


The Court for the first time issued a judgment entirely overturning a decision of the Polish Supervisory Authority

​published on 23 February 2021 | reading time approx. 3,5 minutes

The Polish Administrative Court (Polish: Wojewódzki Sąd Administracyjny), overturning a penalty imposed by the Polish Supervisory Authority, has interpreted in its judgment the principle of data minimisation expressed in Article 5(1)(c) and the grounds for processing of special categories of personal data expressed in Article 9 of GDPR.


The judgment is interesting for several reasons. Firstly, as of today it is one of the few verifications of the position of the Supervisory Authority in the Polish legal system and at the same time it is a legally binding interpretation of the provisions of the GDPR. So far, we could only rely on decisions of the Polish Supervisory Authority itself and specialist literature. (There are, of course, guidelines of EU bodies available).

Secondly, this is another Court judgment that overturns sanctions imposed by the Polish Supervisory Authority and indicates a less restrictive interpretation of the regulations by the Court in relation to the interpretation of the Polish Supervisory Authority.

It should be noted that the judgment is not yet final and the parties have the right to appeal against it to the Supreme Administrative Court.

Factual Situation

In 2015, an elementary school implemented a system for collecting students' fingerprints for biometric identification. The identification was introduced for the purpose of serving meals in the school canteen.

The Polish Supervisory Authority, the President of the Personal Data Protection Office, ex officio initiated inspection proceedings, which revealed that:

The school placed a fingerprint reader at the entrance to the canteen. The purpose of the system was to verify the payment for meals. The school indicated consent as the basis for the processing, which was given by a parent in the form of a written statement. The school also explained that it did not have a database that contained fingerprint images, and the data associated with the fingerprint reader were only collected in the reader itself in the form of a byte string record. Access to the data in the data reader was restricted to two individuals authorised by the school. Parents were informed of the option to consent or to refuse to consent to the use of the fingerprint reading system. Upon termination of the school canteen contract, the data were deleted.

Decision of the Polish Supervisory Authority

The Polish Supervisory Authority ruled that the school violated the provisions of Article 5(1)(c) and Article 9(1) of the GDPR and:
  1. ordered the erasure of students' personal data stored in the form of fingerprint records;
  2. imposed a definitive ban on the processing;
  3. imposed a fine on the school in the amount of PLN 20,000 (approx. EUR 4,500).

In the Polish legal system, the maximum administrative fine that can be imposed on a public school is PLN 100,000 (EUR 22,500), so the imposed fine should be considered relatively high.

In its decision, the Polish Supervisory Authority indicated mainly that:
  1. the school processed the data without any of the bases listed in Article 9(1) and thus without a valid basis for the processing;
  2. under the principle of data minimisation, the school, as the data controller, should not acquire data beyond what is necessary, but only those that are necessary for the purposes;
  3. the processing of student biometric data is not necessary to achieve the purpose of identifying a child's eligibility to receive lunch;
  4. the school has the ability to verify identity through means that are less intrusive to the child's privacy. The school itself offers other means such as a smart card;
  5. verification of who intends to use the school canteen services and whether they are entitled to collect their lunch by means of biometric data obtained from students constitutes an intrusion into their privacy, when weighed against the seriousness of the purpose for which data will be processed.

The Authority also questioned the consent-based processing of students’ data. According to the definition of consent expressed in Article 4(11) of the GDPR, as well as in Recital 43 of the GDPR Preamble:
  1. consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller;
  2. consent constitutes a valid legal ground for the processing of personal data only if there are no other legal grounds for the processing.

Judgment of the Administrative Court

The Court overturned the decision of the Polish Supervisory Authority in its entirety.
The Court found that the decision was in material breach of the applicable provisions of both European and national law and questioned the legitimacy of the sanctions, namely: (1) the ban on processing, (2) the order to erase the data, and (3) the administrative monetary penalty.
The qualification of the data as biometric data in accordance with the definition in Article 14(4) of the GDPR was found to be correct.

Legal basis for the processing

The legal bases set out in Article 9(2) of the GDPR are self-contained, independent and equivalent, which consequently means that the fulfilment of one of them is sufficient for the admissibility of the processing, and the legislator does not generally differentiate between the bases in terms of their legal significance.

Consent

The Court held that the written parental statements, in which the parents of the students unambiguously and without any doubt gave their consent to the processing of the data for a specific purpose, proved that the legal basis referred to in Article 9(2)(a) of the GDPR was met.

Principle of data minimisation

According to the Court, the principles expressed in Article 5 are binding norms of law, prescribing a particular way of proceeding, with particular relevance for the application and interpretation of data protection law.

The term 'adequate' means 'relevant, compatible, proportionate, not excessive' and can be considered as a synonym for the word 'appropriate'. Adequacy and appropriateness can be understood as the necessity to keep the scope of data in appropriate proportion to the purposes of the processing and to process only those data which are necessary for the achievement of specified purposes. The school proved that, in order to respect the principle of minimisation of personal data, it first used the lunch card payment verification system; the fingerprint reader was not introduced first but as a follow-up to the lunch card reader, and only when the previously used data verification methods proved not to meet the expectations.

Limiting the data only to the necessary minimum and processing only such data without which the purpose cannot be achieved (this interpretation was presented by the Polish Supervisory Authority) should be regarded as a too broad interpretation. It is permissible to process data which significantly help to achieve the purposes of the processing. In practice it often happens that the purpose may be achieved more easily, quickly and more cost-effectively by using data without which it is impossible to achieve the basic objective. 

The principle of data minimisation should not be applied at the expense of adequacy. In this situation, the Court found that it should be admissible to process data to a slightly larger extent than the minimum necessary, provided that the processed data are closely related to the achievement of the purpose. The school, as the controller of the biometric data, substantiated in the course of the investigation the existence of a legitimate nexus between the purpose of the processing and the scope of the data it plans to process, and explained in a precise manner why the previously used data verification methods proved not to meet expectations.

Comment

The Court adopted an interpretation of the principle of data minimisation favourable for the controller, while pointing out that the principle of data minimisation should not take precedence over other principles. Adopting such a restrictive interpretation as the Polish Supervisory Authority has presented in this case would make it impossible in practice to process any data other than those without which the purpose cannot be achieved. The judgment is the first in which such a complete and extensive analysis and interpretation of the application of the basic provisions of the GDPR has been made. The Polish Supervisory Authority did not agree with this interpretation and has already announced an appeal to the Supreme Administrative Court.

CONTACT


Paweł Foltman

Attorney at Law

+48 58 582 65 86
