted explanatory proceedings required by law, sufficient to establish the circumstances of fundamental importance for the resolution of the case and to assess whether the legal conditions for issuing a decision have been met. It should be remembered that in accordance with the principle expressed in art. 80 of the Code of Civil Procedure, the authority conducting the proceedings, according to its knowledge, experience and internal conviction, assesses the probative value of individual evidence, the impact of proving one circumstance on other circumstances. When assessing the results of the evidentiary proceedings (credibility and strength of evidence), the authority should take into account the content of all the conducted and examined evidence, indicating in the justification of the decision the facts that it considered proven, the evidence on which it relied and the reasons why other evidence refused to be credible and valid. evidentiary. The analysis of the justification of the challenged decision leads to the conclusion that the President of the Personal Data Protection Office complied with the above obligations and did not violate the rules of the free assessment of evidence. It should also be noted that before issuing the challenged decision, in accordance with the provisions of the Code of Administrative Procedure, the authority informed the complainant (letter of [ ..] May 2019) with the content of Art. 10 § 1 of the Code of Civil Procedure i.e. collecting evidence sufficient to issue a decision, to which the complainant did not react and did not indicate other than the previously raised grounds for processing the applicants' personal data. refusal by the authority to take into account that the bank processes the personal data of applicants pursuant to art. 6 sec. 1 lit. c of the Regulation 2016/679 in connection with art. 33, art. 34 and art. 49 sec. 1 u.p.p.f.t. and art. 6 sec. 1 lit. c of the Regulation 2016/679 in connection with art. 71 and art. 74 sec. 2 points 1, 4 and 8 of birth, which impose an obligation on the bank to process the personal data of its clients for 5 years, respectively, counting from the first day of the year following the year in which the business relationship with the client was terminated for anti-money laundering purposes and for 5 years for accounting purposes. Referring to the merits of the case, it should be pointed out that used in Art. 60 u.o.d.o. the term "breach of personal data protection rules" is broad in scope and covers breaches of all data protection rules, both contained in the EU regulation and in national rules that supplement or modify EU regulations. Pursuant to Art. 4 point 2 of Regulation 2016/679, "processing" shall mean an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise sharing, adjusting or combining, limiting, deleting or destroying. Pursuant to Art. 6 sec. 1 of Regulation 2016/679, processing is lawful only in cases where - and to the extent that - at least one of the following conditions is met: a) the data subject has consented to the processing of his personal data in one or more the number of specific goals; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary to fulfill the legal obligation incumbent on the controller; d) processing is necessary to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the data subject is a child. First subparagraph, point f) does not apply to processing carried out by public authorities in the performance of their tasks. 17 sec. 1 of Regulation 2016/679, the data subject has the right to request the administrator to immediately delete his personal data, and the administrator is obliged to delete personal data without undue delay, if one of the following circumstances occurs: a) personal data are no longer necessary to the purposes for which they were collected or otherwise processed; b) the data subject has withdrawn consent on which the processing is based in accordance with art. 6 sec. 1 lit. a) or Art. 9 sec. 2 lit. a), and there is no other legal basis for the processing; c) the data subject objects to the processing pursuant to Art. 21 sec. 1 against processing and there are no overriding legitimate grounds for processing or the data subject objects pursuant to art. 21 sec. 2 against processing; d) the personal data have been processed unlawfully; e) personal data must be removed in order to comply with the legal obligation provided for in the Union law or the law of the Member State to which the controller is subject; f) the personal data has been collected in relation to the offering of information society services referred to in art. 8 sec. 1. If the controller made the personal data public, and pursuant to para. 1 is obliged to delete this personal data, then - taking into account the available technology and the cost of implementation - takes reasonable steps, including technical measures, to inform the controllers processing this personal data that the data subject requests that these controllers delete all links to this data, copies of these personal data or their replications (Article 17 (2)). 17 sec. 3 of the Regulation 2016/679 para. 1 and 2 shall not apply to the extent that processing is necessary: a) to exercise the right to freedom of expression and information; b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for reasons of public interest in the field of public health in accordance with Art. 9 sec. 2 lit. h) and i) and Art. 9 sec. 3; d) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 sec. 1, if it is probable that the law referred to in para. 1, will prevent or seriously hinder the implementation of the purposes of such processing; or e) to establish, assert or defend claims. In addition, pursuant to Art. 21 sec. 1 of Regulation 2016/679, the data subject has the right to object at any time - for reasons related to his particular situation - to the processing of his personal data based on art. 6 sec. 1 lit. e) or f), including profiling based on these provisions. The administrator is no longer allowed to process this personal data, unless he demonstrates the existence of valid legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject, or the grounds for establishing, investigating or defending claims. If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his personal data for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing. (paragraph 2). If the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes (paragraph 3). At the latest when communicating with the data subject for the first time, he or she shall be clearly informed of the right referred to in para. 1 and 2, and shall be presented clearly and separately from any other information (paragraph 4). In the context of the use of information society services, and without prejudice to Directive 2002/58 / EC, the data subject may exercise his right to object by automated means using technical specifications (paragraph 5). If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 sec. 1, the data subject has the right to object - for reasons related to his particular situation - to the processing of his personal data, unless the processing is necessary to perform a task carried out in the public interest (paragraph 6). to the facts of the present case, the Court finds that where the applicants - following the complainant's letter of [...] May 2018 "information regarding the processing of personal data (...)", submitted a letter of [.. .] May 2018, in which they asked the bank to stop sending advertising materials and bank statements to their address and made a written statement on the withdrawal of consent to the processing of their personal data by the bank, which withdrawal of consent included: "using, processing and archiving all our personal data (...) ", the bank had no legal grounds to legally process their personal data. Ultimately, the account of [...] and [...] applicants, as requested, was closed by the bank on [...] July 2019. By the way, the Court indicates that it has knowledge from professional and life experience that every bank has specimens of signatures of all its customers, which is a condition for using various types of products offered by this entity. Therefore, it was unfounded that the bank did not take into account (and ignored) the effects of the declaration (and objection) submitted by the applicants of [...] May 2019. applicants of possible claims. However, the evidence collected by the authority in the course of administrative proceedings did not show that the applicants made any claim against the bank that would entitle the bank to retain and process their personal data for evidence purposes in connection with their pursuit of this claim. Therefore, the authority correctly concluded that the condition of necessity indicated by the bank was not met for the purposes of the legitimate interests pursued by the administrator with regard to the processing of the personal data complained of. The premise of art. 6 section 1 lit. f of Regulation 2016/679 applies to an already existing situation, in which the purpose resulting from the legitimate interests pursued by the administrator is the need to prove, the need to investigate or defend against an existing claim, and not a situation when data is processed in order to secure against a possible claim. the jurisprudence of administrative courts with regard to a condition analogous to Art. 6 sec. 1 lit. f of the Regulation 2016/679 resulting from Art. 23 sec. 1 point 5 of the previously applicable Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2016, item 922, as amended), a position was developed that data processing should be necessary to fulfill legally justified purposes. Therefore, it is unacceptable to process personal data "in advance" with the assumption that they may possibly be useful in the future and with reference to the provisions on limitation of civil law claims. The opposite argumentation would lead to absurd conclusions that banks are entitled to process the data of persons with whom they have no legal relationship longer than the data of persons with whom the loan agreement was concluded, and to whom the restrictions resulting from the provisions of Art. 105a of the Banking Law. Appealing in this case for evidence purposes for the purposes of any civil, criminal or administrative proceedings that the client could potentially institute against the bank due to a non-existent obligation relationship between the parties, has no logical or legal justification (see judgments of the Provincial Administrative Court in Warsaw of July 12, 2017, file reference number II SA / Wa 2221/16, Supreme Administrative Court of August 27, 2019, file reference number I OSK 2567/17, Supreme Administrative Court of March 6, 2019, file reference number Act I OSK 994/17, publ .: oliwenia.nsa.gov.pl). In the opinion of the Court, the basis indicated by the bank does not justify the processing of the applicants' personal data, as they did not bring any claims against the bank. Thus, the processing of their personal data is not authorized by law and is not necessary to fulfill legally justified purposes pursued by the bank, in particular to defend against any complaints or compensation claims. If, on the other hand, (hypothetically) applicants filed claims with a common court, they would have to provide all their personal data necessary to conduct the proceedings, as specified in the Code of Civil Procedure. The bank, as a hypothetical defendant, would then have full access to them. In the light of the above considerations, the allegation made in the complaint concerning the infringement of Art. 6 point 1 lit. f of the Regulation 2016/679 in connection with Art. 117 § 2 and § 21, art. 118 and art. 119 of the Civil Code, because, as presented above, the President of the Personal Data Protection Office correctly stated that the basis for the processing of personal data specified in this provision did not exist in the present case. 8 of the Code of Civil Procedure, because the decisions presented by the applicant in the course of the court proceedings were issued in situations other than those established in the case. Taking into account the above-mentioned circumstances, the Court, acting pursuant to Art. 151 of the AA, ruled on the dismissal of the complaint.