WSA w Warszawie - II SA/Wa 809/20

From GDPRhub
WSA Warsaw (Poland) - II SA/Wa 809/20
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 4(14) GDPR; Article 5(1)(c) GDPR; Article 9(1) GDPR; Article 9(2)(a) GDPR
National Case Number/Name: II SA/Wa 809/20
Appeal to: Pending appeal
Original Language(s): Polish
Original Source: Centralna Baza Orzeczeń Sądów Administracyjnych (in Polish)
Initial Contributor: Maciej Niezgoda

The Provincial Administrative Court in Warsaw has overturned the decision of the Polish DPA imposing a fine of PLN 20,000 (approx. 4389 EUR) on a school for processing biometric data of children.

English Summary

Facts

The Polish DPA became aware of irregularities in the processing of personal data of pupils of a primary school, consisting in the collection of fingerprints of children using the services of the school canteen. The school explained that it uses a biometric reader which is placed at the entrance to the school canteen and which identifies children who take meals there in order to verify that they have paid for the meal of the day. The school indicated that it obtains the biometric data of its pupils on the basis of the written consent of the parent (legal guardian). The school further informed that upon termination of the contract for the use of lunches in the school canteen, the data needed for fingerprint identification, i.e. the string of bytes stored in the reader, is deleted.

The Polish DPA also found that, according to the lunch policy posted on the website of the canteen run by the school, pupils without biometric identification let everyone through and wait at the end of the queue, and once all pupils with biometric identification have entered the canteen, the admission of pupils without biometric identification begins one by one. As a result of the analysis of the collected evidence, the Polish DPA ordered the school to delete personal data in the area of digitized information on fingerprint characteristics of children using school canteen services, ordered the school to stop collecting such data, and imposed a fine on the school in the amount of PLN 20,000.00 for the violation found in the decision. As the DPA argued, the provisions of generally applicable law indicate the type of data that a school may obtain from its pupils, but none of them authorises the processing (acquisition and collection) of pupils' biometric data, the processing of which is in principle prohibited under Article 9(1) of the GDPR, for the purpose of the provision of school canteen services.


Dispute

Can the consent of a parent (legal guardian) be a legal prerequisite for the processing of biometric data?

Does pupil data obtained by the school, which includes information on fingerprint characteristics and which has been processed into a digital record, constitute biometric data within the meaning of Article 4(14) of the GDPR?


Holding

The court held that the DPA had properly accepted that the pupil data acquired by the school, which included information about fingerprint characteristics processed into a digital record, constituted biometric data within the meaning of Article 4(14) of the GDPR.

The court found that the written statements in which the parents of the pupils to whom the biometric data pertained gave their consent to the processing of the data for the specified purpose, in an unambiguous and unquestionable manner, testified to the fulfilment of the prerequisite of Article 9(2)(a) of the GDPR.

The court stated that the processing of data to a slightly broader extent than the minimum necessary shall be regarded as admissible, provided that the processed data are closely related to the achievement of the purpose (e.g. facilitate its achievement). Consequently, the court held that it could not agree with the DPA that the school's processing of pupils' biometric data was incompatible with the principle of minimisation in Article 5(1)(c) of the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.



II SA/Wa 809/20 - Judgment of the Provincial Administrative Court in Warsaw

Date of the judgment: 2020-08-07 (judgment not final)
Date of receipt: 2020-04-20
Court: Provincial Administrative Court in Warsaw
Judges: Piotr Borowiecki (chairman, rapporteur)
Symbol with description: 647 Matters related to the protection of personal data
The appealed authority: Inspector General for Personal Data Protection
Result content: The contested decision was annulled

Sentence

The Provincial Administrative Court in Warsaw, sitting in the following composition: Presiding Judge of the Provincial Administrative Court Piotr Borowiecki (rapporteur), Judge of the Provincial Administrative Court Łukasz Krzycki, Judge of the Provincial Administrative Court Joanna Kube, recording clerk: trainee clerk Adrianna Siniarska, after examining the case on the complaint of Primary School No. [...] with branches [...] named after [...] in G. against the decision of the President of the Personal Data Protection Office of [...] February 2020, No. [...] on the processing of personal data: 1. repeals the contested decision; 2. orders the President of the Personal Data Protection Office to pay to the complainant, Primary School No. [...] with sports branches named after [...] in G., the amount of PLN 400 (in words: four hundred zlotys) as reimbursement of the costs of the court proceedings.

Substantiation

By the contested decision of [...] February 2020, No. [...], the President of the Personal Data Protection Office (hereinafter also: "President of the Personal Data Protection Office" or "supervisory authority"), acting pursuant to Art. 104 § 1 of the Act of 14 June 1960 - Code of Administrative Procedure (consolidated text, Journal of Laws of 2018, item 2096 as amended; currently: uniform text of Journal of Laws of 2020, item 256 as amended - hereinafter: "kpa") and art. 7 sec. 1 and 2, art. 60 and art. 102 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, as amended; currently: consolidated text, Journal of Laws of 2019, item 1781 - hereinafter also: "uodo") in connection with Art. 5 sec. 1 lit. c, art. 9 sec. 1, art. 58 sec. 2 lit. f, lit. g and lit. i, as well as art. 83 sec. 2, sec. 3, sec. 5 lit. a and sec. 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws UE L 119 of May 4, 2016, page 1, with the amendment announced in the Journal of Laws UE L 127 of May 23, 2018, page 2 - hereinafter also referred to as: "GDPR"), after carrying out the administrative procedure concerning the collection of fingerprints of children for the purpose of their biometric identification when they use the services of the school canteen by Primary School No. [...] with branches [...] named after [...] in [...] at ul. [...] (hereinafter also: "the complaining School" or "the complaining party"), for which the governing body is the City [...], the President of the Personal Data Protection Office, stating that the complaining School violated the provisions of Art. 5 sec. 1 lit. c and art. 9 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), consisting in the processing of biometric data of children while using the services of the school canteen:

1) ordered the applicant School to delete personal data in the scope of digitized information on the characteristic points of fingerprints of children using the school canteen services,

2) ordered the complainant School to cease collecting personal data in the scope of digitized information on the characteristic points of fingerprints of children using the services of the school canteen,

3) imposed on the applicant School a fine in the amount of PLN 20,000.00 (in words: twenty thousand zlotys) for the violation found in this decision.

The contested decision of the President of the Personal Data Protection Office (UODO) was issued in the following factual state.

The Office for Personal Data Protection learned about irregularities in the processing of personal data of students of Primary School No. [...] with Branches [...] named after [...] at ul. [...] in [...], consisting in collecting fingerprints of children using the school canteen services.

In connection with the above, the supervisory body initiated an ex officio investigation into the irregularities in the processing of personal data by the above-mentioned School.

The President of the Personal Data Protection Office, conducting appropriate explanatory proceedings, took steps to collect relevant evidence, determining the actual state of affairs necessary to issue a decision.

The supervisory body first of all addressed Primary School No. [...] with Branches [...] named after [...] with a request for explanations.

Responding to the above summons, the applicant School, in a letter of [...] December 2018, explained that it uses a biometric reader called the KPT Finger-Transponder Controller, which is located at the entrance to the school canteen, and which identifies children receiving meals in the school canteen to verify payment for the meal on a given day. The applicant School indicated that it obtains the biometric data of its students on the basis of the written consent of a parent (legal guardian). In the statements in question of [...] December 2018, the applicant School also indicated that it did not have any collection containing images of children's fingerprints. The complainant informed the supervisory authority that the data related to the fingerprint reader is collected only in the reader itself, in the form of a sequence of bytes. The complainant School submitted that, when a finger is read, the reader checks whether there is a corresponding sequence of bytes, and if so, it sends to the program only the position number assigned to a specific child. At the same time, the complainant emphasized that two persons had access to the data in the reader: the system administrator and the authorizing officer - authorized employees of the complainant School. As explained by the complainant School in its letter of [...] December 2018, the parent has the option, in the contract for the use of meals in the school canteen, of consenting or not consenting to the use of the fingerprint reader. The School also assured that parents are informed about this possibility on the website of the school canteen. The complainant further stated that after the termination of the contract for the use of lunches in the school canteen, the data needed for fingerprint identification, i.e. the sequence of bytes stored in the reader, was deleted. Following deletion, as the applicant School submitted, an archival copy is made anew on a micro SD card and kept in a secure room. According to the applicant School, the system does not contain any data that would constitute biometric data. Moreover, in the explanations of [...] December 2018, the complainant emphasized that the SEWiP Program (system for recording payments and meals) is installed on the school server, which is protected against unauthorized access by means of a password. Moreover, as the complainant assured, the server also has anti-virus protection with a firewall. According to the applicant's assurances, only an authorized employee of the applicant School has access to the server.

In turn, in a letter of [...] September 2019, the complainant School, responding to further requests from the supervisory authority, explained that it had been using a biometric reader since 1 September 2015. The complainant also informed that in the school year 2018/2019, 1247 students attended the school, of which 603 used a biometric reader and 2 used an alternative identification system. The complainant also submitted that 1,121 students attended the school in the 2019/2020 school year, of which 680 students use a biometric reader and 4 students use an alternative identification system. Moreover, the applicant School explained in the letter of [...] September 2019 that in a situation where the parent of a given child did not withdraw their consent to use the biometric reader and the child ceased to use the school canteen services (without terminating the contract for the use of lunches in the school canteen), the biometric template stored in the reader is kept until the contract is terminated or until the end of the school year. According to the applicant's assurances, the biometric template recorded on the reader and on the SD card remains during the holidays. In the event of non-renewal of the contract for the use of lunches in the school canteen for the new school year, the above-mentioned data are deleted by 30 September each year at the latest. In the written explanations of [...] September 2019, the complainant School also noted that after the contract is signed and the parent consents to the use of the biometric reader, the child is registered in the payment and meal registration system (SEWiP) by entering his/her name, surname and class, and the name, surname, e-mail address and contact telephone number of the parent. Then, if the parent has consented, the child's fingerprint template is registered in the reader. The applicant School submitted that, from that moment on, the template is identified by the above-mentioned system by means of an ordinal number in the reader, which, when it finds a biometric template corresponding to the fingerprint presented at a given moment, sends to the system the number that is assigned to the given person in the system, and the system then reads the lunch status (paid / unpaid).

The President of UODO also established that, in accordance with the rules for issuing lunches posted on the website of the canteen operated by the applicant School, students who do not have biometric identification let everyone pass and wait at the end of the queue (point 3), and once all students with biometric identification have entered the canteen, students without biometric identification are admitted one by one (point 9) (proof: printout of the school canteen website attached to the official note of the UODO employee of [...] October 2018).

Before issuing the decision, the supervisory authority informed the complainant that evidence sufficient to issue an administrative decision had been gathered, and at the same time instructed the complainant School about the party's rights under both Art. 10 § 1 of the Code of Administrative Procedure and Art. 73 § 1 of the Code of Administrative Procedure.

As a result of the analysis of the collected evidence, the President of the Personal Data Protection Office - acting pursuant to art. 104 § 1 of the Code of Administrative Procedure and Art. 7 sec. 1 and 2, art. 60 and art. 102 of the Act of May 10, 2018 on the protection of personal data in connection with art. 5 sec. 1 lit. c, art. 9 sec. 1, art. 58 sec. 2 lit. f, lit. g and lit. i and with Art. 83 sec. 2 and 3, art. 83 sec. 5 lit. a, art. 83 sec. 7 GDPR - ordered the complainant School to delete personal data in the scope of digitally processed information on characteristic points of fingerprints of children using the school canteen services (point 1), ordered the complainant School to stop collecting personal data in the scope of digitized information on characteristic points of fingerprints of children using the services of the school canteen (point 2), and also imposed on the applicant School a fine of PLN 20,000.00 for the violation found in that decision (point 3).

In the justification of the issued decision, the President of the Personal Data Protection Office noted at the outset that pursuant to Art. 9 sec. 1 GDPR, it is prohibited to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership as well as genetic, biometric data processed in order to uniquely identify a natural person or data concerning health, sexuality or sexual orientation of that person.

In turn, while pointing to Art. 4 point 14 of the GDPR, the President of the Personal Data Protection Office noted that biometric data means personal data resulting from special technical processing, relating to the physical, physiological or behavioral characteristics of a natural person and enabling or confirming the unambiguous identification of that person, such as facial image or dactyloscopic data.

At the same time, the supervisory authority emphasized that children require special protection of personal data, as they may be less aware of the risks, consequences, safeguards and rights they have in relation to the processing of personal data (recital 38 of the GDPR preamble).

Moreover, referring to the wording of recitals 10 and 45 of the GDPR, the supervisory authority indicated that, due to their characteristics, biometric data are particularly sensitive in the light of fundamental rights and freedoms, and therefore require special protection. According to the supervisory authority, the context of their processing may pose a serious risk to fundamental rights and freedoms, therefore, in principle, such data should not be processed, and the conditions legalizing this process included in the GDPR are an exception.

The President of the Personal Data Protection Office stated that the biometric system identifies those features that are, in principle, unchanged and, as in the case of dactyloscopic data, often impossible to change. In this situation, the supervisory authority indicated that due to the uniqueness and stability of biometric data, which translates into their immutability over time, the use of biometric data should be carried out with particular care and caution. Therefore, as indicated by the President of the Personal Data Protection Office, it should be taken into account that any leakage of biometric data will result in a high risk of violating the rights and freedoms of natural persons. According to the supervisory authority, this applies in particular to the biometric data of children, because the decision of legal guardians to share this type of data of a child, and its possible leakage, will not be reversible over time, even after the child reaches the age of majority.

The President of the Personal Data Protection Office pointed out that, on the basis of the collected evidence, it was found that a fingerprint image was obtained from children whose parents agreed to have them identified, and their entitlement to receive a meal (on a given day) verified, by means of a fingerprint. From this image, the KPT Finger-Transponder Controller automatically extracts selected features of the fingerprint and converts them into a digital record (biometric template), which it stores in its memory. The supervisory authority noted that the digital record is assigned a position number (from 1 to 3000). When a finger is placed on the reader, the system compares it with the biometric templates in the reader memory. It then links the position number with the same number in SEWiP, to which the child's name, surname, class and permission to collect a meal on a given day are assigned, as well as the name, surname, e-mail address and contact telephone number of the parent.

Bearing in mind the above, the President of the Personal Data Protection Office stated that - contrary to the explanations of the complainant - the data of students obtained by the complainant School, including information on characteristic points of fingerprints, processed into a digital record, constitute biometric data within the meaning of Art. 4 point 14 of the GDPR. The supervisory authority noted that, as a result of comparing the biometric template registered on the device with the child's finger placed against the biometric reader, as well as other information (including the item number, name, surname, class and authorization to collect dinner), it is possible to identify the child.

The President of the Personal Data Protection Office stated that the processing of a special category of personal data, which includes biometric data, is regulated in Art. 9 sec. 1 GDPR, according to which the processing of personal data revealing biometric data in order to uniquely identify a natural person is prohibited. The supervisory authority indicated that the catalog referred to in Art. 9 sec. 2 GDPR is closed, and each of the premises legalizing the processing of personal data is autonomous and independent. This means, in the opinion of the authority, that these conditions are, in principle, equal, and therefore the fulfillment of at least one of them constitutes a lawful processing of personal data.

In addition, the authority noted that the processing of personal data must be in accordance with the principles set out in Art. 5 sec. 1 GDPR, including the principle of data minimization (Article 5 (1) (c) of the GDPR), which requires personal data to be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Referring to the explanations of the complainant School, which indicated that the processing of biometric data is based on the voluntary consent of the parents of the students (legal guardians), the President of the Personal Data Protection Office - referring to the definition of consent expressed in Art. 4 sec. 11 of the GDPR, as well as recital 43 of the GDPR Preamble - stated that, in order for consent to be regarded as voluntary, it should not constitute a valid legal basis for the processing of personal data in particular in a situation where there is a clear imbalance between the data subject and the controller. At this point, the supervisory authority noted, referring to the wording of Art. 106 of the Act of 14 December 2016 - Education Law (consolidated text, Journal of Laws of 2019, item 1148), that the basis for the processing of any personal data of children in connection with the implementation of the school task consisting in running a canteen could not be consent, because the basis for the processing of children's personal data by the School for this purpose is Art. 6 sec. 1 lit. e GDPR. In the opinion of the supervisory authority, it should therefore be concluded that, by providing the service consisting in running a canteen, the applicant School may only process the student's personal data necessary for the provision of school canteen services. Meanwhile, as pointed out by the supervisory authority, the provisions of generally applicable law indicate the type of data that the applicant School may obtain from its students, but none of them allows that institution to process (acquire and collect), in order to provide school canteen services, the biometric data of students, the processing of which is in principle prohibited on the basis of Art. 9 sec. 1 GDPR.

In such a situation, in the opinion of the President of the Personal Data Protection Office, the parent's consent cannot be a premise legalizing the processing of biometric data, because consent is the basis for legalizing the processing of personal data only if there are no other grounds for such processing. In the opinion of the supervisory authority, recognizing the fact of giving consent by the parents of children as a circumstance legalizing the collection of data from children other than those indicated by the Polish legislator would circumvent these provisions.

Incidentally, the President of UODO also emphasized that the rules for distributing lunches posted on the website of the canteen operated by the applicant School introduced unequal treatment of students, as they clearly favoured students with biometric identification.

Having regard to the foregoing, the supervisory authority consequently found that the applicant School had no legal basis authorizing the processing of biometric data of children using the services of the school canteen.

In this situation, the supervisory authority stated that due to the fact that the applicant School did not hold any of the conditions set out in Art. 9 sec. 2 GDPR, it should be considered that its operation violates Art. 9 sec. 1 GDPR and the principle of data minimization set out in the GDPR, according to which the complaining School, as the data controller, should not obtain data excessively, but only those that are necessary to achieve the goals.

Meanwhile, as recognized by the supervisory authority, the processing of pupils' biometric data is not necessary to achieve the goal of identifying the child's entitlement to receive lunch. According to the supervisory authority, the above-mentioned identification of the student may be carried out by the applicant School by other means, less interfering with the privacy of the child using the services of the school canteen. All the more so as, as noted by the supervisory authority, the collected evidence shows that the applicant School allows the use of the school's canteen services by means of a fingerprint, an electronic card or the name and contract number, which therefore means that alternative forms of identifying the child's entitlement to pick up lunch exist at the School.

The President of UODO also emphasized that biometric data may be used, inter alia, for the purposes of ensuring personal and industrial security, information protection in order to verify suspects and assess their involvement in crimes, issuing identification documents (passports), and access control to specific security zones. In the opinion of the supervisory authority, in these cases, these processes may be considered as justified due to the subject of protection or the seriousness of the aim pursued, and the scope of the data used as adequate. Meanwhile, according to the President of the Personal Data Protection Office, verification of who intends to use the services of the school canteen and whether they are entitled to receive lunch, through the biometric data obtained from students, constitutes too much interference with their privacy, compared to the seriousness of the purpose for which they are to be processed.

Bearing in mind the above findings, the President of the Personal Data Protection Office stated that when exercising his powers specified in Art. 58 sec. 2 lit. f and lit. g GDPR, there was a basis for ordering the complainant School to delete personal data in the scope of digitally processed information on characteristic points of fingerprints of children using the school canteen services and to order the cessation of personal data collection in the scope of digitally processed information on characteristic points of fingerprints of children using the school canteen services.

Moreover, the President of the Personal Data Protection Office noted that pursuant to Art. 58 sec. 2 lit. i GDPR, each supervisory authority has the right to apply, in addition to or instead of other remedies provided for in Art. 58 sec. 2 of the GDPR, an administrative fine pursuant to Art. 83 GDPR, depending on the circumstances of a specific case. In this situation, the President of the Personal Data Protection Office stated that in the case at hand there were conditions for imposing an administrative fine on the complainant School.

The President of the Personal Data Protection Office stated that, in deciding to impose an administrative fine on the applicant School and in determining its amount, he took into account, pursuant to Art. 83 sec. 2 lit. a-k GDPR, a number of important circumstances of this case.

Assessing the nature, gravity and duration of the violation, the President of the Personal Data Protection Office noted that the biometric data of children had been processed without a legal basis in violation of the minimization principle, and that this state of affairs has lasted from [...] May 2018 to the present. The supervisory authority indicated that, although it does not have evidence that the data subjects would have suffered material damage, the very breach of the principle of data minimization of special category may constitute non-pecuniary damage. At the same time, the supervisory authority found that the actions of the complainant School could lead to an unjustified differentiation of the situation of students using the services of the school canteen.

When assessing the nature, gravity and duration of the infringement, the President of the Personal Data Protection Office pointed out that the infringement found in this case is of significant importance and serious nature, as it concerns the processing of special category data, which are also personal data of children. In addition, the processing in question takes place without a legal basis and violates the basic principle of minimization in relation to the processing of personal data (Article 5 (1) (c) of the GDPR). Moreover, the supervisory authority indicated that the infringement found continues to date.

In turn, assessing the nature of the infringement (intentional or unintentional), the supervisory authority argued that the applicant School had made an informed decision, motivated by the willingness to efficiently identify children taking meals in the school canteen in order to verify payment for the meal on a given day, which means that it should be attributed deliberate action that violated Art. 5 sec. 1 lit. c and art. 9 sec. 1 GDPR.

When analyzing the actions taken by the controller to minimize the harm suffered by the data subjects, the supervisory authority indicated that the controller did not take action to minimize the potential non-pecuniary damage as it did not qualify its action as unlawful.

When assessing the degree of the controller's responsibility, taking into account technical and organizational measures, the supervisory authority found that the breach found was not related to the implementation and quality of the organizational and technical measures applied by the applicant School pursuant to Art. 25 and art. 32 GDPR, therefore there is no need to establish in this context the degree of liability of the complaining party.

On the other hand, when assessing any relevant prior infringements by the controller or processor, the President of the Personal Data Protection Office noted that it had not been found that the complaining School had previously violated the provisions of the GDPR, which would be relevant to the present proceedings.

Taking into account the categories of personal data concerned by the violation, the President of the Personal Data Protection Office decided that the identified violation related to biometric data, i.e. categories of data subject to special protection.

Analyzing the way in which the supervisory authority learned about the breach, the President of the Personal Data Protection Office noticed that he obtained information about unlawful processing of the above-mentioned personal data by the applicant School ex officio.

The supervisory authority also took into account the fact that, in the same case, the measures referred to in Art. 58 sec. 2 GDPR.

At the same time, the supervisory authority noted that the applicant School did not apply the approved codes of conduct under Art. 40 GDPR or approved certification mechanisms pursuant to Art. 42 GDPR.

The President of the Personal Data Protection Office also indicated which of the above circumstances he considered aggravating and influencing the penalty.

Consequently, the President of the Personal Data Protection Office stated that the administrative fine, in the established circumstances of this case, fulfills the functions referred to in Art. 83 sec. 1 GDPR, i.e. it is effective, proportionate and dissuasive in this individual case.

At the same time, the supervisory authority emphasized that the application of an administrative fine in the present case was necessary, also given that the applicant School had completely ignored the fact that the biometric data of the children were processed by stating that it did not process data in the above-mentioned scope.

The President of the Personal Data Protection Office (UODO) also found that the administrative fine would be repressive, as it would be a response to the complainant School's breach of the GDPR provisions, and would also fulfill a preventive function, as it would effectively discourage the complaining School from violating the provisions on personal data protection in the future in this way.

In the established circumstances of the case, the President of the Personal Data Protection Office also stated that, pursuant to Art. 102 paragraph 1 of the Act of 10 May 2018 on the Protection of Personal Data, he could impose, by way of a decision, an administrative fine of up to PLN 100,000, because the complaining party is a unit of the public finance sector referred to in Art. 9 points 1-12 and 14 of the Act of 27 August 2009 on Public Finance (consolidated text, Journal of Laws of 2019, item 869).

In connection with the above, the supervisory body indicated that the fine in the amount of PLN 20,000 meets the conditions referred to in Art. 83 sec. 1 GDPR due to the seriousness of the breach found in the context of the basic principle of the GDPR - the principle of data minimization.

In a letter of [...] March 2020, the complainant School, acting through the supervisory body, lodged a complaint with the Provincial Administrative Court in Warsaw against the above decision of the President of the Personal Data Protection Office of [...] February 2020.

Requesting the revocation of the challenged decision of the President of the Personal Data Protection Office, as well as an order that the supervisory body reimburse the complainant for the costs of the proceedings in accordance with the prescribed standards, the complainant School alleged a breach of substantive law due to its incorrect interpretation by the supervisory authority.

In support of the complaint, the complainant pointed out at the outset that, as regards the alleged violation of Art. 9 sec. 1 GDPR, each parent (legal guardian) voluntarily either consented in writing to the use of the biometric fingerprint reader or did not consent to it. Where consent was not given, the student could still use the school canteen, and the verification was done "manually" based on the contract number and surname. Moreover, the applicant School noted that it had processed biometric data, in the digitized form of information on the characteristic fingerprint points of the finger of a child using the services of the school canteen, with the knowledge and consent of the parent (legal guardian).

The complainant pointed out that the parent's consent was free, specific, informed and unambiguous in the form of a declaration.

The applicant School complained at the same time that it had been very responsible with the biometric data and that the parents had trusted the applicant School on this point.

The complainant found incomprehensible the statement of the President of the Personal Data Protection Office that "Recognition of the consent given by the parents of the children as a circumstance legalizing the collection of other data from children than indicated by the Polish legislator, would circumvent these provisions". The applicant School stated that it had never intended, and did not intend, to circumvent the regulations in any way, and added that it was the parents who had taken the initiative to use a biometric fingerprint reader. The complainant further added that each parent made an individual decision as to whether or not to use the biometric fingerprint reader.

Consequently, the complainant School considered that the consent of the parent (legal guardian) may be a premise legalizing the processing of biometric data.

On the other hand, as regards the alleged violation of Art. 5 sec. 1 lit. c of the GDPR, the applicant School noted that before introducing the fingerprint reader, it had used an electronic card reader, but this system did not fully meet the intended purpose of verifying payment for a meal on a given day, because children too often lost the card or forgot to take it from home and - in the absence of a card - there remained verification by the name and number of the card, which caused the various problems described by the complainant. As the complainant pointed out, the Parent Council, seeing this situation, itself requested the introduction of the fingerprint system, which was to eliminate the problems related to the child losing or forgetting the dinner card, or the problem of using someone else's card. The complainant therefore stated that, in order to meet the parents' expectations, as of 1 September 2015, it had used a biometric fingerprint reader, and - importantly - each parent made an individual decision as to whether or not to consent to the use of the biometric reader for the fingerprint of their child.

In this situation, the complainant argued that none of the alternative methods of verification fully met the intended purpose of verifying payment for a meal during the specified period, i.e. the school break.

Nevertheless, the applicant School clearly noted that it had previously introduced other methods of verifying the payment for a meal, and only seeing problems, at the request of the Parents' Council and with the parent's written consent, decided to introduce a biometric fingerprint reader.

The complainant submitted that it was trying to apply the principle of a friendly school for the student and the parent, while at the same time taking care to respect the principle of minimizing personal data.

The complainant further alleged that it was not true that "(...) it had completely ignored the fact that the biometric data of children had been processed by stating that it did not process data in the above-mentioned scope". The complainant School stated that it had not used such a wording, and only indicated in a letter of [...] December 2018 that "(...) only the personal data of the children and the parent (legal guardian) are stored in the system itself, and meal payment information. No biometric data is stored in the system." The complainant School indicated that by the system it means the System of Records of Payments and Meals (SEWiP) installed on the server. Thus, as stated by the applicant, no biometric data is stored on the server, as the biometric data is only stored in the memory of the fingerprint biometric reader itself. The applicant School also stated that it was aware that it was processing biometric data, as evidenced by the wording used in its letter of [...] September 2019 that "(...) In the event of termination of the contract, the biometric data are deleted" from the reader where they were stored.

Having regard to the above, the complainant School stated that although the disputed decision of the President of the Personal Data Protection Office (UODO) appeared to be controversial, especially in the statement that the parent's consent could not be a premise legalizing the processing of biometric data, immediately, i.e. on [...] February 2020, the complaining party deleted the personal data relating to digitized information on the characteristic fingerprint points of the fingers of children using the school canteen services and ceased the collection of personal data in the field of digitized information on the characteristic fingerprint points of the fingers of children using the school canteen services.

Regardless of the foregoing, however, the applicant noted that it did not agree with the supervisory authority's statement in the contested decision that the data of students obtained by the applicant School, including information on the characteristic points of fingerprints, processed into digital records, constituted biometric data within the meaning of Art. 4 point 14 of the GDPR.

At this point, the applicant submitted that she had attached to her complaint an opinion from a specialist in automatic identification systems, which stated that the personal data in question collected by the applicant School were not biometric data. In this situation, the applicant School stated that, in the light of the said opinion, it had serious doubts as to whether the data recorded in the biometric reader constituted biometric data within the meaning of Art. 4 point 14 of the GDPR.

In response to the complaint, the President of the Office for Personal Data Protection appealed for its dismissal, maintaining his current position expressed in the justification of the contested decision.

Referring to the allegations of the complainant School concerning the infringement of substantive law, the President of the Personal Data Protection Office - materially referring to Art. 9 sec. 1 GDPR and art. 4 point 14 of the GDPR - indicated that children require special protection of personal data, as they may be less aware of the risks, consequences, safeguards and rights they have in relation to the processing of personal data (recital 38 of the GDPR preamble).

Moreover, the supervisory authority considered that - contrary to the applicant's position - the data of students obtained by the applicant School, including information on the characteristic points of fingerprints, processed into a digital record, constituted biometric data within the meaning of Art. 4 point 14 of the GDPR. The supervisory authority noticed that as a result of comparing the biometric template registered on the device with the child's finger placed against the biometric reader, as well as other information (including the item number, name, surname, class and authorization to collect lunch), it is possible to identify the child.

Considering the above, the President of the Personal Data Protection Office stated that he did not share the opinion contained in the opinion attached to the complaint, according to which the digitally processed information on the characteristic points of fingerprints does not allow for unambiguous identification of the person and is therefore not biometric data.

In addition, the authority indicated that the President of the Personal Data Protection Office, as a supervisory authority, is the competent authority in Poland in matters relating to the protection of personal data. Thus, as acknowledged, only the President of the Personal Data Protection Office has the competence to perform legal qualification and assess the legality of the activities of administrators and processors in the processing of personal data by these entities. Consequently, the supervisory authority concluded that the opinion relied on by the complainant School as regards the legal qualification and assessment of the legality of the complainant's processing of children's personal data was not binding and irrelevant in the present case. Moreover, the supervisory authority submitted that in the course of the proceedings it assesses the facts on the basis of the collected evidence, while the evidence in the proceedings cannot be the opinion submitted by the complainant making the legal qualification.

Referring, solely as a matter of procedural precaution, to the opinion attached to the complaint, the President of UODO indicated that if the interpretation provided in the opinion in question were to be adopted, it should be concluded that the fingerprint itself would not constitute biometric data or personal data in general, because without comparing it with other data, it would not be possible to identify the person to whom the print relates. In the opinion of the supervisory authority, the interpretation resulting from that opinion also leads to the conclusion that when a person is identified by fingerprint or even an image of the iris of the eye, we are not dealing with biometric data, as they do not allow the unambiguous identification of persons. The supervisory authority stated that the President of the Personal Data Protection Office could not agree with such an interpretation, because - in the opinion of the President of the Personal Data Protection Office - it is enough that a person can be identified, even indirectly, for the data concerning him or her to constitute his or her personal data, which clearly results from the definition contained in Art. 4 point 1 GDPR.

Moreover, the supervisory authority stated that due to the nature of the processing (special technical processing), as well as the nature of the data themselves, which concern physiological and physical characteristics, it should be indicated that the digitized information on the characteristic points of children's fingerprints constitute biometric data because they are used for the automated verification of the rights of a specific natural person.

Considering the above, the President of the Personal Data Protection Office stated that the complainant School's position that it did not process biometric data was unfounded.

The supervisory authority pointed out that there was a contradiction between the conclusions contained in the opinion attached by the complainant and the content of the complaint itself against the contested decision.

Moreover, the supervisory authority found that the applicant School, in its complaint to the Provincial Administrative Court in Warsaw, erroneously assumed that the absence of a basis for the processing of biometric data among the premises set out in letters b-j of Art. 9 sec. 2 GDPR automatically entitles it to use consent as the basis for legalizing the disputed processing of students' personal data.

At the same time, the supervisory authority indicated that the processing of personal data by the complaining School must be in accordance with Art. 5 sec. 1 GDPR, the principles of personal data processing (including the principle of minimization), irrespective of the parents' consent, which - in the opinion of the President of the Personal Data Protection Office - is ineffective.

The supervisory authority found that in the event of a failure by the controller to fulfill the obligations set out in Art. 5 sec. 1 GDPR, it has no legal basis to process personal data, which makes this process illegal.

The supervisory authority indicated that in such a situation, the parent's consent cannot be a premise legalizing the processing of biometric data, because consent is the basis for legalizing the processing of personal data only if there are no other grounds for such processing.

In the opinion of the President of the Personal Data Protection Office, recognizing the consent of the parents of children as a circumstance legalizing the collection of data from children other than those indicated by the Polish legislator, would circumvent these provisions.

In view of the above, the supervisory authority considered that the applicant School had no legal basis authorizing the processing of biometric data of children using the school's canteen services.

Therefore, due to the fact that the complaining School does not have any of the conditions set out in Art. 9 sec. 2 GDPR, the supervisory authority found that such conduct led to a breach of Art. 9 sec. 1 of the GDPR and the principles of data minimization established in the GDPR.

The supervisory authority noted that the processing of biometric data is not necessary to achieve the purpose of identifying the child's right to receive lunch, as that identification may be carried out by the applicant School by other means less intrusive to the privacy of the child using the school canteen services, as evidenced, for example, by the fact that at the applicant School there are alternative forms of identifying the child's entitlement to receive lunch.

The supervisory authority maintained its position that verifying who intends to use the school canteen services and whether they are entitled to receive lunch through biometric data obtained from students constitutes too much interference with their privacy, compared to the seriousness of the purpose for which they are to be processed.

Consequently, the supervisory authority concluded that the processing of pupils' biometric data by the complainant School was inconsistent with the principle of minimization.

Bearing in mind the above findings, the President of the Personal Data Protection Office stated that in the case in question there were conditions for imposing an administrative fine on the complainant School. At the same time, the supervisory authority noted that when deciding on its imposition and determining its amount, it was guided by the content of Art. 83 sec. 2 GDPR, taking into account the individual circumstances set out in the contested decision in detail regarding the case at hand.

The Provincial Administrative Court in Warsaw considered the following.

Pursuant to Art. 1 § 1 and 2 of the Act of 25 July 2002 - Law on the System of Administrative Courts (consolidated text, Journal of Laws of 2019, item 2167, as amended), administrative courts administer justice by controlling the activities of public administration; that control is carried out in terms of compliance with the law, unless the laws provide otherwise.

In the light of the provisions of the above-mentioned act, the Provincial Administrative Court in Warsaw, within its jurisdiction, assesses the appealed administrative decision, order or other act or activity in the field of public administration regarding the rights or obligations arising from the provisions of law, from the point of view of their compliance with substantive law and the provisions of administrative proceedings, according to the factual and legal status in force on the date of issuing this act or taking the action in dispute. It is therefore about the control of acts or activities in the field of public administration made solely in terms of their compliance with substantive law and procedural regulations, and not according to the criteria of equity or compliance with the principles of social coexistence.

Moreover, it needs to be emphasized that the Court adjudicates within the limits of a given case, but is not bound by the allegations and motions of the complaint and the legal basis referred to (see: Art. 134 § 1 of the Act of August 30, 2002 - Law on proceedings before administrative courts - consolidated text, Journal of Laws of 2019, item 2325, hereinafter also: "Ppsa").

It should also be clearly noted that from the date of entry into force of the Accession Treaty of April 16, 2003 (Journal of Laws of 2004, No. 90, item 864), pursuant to which Poland became a Member State of the European Union, judicial control of the administration also covers the compliance of decisions of public administration bodies with European law (European Union law), understood as the entirety of the European Union acquis (acquis communautaire), including general principles of European law, interpreted and applied uniformly throughout the European Union.

It should be noted that according to the principle of primacy, European Union law takes precedence over national law of the European Union Member States. There is no doubt that the principle of primacy applies to all Community acts that are binding. Consequently, EU Member States cannot apply a national law that is inconsistent with EU law, as the priority principle guarantees uniform legal protection of citizens throughout the territory of the European Union. At the same time, there is no doubt that national courts must ensure that the priority principle is respected.

It is also worth paying attention to the principle of direct effect of EU law, which allows individual entities to invoke EU law directly before courts, regardless of whether there are similar legal regulations in national law. In this way, the principle of direct effect guarantees the application and effectiveness of EU law in the EU countries.

The principle of direct effect applies not only to primary law contained in the EU Treaties, but also to acts of secondary law, i.e. acts adopted by the EU institutions on the basis of the aforementioned treaty law. At this point, however, it should be clearly noted that the scope of the direct effect depends on the type of act in question. In the light of both the treaty provisions and the jurisprudence of the Court of Justice of the European Union to date, the provisions of regulations which are directly applicable in the EU Member States have full direct effect.

In this situation, the Provincial Administrative Court in Warsaw, when assessing the legality of the contested decision of the President of the Personal Data Protection Office of [...] February 2020, was obliged to examine its compliance primarily with the provisions of European law, including in particular the regulations contained in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, also referred to as "GDPR").

In the opinion of the Provincial Administrative Court in Warsaw, the complaint of the Primary School No. [...] with branches [...] [...] deserves to be taken into account in [...], because the challenged decision of the President of the Personal Data Protection Office of [...] February 2020, issued in the matter of ordering the complainant School to take specific action in the scope of personal data processing and imposing a fine for a violation of the provisions on the protection of personal data, violates the applicable provisions of law.

The Court found that the President of the Personal Data Protection Office, by issuing the disputed decision of [...] February 2020, breached both the provisions of European law binding on Poland and the provisions of domestic law, to an extent having a significant impact on the final result of the case culminating in the aforementioned administrative decision.

When analyzing the present case, the Court came to the conclusion that the supervisory authority, by issuing the decision in question, primarily violated the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, in particular Art. 5 sec. 1 lit. c and Art. 9 sec. 1 and sec. 2 lit. a GDPR - through their incorrect interpretation and application, and consequently the defective finding that the complaining School, by processing biometric data of its students using the services of the school canteen, violated the principle of "data minimization" referred to in Art. 5 sec. 1 lit. c GDPR, and that it processed the above-mentioned sensitive data in breach of the prohibition of processing such data referred to in Art. 9 sec. 1 GDPR, due to the failure - in the opinion of the supervisory authority - to meet one of the conditions waiving this prohibition, invoked by the complaining party, namely consent given by the data subject (Article 9 (2) (a) of the GDPR).

As a consequence of a significant violation of the above-mentioned provisions of the GDPR, the President of the Personal Data Protection Office unjustifiably exercised the powers resulting from the provisions of Art. 58 sec. 2 lit. f and lit. g of the GDPR, by ordering the complainant School to delete personal data in the scope of digitized information about the characteristic fingerprint points of the fingers of children using the school canteen services, as well as by ordering the complainant, without authorization, to stop collecting the aforementioned biometric data of the students.

At the same time, in the opinion of the Court, the supervisory body unjustifiably exercised against the complainant School the power resulting from the provisions of Art. 58 sec. 2 lit. i in connection with Art. 83 of the GDPR, imposing a fine on the complainant in the amount of PLN 20,000.00.

Thus, the Court found that the President of the Personal Data Protection Office, by issuing the disputed administrative decision, had committed, in the above scope, a material breach of the rule of law expressed in the provisions of Art. 6 of the Administrative Procedure Code and Art. 7 in principio kpa and art. 7 of the Polish Constitution.

Turning to the assessment of the legality of the contested decision, it should be noted at the outset that the subject of the dispute was both the correctness of the findings of the supervisory authority as regards the actual classification of the personal data processed by the applicant School as biometric data and, as a further consequence, the correctness of the allegations made against the applicant based on the legal regulations contained in the provisions of Art. 5 sec. 1 lit. c and Art. 9 sec. 1 GDPR.

In this situation, it should be considered, first of all, that - contrary to the allegations of the complainant - the President of UODO, when issuing the challenged decision, correctly assumed that the data of students obtained by the complainant School, including information on the characteristic points in the fingerprints of their fingers, processed into a digital record, constitute biometric data within the meaning of art. 4 point 14 of the GDPR.

It should be pointed out that pursuant to Art. 4 (14) of the GDPR, "biometric data" means personal data resulting from special technical processing, relating to the physical, physiological or behavioral characteristics of a natural person and allowing or confirming that person's unequivocal identification, such as facial image or dactyloscopic data.

In this situation, it should be considered that, in order to obtain the status of "biometric data" in accordance with the definition, the data must jointly meet the conditions indicated in the above-mentioned provision, i.e. be personal data referring to specific features on the basis of which - using special technical methods - it is possible to unequivocally identify a natural person or confirm its identity.

The physical and physiological features mentioned in the definition may include, inter alia, fingerprints, the appearance of the retina or iris of the eye, face oval, shape of the auricle, hand geometry, arrangement of blood vessels in the hand, voice and its color.

It is assumed that in order for certain features to become biometric data with high efficiency in the processes of identifying and verifying identity, it is necessary to process them with special technical methods. The techniques on which the identification systems are based should be considered as special technical methods. Using appropriate techniques, the identification system automatically compiles templates of features (properties) and then converts them into a digital representation, which it compares with the model profiles in search of the best match. At the same time, as indicated in the literature, the key functions fulfilled by identification systems include enabling unambiguous identification by comparing a specific biometric pattern with many comparative profiles in the database (one-to-many) or unambiguous confirmation - verification, authorization (one-to-one) (see General Data Protection Regulation. Commentary, edited by M. Sakowska-Baryły, 1st edition, CH Beck Publishing House, Warsaw 2018, commentary to Article 4 (14) of the GDPR).

In this situation, the Court found that - contrary to the explanations provided by the applicant - as a result of comparing the biometric pattern registered on the device with the finger of a child (a school student using the services of the school canteen) placed against the biometric reader, as well as other information (e.g. position number, first name, surname, class and authorization to collect the dinner) it is possible to identify the child.

In the opinion of the Court, it is necessary to agree with the supervisory authority that it is sufficient that a person can be identified, even indirectly, for the data concerning him to constitute his personal data, which clearly results from the definition contained in Art. 4 point 1 of the GDPR. In addition, due to the nature of the processing (special technical processing), as well as the nature of the data itself, which relate to physiological and physical characteristics, it should be stated that digitized information on the characteristic points of children's fingerprints constitutes biometric data, as it is used for automated verification of the entitlement of a specific natural person.

Considering the above, the Court shared the opinion of the President of the Personal Data Protection Office that the allegations of the complainant School that it did not process the biometric data of its students, which was allegedly confirmed by the opinion attached to the complaint, are unfounded.

Moving on to the other charges, it should be noted that biometric data have been classified as the so-called special categories of personal data (sensitive data), the processing of which must be based on the grounds indicated in the GDPR appropriate for this category (legal grounds).

As a rule, in the light of the GDPR, the processing of a special category of personal data revealing biometric data in order to uniquely identify a natural person is prohibited.

This is provided for in Art. 9 sec. 1 GDPR, which lays down a general prohibition on the processing of personal data that may be considered sensitive, i.e. personal data which, by their nature, are particularly sensitive in the light of fundamental rights and freedoms, and therefore require special protection, as the context of their processing may result in serious risk to fundamental rights and freedoms (cf. Recital 51 of the Preamble to the GDPR).

In turn, Art. 9 sec. 2 GDPR specifies situations in which the above ban on the processing of sensitive personal data has been lifted. It should also be pointed out that each of the premises indicated in this provision is autonomous and independent, and the structure of this provision used by the European legislator makes it impossible to interpret them extensively. This means that the conditions set out in Art. 9 sec. 2 GDPR - in principle - are equal, and therefore meeting at least one of them makes the processing of sensitive personal data lawful.

The conditions set out in Art. 9 sec. 2 GDPR are self-contained, independent and equivalent, which means that for the admissibility of processing it is enough to meet one of them, and the legislator does not differentiate the conditions in terms of their legal importance.

The basic premise that waives the prohibition of processing sensitive data is the consent of the data subject.

It should be noted that the concept of "consent" is defined in Art. 4 point 11 of the GDPR and means "voluntary, specific, informed and unambiguous demonstration of will, which the data subject, in the form of a declaration or a clear affirmative action, allows the processing of personal data concerning him".

Pursuant to this provision, consent to the processing of personal data is a manifestation of will by the data subject, the content of which is consent to the processing of personal data. The manifestation of will may take the form of a declaration or a clear affirmative action, and must be characterized by the following features: it must be voluntary, specific, informed and unambiguous (see, inter alia, the EU Regulation on the protection of individuals with regard to the processing of personal data and on the free flow of such data. Commentary, edited by Dr. Paweł Litwiński, 1st edition, CH Beck Publishing House, Warsaw 2018).

Nevertheless, it should be emphasized that pursuant to Art. 9 sec. 2 lit. a GDPR, it is permissible to process sensitive data if the data subject has expressly consented to the processing of personal data for one or more specific purposes, unless EU law or the law of a Member State provides that the data subject may not revoke the prohibition in question. In this situation, it should be recognized that the feature that characterizes consent to the processing of sensitive data is its clarity.

Although the feature of clarity has not been further specified in the provisions of the GDPR, it can be stated that its consequence will be the requirement to submit a declaration regarding consent, but without any particular indication of the form. Consent expressed implicitly (by conduct) can certainly be considered as not meeting the condition of clarity. There is no doubt, however, that a written statement in which the person to whom the sensitive data relate clearly and unequivocally indicates that he consents to their processing for a specific purpose (or several specific purposes) is the consent referred to in Art. 9 sec. 2 lit. a GDPR.

Having regard to the above, it should be noted that the applicant School, in the statements submitted during the proceedings, indicated that the processing of the biometric data of its students was based on the voluntary written consent of the parents (legal guardians) of the students using the school canteen services.

It should be noted that the above-mentioned consent was given by the parents (legal guardians) of the students in writing, in which the specific purpose of the processing of personal data was clearly indicated.

In this situation, the Court found that the written statements of the parents referred to by the applicant, in which the parents of the pupils to whom the biometric data relate clearly and unequivocally agreed to their processing for a specific purpose, prove that the condition referred to in Art. 9 sec. 2 lit. a GDPR was met.

In the opinion of the Court, one cannot agree with the position presented by the supervisory authority that the above-mentioned written consent referred to by the applicant School did not prove that the controller fulfilled the condition referred to in Art. 9 sec. 2 lit. a GDPR.

In this situation, the Court found that, contrary to the position of the supervisory authority, the applicant School had not breached the general prohibition of processing personal data laid down in Art. 9 sec. 1 of the GDPR, because it had express consent to the processing of pupils' biometric data given by their parents.

However, one should agree with the President of the Personal Data Protection Office, who stated in the justification of the contested decision that regardless of the fulfillment of one of the conditions legalizing the processing of sensitive personal data referred to in Art. 9 sec. 2 GDPR, the processing of personal data must additionally comply with the principles set out in Art. 5 sec. 1 GDPR, which, as should be clearly emphasized, play a special role among the legal norms on the protection of personal data contained in the GDPR. It is assumed that these principles are not only postulates read from the entirety of the provisions on the protection of personal data, but are even of a normative nature: they are binding legal norms that define a specific procedure, having particular significance for the application and interpretation of the provisions on the protection of personal data (cf. P. Fajgielski [in:] Commentary to Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, WKP 2018).

The supervisory authority therefore reasonably considered that the processing of the pupils' biometric data at issue by the applicant School should, inter alia, comply with the principle of data minimization referred to in Art. 5 sec. 1 lit. c GDPR. This provision states that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization").

It is worth noting here that Recital 39 of the GDPR Preamble states that "(...) Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period of data storage is limited to a strict minimum. Personal data should only be processed in cases where the purpose of the processing cannot reasonably be achieved by other means (...)".

The principle of data minimization introduces limiting criteria that restrict the collection and further processing of personal data. This leads to a limitation of the scope of data processing based on the criterion of necessity, which means processing only such personal data without which it is impossible to achieve the intended purpose of the processing.

This corresponds to the aforementioned Recital 39 of the GDPR Preamble, which indicates that personal data should only be processed in cases where the purpose of the processing cannot reasonably be achieved by other means.

It is assumed that according to the discussed principle, the data must be adequate and appropriate to achieve the purpose of their collection, but at the same time they cannot be excessive. The data may therefore be processed only to the extent that is necessary to achieve the purpose of their collection. Thus, processing of data to the extent unnecessary to achieve the purpose will constitute a breach of the provisions of the regulation. The principle of data minimization should be considered together with other principles, in particular the principle of purpose limitation. The implementation of proportionality of data processing depends on the correctness of the determination of the purpose of processing, which determines the scope of the collected data necessary to achieve this goal. Processing data in a proportionate manner means the obligation to ensure that the personal data collected by the controller is suitable for the purposes of processing and corresponds to them in terms of quantity, content and scope (see General Data Protection Regulation. Commentary, edited by Dr. Marlena Sakowska-Baryła, 1st edition, CH Beck Publishing House, Warsaw 2018, vol. 6 of the commentary to Article 5 of the GDPR and the literature quoted therein).

Consequently, it is assumed that in order to determine whether the processed amount of data or its scope exceeds the scope of adequate data, it is first necessary to define the purpose of processing, because a properly defined purpose will determine what data are necessary to achieve it (cf. D. Lubasz [in:] MERITUM. Personal data protection, edited by Dr. D. Lubasz, 1st edition, Wolters Kluwer Publishing House, Warsaw 2020, p. 114).

Referring to the principle of data minimization, the President of the Personal Data Protection Office decided that the processing of students' biometric data is not necessary to achieve the goal of identifying the child's entitlement to collect lunch. The supervisory authority considered that the applicant School could carry out the above-mentioned identification by other means, less intrusive to the privacy of the child using the services of the school canteen. The supervisory authority noted that, since the evidence gathered showed that the applicant School made it possible to use the school's canteen services by means of a fingerprint, an electronic card, or the name and contract number, it must be concluded that alternative forms of identifying the child's entitlement to collect lunch exist at the School.

At the same time, the President of the Personal Data Protection Office emphasized that biometric data may be used, among others, for the purposes of ensuring personal and industrial security, information protection, in order to verify suspects and assess their involvement in crimes, or to issue identification documents (passports) or to control access to specific areas of security. According to the supervisory authority, in these cases, these processes may be considered as justified due to the subject of protection or the seriousness of the purpose pursued, and the scope of the data used is adequate.

In this situation, the President of the Personal Data Protection Office decided that verifying who intends to use the services of the school canteen and whether they are entitled to receive lunch by means of biometric data obtained from students constitutes too much interference with their privacy, compared to the seriousness of the purpose for which the data are to be processed. As a consequence, the supervisory authority concluded that the processing by the complainant School of the biometric data of students is inconsistent with the principle of minimization referred to in Art. 5 sec. 1 lit. c GDPR.

In turn, the applicant School emphasized in the course of the proceedings that all alternative methods of verification did not fully meet the intended purpose of verifying payment for a meal within a specified period, i.e. the school break. The school emphasized in the explanations presented to the supervisory body that it had previously introduced other methods of verifying the payment for a meal and, only after seeing problems, at the request of the Parents' Council and with the parent's written consent, decided to introduce a biometric fingerprint reader. Consequently, the school indicated that, in order to respect the principle of minimizing personal data, it first applied the system of verification of the payment for lunch with a lunch card, and the fingerprint reader was not introduced first, but as a follow-up to the lunch card reader and only when previously used data verification methods did not meet expectations.

In the opinion of the Court, the interpretation of Art. 5 sec. 1 lit. c of the GDPR and of the principle of data minimization expressed therein, as presented by the supervisory authority, is incorrect, as it illegally omits in its assessment an important aspect of adequacy and appropriateness, which in turn leads to an overly rigorous perception of this principle.

It should be noted that in the provisions of Art. 5 sec. 1 lit. c GDPR, the term "adequate" means "appropriate, compliant, proportionate, not excessive" and may be considered synonymous with the word "appropriate". Adequacy and appropriateness can be understood as the necessity to maintain appropriate proportions of the scope of data for the purposes of processing and to process only such data that are needed to achieve specific purposes.

The rest of the provision of Art. 5 sec. 1 lit. c GDPR requires that data be limited to what is necessary for the purposes for which they are processed.

According to the Court, it should be admitted that personal data that are unnecessary to achieve the purpose should not be processed. Nevertheless, it must be clearly emphasized that reading from the analyzed provision a norm requiring the limitation of data only to the necessary minimum and the processing of only such data without which it is impossible to achieve the goal (this is the interpretation presented by the President of the Personal Data Protection Office) should be considered as going too far.

In the opinion of the Court, the requirement of necessity should be read together with the requirement of adequacy and appropriateness, which should allow for taking into account the circumstances and allowing the processing of data that may significantly help to achieve the purposes of processing.

At this point, it should be noted that in practice it often happens that the goal can be achieved easier, faster and cheaper by using data without which it is possible to achieve the basic goal. Nevertheless, in the opinion of the Court, the adoption of such a restrictive interpretation as presented in the present case by the supervisory authority would make it impossible in practice to process any data other than those without which the purpose cannot be achieved.

It is also noted in the literature that the rule expressed in Art. 5 sec. 1 lit. c GDPR has been briefly defined as "data minimization", which does not fully correspond to its essence and may be the reason for a restrictive interpretation, leading to various doubts and problems (this problem was noted, among others, by Prof. P. Fajgielski [in:] Commentary on Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, WKP 2018).

The doctrine assumes that the aforementioned principle, relating to the determination of the relationship between the purpose and scope of data processing, means two requirements: 1) limiting the collection of data only to those necessary to achieve the purpose, and 2) the need to delete data when they become unnecessary to achieve the purpose of processing (see M. Jagielski, The right to personal data protection. European standards, Warsaw 2010, p. 87).

In this situation, while trying to read the requirements of adequacy and minimization literally, it can be concluded that in practice it is not easy to reconcile them with each other, because adequacy assumes assessing the usefulness of a specific type of data to achieve the goal, while minimization leads to the recognition that if the purpose can be achieved without processing a specific type of data, such data should not be processed.

The Provincial Administrative Court in Warsaw, deciding in this case and fully sharing the position of Prof. P. Fajgielski presented in the above-mentioned publication, stated, however, that it is possible to reconcile these two not entirely consistent requirements by recognizing that their fulfillment should be assessed jointly, which in turn means that primacy should not be granted to minimization at the expense of adequacy. In this situation, the Court stated that it is admissible to process data in a slightly wider scope than the minimum necessary adopted by the President of the Personal Data Protection Office, provided that the processed data is closely related to the achievement of the goal (e.g. they facilitate its achievement).

Consequently, the Court found that it could not agree with the supervisory authority that the processing of biometric data of students by the applicant School was inconsistent with the principle of minimization referred to in Art. 5 sec. 1 lit. c GDPR.

In addition, it is worth noting that the doctrine indicates that the controller should be able to demonstrate and justify the existence of a legitimate relationship between the purpose of processing and the scope of data determined by him that he plans to process (see D. Lubasz [in:] MERITUM. Personal data protection, edited by Dr. D. Lubasz, 1st edition, Wolters Kluwer Publishing House, Warsaw 2020, p. 114).

According to the Court, there is no doubt that the applicant School, as the administrator of the disputed biometric data, justified in the course of the investigation procedure the existence of a legitimate link between the purpose of the processing and the scope of data determined by it that it plans to process, and explained precisely why the previously used methods of data verification turned out not to meet the expectations.

Considering the above, the Court found that as a consequence of a material breach of the above-mentioned provisions of Art. 5 sec. 1 lit. c and Art. 9 sec. 2 lit. a GDPR, the President of the Personal Data Protection Office unjustifiably applied the powers resulting from the provisions of Art. 58 sec. 2 lit. f and lit. g of the GDPR, ordering the complainant School to delete personal data in the scope of digitized information about the characteristic fingerprint points of children using the school canteen services, and unjustifiably ordering the complainant to stop collecting the aforementioned biometric data of the students.

At the same time, in the opinion of the Court, the supervisory body unjustifiably applied to the complainant School the power resulting from the provisions of Art. 58 sec. 2 lit. i in connection with Art. 83 of the GDPR, imposing a fine on the complainant in the amount of PLN 20,000.00.

Thus, the Court found that the President of the Personal Data Protection Office, by issuing the disputed administrative decision, had committed, in the above scope, a material breach of the rule of law expressed in the provisions of Art. 6 and Art. 7 in principio of the Code of Administrative Procedure and Art. 7 of the Polish Constitution.

The analyzed activity of the President of the Personal Data Protection Office significantly violated the principle of citizens' trust in the organs of the state and the law applied by them, expressed in Art. 8 of the Code of Administrative Procedure. There is no doubt that the principle of trust expressed in Art. 8 of the Code of Administrative Procedure has a constitutional and EU context, and public administration bodies are obliged, within the framework of an interpretation consistent with EU law and the Constitution of the Republic of Poland, to take into account that the principle of trust, also in the procedural aspect, is an essential element of the principle of a democratic state ruled by law and as such has its authorization and source in Art. 2 of the Polish Constitution.

In this situation, since the activities of the supervisory body clearly did not meet the above conditions, this was the basis for eliminating from legal circulation the challenged decision of the President of the Personal Data Protection Office of [...] February 2020.

Taking the above into account, the Provincial Administrative Court in Warsaw, acting pursuant to Art. 145 § 1 point 1 lit. a and c Ppsa, ruled as in point 1 of the operative part of the judgment.

At the same time, ordering the President of the Personal Data Protection Office to pay the complainant School the amount of PLN 400 as reimbursement of the costs of court proceedings, the Court acted pursuant to the provisions of Art. 200 Ppsa in connection with Art. 209 Ppsa.