WSA Warszawa - II SA/Wa 2826/19

From GDPRhub
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 24 GDPR
Article 30(1)(d) GDPR
Article 30(1)(f) GDPR
Article 32(1)(b) GDPR
Article 32(1)(c) GDPR
Decided: 26.08.2020
Published:
Parties:
National Case Number/Name: II SA/Wa 2826/19
European Case Law Identifier:
Appeal from: UODO (Poland)
ZSPU.421.3.2019
Appeal to:
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Agnieszka Rapcewicz

The Provincial Administrative Court in Warsaw found that the fine of PLN 40 000 (approx. €9000) imposed by the UODO on the Mayor of Aleksandrów Kujawski is correct and confirmed that the Mayor committed violations of personal data protection regulations found by the UODO.

English Summary

Facts

On 18.10.2019 the Polish DPA - UODO imposed a fine of PLN 40,000 on the Mayor of Aleksandrów Kujawski. UODO found that the Mayor violated:

1. Article 5(1)(a) and Article 5(1)(f) in connection with Article 5(2) by making personal data available to certain entities without a legal basis (without agreements on entrusting personal data);

2. Article 5(1)(e) in connection with Article 5(2), i.e. the principle of storage limitation, and Article 24 GDPR through the lack of appropriate policies concerning the processing of personal data in the BIP (Biuletyn Informacji Publicznej);

3. Article 5(1)(f) in conjunction with Article 5(2), i.e. the principles of integrity and confidentiality and the principle of accountability, and Article 24 GDPR by failing to carry out a risk analysis of the Mayor's use of the YouTube channel for the transmission of the recordings of the deliberations of the City Council;

4. Article 5(1)(f) in conjunction with Article 5(2), i.e. the principles of integrity and confidentiality, and Article 32 GDPR by failing to implement appropriate technical and organisational measures to safeguard the data of natural persons in connection with the storage of the recordings of the sessions of the City Council exclusively on the YouTube servers, without making and backing up those recordings in the own resources of the City Council;

5. Article 5(2), i.e. the principle of accountability, and Article 30(1)(d) and Article 30(1)(f) by not indicating in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the Municipal Council, all recipients of data and not indicating for these processing activities the planned date of data deletion in a manner ensuring data processing in accordance with the principle of limited storage.

Apart from imposing a fine, UODO ordered the Mayor to:

1. stop providing personal data without a legal basis;

2. implement policies defining data processing periods and ensuring compliance with data deletion deadlines;

3. carry out a risk analysis in connection with the publication of recordings of city council sessions and implement appropriate organisational and technical measures in connection with the processing of personal data on the YouTube channel;

4. implement appropriate organisational and technical measures aimed at securing the data of natural persons coming from the recordings of city council sessions by ensuring the availability of backup copies;

5. include in the register of personal data processing activities, for the processing activities connected with the maintenance of BIP, information about all data recipients to whom the data have been or will be disclosed and about the planned dates of data deletion.

The Mayor has lodged a complaint against the decision with the administrative court.


Dispute

Could the UODO impose a fine on the Mayor on the basis of the GDPR? Has the Mayor actually committed violations of the GDPR as established by the DPA?

Holding

The Provincial Administrative Court dismissed the complaint against the UODO's decision and agreed with the DPA on the infringements committed by the Mayor. It also considered that the fine imposed by the UODO was correct.

Comment

The Provincial Administrative Court did not find that the President of UODO, by issuing the decision, infringed substantive law to the extent that it affected the outcome of the case, or the provisions of the administrative procedure to the extent that it could have a significant impact on the outcome of the case.

The Mayor claimed that the GDPR is not applicable in the present case and that it was therefore not justified to impose a fine. The Court found that this allegation is unfounded and that it would result in the practical application of the rules of the GDPR being limited to a very narrow scope of Union law, which is absurd.

In the Court's view, the applicant, as a data controller, has not demonstrated that he complies with all the rules on the processing of personal data. The Court entirely shared the UODO's assessment of individual breaches of substantive law by the Mayor, i.e.:

1. the principles of lawfulness, fairness and transparency, integrity and confidentiality of data, because the Mayor has not previously concluded any agreements on the entrustment of personal data with the entities to which he disclosed personal data;

2. the principles of storage limitation and Article 24 GDPR through the absence of appropriate policies regarding the processing of personal data in the BIP of the Municipality in terms of their timeliness and purpose of publication and specifying the deadlines for the deletion of personal data;

3. the principles of integrity and confidentiality, the principles of accountability, and Article 24 GDPR (by failing to carry out a risk analysis of the Mayor's use of the YouTube channel for the transmission of recordings of the City Council's sessions);

4. the provisions of Article 32(1)(b) and Article 32(1)(c) GDPR - the controller has not provided the opportunity to restore the availability of personal data and, as a result, will not be able to ensure the confidentiality, integrity, availability and resilience of the processing systems and services;

5. the principles of accountability and Article 30(1)(d) and Article 30(1)(f) GDPR by not indicating in the register of personal data processing activities, for activities related to the publication of information on the website of the BIP of the Municipality, all recipients of data and not indicating for these processing activities the planned date of data deletion in a manner ensuring data processing in accordance with the principle of limited storage.

The Court assessed that the fine of PLN 40,000 is adequate, proportionate and imposed in a correct manner. The UODO has duly justified the level of the penalty, taking into account the very long duration of the infringements, their intentional nature, the high degree of responsibility of the controller and his lack of cooperation with the authority after the initiation of proceedings.

Further Resources

Original text of Court Decision: https://sip.lex.pl/orzeczenia-i-pisma-urzedowe/orzeczenia-sadow/ii-sa-wa-2826-19-wyrok-wojewodzkiego-sadu-523161595

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Sentence

Provincial Administrative Court in Warsaw composed of the following composition: Chairman Judge of the Provincial Administrative Court Andrzej Kołodziej, Judge of the Provincial Administrative Court Agnieszka Góra-Błaszczykowska (spokesman), Judge of the Provincial Administrative Court Joanna Kube, Court reporter, court secretary Marcin Rusinowicz-Borkowski, after the case was examined at the hearing on August 26, 2020, of the complaint of the Mayor A. against the decision of the President of the Personal Data Protection Office of [...] October 2019 No. [...] regarding the processing of personal data, dismisses the complaint.
Substantiation

The subject of the examination in this case was the complaint of the Mayor A. against the decision of the President of the Personal Data Protection Office, mark [...] of [...] October 2019, regarding the processing of personal data.

The complaint was submitted in the following facts of the case:

From [...] January to [...] February 2019, the inspectors authorized by the President of the Personal Data Protection Office (hereinafter referred to as: PUODO, authority) conducted an inspection at the Mayor A. (hereinafter referred to as: Mayor, complainant) of compliance of the processing of personal data with the provisions on the protection of personal data, i.e. with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection) (Journal of Laws UE L 119 of May 4, 2016, p. 1 and Journal of Laws UE L 127 of May 23, 2018, p. 2, hereinafter referred to as: Regulation 2016/679) and the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781, hereinafter: the Personal Data Protection Act). The scope of the control covered the method of processing personal data by the Mayor as part of the process of sending correspondence and keeping the Public Information Bulletin (BIP), as well as the method of keeping a register of processing activities and documenting violations of personal data protection.

In the course of the inspection, oral explanations were collected from the employees of the Municipal Office in A. and the IT systems used to process personal data and the BIP website were inspected. The facts were described in detail in the inspection report, which was signed by the Mayor. On the basis of the evidence collected in this way, it was established that in the process of processing personal data, the Mayor, as the administrator, violated the provisions on the protection of personal data. These shortcomings consisted in: 1) providing personal data to [...] Sp. z o. o. with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K. without legal basis, i.e. without prior conclusion with the above-mentioned subjects of the personal data processing agreement referred to in art. 28 sec. 3 of Regulation 2016/679, in connection with the running of the BIP website of the Municipal Office in A.; 2) the lack of internal procedures regarding the review of resources published in the BIP in terms of ensuring data processing in accordance with the principle of limited storage, as a result of which, on the BIP website of the Municipal Office in A., documents containing personal data are published for a longer period than required by law;

3) failure to implement appropriate technical and organizational measures to protect the rights or freedoms of natural persons in connection with the storage of session recordings only on YouTube servers, without making copies of the sessions of the City Council A., located in the office's own resources; 4) failure to conduct a risk analysis in connection with the Mayor's use of the YouTube channel in order to fulfill the legal obligation resulting from art. 8 sec. 2 of the Act of September 6, 2001 on access to public information (Journal of Laws of 2019, item 1429, hereinafter: udip); 5) failure to indicate in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the Municipal Office in A., all recipients of data and failure to indicate for these processing activities the planned date of data deletion in a manner ensuring data processing in accordance with the principle of limited storage.

On [...] June 2019, the President of the Office for Personal Data Protection initiated ex officio administrative proceedings to clarify the circumstances of the case.

In response to the notification of the initiation of administrative proceedings, the Mayor, in a letter of [...] June 2019, informed the authority that in the scope of the deficiencies regarding the period of publication of documents in BIP, he submitted an application to the Minister of Digitization for the interpretation of the provisions of the Act on access to public information and requested to suspend the proceedings pending receipt of the above-mentioned interpretation. He pointed out that the Act on Access to Public Information clearly shows that disclosure of data concerns people in power, and not those who exercised power. Therefore, property declarations may be made available in BIP only for councilors exercising power for a period of 5 years, and therefore during the term of office, and after this period they should be removed from the BIP and stored in paper form, for a period of 6 years in relation to the dates from the date of their submission, and made available on request in accordance with the principle of openness.

By the decision mark [...] of [...] October 2019, PUODO, acting pursuant to Art. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended, hereinafter referred to as the Code of Administrative Procedure), Art. 7 sec. 1, art. 60, art. 102 paragraph 1 point 1 of the Personal Data Protection Act and art. 57 sec. 1 lit. a), art. 58 sec. 2 lit. d) and i) in connection with art. 5 sec. 1 lit. a), e) and f) and par. 2, art. 24 sec. 1 and 2, art. 28, art. 30 sec. 1 lit. d) and f) and Art. 32, as well as art. 83 sec. 1 - 3 of Regulation 2016/679, stated that the Mayor has violated the provisions of:

a) Art. 5 sec. 1 lit. a) and f) in connection with art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of compliance with the law and the principles of confidentiality, and art. 28 sec. 3 of Regulation 2016/679 by providing personal data to [...] Sp. z o. o. with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K. without legal basis, i.e. without prior conclusion with the above-mentioned subjects of personal data entrustment agreements referred to in art. 28 sec. 3 of Regulation 2016/679, in connection with the running of the BIP website of the Municipal Office in A.,

b) art. 5 sec. 1 lit. e) in connection with Art. 5 sec. 2, i.e. the rules for limiting storage and art. 24 of Regulation 2016/679 due to the lack of appropriate policies regarding the processing of personal data at BIP of the Municipal Office in A. in terms of their timeliness and purposefulness of publication and specifying deadlines for deleting personal data

c) art. 5 sec. 1 lit. f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality, the principles of correctness, and art. 24 of Regulation 2016/679 by not conducting a risk analysis related to the use by the Mayor of the YouTube channel to transmit recordings of the sessions of the City Council A.,

d) Art. 5 sec. 1 lit. f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality, and art. 32 of Regulation 2016/679 by failing to implement appropriate technical and organizational measures to secure the data of natural persons in connection with the storage of recordings of the City Council sessions A. only on YouTube servers, without making and storing backups of these recordings in the own resources of the City Hall in A.,

e) Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of accountability and art. 30 sec. 1 lit. d) and f) of Regulation 2016/679 by not indicating in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the City Hall in A., all data recipients and failure to indicate for these processing activities the planned date of data deletion in a manner ensuring processing data in accordance with the principle of limited storage,

and ordered the Mayor to adjust the processing of personal data to the provisions of Regulation 2016/679, within 60 days from the date on which this decision becomes final, by:

1) ceasing to provide personal data to [...] Sp. z o. o. with its seat in T. and for the consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K., without any legal basis, i.e. without the prior conclusion of personal data entrustment agreements with the above-mentioned entities referred to in art. 28 sec. 3 of Regulation 2016/679, in connection with the running of the BIP website of the Municipal Office in A.,

2) implementation of policies: - defining the periods of data processing at the BIP of the Municipal Office in A. in accordance with the law or necessary to achieve the purposes for which the data is processed, - ensuring compliance with the deadlines for data deletion,

3) conducting a risk analysis in connection with the publication of recordings of the city council sessions and implementation of appropriate organizational and technical measures in connection with the processing of personal data on the YouTube channel in connection with the transmission of recordings of the city council sessions and the storage of recordings on YouTube servers,

4) implementation of appropriate organizational and technical measures aimed at securing the data of natural persons from the recordings of the sessions of the City Council of A. by ensuring the availability of backups in the own resources of the City Hall in A.,

5) inclusion in the register of personal data processing activities, for processing activities related to the keeping of BIP, information: a) about all data recipients to whom the data has been or will be disclosed, in accordance with art. 30 sec. 1 letter d) of Regulation 2016/679, b) on the planned dates of data deletion, in accordance with art. 30 (1) (f) of Regulation 2016/679.

for violation of the provisions of Art. 5 sec. 1 lit. a), e) and f), Art. 5 sec. 2, art. 28, art. 30 sec. 1 letter d) and f) and Art. 32 of Regulation 2016/679 imposed a fine on the Mayor in the amount of PLN 40,000.

In the justification of the decision taken, the authority indicated that the Mayor, as the administrator of personal data, is obliged to implement appropriate organizational and technical measures that will ensure that personal data will be processed in accordance with the law, factually correct, adequate for the purpose of obtaining and properly secured so that their processing does not violated the rights and freedoms of natural persons. It is also important that the administrator processes personal data only for the time necessary to achieve the purposes of obtaining data or for the time resulting from generally applicable provisions of law. In the absence of provisions regulating processing time, the controller should define the procedures governing the moment when data deemed unnecessary are deleted by him.

The inspection carried out in the case showed that the Mayor did not conclude data processing agreements with entities participating in the processing under BIP. The resources of BIP of the Municipal Office in A. are on the server of an external entity, located in [...] in T., which provides technical parameters for the maintenance of the BIP website of entities covered by the contract, including the Municipal Office in A., on the basis of a lease agreement concluded between the Voivodship [...] and [...] Sp. z o. o. with its seat in T. During the inspection, contract No. [...] of [...] July 2016, valid from [...] January to [...] December 2017, was presented, as well as Annex No. [...] of [...] March 2018 to contract No. [...] for the period from [...] January to [...] December 2018. The current contract between the Voivodship [...] and [...] Sp. z o. o. with headquarters in T. was not presented. The presented contract and annex No. [...] did not contain provisions regarding the processing of personal data in connection with the use of the server of an external entity by the City Hall in A.

During the inspection, it was found that in connection with the delivery of software for the creation of the regional BIP, on [...] January 2015, an agreement was concluded between the Voivodship [...] and the consortium of entities: [...] SA with its seat in G. and [...] SA with its registered office in K. The concluded contract does not contain provisions regarding the protection of personal data, nor has there been an agreement on entrusting the processing of personal data related to the provision of maintenance services to the Municipal Office in A.

During the inspection, no contract between the Voivodship [...] and the Mayor was presented, and no other legal instrument was shown which would indicate that the provision of the server and the provision of software for the creation of the regional BIP is carried out by the Voivodship [...] for the Municipal Office in A.

PUODO found that the Mayor, in connection with the use of the server of an external entity, i.e. [...] Sp. z o. o. with its seat in T., where the BIP resources of the Municipal Office in A. are located, and from the services of an external entity in the field of servicing the BIP website, i.e. a consortium of entities: [...] SA with its seat in G. and [...] SA with its seat in K., has not entered into an agreement to entrust the processing of personal data with these entities, and thus breached Art. 28 sec. 3 of Regulation 2016/679.

If the personal data is made available without a legal basis (without a previously concluded processing agreement), the principle of compliance with the law (Article 5(1)(a) of Regulation 2016/679) and the principle of confidentiality (Article 5(1)(f) of Regulation 2016/679) are violated. The mayor did not comply with the above rules by commissioning the BIP with the above entities without the prior conclusion of data entrustment agreements. Thus, it allowed for the lack of control over the correctness of the data processing process contained in the BIP and did not prove that it takes place in compliance with the requirements of the General Data Protection Regulation. In this respect, the mayor also violated the principle of accountability, resulting from Art. 5 sec. 2 of Regulation 2016/679.

The authority further explained that in BIP of the Municipal Office in A. public information is made available on the basis of the obligation incumbent on the Mayor in this respect, resulting from Art. 8 sec. 2 udip. The provisions of the Act on access to public information, as well as the provisions of the Regulation of the Minister of Internal Affairs and Administration of 18 January 2007 on the Public Information Bulletin (Journal of Laws of 2007, No. 10, item 68, hereinafter: the Regulation BIP), do not specify the period of providing information in the BIP, both the minimum and the maximum. However, the lack of periods for processing the disclosed information (containing personal data) specified by law does not mean that such information can be processed indefinitely. Therefore, the administrator, in accordance with the principle of limited storage, resulting from art. 5 sec. 1 lit. e) of Regulation 2016/679, should in this respect be guided by the provisions resulting from other legal acts, which indicate the time during which personal data may be processed, and in cases where the law does not regulate the data retention period, after conducting analyses, specify this period so that the data processing is consistent with the purposes for which it was obtained. The principle of limiting the provision of personal data in time in BIP means that even if certain data correspond to the purpose for which they are collected, they should not be processed, including made available to other entities, without any time limitation. The timing of the processing should be the achievement of the purpose of processing.

As a result of inspection of the BIP website of the Municipal Office in A., it was found in particular that among the documents posted there are documents containing personal data, i.e. property declarations and information on the results of recruitment for vacant positions. The oldest information concerns the recruitment conducted in 2012 and includes information on the selected candidates in the scope of: name and surname and place of residence (i.e. the place where the person is staying with the intention of permanent residence). The oldest property declarations on the BIP website of the Municipal Office in A. concern 2010. Pursuant to Art. 24i of the Act of March 8, 1990 on the commune self-government (Journal of Laws of 2019, item 506, hereinafter referred to as: the usg), the information contained in the property declarations of councilors is public, with the exception of information about the address of residence of the person submitting the declaration and the location of the real estate. Pursuant to Art. 24h paragraph 6 of the Act, the declaration of assets is kept for 6 years. These provisions determine the lawfulness of processing, both in terms of the collection and publication of personal data contained in asset declarations. The publication of recruitment notices is governed by Art. 13 sec. 1 of the Act of November 21, 2008 on local government employees (Journal of Laws of 2019, item 1282, hereinafter referred to as: ups), according to which the announcement on a vacant clerical position, including a managerial clerical position, and on the recruitment of candidates for this position is placed in the BIP. Based on Article 15 sec. 1 ups, immediately after the recruitment, information on the recruitment results is disseminated by placing on the information board in the unit where the recruitment was conducted, and published in the BIP for a period of at least three months.
Thus, the legislator indicated the minimum deadline for the publication of the selection results, without specifying a maximum period, while the legislator left the definition of the maximum date, i.e. the date after which he should remove these data from the BIP, to the administrator (the entity obliged to disclose the information). When determining the period of data processing in BIP, the administrator should take into account the law governing the processing time, and in the absence of legal regulations specifying the publication period, achieving the purpose of processing and the principle of limiting storage.

In the context of the above, the authority stated that the information published in the BIP, for which the date of publication does not result from the provisions of law, should be assessed in accordance with a formal procedure (introduced by the administrator) ensuring a systematic formation of the BIP, so that all information for which the purpose is processing has been achieved, have been removed from the BIP. As it was established in the course of the inspection, an internal procedure for running the BIP has been implemented in the City Hall in A. However, it does not contain rules on the review of data published in BIP in terms of ensuring their processing in accordance with the principle of limited storage. Thus, the mayor violated the disposition contained in Art. 5 sec. 1 lit. e) and art. 24 sec. 2 of Regulation 2016/679.

The authority indicated that the evidence collected in the case showed that the Mayor did not specify in internal procedures the deadline for deleting data published in the BIP, and did not develop procedures for reviewing data resources in the materials published in the BIP in terms of ensuring data processing in accordance with the principle of limiting storage. Due to the lack of such procedures, as found during the inspection, documents containing personal data are published on the BIP website of the Municipal Office in A. for a longer period than is necessary for the purposes for which these data are processed, and even for a longer period than it results from the legal provisions specifying the period of storage of documents containing personal data, as is the case with property declarations. As a result, an unlimited number of Internet users can access the data. This is because anyone who has access to the Internet, at any time and without any restrictions, can browse the BIP resources of the Municipal Office in A., and consequently have access to the personal data contained in these resources. Thus, the mayor violated art. 5 sec. 1 lit. e) of Regulation 2016/679.

Due to the fact that the internal procedure in question is to regulate activities essential for the processing of personal data, in order to ensure the implementation of the principle of limitation of storage, it should be treated as a data protection policy referred to in Art. 24 sec. 2 of Regulation 2016/679. Consequently, in the absence of this procedure, the authority found that the Mayor also violated this provision of Regulation 2016/679 in the context of the principle of accountability expressed in Art. 5 sec. 2 of Regulation 2016/679.

Referring to the processing of personal data in connection with the publication of recordings of the City Council sessions, the authority indicated that pursuant to Art. 20 paragraph 1b of the USG, the deliberations of the commune council are transmitted and recorded by means of video and sound recording devices. Recordings of the proceedings are made available in the Public Information Bulletin, on the website of the commune and in other customary ways. The Mayor, as the administrator, deciding on the choice of tools for transmitting data on the Internet and recording them using video and sound recording devices, is responsible for the processing of this data and for the implementation of the principles resulting from Regulation 2016/679, including demonstrating compliance with them (accountability). Therefore, the Mayor is obliged to ensure the security of the data processed in connection with the implementation of the right of access to public information pursuant to Art. 8 udip. Pursuant to Art. 24 sec. 1 of Regulation 2016/679, the controller (the Mayor) is required to implement appropriate technical and organizational measures to ensure that the processing is carried out in accordance with this Regulation and to be able to demonstrate this. The administrator is obliged to implement adequate technical and organizational measures, the selection of which is at the discretion of the administrator and should be preceded by an analysis of the risk of violating the rights or freedoms of natural persons.

In the course of the inspection, it was found that, due to the obligation to transmit and publish the sessions of the City Council of A., a YouTube channel was created and linked in the BIP, and an agreement was concluded with an external entity for the transmission of meetings of the City Council of A. on the Internet via the YouTube.com platform. Publication of the personal data processed in connection with the recording and publication of the sessions of the City Council of A. is carried out using the YouTube channel. There is a link to a dedicated YouTube channel on the BIP website of the Municipal Office in A. The findings of the inspection show that upon the end of the recording of a session, the recording is automatically saved on the YouTube website, and no copy of the recording remains at the Municipal Office in A. Due to the lack of a copy of the session recording, in the event of loss of the data posted on the YouTube website, the Mayor will lose access to the recording, and without the appropriate technical and organizational measures corresponding to this risk it is not possible to ensure the confidentiality, integrity, availability and resilience of processing systems and services, or the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, as referred to in Art. 32 sec. 1 lit. b) and lit. c) of Regulation 2016/679. The Mayor did not indicate that there are procedures that would guarantee the protection of personal data processed on the YouTube channel.

In addition, the decision to use the YouTube channel was not preceded by an analysis of the possible risks arising from the use of this tool when processing the personal data of the participants of the City Council sessions. In particular, when deciding to use the YouTube channel, it was not taken into account that the administrator's use of resources and tools offered by external entities, in this case by the entity operating the YouTube channel, may be associated with a higher risk of a personal data breach, because the organizational and technical measures used to protect personal data published on YouTube have been defined and implemented by Google LLC (based in the USA), the owner of YouTube. A risk analysis for the processing of personal data in connection with their publication in the BIP is particularly important because the Mayor uses the YouTube channel both for transmitting the City Council sessions on YouTube and for the further storage of the session recordings only on YouTube servers. The lack of a risk analysis and the lack of procedures led to a breach of the accountability principle, Art. 5 sec. 2 of Regulation 2016/679.

In the opinion of the authority, the Mayor, in connection with the obligation to transmit and publish the recordings of the City Council sessions in the BIP, did not implement the appropriate security measures referred to in Art. 32 of Regulation 2016/679 corresponding to the risk of violating the rights or freedoms of natural persons. When processing data, it is the controller's obligation to determine the risk taking into account the nature, scope and context of the data being processed, which results from Art. 24 sec. 1 of Regulation 2016/679. It does not appear from the findings of the inspection that organizational and technical measures were taken to protect the data of natural persons in connection with the storage of the recordings of the City Council sessions only on YouTube servers, such as making backup copies of these recordings and storing them in the own resources of the City Hall in A. Thus, the administrator did not implement the appropriate organizational and technical measures referred to in Art. 32 of Regulation 2016/679.

The inspection also revealed deficiencies in the keeping of the register of personal data processing activities. At the Municipal Office in A., a register of processing activities has been developed which includes 54 processing activities. However, the register did not indicate the planned date of deletion of personal data by indicating a specific storage period; the register only referred to the uniform material list of files for communes. The sample cards from the register of activities sent by the Mayor, including the card on processing activities related to the publication of property declarations in the BIP, show that the planned date of deletion of data from the BIP was specified by the Mayor as 5 years, which in the case of property declarations is inconsistent with the content of Art. 24h paragraph 6 usg. The authority also found incorrect the position of the complainant (contained in the letter of 17 June 2019) regarding the disclosure of data of persons in power (and not those who exercised power) and the period of disclosing these data, stating that the provisions of the Act on Municipal Self-Government indicate that the storage period for such information is 6 years. It also does not matter whether the person who made the declaration still performs their function. The obligation to keep the BIP and make public information available therein results from the provisions of the Act on Access to Public Information. Since the legislator has decided that property declarations are public (with the exception of information about the residence address of the person submitting the declaration and the location of the real estate), it should be considered that they constitute public information which is subject to publication in the BIP for the period resulting from the provisions of the Act on Municipal Self-Government, i.e. for a period of 6 years, regardless of whether the person is still a councillor or has ceased to be one. As a consequence, it is the 6-year period that should be indicated in the register of personal data processing activities kept by the Mayor as the planned date for the deletion of personal data contained in the property declarations.

In addition, not all recipients of data, including processors, were indicated in the register of processing activities, even though contracts were presented with entities providing the service of hosting the server on which the BIP resources are stored and the warranty service in connection with the creation of the regional BIP, which involves access by these entities to the personal data processed by the Mayor in connection with running the BIP. The register of processing activities also does not indicate the entity running the YouTube channel on which the recordings of the sessions of the City Council of A. are available. Art. 30 sec. 1 lit. d) of Regulation 2016/679, however, imposes an obligation to list all recipients of data in the register of processing activities, regardless of whether they are established in a Member State of the European Union or in a third country. Thus, the authority concluded that the Mayor did not indicate all recipients of data in the register of personal data processing activities and did not indicate the planned date of data deletion for all processing activities, and thus violated Art. 30 sec. 1 lit. d) and f) of Regulation 2016/679 and Art. 5 sec. 2 of Regulation 2016/679, i.e. the accountability principle.

As a consequence, PUODO stated that the indicated violations prove that the Mayor does not process personal data in accordance with the principles resulting from art. 5 sec. 1 lit. a), e) and f) of Regulation 2016/679, which means violation of the accountability principle referred to in Art. 5 sec. 2 of Regulation 2016/679, according to which the controller is responsible for compliance with the provisions of para. 1 and must be able to demonstrate compliance with them (accountability). The rules set out in Art. 5 sec. 1 of Regulation 2016/679 are the starting point for the performance of the administrator's obligations and the rights of data subjects, as well as for the assessment of the legality of these processes.

At the same time, PUODO stated that in the case under consideration there were premises justifying the imposition of an administrative fine on the Mayor. When determining the amount of the fine, the authority took into account the following circumstances of the case that had an aggravating effect on the amount of the imposed financial penalty:

1) the duration of the violations covered by the order specified in this decision (the irregularities found were not removed either during the inspection carried out at the Mayor's office or in the course of the administrative proceedings);

2) previous violations by the administrator (providing PIT-11 and PIT-37 forms in a non-anonymised version on the BIP website; in this regard, a reminder was issued on [...] December 2018 and a decision maintaining it in force on [...] May 2019);

3) the intentional nature of the violation;

4) the fact that the violations found in the course of the inspection concern persons whose data are included in the content of materials constituting public information, published in the BIP of the Municipal Office in A.;

5) the high degree of responsibility of the administrator, given the absence of actions aimed at ensuring an adequate level of data security and the failure to implement appropriate data protection policies;

6) the lack of cooperation of the administrator after the initiation of the proceedings, who, in response to the notification about the initiation of administrative proceedings, did not address the violations indicated therein (except for the issue related to the retention period of data made available on the BIP website).

The authority also explained that when determining the amount of the administrative fine, it did not find grounds to believe that there were any mitigating circumstances affecting the final penalty.

In the complaint lodged against the above-mentioned decision with the administrative court, the complainant, represented by a professional attorney, applied for annulment of the contested decision in its entirety and for the administrative proceedings to be discontinued in this respect, or for the appealed decision to be revoked and the authority to be ordered to issue a decision discontinuing the proceedings in the present case within 30 days, and for the authority to be ordered to reimburse the applicant for the costs of the proceedings in accordance with the prescribed standards, including the costs of legal representation. The complainant alleged that the issued decision violated substantive law, i.e.:

1. Art. 2 clause 2 lit. a) of Regulation 2016/679 by its improper application in connection with Art. 1 clause 1 in connection with Art. 168 uodo, which led to the issue of the contested decision finding a violation of Art. 5 of Regulation 2016/679 outside the scope of its application, and consequently the unjustified imposition of an administrative fine;

2. Art. 28 sec. 3 of Regulation 2016/679 in connection with Art. 5 sec. 1 point a), point f) and Art. 5 sec. 2 of Regulation 2016/679, by ordering the cessation of sharing personal data with [...] sp. z o.o. with its seat in T. and with the consortium of entities [...] SA with its seat in G. and [...] SA with its seat in K., and ordering the adjustment of the processing operation to the provisions of Regulation 2016/679, which in this respect was unenforceable on the day of its issuance and whose impracticability is permanent, and consequently the unjustified imposition of an administrative fine;

3. Art. 5 sec. 1 point e) in connection with Art. 5 sec. 2 and Art. 24 of Regulation 2016/679 and Art. 11b paragraph 1 usg and Art. 8 of the Code of Administrative Procedure, through their improper application;

4. Art. 5 sec. 1 point f) in connection with Art. 5 sec. 2 and Art. 24 of Regulation 2016/679, due to their improper application;

5. Art. 5 sec. 1 point f) in connection with Art. 5 sec. 2 and Art. 32 of Regulation 2016/679, through their incorrect application;

6. Art. 30 sec. 1 point d) and f) in connection with Art. 5 sec. 1 point e) and Art. 5 sec. 2 of Regulation 2016/679, by their improper application.

In support of his complaint, the complainant discussed in detail the above-mentioned allegations.

In response to the complaint, the authority requested that the complaint be dismissed, raising the same arguments as presented in the contested decision.

The Provincial Administrative Court in Warsaw considered the following:

The complaint could not be upheld.

Pursuant to Art. 3 § 1 of the Act of August 30, 2002 on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325, as amended, hereinafter referred to as ppsa), administrative courts control the activities of public administration and apply the measures specified in the Act. This means that the court, when examining the complaint, assesses whether the appealed decision infringes the provisions of substantive law or the provisions of administrative proceedings. Pursuant to Art. 134 ppsa, the Court adjudicates within the limits of a given case, but is not bound by the allegations and conclusions of the complaint or the legal basis referred to therein.

The court, while inspecting the contested decision, did not find that the President of the Personal Data Protection Office, when issuing the decision of [...] October 2019, violated the provisions of substantive law to a degree that had an impact on the outcome of the case, or the provisions of administrative proceedings to a degree that could have a significant impact on the outcome of the case.

With regard to the first and most far-reaching of the allegations raised in the complaint, consisting in a violation of substantive law, i.e. Art. 2 clause 2 lit. a) of Regulation 2016/679 by its improper application in connection with Art. 1 clause 1 in connection with Art. 168 of the Act on Personal Data Protection, which allegedly led to the issue of the contested decision finding an infringement of Art. 5 of Regulation 2016/679 outside the scope of its application and, consequently, the unjustified imposition of an administrative fine, the Court found the allegation unfounded.

The provision of Art. 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of May 4, 2016, p. 1, and OJ EU L 127 of May 23, 2018, p. 2; hereinafter: Regulation 2016/679) determines its material scope of application.

Paragraph 1 provides that the Regulation applies to the processing of personal data in a fully or partially automated manner and to the non-automated processing of personal data that are part of a data filing system or are intended to form part of a data filing system.

Paragraph 2, however, provides that this Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

In the opinion of the Court, the complainant's allegation that the decision violates the provisions of Regulation 2016/679 by applying them to activities not covered by European Union law is completely incorrect. The exclusions referred to in Art. 2 clause 2 lit. a) of Regulation 2016/679 are exceptional and do not apply in the present case.

The interpretation of the above-mentioned exclusions must take into account systemic and purposive interpretation. As the authority rightly pointed out in its response to the complaint, understanding the provision in the way indicated by the complainant would mean that personal data would not be properly protected. The intention of the legislator was not to limit the application of personal data protection but, on the contrary, to increase its scope and application. The legislator, as the authority rightly notes, specifies the exclusions from the application of the provisions in Art. 6 of Regulation 2016/679. Interpreting the provisions in the manner adopted by the complainant would lead to an ad absurdum result, where the application of the provisions of Regulation 2016/679 would be limited to a very narrow scope of application of EU law. Meanwhile, the introduction of the above-mentioned legal act was aimed at increasing, and not drastically restricting, the protection of personal data.

The idea of European Union legislation is (inter alia) the protection of personal data; moreover, under Polish law, these rights are provided with additional protection by the Constitution of the Republic of Poland. The complainant's claim that, although superior acts such as the Constitution or the generally applicable principles of European Union law provide for broad protection of personal data, the Regulation narrows it to an extremely narrow circle, is completely illogical.

Pursuant to Art. 8 sec. 1 of the EU Charter of Fundamental Rights, everyone has the right to the protection of personal data concerning them; pursuant to Art. 16 sec. 1 TFEU, every person has the right to the protection of personal data concerning him. These fundamental rights are referred to in the GDPR in its first recital. The rules and regulations regarding the protection of natural persons with regard to the processing of their personal data may not - regardless of their nationality or place of residence - violate their fundamental rights and freedoms, in particular the right to the protection of personal data (recital 2 of the GDPR).

As the authority rightly noted, the doctrine rightly states that the norm resulting from Art. 16 sec. 1 TFEU (and, analogously, Art. 8 of the EU Charter of Fundamental Rights) has the status of a directly effective norm, becoming an autonomous basis for the rights of individuals with regard to the protection of personal data. A directly effective treaty rule protects natural persons also in situations where they are unable to benefit from the protection guaranteed by acts of secondary law. The content of Art. 16(2) TFEU unequivocally indicates that the rules on the protection of personal data set out in acts of secondary law apply to the personal data of natural persons processed by institutions, bodies, offices and agencies of the European Union and by the Member States, but only to the extent that these activities serve the application of European Union law.

Referring to the legal opinion annexed to the complaint, the Court indicates that it does not relate to the substance of the case and therefore was irrelevant to its decision.

Referring to the remaining objections of the complaint, it should first be pointed out that Art. 5 of Regulation 2016/679 formulates the rules for the processing of personal data, which the personal data administrator is obliged to comply with and implement. In the facts of the case, the administrator of personal data, i.e. the person obliged to process personal data in accordance with the law and to implement organizational and technical procedures for processing this data, is the Mayor. The rules set out in Art. 5 of Regulation 2016/679 play an important role among the legal norms regulating the protection of personal data.

The rules specified in this provision are independent in nature and are binding legal norms that define specific standards of conduct in this respect. Of course, they can play a subsidiary role in relation to other regulations, especially in the interpretation and application of legal norms on the protection of personal data, but their function as superior standards over other regulations is equally important. The legislator emphasizes their special importance by defining the legal norms appearing in Art. 5 of Regulation 2016/679 as principles. The authority is obliged to follow the rules contained in this provision, and any exclusions are absolutely exceptional.

Art. 5 sec. 2 of the Regulation in question indicates that the controller is responsible for compliance with the provisions of para. 1 and must be able to demonstrate compliance with them; this principle is referred to in the Regulation as "accountability". Taking into account all the norms of Regulation 2016/679, it should be emphasized that the controller has considerable freedom in the choice of safeguards applied, but at the same time is responsible for any violation of the provisions on the protection of personal data. The principle of accountability expressly implies that it is the data controller that should demonstrate, and therefore prove, that it complies with the provisions set out in Art. 5 sec. 1 of Regulation 2016/679.

In the opinion of the Court, the complainant, as the data controller who was burdened with the burden of proof, did not show that he complied with all the rules of personal data processing.

The court fully shares the authority's assessment of individual infringements of substantive law.

The breach of Art. 5 sec. 1 lit. a) and f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of lawfulness and confidentiality, and of Art. 28 sec. 3 of Regulation 2016/679 consisted in providing personal data to [...] sp. z o.o. with its seat in T. and to the consortium of entities [...] SA with its seat in G. and [...] SA with its seat in K. without a legal basis. The applicant had not previously concluded with the above-mentioned entities the personal data entrustment agreements referred to in Art. 28 sec. 3 of Regulation 2016/679 in connection with the running of the BIP website of the Municipal Office in A.

The principles defined in Art. 5 sec. 1 lit. a) and f) of Regulation 2016/679 are referred to as, respectively, a) the principles of lawfulness, fairness and transparency, and f) the integrity and confidentiality of data (data security). Art. 5 sec. 1 lit. a) of Regulation 2016/679 sets out the requirements for the administrator of personal data in terms of their processing. In the present case, that provision has undoubtedly been infringed. The principle of lawfulness of data processing refers to the compliance of personal data processing with the provisions of law contained in all normative acts regarding the processing of personal data, including the provisions of Regulation 2016/679. The complainant undoubtedly breached Art. 28 sec. 3 of this Regulation, and thus breached the principle of lawfulness.

Pursuant to Art. 5 section 1 lit. f of Regulation 2016/679, personal data must be processed in a manner ensuring their appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures. The controller of personal data is required to take proportionate measures to protect the data.

The "threats" listed in this provision, against which the administrator must protect itself, form a non-exhaustive (open) catalogue, as indicated by the term "including" used in this provision. The complainant violated both of the above-mentioned principles by failing to comply with Art. 28(3) of Regulation 2016/679. This provision explicitly requires that processing by a processor on behalf of the controller takes place on the basis of a contract or other legal instrument. As established by the authority in the evidentiary proceedings, the contracts concluded by the complainant with the entities that participated in the processing of personal data contained no provisions regarding the processing of personal data or the entrustment of their processing.

For this reason, the objection of the complaint that the authority violated substantive law, i.e. Art. 28 sec. 3 of Regulation 2016/679, through its incorrect application is unfounded. The complainant's failure to conclude contracts with the entities that processed personal data of which the complainant was the administrator is attributable to the personal data administrator who, despite his obligation, did not comply with the provisions on the protection of personal data. Therefore, the authority correctly assessed this situation from a substantive point of view, finding a violation of Art. 5 sec. 1 lit. a) and f) in connection with Art. 5 sec. 2 and Art. 28 sec. 3 of Regulation 2016/679.

The authority also correctly assessed the violation of Art. 5 sec. 1 lit. e) in connection with Art. 5 sec. 2, i.e. the principle of storage limitation, and Art. 24 of Regulation 2016/679 due to the lack of appropriate policies regarding the processing of personal data in the BIP of the Municipal Office in A. in terms of the timeliness and purposefulness of publication and the specification of deadlines for deleting personal data. The principle referred to as "storage limitation", as defined in Art. 5 sec. 1 lit. e) of Regulation 2016/679, provides that "personal data must be stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed". Moreover, "personal data may be stored for a longer period insofar as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 paragraph 1, subject to the implementation of the appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of data subjects ('storage limitation')". According to this principle, once the purposes for which personal data are processed have been achieved, the data should be deleted.

Pursuant to Art. 24 sec. 1 of Regulation 2016/679, "taking into account the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons of varying probability and seriousness, the controller shall implement appropriate technical and organizational measures to ensure that the processing takes place in accordance with this Regulation and to be able to demonstrate it. These measures shall be reviewed and updated as necessary."

The court shares the authority's finding that the controller of personal data is obliged to implement appropriate technical and organizational measures to ensure that the processing of personal data is lawful. Such technical measures have not been introduced; the authority has in no way ensured that all information the purpose of which was achieved was deleted.

The allegation made in the complaint to the Court concerning the infringement of substantive law, i.e. Art. 5 sec. 1 lit. e) in connection with Art. 5 sec. 2 and Art. 24 of Regulation 2016/679 and Art. 11b paragraph 1 of the Act on Municipal Self-Government and Art. 8 of the Code of Administrative Procedure, due to their improper application, actually boils down to the fact that the period for which the data are (or may be) published in the Public Information Bulletin has not been specified, which, in the complainant's opinion, is a legal loophole. This objection is not relevant: as indicated above, despite the fact that there are no explicitly indicated maximum periods after which personal data should be deleted, the principle of storage limitation implies that personal data must be stored for a period no longer than is necessary for the purposes for which the data are processed. The personal data controller defines the "necessary purpose" by implementing the appropriate procedure referred to in Art. 24 sec. 1 of Regulation 2016/679. Due to the lack of actions of the applicant in the described direction, the Court did not find in the present case a violation by the authority of Art. 8 of the Code of Administrative Procedure.

The next charge concerns the infringement of Art. 5 sec. 1 lit. f) in connection with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality and the principle of accountability, and Art. 24 of Regulation 2016/679 (by failing to conduct a risk analysis related to the use of the YouTube channel by the Mayor to transmit recordings of the sessions of the City Council of A.).

In the context of the provisions referred to in the previous paragraph and the facts set out in this justification, it should be emphasized once again that the controller of personal data is obliged to process them in a manner ensuring adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organizational measures.

The complainant alleges a breach of substantive law, i.e. Art. 5 sec. 1 lit. f) in conjunction with Art. 5 sec. 2 and Art. 24 of Regulation 2016/679, through their improper application, arguing that the failure to conduct a risk analysis cannot prove that the personal data controller has breached the provisions of the Regulation, because conducting such an analysis is optional and cannot prove that adequate technical and organizational measures have not been implemented so that the processing takes place in accordance with the provisions of Regulation 2016/679. The necessity of introducing such a procedure should be analyzed case by case in the specific circumstances: in these proceedings the data controller has not shown that a risk analysis was unnecessary, and the Court has no doubts that the procedures implemented did not fully ensure the security of personal data. In the opinion of the Court, carrying out such an analysis would minimize the risk of deficiencies in the processing of personal data, and it is from this perspective that the possible need to create an appropriate procedure for the security and protection of personal data should be considered.

In the contested decision, the authority also accused the complainant of violating Art. 5 sec. 1 lit. f) in conjunction with Art. 5 sec. 2 of Regulation 2016/679, i.e. the principles of integrity and confidentiality, and Art. 32 of Regulation 2016/679 by failing to implement appropriate technical and organizational measures aimed at securing the data of natural persons in connection with the storage of recordings of the sessions of the City Council of A. only on YouTube servers, without making and storing backups of these recordings in the own resources of the City Hall in A. The provision of Art. 32 of Regulation 2016/679 imposes another obligation on the personal data controller, namely the obligation to secure the processed data.

The provision of Art. 32 sec. 1 lit. b) and c) of Regulation 2016/679 provides: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (...)

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."

This provision does not require the data controller to implement any technical and organizational measures that are to constitute personal data protection measures, but requires the implementation of adequate measures. Such adequacy should be assessed in terms of the manner and purpose for which personal data are processed, but also the risk related to the processing of such personal data, which may vary in size, should be taken into account.

The adopted measures are to be effective: in specific cases some measures will have to mitigate a low risk, others a high risk, but it is important that all measures (and each one separately) are adequate and proportionate to the degree of risk. In the opinion of the Court, the transfer of personal data to an external entity that transmits sessions of the authorities on a public network such as the Internet, where personal data are processed, resulted in a breach of the provisions on the protection of personal data, and the measures that had to be taken should have been proportionate to the indicated high risk.

It should be emphasized that once the recording was finished it was saved only on the YouTube website and the complainant had no backup, which, according to the Court, is inconsistent with Art. 32 sec. 1 lit. b) and c) of Regulation 2016/679. A technical failure of the website may result in the loss of the recording and prevent the personal data controller from restoring its availability; as a result the obliged entity will not be able to ensure the confidentiality, integrity, availability and resilience of processing systems and services. Therefore, in the opinion of the Court, the authority correctly and in accordance with the applicable provisions proved that the applicant infringed the provisions referred to in this paragraph. As to the complainant's allegation concerning the infringement of substantive law, i.e. Art. 5 sec. 1 lit. f) in conjunction with Art. 5 sec. 2 and Art. 32 of Regulation 2016/679: as already mentioned, measures of a technical and organizational nature are the responsibility of the personal data controller, but they cannot be selected in a completely free and arbitrary manner, without taking into account the degree of risk or the nature of the personal data being protected. Undoubtedly, the measures taken by the applicant did not ensure security, which was duly demonstrated by the authority, and the arguments raised by the applicant in this regard constitute only a polemic with the facts, which in the Court's opinion were correctly established by the authority.

The last provisions whose application by the authority the Court reviewed in the present case concern the alleged infringement of Art. 5 sec. 2 of Regulation 2016/679, i.e. the principle of accountability, and Art. 30 sec. 1 lit. d) and f) of Regulation 2016/679 (by not indicating in the register of personal data processing activities, for activities related to the publication of information on the BIP website of the City Hall in A., all data recipients, and by failing to indicate for these processing activities the planned date of data deletion in a manner ensuring data processing in accordance with the principle of storage limitation). In the opinion of the Court, the authority correctly interpreted the provisions of the Act on Municipal Self-Government and the Act on Access to Public Information; the Court fully shares the authority's arguments in this regard and therefore finds it pointless to repeat them here.

The provision of Art. 30 sec. 1 lit. d) and f) of Regulation 2016/679 provides that each controller and, where applicable, the controller's representative shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (...) (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; (...) (f) where possible, the envisaged time limits for erasure of the different categories of data.

Applying the directives of linguistic interpretation, the controller's obligation to keep a register of personal data processing activities is stated directly. Interpretation methods other than the linguistic one apply only when linguistic interpretation proves insufficient or does not lead to the correct decoding of the legal norm from the provision. A controller who does not indicate the planned date of deletion of the individual categories of data (provided that this is possible, and in this case it was possible) directly violates the provisions on the protection of personal data, compliance with which it is responsible for. Each of the obligations arising from this provision must be fulfilled: failure to perform even one of the obligations concerning the register of personal data processing activities constitutes a breach of the provision. The same reasoning applies to the charge of infringement of the provisions of substantive law, i.e. Art. 30 sec. 1 lit. d) and f) in conjunction with Art. 5 sec. 1 lit. e) in conjunction with Art. 5 sec. 2 of Regulation 2016/679.

The Court assessed, taking into account the nature of the infringements and the number of provisions of substantive law on the protection of personal data that the complainant violated, that the fine of PLN 40,000 was adequate, proportionate and correctly imposed. The authority duly justified the penalty, taking into account the very long duration of the infringements, their intentional nature, the high degree of responsibility of the controller and the lack of cooperation with the authority after the proceedings were initiated. The maximum fine for the violations found is PLN 100,000, and only 40% of the possible fine was imposed on the applicant, which makes it effective, proportionate and dissuasive.

Taking into account the above considerations, the Court, pursuant to Art. 151 of the Law on Proceedings before Administrative Courts (ppsa), dismissed the complaint.